Latest Cybersecurity Blog Posts from Root Evidence

Expert insights in the world of vulnerability management

June 16, 2026

Why MSSPs Are Getting Fired (And Probably Know It)

Greg Reber

Read More

Read More

Latest Articles

Why MSSPs Are Getting Fired (And Probably Know It)

MSSPs are not losing clients because they are inactive, but because they often fail to prove that their work reduced the risks that mattered most to the business. This piece argues that the providers who survive will be the ones that translate security activity into measurable financial exposure reduction, clear board-level narratives, and renewal-worthy business outcomes.

Blog Image

Evaluating AI in Infosec

The best AI use cases in infosec are not the flashiest ones, but the ones that can survive failure, cost, and delay. This blog lays out a simple three-part test for separating useful security AI from features that look impressive in demos but collapse in production.

Blog Image

Just Fix Everything

Autopatching sounds like the obvious answer to AI-driven vulnerability discovery, but production systems are too complex and fragile for “just fix everything” thinking. This blog explains why LLM-powered patching may help in development, while autonomous patching in production introduces risks that can be worse than the vulnerabilities themselves.

Blog Image

What does ‘Defensibility’ mean to a CISO?

CISOs are no longer judged only on whether they prevented a breach, but on whether they can prove their decisions were reasonable, documented, and financially defensible. This piece explains why defensibility is becoming a core requirement for modern security leaders and the vendors who sell to them.

Blog Image

What “Due Care” Actually Means in Vulnerability Management

A vulnerability backlog will never be perfectly cleared, but boards need proof that security teams prioritized the risks most likely to cause real financial harm. This article argues that defensible vulnerability management is not about fixing everything, it is about showing due care where it matters most.

Blog Image

AI Failure Mode: Lie. And how will that impact vulnerability management?

AI doesn’t fail loudly, it fails convincingly, producing confident answers that can be completely wrong. This blog explores why that makes it uniquely dangerous in security and how misplaced trust can waste time on threats that don’t even exist.

Blog Image

Removing 3rd Party CVEs

What if you could eliminate most third-party vulnerabilities by rewriting the code entirely? This blog explores using Lib-Theseus to replacing risky dependencies, and why focusing on the vulnerabilities that actually matter is still the real win.

Blog Image

Explaining the Myth of Mythos

Mythos may dramatically increase vulnerability discovery, but it amplifies the real problem rather than solving it: knowing which flaws actually matter. This blog explains why prioritization, asset visibility, and real-world risk data are more critical than ever in an AI-driven security landscape.

Blog Image

AI and the Artisan Vulnerability Researcher

AI won’t eliminate vulnerability research, it will raise the bar, making discoveries rarer, harder, and more dependent on elite expertise. This blog explores how automation reshapes the field and why the future belongs to highly skilled, “artisan” security researchers.

Blog Image

Mythos Preview vs VM Reality: What Changes When AI Finds “Everything”

Mythos and similar AI tools may accelerate vulnerability discovery, but they don’t change the fundamentals of how real attacks succeed. This blog explains why attackers already have everything they need and why defenders must shift focus to prioritizing the risks that actually lead to loss.

Blog Image

The Blue Team is a Losing Man’s Game

Is the Blue Team doomed to lose, or just playing the wrong game? This piece breaks down the structural disadvantages defenders face and argues that shifting the economics of cybersecurity is the key to finally gaining the upper hand.

Blog Image

AI Malware Woes

A grounded look at why AI-generated malware is often far less dangerous than the hype suggests, from outdated tactics to obvious mistakes that make detection easier. Read this post for a sharp, insider take on how real attackers operate and why today’s AI tools may be giving defenders more of an advantage than adversaries.

Blog Image

It’s Not Their Fault (they did the best they could at the time…)

Why do legacy vulnerability management platforms still overwhelm teams with endless CVE lists? Read how outdated risk models from Tenable, Qualys, and Rapid7 create noise at a time when security teams need precision.

Blog Image

AI Security will be Bolted On

Everyone wants AI to be secure by design, but cybersecurity history suggests that some defenses will always be added later as real attacks reveal what no one could fully predict upfront. This blog explains why the winners in AI security will not be the teams that guess best at the start, but the ones that adapt fastest once real-world evidence shows what actually matters.

Blog Image

The Cost of Cybersecurity Will Exceed the Cost of Breach

This blog explores why traditional, asset-based cybersecurity pricing is breaking down as attack surfaces expand faster than breach costs, especially in large enterprises. Read it to see how AI-driven growth is forcing security teams and vendors to rethink pricing, prioritization, and what actually reduces risk.

Blog Image

Application Security Won. The Industry Missed It.

Application Security did not win by eliminating vulnerabilities. It won by making common web app attacks less reliable, less scalable, and less profitable for attackers. This blog argues that the real measure of success is not fewer flaws, but forcing adversaries to change tactics and proving why that shift matters now more than ever.

Blog Image

The AI Vulnerability Surge That Doesn’t Change a Thing

Cybersecurity has a long history of overhyping the next big threat, and AI-driven vulnerability exploitation may be the latest example. This blog challenges the panic with a sharper question: if attackers already ignore most known vulnerabilities, what really changes when AI helps them find more?

Blog Image

Subrogation Lawsuits as Peer Pressure

Explore how subrogation lawsuits are reshaping cyber insurance into a powerful force for accountability, turning security marketing claims into measurable, outcome-driven proof. This blog explains why insurers may become the industry’s most effective regulators and what that means for underwriting, vendor risk, and security investment decisions.

Blog Image

Companies Buried in Vulnerabilities Still Get Insured. How?

Companies are overwhelmed by vulnerabilities, yet still qualify for cyber insurance. This blog explores what actuarial data reveals about which vulnerabilities actually lead to financial loss and why most don’t matter as much as we think.

Blog Image

Why We Built Evidence Scan the Way We Did

Evidence has launched the enterprise preview of Evidence Scan, a scalable vulnerability scanner designed to identify the risks that truly matter. Learn how it helps security teams cut through vulnerability noise and focus on the issues most likely to cause real-world financial loss.

Blog Image

Announcing the Evidence Scan Enterprise Preview

We’ve spent years refining the math of loss. Now, we’re making that same "Loss-First" intelligence available directly to security teams. We are officially launching the Enterprise Preview for Evidence Scan: the first tool designed to let you see exactly which of your vulnerabilities could lead to breaches or real-world financial loss.

Blog Image

The Difference Between Vuln Severity and Financial Exposure

Cyber insurance is won or lost in the gap between CVSS “severity” and real-world financial exposure. This post explains why pricing and remediation should be driven by empirically exploited loss drivers, not theoretical scores, and how that shift sharpens underwriting and portfolio performance.

Blog Image

Millions of Vulns

Organizations are reporting tens or even hundreds of millions of vulnerabilities, yet few appear to translate into real-world attacks or losses. This piece explores that contradiction and asks an uncomfortable question: if these flaws rarely change outcomes, why are vulnerability counts still used to define risk?

Blog Image

Datasources are not Created Equal

Not all threat intelligence feeds are created equal. This post explains why high-fidelity data built on direct observation of real compromises delivers clearer, more actionable security insight than rule-based feeds full of noise.

Blog Image

Who Measures Risk Better

A sharp examination of the opposing incentives between vulnerability management vendors and cyber insurers reveals why counting vulnerabilities is a poor proxy for real risk. By reframing evidence around actual loss instead of noise, this piece argues for a more honest way to measure what truly changes security outcomes.

Blog Image

The ‘Dark Energy’ of Orphaned External IT Devices

A compelling analogy between dark energy and orphaned, internet-facing systems reveals how forgotten assets quietly expand enterprise attack surfaces. It shows why unmanaged infrastructure becomes an invisible but powerful breach vector, and why exposing and eliminating these hidden systems is critical to preventing real-world compromises.

Blog Image

Cyber Security Incentives

Cybersecurity is broken less by attackers than by the incentives shaping our tools, teams, and decisions. This post breaks down why risk based security is mostly a myth, how volume and fear replaced insight, and what it will take to realign the industry around outcomes that actually reduce loss.

Blog Image

From Aristotle to CVSS: Why First Principles Matter in Cyber Risk

We are drowning in confident conclusions built on shaky assumptions. This post shows how applying first principles thinking cuts through bad data, false causation, and noisy vulnerability scores to focus security decisions on what actually leads to real breaches.

Blog Image

Peak Patch Management and Busy Work

This blog challenges the belief that patch management alone reduces risk, arguing that blindly fixing millions of vulnerabilities without adversary context often wastes time and resources. It makes the case for prioritizing patches based on how attackers actually operate, not on raw vulnerability counts.

Blog Image

Moneyball in Infosec

Infosec is still playing the wrong game, trusting expert intuition, CVSS scores, and tradition instead of outcomes that actually prevent loss. This post argues for an Infosec Moneyball approach that replaces security theater with rigorous, dollar-driven decisions focused on what truly reduces breach and business impact.

Blog Image

The Cognitive Bias Behind Cyber Risk Scoring

This blog uses a surprising deck of cards analogy to expose a critical misunderstanding in cybersecurity: why CVSS scores measure severity, not risk. Learn how separating impact from likelihood leads to smarter vulnerability prioritization and better business aligned security decisions.

Blog Image

The Vulnerability Management Warranty

Are your vulnerability management and external attack surface programs actually working, or just reporting success? This post challenges conventional security metrics and argues that only warranties and real accountability can prove whether risk is truly being found, prioritized, and reduced.

Blog Image

Evidence: 2025 Year in Review

Evidence’s first year charts its evolution from an idea into a movement, redefining vulnerability management through evidence-based prioritization, community collaboration, and real-world results. Read how practitioner insight, design partners, and a focus on measurable risk shaped the product and what comes next.

Blog Image

CVSS V4 vs V3

Read about why CVSS 4.0 struggles to gain real adoption, how its added complexity can reduce practical scoring resolution, and why base scores continue to undermine meaningful risk prioritization. This post breaks down the technical, philosophical, and incentive-driven reasons CVSS V4 has not fixed the problems it set out to solve.

Blog Image

The Importance of Prebuilt EASM

Read why traditional EASM approaches fail to deliver a reliable picture of what organizations actually expose to the internet and why accurate, real-time asset inventory is becoming a prerequisite for both security and cyber insurance decisions.

Blog Image

What Infosec Doesn’t Understand about Cyber Insurance

Read about how cyber insurance carriers actually evaluate risk, losses, and security controls, and why many long-held infosec assumptions don’t match actuarial reality. This post breaks down how insurers really think about premiums, breaches, and which controls truly reduce financial loss.

Blog Image

Patching ROSI Math

A practical guide to using ROSI math to prioritize vulnerabilities based on real financial impact, not guesswork or compliance-driven patching.

Blog Image

When Old Assumptions Move Aside and Evidence Takes Over

A look at how history, and cybersecurity, keep proving that rational assumptions can still be wrong, and why the future of vulnerability management depends on evidence, not theory.

Blog Image

Fast Scanning and Dwell Time

Rapid scanning and shared intelligence can shrink attacker dwell time, disrupt post-compromise movement, and meaningfully reduce breach impact.

Blog Image

AI and the Acceleration of CVEs

Discover why AI is set to dramatically increase CVE volume and how this shift will force security teams to rethink prioritization, triage, and long-term risk strategy.

Blog Image

Replacing Security Theatre with Real Risk Reduction

Security theatre gives organizations the illusion of safety. Shifting to true visibility and context-driven prioritization is what actually reduces real-world risk.

Blog Image

The Unit Cost of Infosec

Cyber insurance is reshaping security. Vendors must deliver real efficacy and lower unit costs as market forces finally enforce accountability.

Blog Image

Vulnerability Management has always been about Evidence

Trace the evolution of vulnerability management from early scanners to evidence-based security. Learn how forensics and actuarial data are redefining prioritization and shaping the next generation of risk reduction.

Blog Image

The Rational Rejection of Vulnerability Management

Explore why most vulnerability management efforts waste time and resources on low-impact flaws, and how a rational, evidence-based approach focused on real-world exploitation can redefine what “effective security” really means.

Blog Image

CVSS Base Scores

CVSS Base Scores were never meant to measure real risk. This post explains how their misuse distorts prioritization and why context (not convenience) must define vulnerability management.

Blog Image

At the Risk of CVSS

Expose why CVSS misleads: inconsistent math, context-free scores, poor correlation to real exploitation and loss, and version/data flaws. Then, replace it with evidence-based, loss-driven prioritization and ROSI-focused metrics.

Blog Image

The Epoch Theory of Cybersecurity

The Epoch Theory of Cybersecurity explains how attackers and defenders evolve through distinct eras, from manual exploits to scalable automation and, soon, AI-driven complexity. By understanding these epochs, organizations can anticipate shifts in attacker behavior, invest strategically, and force adversaries to spend more time and money, turning defense into an economic advantage.

Blog Image

A Post-VM Warranty World

Explore the coming “post-VM warranty world,” where vulnerability management shifts from empty promises to accountability. As vendors begin offering warranties, only those that back limited, high-impact vulnerabilities with real financial risk will align with customer success.

Blog Image

What Enterprises Get Wrong About Vulnerability Management ROI

Expose the illusion of “fixing everything.” VM programs measure success by volume (tickets closed, vulns patched) but those metrics don’t reduce risk. True ROI comes from prioritizing exploited vulnerabilities and measuring avoided loss, not activity for activity’s sake.

Blog Image

Nulns: The Untold Story of Non-Exploitable Vulnerabilities in Cybersecurity

Discover the concept of “nulns”: non-exploitable vulnerabilities often mistaken as risks. Learn why most security flaws may never lead to real-world breaches.

Blog Image

The Biggest Challenges of 100+ Vulnerability Management Practitioners

Vulnerability management is broken. 100+ security pros reveal why CVEs, bad tooling, and poor risk context are overwhelming teams.

Blog Image

Stoplight Infosec

Learn about “Stoplight Infosec”: color-coded scoring systems that masquerade as math but mislead security priorities. Replace arbitrary grades with better metrics that quantify real risk and ROI.

Blog Image

The Triangle Model for Evidence-Based Prioritization

Master evidence-based vulnerability prioritization with the Triangle model. Focus on exploitability, adversary activity, and losses to reduce breaches effectively.

Blog Image

Exploitation vs Loss

Understand the difference between vulnerability exploitation and actual financial loss in cybersecurity. Discover why not all exploits lead to breaches and how to focus on real risks.

Blog Image

Evaluating EPSS as a Primary Vulnerability Prioritization Tool

Does prioritizing EPSS make sense in vulnerability management? Analyze the debate, FIRST guidance, and best practices for effective risk prioritization. Read the full analysis.

Blog Image

Determining Remediation Thresholds in Vulnerability Management

Find the remediation cut-off in vulnerability management. Compare models and cyber-insurance insights for defining when to stop patching.

Blog Image

Why Zero-Day Doesn’t Belong in a Vulnerability Management Discussion

Why zero-days are irrelevant in vulnerability management discussions. Focus on known CVEs for enterprise risk & separate myths from effective strategies.

Blog Image

How Do You Explain Your Vulnerability Prioritization Strategy Post-Breach?

Post-breach, how will you justify your vulnerability prioritization strategy? Learn defensible approaches using KEVs, compliance, and risk assessment to explain decisions to stakeholders.

Blog Image

The KPI We’ve Been Missing in Vulnerability Management

Discover the missing KPI in vulnerability management: Forcing adversaries to innovate. Analyze data showing only 1.3% of CVEs are exploited and how to shift attack economics.

Blog Image

Paradoxes of Vulnerability Management

Uncover paradoxes in vulnerability management: Does fixing flaws always reduce risk? Explore scenarios, costs, and alternatives for smarter remediation strategies.

Blog Image

The Myth of Objective Security Scoring Models

Debunk the myth of objective security scoring like CVSS and EPSS. Learn why subjectivity persists and how to validate models with real-world breach data.

Blog Image

Do financially motivated hacking groups innovate? The numbers say NO

Explore why financially motivated hackers rarely innovate, reusing known vulnerabilities for efficiency. Data from VulnCheck and reports reveal only 1.1% of CVEs are exploited. Learn more.

Blog Image

We Are Security Optimists

Embrace security optimism: Focus on evidence-based fixes for known vulnerabilities. Raise attack costs and protect against breaches with actionable strategies.

Follow Along as Evidence Takes Shape

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.