June 19, 2026

$5,000,000 Mythos-era Warranty

Jeremiah Grossman


Well before Mythos, vulnerability exploitation via CVE was already the leading cause of initial access during a security breach.

Companies have long had more vulnerabilities than they can realistically patch. The challenge is not finding more vulnerabilities, or even fixing more. AI models like Anthropic’s Mythos are only increasing the volume. The real challenge is deciding which vulnerabilities matter right now: those most likely to lead to breaches and financial loss.

Everyone has a theory: CVSS, EPSS, CISA KEV, VulnCheck KEV, and proprietary scoring systems from nearly every vendor. Each measures something, and maybe even something useful, but they do not agree. So companies are left asking: Which one is right? Which one actually works? Which one should we trust?

At the end of the day, customers want more than another prioritization scoring system. They want a cybersecurity partner willing to stand behind its recommendations and put its money where its mouth is. Root Evidence was created to do exactly that.

If a customer suffers a breach from any remotely exploited CVE that Root Evidence did not report, our warranty covers up to the first $5,000,000 in financial loss. This amount is designed to adequately cover the losses for the vast majority of breach victims and is underwritten by our cyber insurance industry partners. This is not cyber insurance; it is accountability for our recommendations.

The obvious question is why or how we are willing to do that.

We started with a simple constraint that was echoed by all of our design partners: no organization can find or fix everything. The Root Evidence team spent years studying actuarial and cyber insurance claims data, breach reports, vulnerability disclosures, exploit activity, and incident response investigations. We spoke with security leaders, vulnerability management teams, insurers, underwriters, and responders. 

What we found was remarkably consistent. Most vulnerabilities never lead to a breach. An even smaller number lead to measurable financial loss. Yet organizations are often expected to treat tens of thousands of vulnerabilities as if they deserve equal attention. They don’t.

We also found that organizations cannot remediate assets they do not know exist. Unknown Internet-facing assets appeared again and again in breach investigations and insurance claims. That became a necessary part of our approach.

Root Evidence continuously identifies all Internet-facing assets of our customers, scans them for vulnerabilities that matter, and prioritizes those associated with real-world breach activity and financial loss. The result is an evidence-based vulnerability management program focused on helping organizations spend their limited remediation resources where they matter most.

Companies do not need more opinions. They need Evidence. They need a partner who shares in the financial risk, so that interests are in alignment.

→ Get more info: https://www.rootevidence.com/mythoswarranty

Evidence Scan is free for enterprise companies to preview.