November 19, 2025

Replacing Security Theatre with Real Risk Reduction

Greg Reber


Is Everybody In?  The Show is About to Begin

Much of what we call “security” is theatre. We perform rituals of protection at airports: taking off shoes, submitting to full-body scans, emptying out water bottles, not because they make us invulnerable, but because they make us feel less exposed. The same illusory perceptions apply to cyber security.

We conduct scans, patch vulnerabilities, and generate colorful dashboards. Yet, beneath the choreography, many organizations remain dangerously unprotected. The ritual satisfies auditors and executives, but how many attackers does it deter?

At the center of this illusion is external vulnerability scanning - the automated probing of an organization’s internet-facing systems for weaknesses. It is, in principle, a sound practice. But like any ritual, it becomes ineffectual, and even detrimental, when performed without intelligent reflection.

Most companies pay someone to scan their external networks because compliance requires it. They run a tool that checks for hundreds of thousands of known vulnerabilities, resulting in a sea of findings. The results feed a dashboard that compares this week’s scan with last week’s and with patching activity, which leads the viewer to conclude that risk has gone down. But such comfort is misleading. Many companies aren’t getting their entire attack surface scanned (it is too expensive, or too big). Others scan only the assets governed by some regulatory framework, while some unfortunate souls impose arbitrary ‘risk thresholds’ below which nothing is remediated. The really dangerous vulnerabilities - those on forgotten servers, neglected APIs, orphaned cloud buckets - exist outside the script.

Attackers don’t play by compliance rules. They explore what is reachable, not what is reported. They use what is effective and easy, not what CVSS scores say is most severe.

Context, Context, Context

A vulnerability scan without effective prioritization is like a medical test without a diagnosis. The tool can detect symptoms, but it cannot determine which are life-threatening. Each finding is assigned a CVSS score, a number from 0 to 10 meant to represent the severity of the flaw itself, and many organizations mistakenly treat that number as a measure of risk. Without context, that is not possible. We need to take into account the environmental factors that truly describe the risk we are trying to reduce: whether the asset is reachable, what it protects, and whether anyone is actually exploiting the flaw.

Without these factors, the numbers become noise, and teams drown in false urgency. Scanning looks like progress. It produces data, graphs, and the appearance of motion. But without intelligent prioritization, it’s just a dance performed for auditors, not defense against adversaries.

Case Study

A while back, a mid-sized financial services firm was the perfect example of cybersecurity theatre. They scanned monthly, patched what they labelled “critical” vulnerabilities (CVSS 8.0 and above), and presented clean metrics to the board:

“We have zero Critical Vulnerabilities” and “We have 99% patch compliance”!

Then came the breach. Attackers exploited an outdated content management system on an unscanned marketing server and pivoted into production. Customer data was exfiltrated before the breach was detected. The audit logs told one story; the attackers told another.

A new CISO dismantled the illusion. The first step was redefining external assets: not what was listed on paper, but what was truly exposed to the internet. Using continuous asset discovery, the company identified 40% more public endpoints than it had previously documented.

She also initiated a risk-based prioritization model blending four factors:

  1. Actual exploitation in the wild: Is there intelligence showing that the vulnerability is being used in real, successful attacks?

  2. Business criticality: Does the system handle regulated or high-value data?

  3. Exposure level: Is the asset directly reachable from the internet or behind layers of control?

  4. Age of exposure: How long has the vulnerability existed unaddressed on the asset?

This approach changed everything. A vulnerability with a CVSS score of 6.5 but active exploitation on a critical public-facing server was remediated before an issue scoring 9.8 on a system with mitigating controls. For the first time, the company’s remediation activity reflected risk reduction rather than busyness.
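To make that ranking concrete, here is an added example (not code from the original post, nor the firm’s own tooling) that scores findings using the four factors above alongside CVSS. The weights, the reference date and the three sample findings are constructed assumptions, chosen so that the 6.5 and 9.8 cases from the paragraph come out in the order described; in a real deployment the exploitation flag would come from a feed such as CISA’s Known Exploited Vulnerabilities catalogue, and the exposure and criticality flags from the asset inventory. It also includes the inventory check from the discovery step: hosts found on the internet that the paper inventory does not list.

```python
"""Context-based ranking of external scan findings.

Added example, not the post's or the firm's own code. The weights, the
reference date and the sample findings below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str                # short description as reported by the scanner
    cvss: float               # base severity, 0-10
    exploited_in_wild: bool   # e.g. listed in CISA KEV or seen in incident intel
    business_critical: bool   # handles regulated or high-value data
    internet_exposed: bool    # directly reachable, vs behind compensating controls
    first_seen: date          # first scan that reported it on this asset


def risk_score(f: Finding, today: date) -> float:
    """Blend CVSS with the four contextual factors into one ranking score.

    CVSS contributes at most 10 points; the context factors can add more than
    that between them, so they decide the order whenever they disagree with
    the base score. The weights are illustrative assumptions, not a standard.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 10.0         # confirmed exploitation outweighs any base score
    if f.business_critical:
        score += 6.0
    if f.internet_exposed:
        score += 6.0
    else:
        score -= 4.0          # mitigating controls reduce reachability
    age_days = (today - f.first_seen).days
    score += min(age_days / 30.0, 6.0)   # about +1 per month unaddressed, capped
    return round(score, 2)


def prioritize(findings, today):
    """Findings in the order they should be worked, highest risk first."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def by_cvss(findings):
    """The ordering the theatre produces: base score only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def undocumented_assets(discovered, documented):
    """Hosts seen by external discovery that the paper inventory does not list."""
    return sorted(set(discovered) - set(documented))


# Constructed sample data (hostnames and issues are placeholders).
TODAY = date(2025, 11, 19)
PUBLIC_PORTAL = Finding("portal.example.com", "auth bypass in login handler", 6.5,
                        exploited_in_wild=True, business_critical=True,
                        internet_exposed=True, first_seen=date(2025, 9, 20))
INTERNAL_DB = Finding("db01.corp.example", "RCE in database admin console", 9.8,
                      exploited_in_wild=False, business_critical=True,
                      internet_exposed=False, first_seen=date(2025, 11, 9))
MARKETING_CMS = Finding("promo.example.com", "outdated CMS with public exploit", 7.5,
                        exploited_in_wild=True, business_critical=False,
                        internet_exposed=True, first_seen=date(2024, 10, 15))
FINDINGS = [PUBLIC_PORTAL, INTERNAL_DB, MARKETING_CMS]

DOCUMENTED = ["portal.example.com", "db01.corp.example"]    # what the inventory says
DISCOVERED = ["portal.example.com", "promo.example.com"]    # what the internet sees

if __name__ == "__main__":
    print("Not in inventory:", undocumented_assets(DISCOVERED, DOCUMENTED))
    print("By CVSS:", [f.asset for f in by_cvss(FINDINGS)])
    print("By risk: ", [(f.asset, risk_score(f, TODAY))
                        for f in prioritize(FINDINGS, TODAY)])
```

Run as a script, the block reports the marketing host missing from the inventory and prints both orderings: by base score the internal database with the 9.8 comes first, while by risk it drops to last behind the exploited portal (30.5) and the forgotten, year-old CMS (29.5).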

Within six months, the company had reduced its total remediation workload by 40% while cutting its external exposure significantly. They weren’t doing more work; they were doing the right work.

From Compliance to Understanding

The psychological shift was just as profound. Previously, scanning had been a monthly compliance exercise. Now it became a conversation: security teams spoke with operations about exposure, not just patch counts. Reports began to tell risk narratives: why something mattered, not just that it existed.

Metrics evolved from performance indicators to measures of understanding. Security stopped being a checklist and became a discipline of awareness.

One of my favorite writers once observed that humans prefer comforting illusions to uncomfortable truths. Cybersecurity is no exception. It’s easier to satisfy compliance frameworks than to confront the full complexity of risk. It’s safer to produce a report showing scanning activity than to admit ignorance of your true attack surface. 

Yet real safety begins only when this illusion collapses. When we stop mistaking effort for progress, and metrics for meaning, we begin to see the digital landscape as it is: messy, dynamic, and unforgiving. We have to measure outcomes, not optics, and focus on reduced attack surface, not on the number of findings reported.

Curtain Call

Theatre has its comforts. It reassures investors, satisfies auditors, and perhaps assuages the Board’s fears. But when the curtain rises for a real attack, activity alone won’t save us. The only thing that matters is the substance beneath the show: accurate visibility, intelligent prioritization, and the courage to see the world as it truly is.

My example company learned this the hard way. Their metrics once told a story of near-perfection. Reality told a story of vulnerability. Between those narratives lies the lesson every organization must learn:

The appearance of safety is not safety itself.

Only when we recognize and abandon the performance can we understand how to protect what truly matters.
