September 26, 2025
Jeremiah Grossman
Vulnerability management: everyone knows it’s broken. Security teams are in the trenches doing heroic work against impossible odds. For more than a year, I’ve spoken to well over 100 of them personally. They’re drowning in CVEs and somehow expected to patch faster than exploit kits evolve. It’s not for lack of effort. They’re buried in data, starved for context, under-resourced, and told to prioritize the un-prioritizable. Dashboards scream red but whisper very little that’s useful, or that could justify a business decision. Meanwhile, conversations with several cyber-insurance carriers, and their published claims reports, show what some are already figuring out: remotely exploited software vulnerabilities are behind roughly half of all incidents that cause material financial loss.
Vulnerability management remains one of cybersecurity’s biggest unsolved problems, and the people knee-deep in it need more than another scoring model, KEV list, or motivational platitude to get this problem under control. Real advancement demands a new way of thinking. Solving large cybersecurity problems that protect people and businesses, and actually reduce breaches, is exactly the kind of impact we (Jeremiah Grossman, Robert “RSnake” Hansen, Heather Konold, and Lex Arquette) are excited to take on.
To solve any hard problem, you start by truly understanding the problem. For us, this means listening to those who live it every day. So, that’s exactly what we did. Our team already has decades of combined experience in vulnerability management, but we still spent over a year reading every industry report, dissecting the strengths and weaknesses of current products, and most importantly having 100+ candid conversations with CISOs and vulnerability management teams. No assumptions, just a blank sheet of paper and a lot of questions. As we suspected, patterns emerged. We heard the frustration, the fatigue, the creative hacks to make broken tools work. And we kept going until the “Aha” moments turned into “Yeah, we’ve heard that one before.”
Unsurprisingly, most companies have far more vulnerabilities than they can fix now, or ever, and the problem is only getting worse. Many scanners can’t even keep up with the size of modern networks, especially at organizations trying to scan all assets daily. That’s a serious problem when adversaries are now turning newly released patches into working exploits faster than change-control meetings can finish.
Scanning everything is also brutally expensive, often costing as much as a breach over time. Prioritization tools? Everyone is still customizing the defaults. No one uses them as-is. Justifying remediation is still a nightmare. How do you weigh the cost of a fix against the dollar value of the risk it avoids? And let’s not forget: only about 1% of all CVEs are ever exploited in the wild. Adversaries don’t have to innovate when scaling the same old tricks works just fine. It’s a glaring sign that the way we approach vulnerability management isn’t working and needs a rethink.
From all of our meetings, we categorized vulnerability management’s biggest challenges:
Overwhelming Vulnerability Backlogs: Security teams are drowning in more vulnerabilities than they can ever realistically fix.
Scanner Scalability: Existing scanners are often unable to scale to the size or speed needed for daily scans across many large modern networks.
Excessive Scan Costs: Because of the size of the attack surface and the number of vulnerabilities to check for, scanning all assets continuously is so expensive it can surpass the financial cost of a breach.
Lack of Context and Prioritization: Security teams need improved prioritization tools that reflect the real risk in the environment so they don’t have to constantly customize priority queues.
Difficulty Justifying Remediation Spend: It’s extremely difficult to compare the costs associated with fixing vulnerabilities to the actual reduction in financial or operational risk.
Chronic Under-Resourcing: Security teams are often underfunded and understaffed for the scale and complexity of the problem.
Unrealistic Patching Expectations: Security teams are expected to patch all ‘critical’ issues in under 30 days as mandated by compliance or other legal obligation, which is a rare accomplishment and of unclear value in terms of risk.
Exploit Velocity: Adversaries are getting faster at reverse-engineering a disclosed vulnerability, or its patch, into a working exploit, shrinking the defender’s response window.
Adversary Advantage: Adversaries rarely have to innovate as they’re able to just scale what's already working.
We’ve taken a hard look at today’s vulnerability scanners: what they promise, how they work, and how vendors pitch them. Let’s be honest, the incumbents’ value proposition is nearly identical across the board and a decade old: find more vulns than anyone else, no matter how theoretical, rank them with some black-box “prioritization,” then hand off the results. Sure, these tools have value, but when adversaries are exploiting less than 1% of known vulnerabilities, “find everything” is no longer the winning strategy.
What companies really want isn’t rocket science: they need to identify the vulnerabilities that are most likely to cause a breach and cost real money right now, translate that risk into dollars and cents, pinpoint who owns the fix, and justify why it’s worth doing (or not). Everything else, the mountain of never-exploited CVEs, can wait its turn. If we work on this together, there is an opportunity to reduce breaches by 50%. All we have to do is build a technology that focuses on these exact vulnerabilities and provide teams with what they need to justify fixing those first.
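One way to make the cost-versus-avoided-risk comparison concrete, as an added example that is not code from this post or from its authors: the Python below scores a handful of constructed findings with a FAIR-style annualized expected loss (probability of exploitation within a year times loss if exploited), ranks them by expected loss removed per remediation dollar, spends a fixed budget greedily, and records why each deferred item was deferred so the decision can be handed to the business. The finding labels, asset names, owners, probabilities, dollar figures, the internet-reachability discount and the known-exploited probability floor are all assumptions for illustration, not measurements.

```python
"""Rank vulnerability findings by expected loss avoided per remediation dollar.

Added example, not code from the original post or its authors. It assumes a
simple FAIR-style model: annual expected loss = P(exploited in a year) x loss
if exploited. All labels, probabilities, dollar values and the two tuning
constants below are constructed for illustration, not real data.
"""
from dataclasses import dataclass

# Assumptions (tune per environment): a finding on a host not reachable from
# the internet keeps only this fraction of its exploitation probability, and a
# finding already known to be exploited in the wild gets at least this probability.
INTERNAL_FACTOR = 0.1
KEV_FLOOR = 0.5


@dataclass(frozen=True)
class Finding:
    label: str                # constructed placeholder, not a real CVE id
    asset: str
    owner: str                # team responsible for the fix
    exposed: bool             # reachable from the internet?
    known_exploited: bool     # on a known-exploited list?
    p_exploit: float          # estimated P(exploited in a year), EPSS-style
    loss_if_exploited: float  # dollars, from asset criticality
    fix_cost: float           # dollars of engineering/ops effort to remediate


def exploit_probability(f: Finding) -> float:
    """Adjust the raw estimate for known exploitation and reachability."""
    p = max(f.p_exploit, KEV_FLOOR) if f.known_exploited else f.p_exploit
    if not f.exposed:
        p *= INTERNAL_FACTOR
    return min(p, 1.0)


def annual_expected_loss(f: Finding) -> float:
    return exploit_probability(f) * f.loss_if_exploited


def remediation_roi(f: Finding) -> float:
    """Expected dollars of loss removed per dollar spent on the fix."""
    return annual_expected_loss(f) / f.fix_cost


def prioritize(findings, budget, min_roi=1.0):
    """Greedy plan: take findings in descending ROI while they fit the budget.

    Returns (chosen, deferred, avoided_loss). Each deferred entry carries the
    reason, which is the justification a team can show for not fixing it now.
    """
    chosen, deferred, spent, avoided = [], [], 0.0, 0.0
    for f in sorted(findings, key=remediation_roi, reverse=True):
        roi = remediation_roi(f)
        if roi < min_roi:
            deferred.append((f, f"fix costs more than it removes (ROI {roi:.2f})"))
        elif spent + f.fix_cost > budget:
            deferred.append((f, f"over budget (needs ${f.fix_cost:,.0f})"))
        else:
            chosen.append(f)
            spent += f.fix_cost
            avoided += annual_expected_loss(f)
    return chosen, deferred, avoided


def by_owner(chosen):
    """Group the selected work by the team that has to do it."""
    out = {}
    for f in chosen:
        out.setdefault(f.owner, []).append(f.label)
    return out


# Constructed sample findings (placeholder labels, not real CVEs or assets).
SAMPLE = [
    Finding("F-1", "vpn-edge", "netops", True, True, 0.9, 2_000_000, 20_000),
    Finding("F-2", "dev-jumpbox", "platform", False, False, 0.02, 50_000, 5_000),
    Finding("F-3", "customer-portal", "webapp", True, False, 0.3, 500_000, 50_000),
    Finding("F-4", "billing-db", "dba", False, True, 0.6, 3_000_000, 100_000),
]

if __name__ == "__main__":
    chosen, deferred, avoided = prioritize(SAMPLE, budget=80_000)
    for f in chosen:
        print(f"FIX   {f.label:4} {f.owner:9} ROI {remediation_roi(f):6.1f}"
              f"  expected loss ${annual_expected_loss(f):,.0f}/yr")
    for f, why in deferred:
        print(f"DEFER {f.label:4} {f.owner:9} {why}")
    print(f"expected loss avoided: ${avoided:,.0f}; work by owner: {by_owner(chosen)}")
```

With the sample inputs, the internet-facing, known-exploited VPN finding and the exposed web-app finding are chosen, the internal database finding is deferred for budget despite a high raw probability, and the internal jump box is deferred because the fix costs more than the expected loss it removes. The model is deliberately crude; the point is that each line of output carries a dollar figure, an owner, and a reason.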