August 27, 2025

The KPI We’ve Been Missing in Vulnerability Management

Jeremiah Grossman


Vulnerability management has been around forever, yet I don’t think we’ve ever had a true Key Performance Indicator (KPI) for it. At least not one that tells us if we’re actually making progress as an industry. We scan. We prioritize. We patch. But how do we know if all of this effort is working?

Here’s my take: progress in vulnerability management should be measured by whether we force the adversary to shift resources from scaling to innovation.

Think about it. Adversaries love scale. Spray-and-pray attacks across the Internet with the same handful of CVEs. Cheap, easy, repeatable. But innovation? That costs them time, money, and brainpower. If we can force adversaries to innovate to keep from being thwarted, we’re winning. Every dollar or hour they burn is one they can’t spend pummeling us at scale.

How We Measure Scale vs. Innovation

There are a couple of signals that give us a peek into this balance.

1. Attack traffic. Sensor networks like GreyNoise show adversaries hammering the Internet with mass traffic that uses only a tiny set of vulnerabilities. This is the definition of scale: volume over novelty.

2. Known Exploited Vulnerability (KEV) lists. These are even stronger indicators of what’s actually being used in the wild. CISA has their KEV, but in my view VulnCheck’s KEV is the most comprehensive. If we’re looking for a KPI, this might be the best one we’ve got.

The Numbers Don’t Lie (and They’re Kind of Embarrassing)

At the time of this writing there are 306,861 CVEs in total. VulnCheck KEV? Roughly 4,017 vulnerabilities. That's about 1.3%. Only about 1.3% of all known CVEs are known to have been exploited in the wild. And here's the kicker: that number hasn't budged much at all in years.

Different datasets say the same thing:

  • VERIS (the incident data behind the Verizon DBIR): 44 CVEs
  • Mandiant’s Initial Access Vectors: 12 CVEs
  • A top-tier DFIR firm recently shared with us that across ~1,400 breaches they investigated over the last year, the list of initial access vectors that mattered was “about 20 CVEs.”

In other words, adversaries don't need to innovate. The old stuff still works. Let's be honest with ourselves. After all these years of vulnerability management, all the reports, all the money spent, all the talk, we're still only at ~1%. If that isn't proof that the current approach to vulnerability management is broken, I don't know what is. We have to fix this.

The Path Forward

Here’s the premise: adversaries will not burn calories on exploiting new vulnerabilities if the old ones still get the job done. So if, as an industry, we can collectively wipe out the CVEs they rely on the most, those KEV-listed vulnerabilities that actually lead to breaches, then adversaries will be forced to adapt. And when they do, their costs rise. 

That’s progress.

The KPI I'd want to see? The share of all CVEs that show up on KEV lists going up. If today it's ~1%, I want to see it climb to 2%, then 5%, then higher. Because that would mean attackers are being forced to innovate and spend more just to break in.
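To make the KPI concrete, here is an added example (my code, not the author's) that computes it two ways: industry-wide, as cumulative KEV entries over cumulative published CVEs per year, and for one organisation, as the KEV-listed slice of its open scanner findings. The KEV sample below follows the field names of CISA's public KEV JSON feed, but its CVE IDs, dates, per-year CVE counts and scanner findings are constructed placeholders, not a real snapshot.

```python
"""Exploited-share KPI: KEV-listed CVEs as a fraction of all CVEs, tracked
over time, plus the KEV-listed slice of one org's open findings.
Example code for this post; data below is constructed."""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed (same field names).
# CVE IDs and dates are placeholders, not real catalog entries.
KEV_JSON = """{
  "title": "Constructed KEV sample",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-2019-0101", "vendorProject": "VendorA", "product": "VPN",
     "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-0202", "vendorProject": "VendorB", "product": "Logger",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-0303", "vendorProject": "VendorC", "product": "Mail",
     "dateAdded": "2022-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-0404", "vendorProject": "VendorD", "product": "Firewall",
     "dateAdded": "2023-06-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-0505", "vendorProject": "VendorE", "product": "CMS",
     "dateAdded": "2024-02-20", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed assumption: CVEs published per year (in practice, count the
# NVD feed by published date).
PUBLISHED_PER_YEAR = {2021: 100, 2022: 120, 2023: 150, 2024: 180}

# Constructed scanner export: (host, cve) pairs that are still open.
OPEN_FINDINGS = [
    ("web-01", "CVE-2021-0202"), ("web-01", "CVE-2024-9999"),
    ("vpn-01", "CVE-2019-0101"), ("mail-01", "CVE-2022-0303"),
    ("db-01", "CVE-2023-7777"), ("db-01", "CVE-2023-8888"),
]


def load_kev(text):
    """Map cveID -> year the entry was added to the catalog."""
    feed = json.loads(text)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]).year
            for v in feed["vulnerabilities"]}


def exploited_share(kev_count, total_cves):
    """The post's KPI: fraction of all CVEs that appear on a KEV list."""
    if total_cves <= 0:
        raise ValueError("total_cves must be positive")
    return kev_count / total_cves


def kpi_by_year(kev_years, published_per_year):
    """Cumulative KEV entries / cumulative published CVEs, per year.
    A rising series means exploitation covers a growing share of CVEs."""
    series = {}
    cve_cum = 0
    for year in sorted(published_per_year):
        cve_cum += published_per_year[year]
        kev_cum = sum(1 for y in kev_years.values() if y <= year)
        series[year] = exploited_share(kev_cum, cve_cum)
    return series


def prioritize(findings, kev_years):
    """Split open findings into KEV-listed (fix first) and everything else."""
    listed = sorted({(h, c) for h, c in findings if c in kev_years})
    other = sorted({(h, c) for h, c in findings if c not in kev_years})
    return listed, other


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print("industry KPI (post's numbers): %.2f%%" % (100 * exploited_share(4017, 306861)))
    for year, share in kpi_by_year(kev, PUBLISHED_PER_YEAR).items():
        print(f"{year}: {100 * share:.2f}% of CVEs KEV-listed")
    listed, other = prioritize(OPEN_FINDINGS, kev)
    print(f"fix first ({len(listed)} KEV-listed):", listed)
    print(f"remaining ({len(other)}):", other)
```

Track the numerator and denominator alongside the ratio: the share can also move because CVE publication volume changes or because KEV coverage improves, so a rising number only supports the post's reading when it is the KEV count that is growing. The `prioritize` split is the org-level version of the same idea: the KEV-listed findings are the ones that feed the industry numerator, and are the ones to close first.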

That’s the real win in vulnerability management. Not just patch counts. Not dashboards turning from red to green. But bending the economics of the game until the adversary is the one stuck working harder for less return. Forcing their focus from scaling to innovating and increasing their costs in the process.

Closing Thought

We don’t need to boil the ocean of 300,000+ CVEs. We need to strangle the 1% that adversaries actually use. Do that, and for the first time, we’ll have a KPI that shows we’re making real progress. If we’re still stuck at 1% next year or a couple years from now, we’re doing something wrong, very wrong. And if the day ever comes where attackers finally have to innovate instead of recycle old bugs, well… you’ll know we’re on the right track.
