Root Evidence Research Finds Only 1.4% of Vulnerabilities Are Known to Be Exploited in Real-World Attacks

‍New Q1 2026 analysis challenges the industry’s reliance on CVSS scores and volume-based remediation strategies

‍

BOISE, Idaho — May 27, 2026 — Root Evidence, the cybersecurity startup championing evidence-based security, today released new research showing that the cybersecurity industry’s current approach to vulnerability management is overwhelmingly focused on the wrong problems. The report, Stop Counting CVEs: What Actually Mattered in Q1 2026, analyzed publicly available vulnerability and exploitation data from Q1 2026 and found that only a small fraction of vulnerabilities are actually tied to real-world exploitation and breaches.

‍

The findings challenge long-standing assumptions that more visibility, more scanning, and more remediation volume automatically lead to better security outcomes.

‍

“Security teams have spent years drowning in dashboards, critical severity scores, and endless remediation queues, but breaches continue to happen because the industry has confused activity with risk reduction,” said Robert Hansen, CTO at Root Evidence. “The data shows that exploitation is highly concentrated and measurable. Organizations should prioritize what attackers actually use, not every theoretical vulnerability equally.”

‍

The report analyzed approximately 4,920 publicly known exploited vulnerabilities (KEVs) made available from CVEdata.com and compared them against common industry prioritization signals, including CVSS, EPSS, exploit code availability, Metasploit modules, and Nuclei templates.

‍

Among the report’s key findings:

• Only approximately 1.4% of publicly disclosed vulnerabilities are known to be exploited in real-world attacks, suggesting that the industry’s “patch everything” approach creates massive inefficiency with limited measurable risk reduction.
• Exploitation activity is heavily concentrated around a relatively small subset of vulnerabilities, many of them years old, as attackers prioritize reliability and scale over novelty.
• Commonly used prioritization signals perform poorly as indicators of real-world exploitation. The research found weak correlation between KEV data and exploit proof-of-concept availability, Metasploit modules, and Nuclei templates.
• CVSS severity scores alone are insufficient predictors of operational risk, as many exploited vulnerabilities fall below the “critical” threshold commonly used in enterprise remediation programs.
• Attack surface exposure matters more than severity. Exploited vulnerabilities disproportionately affect widely deployed edge technologies, VPNs, firewalls, client-side applications, and injection-based weaknesses.
• Threat intelligence and risk models are often misaligned with financial reality, focusing heavily on nation-state activity while underrepresenting financially motivated criminal actors responsible for the majority of material losses.

‍

The report argues that vulnerability management programs should move away from volume-based remediation models and toward evidence-based prioritization grounded in real-world exploitation patterns, actuarial data, and observed attacker behavior.

‍

“CVSS base score isn’t broken because it’s inaccurate; it’s broken because organizations treat it like a business risk predictor when it was never designed to be one,” said Hansen. “The organizations that shift from counting vulnerabilities to measuring evidence-based risk reduction will operate more efficiently and will arguably be more secure.”

‍

Root Evidence recommends organizations:

• Prioritize vulnerabilities with demonstrated exploitation or evidence-based indicators tied to attacker behavior.
• Treat CVSS as one signal among many rather than a standalone decision-making framework.
• Focus remediation resources on concentrated areas of measurable risk exposure.
• Measure success through risk reduction outcomes instead of remediation volume or ticket closure metrics.
• Incorporate business exposure and attack surface context into prioritization decisions.

‍

The report concludes that organizations continuing to optimize for remediation volume instead of evidence-driven outcomes are likely overspending resources while leaving genuinely dangerous exposures unresolved.

‍

The full report, Stop Counting CVEs: What Actually Mattered in Q1 2026, is available from Root Evidence.

‍

Organizations interested in learning how evidence-based vulnerability prioritization can reduce remediation fatigue and improve security outcomes can request a demo from Root Evidence.

‍

About Root Evidence

Root Evidence is a cybersecurity company advancing evidence-based vulnerability management to help organizations focus on the small percentage of vulnerabilities that are actually exploited in the wild, have caused reported breaches, and led to material financial losses. With Root Evidence, security teams can measurably reduce financial risk, prioritize remediation efforts where they have the greatest impact, and reduce the likelihood of breaches. Founded in 2025 by Jeremiah Grossman, Robert Hansen, Heather Konold, and Lex Arquette, the company is headquartered in Boise and backed by Ballistic Ventures, Grossman Ventures, and leading cybersecurity experts.

‍

Media Contact:

Kylie Heintz

Marketing Advisor, Root Evidence

kylie@rootevidence.com 

‍