8 June 2026 Security Tips .
You like this content ?
Share it on the networks
In brief: 48,185 CVEs were published in 2025 — a 263% increase since 2020. Attackers now exploit critical vulnerabilities in under 5 days. Since April 2026, NIST no longer updates all entries in the NVD. For every security team, vulnerability management is no longer a quarterly task. It is a continuous monitoring process that directly shapes your security posture.
Most organisations fix less than 15% of their vulnerabilities each month. The rest sit in a backlog that grows faster than teams can clear it.
At the same time, attackers move faster than ever. Offensive AI tools now generate working exploits in under 15 minutes. Emerging threats appear daily. A quarterly scan simply cannot keep up.
Three changes make proactive vulnerability management essential in 2026.
Volume. Too many security vulnerabilities, not enough time. Without a clear method to prioritize vulnerabilities, security teams end up working on issues attackers will never touch.
Speed. The median exploitation window dropped from 45 days in 2020 to under 5 days in 2025 (Cloud Security Alliance, 2026). By the time a quarterly report lands, critical assets may already be compromised.
Incomplete data. Since April 2026, NIST no longer enriches all NVD entries. Security teams that rely only on NVD scores are working with gaps. Vulnerability scanners that depend on this data inherit those gaps too.
For years, the maturity of a vulnerability management program was measured by its ability to identify an ever-growing number of vulnerabilities. The evolution of scanners, SAST tools, SCA platforms, and more recently artificial intelligence has fundamentally changed that reality.
Today, organizations generate thousands—or even tens of thousands—of findings every month. Yet only a fraction of those results lead to concrete remediation actions.
The challenge is therefore no longer to produce more alerts, but to distinguish:
vulnerabilities that are actually exploitable;
assets that are genuinely exposed;
risks that could impact business operations;
actions capable of significantly reducing the organization's exposure.
In this context, the value of a vulnerability management program is no longer measured by the volume of findings detected, but by its ability to transform thousands of signals into a handful of prioritized actions.
These terms appear in every vulnerability management tool, report, and compliance conversation. Understanding them is the foundation of an effective approach to vulnerability management.
CVE — a unique ID for a known vulnerability, managed by MITRE. Every finding from vulnerability scanners maps to a CVE ID.
CVSS — a score from 0 to 10 measuring theoretical severity. It is the standard starting point but must be combined with EPSS and KEV to reflect real risk. Note: CVSS v4.0 (released November 2023) improves granularity and better covers OT/ICS systems — teams migrating from v3.1 should review their SLAs before applying new scores.
EPSS — daily probability of exploitation within the next 30 days. Only 2.3% of CVEs scored CVSS 7+ are actually exploited in a given month (FIRST). EPSS tells you which ones attackers are targeting right now.
CISA KEV — a catalog of CVEs with confirmed active exploitation. In 2025, it listed 1,484 entries, including 24 linked to ransomware campaigns. Any KEV entry is top priority, regardless of its CVSS score.
MTTD / MTTR — Mean Time To Detect and Mean Time To Remediate. The two metrics that measure how fast your security team finds and fixes problems.
A real-world example of why scores alone are misleading: Heartbleed had a CVSS of 5.0 despite global impact. Spectre scored 4.7. In Q1 2025, 28% of exploited vulnerabilities had only a medium CVSS score (Picus Security, 2026).
You cannot start identifying vulnerabilities on assets you do not know exist. The first step is building a complete, live asset inventory: servers, applications, cloud services, APIs, containers, network devices.
This must include shadow IT — SaaS tools used without approval, forgotten subdomains, cloud instances deployed outside the IT process. These are exactly the gaps that attackers look for.
Vulnerability scanning tools analyse the assets you give them. EASM (External Attack Surface Management) finds what you did not know about and adds it to your monitoring automatically.
Once assets are known, vulnerability scanning identifies the issues. But a raw list of findings is not a risk assessment. To make good decisions, each finding needs to be evaluated on three factors: the vulnerability itself, the threat context, and the asset it affects.
CVSS gives you severity. EPSS gives you likelihood. KEV tells you if it is already being exploited. Together, they give you the full picture.
A simple example: which vulnerability should your security team fix first?
The intuitive answer is #1. The correct answer is #2: internet-exposed, public exploit available, patch ready to apply. #3 is KEV but has no patch — it needs a compensating control (WAF rule, network segmentation). #1 is critical on paper but internal with no exploit in the wild.
Once risk is clear, remediation efforts can be focused on what matters. Three paths exist.
Patching removes the vulnerability completely. It requires coordination between the security team and IT, maintenance windows, and regression testing. The rule is simple: no owner, no fix. Every critical vulnerability needs a named owner.
Mitigation reduces exposure when patching is not possible — disabling a service, applying a WAF rule, restricting access.
Risk acceptance is a formal decision to leave a vulnerability in place, documented and approved by the CISO, based on compensating controls.
Clear SLAs make remediation efforts consistent:
Modern security tools generate a massive volume of results from scanners, code analysis platforms, dependency checks, and automated detection systems.
Consider the following simplified example:
These figures do not necessarily indicate that security tools generate mostly false positives. Instead, they highlight the effort required to qualify, contextualize, and prioritize findings before remediation teams can take action.
Not every finding represents an exploitable risk. Some vulnerabilities affect non-exposed assets, others have no known exploit, and some may already be mitigated by existing security controls.
The most mature organizations focus their efforts on:
internet-facing assets;
exploitable vulnerabilities;
business-critical systems;
vulnerabilities actively exploited in the wild;
actions that provide the greatest risk reduction.
The objective is no longer to address every finding that is detected, but to identify the relatively small number of exposures that account for the majority of the organization's risk.
A patch applied is not a patch confirmed. Some patches are incomplete. Others do not cover every affected instance. Validation means running a new vulnerability scan after remediation, and for critical vulnerabilities, manual penetration testing to confirm the issue is truly resolved. Penetration testing is also the best way to check whether compensating controls actually block exploitation.
Track MTTD and MTTR by severity. Monitor attack surface coverage. Measure the percentage of KEV vulnerabilities fixed within SLA. These metrics show whether your approach to vulnerability management is improving over time — and they provide the auditable evidence required by NIS2 (Art. 21), DORA (Ch. II and IV), and ISO 27001 (Annex A 8.8).
The number of vulnerabilities detected or tickets created measures activity. It does not necessarily demonstrate risk reduction.
The most mature organizations complement traditional vulnerability management metrics with exposure-focused indicators such as:
the number of internet-facing assets;
the percentage of KEV vulnerabilities remediated within SLA;
reduction of the critical vulnerability backlog;
coverage of the known attack surface;
the number of critical exposures eliminated each quarter.
The goal is no longer simply to measure what has been detected, but to demonstrate what has actually been secured.
No single tool covers the full lifecycle. An effective security team combines several categories.
Vulnerability scanners (Tenable Nessus, Qualys VMDR, Rapid7 InsightVM) run automated vulnerability scanning across known assets. Fast and broad — but limited to what you tell them to scan.
SAST (SonarQube, Checkmarx) catches security vulnerabilities in source code before deployment.
SCA (Snyk, Dependabot) identifies vulnerable open-source dependencies. The VEX format is emerging as a complement to SBOM — it lets vendors declare whether a CVE is actually exploitable in their specific context, reducing noise for teams consuming the data.
RBVM (Hackuity, Vulcan Cyber) aggregates scanner data and prioritises based on real risk, not raw CVSS.
CTI (MISP, Recorded Future, Sekoia) adds threat context: which attacker groups are active, which CVEs they are using, what campaigns are running.
EASM finds the assets your scanning tools do not know about — the blind spot that traditional vulnerability scanning cannot cover.
Five criteria to evaluate any solution: coverage of all asset types, prioritization quality beyond CVSS, false positive rate, ITSM integration for ownership tracking, and audit-ready reporting.
Patrowl is a French platform combining EASM and continuous penetration testing (PTaaS). It addresses the two structural gaps of traditional vulnerability scanners: assets you do not know about, and alert volumes that exhaust security teams.
In practice: a security team managing 3,000 CVEs in their scanner backlog receives from Patrowl a short list of actionable findings. Each one has been manually reviewed by an in-house CERT analyst before it reaches the team. No noise, no ticket opened on a vulnerability with no real exposure. Only what is genuinely exploitable — with the context to act.
Patrowl enables security teams to continuously discover uninventoried assets, detect exploitable vulnerabilities with findings prioritized based on CVSS × EPSS × KEV × exposure, run continuous penetration testing with documented retests, monitor supplier exposure, and produce audit-ready reports for NIS2 and DORA.
