Vulnerability programs measure scans, not risk
- SC Media and practitioners this week argued vulnerability programs still reward scan volume, even as hybrid-cloud and AI estates make raw counts less useful.
- The sharpest detail is scale: Qualys says 48,177 CVEs landed in 2025, while only 1% were ever weaponized.
- That shifts the target from “how much did we scan?” to “what exploitable exposure did we actually remove?”
Vulnerability management is having a measurement problem. Most teams can tell you how many assets they scanned, how many findings they opened, and how many “criticals” are sitting in the queue. But that doesn’t answer the question executives actually care about — what is truly exploitable right now, and is that exposure going down? This week’s push from SC Media commentary and practitioners landed on exactly that gap: modern environments got more complex, but a lot of security programs are still grading themselves on activity, not risk.

### Why are scan counts suddenly looking weak?

Because the environment changed faster than the metric did. Hybrid IT now means public cloud, private infrastructure, SaaS, containers, legacy on-prem systems, and increasingly AI systems all living together. A scanner can still produce a giant list. But a giant list is not the same thing as a prioritized picture of danger. In these mixed estates, visibility is fragmented across consoles, teams, and scoring systems, so raw totals mostly tell you how much stuff exists — not which path an attacker can actually use. (scworld.com)

### What broke in the old model?

The old model assumed periodic scanning plus patching was close enough to risk reduction. That worked better when estates were smaller and slower-moving. It works worse when cloud roles change by the hour, APIs appear and disappear, and AI systems introduce issues like prompt injection, data leakage, and unintended actions that don’t fit neatly into classic software flaw buckets. (scworld.com)

Basically, the measurement layer still thinks like a patch program while the exposure layer now includes identity, configuration, reachability, and runtime behavior.

### Why doesn’t CVSS solve this?

Because severity is not exploitability.
NIST’s National Vulnerability Database is still foundational, but even its scoring data needs constant maintenance — NIST said on April 28 it had to correct about 4,500 CVE records with inaccurate CVSS v4 numerical scores. That doesn’t make CVSS useless. It just means a severity score is one signal, not the answer. A “critical” issue that isn’t reachable or is blocked by existing controls may matter less than a lower-scored flaw sitting on an exposed internet-facing asset. (scworld.com)

### What are teams using instead?

They’re layering in evidence about real-world exploitation. CISA’s KEV catalog tracks vulnerabilities that are known to be exploited in the wild. FIRST’s EPSS estimates the probability a CVE will be exploited in the next 30 days. Those two signals push teams away from “fix everything with a high base score” and toward “fix what attackers are actually likely to use against us.” It’s a shift from theoretical danger to attack likelihood. (nist.gov)

### Why is this getting louder now?

Volume. Qualys said 48,177 CVEs were published in 2025, and argued that only 1% are ever weaponized. Even if that exact ratio varies by dataset, the point stands — the vulnerability firehose is now too large for blanket remediation. When every dashboard is red, teams start optimizing for what they can count easily. That usually means scan coverage and ticket closure. (cisa.gov)

But those are throughput metrics, not exposure metrics.

### So what should the KPI be?

Time-to-remediate for exploitable, exposed issues is better. Exposure reduction over time is better. Asset coverage still matters, but as a hygiene metric, not the main success metric. The useful scoreboard is something like: how many internet-facing or business-critical exposures were validated, how fast were they fixed, and how much attack surface actually shrank? (blog.qualys.com)

That is much closer to the question a board or CISO is really asking.

### What does this mean for AI and hybrid estates?
It means vulnerability management is turning into exposure management. The catch is that the work gets messier — more identity context, more cloud configuration data, more validation, more correlation across tools. But that mess is real. Pretending it can be reduced to scan totals is like judging a hospital by how many thermometers it owns. The instrument count is not the patient outcome. (sentinelone.com)

### Bottom line?

The story this week is not that scanning stopped mattering. It’s that scanning became the easy part. The hard part now is proving which exposures are reachable, exploitable, and worth precious engineering time first. Teams that keep measuring volume will look busy. Teams that measure exposure reduction will actually get safer. (scworld.com)
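To make the contrast between the throughput metrics and the exposure KPIs above concrete, here is an added example (not from the article or any vendor it cites) that ranks findings by KEV membership, EPSS and reachability before CVSS, then computes closure rate next to time-to-remediate for exploitable, exposed issues. The finding records, CVE placeholder ids and the 0.1 EPSS threshold are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Tuple

@dataclass
class Finding:
    asset: str
    cve: str            # placeholder ids below, not real CVEs
    cvss: float         # base severity score
    epss: float         # FIRST EPSS: probability of exploitation in 30 days
    in_kev: bool        # listed in CISA KEV (known exploited)
    internet_facing: bool
    opened: date
    closed: Optional[date] = None

EPSS_THRESHOLD = 0.1  # assumed cut-off for "likely to be exploited"

def exploitable_exposed(f: Finding) -> bool:
    """Exposure as the article frames it: reachable AND likely used by attackers."""
    return f.internet_facing and (f.in_kev or f.epss >= EPSS_THRESHOLD)

def priority(f: Finding) -> Tuple[bool, bool, float, float]:
    """Sort key: KEV first, then reachability, then EPSS; CVSS only breaks ties."""
    return (f.in_kev, f.internet_facing, f.epss, f.cvss)

def ranked(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=priority, reverse=True)

def throughput_metrics(findings: List[Finding]) -> dict:
    """What a scan-volume dashboard reports: findings opened and tickets closed."""
    return {"findings": len(findings),
            "closed": sum(f.closed is not None for f in findings)}

def exposure_metrics(findings: List[Finding], as_of: date) -> dict:
    """What the article argues the KPI should be: exploitable, exposed issues only."""
    exposed = [f for f in findings if exploitable_exposed(f)]
    fixed = [f for f in exposed if f.closed is not None]
    still_open = [f for f in exposed if f.closed is None]
    ttr_days = [(f.closed - f.opened).days for f in fixed]
    return {"exploitable_exposed_total": len(exposed),
            "exploitable_exposed_open": len(still_open),
            "median_days_to_remediate": median(ttr_days) if ttr_days else None,
            "oldest_open_days": max(((as_of - f.opened).days for f in still_open), default=0)}

# Constructed sample: many closed tickets, but the one KEV-listed, internet-facing flaw is still open.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, 0.02, False, False, date(2025, 5, 1), date(2025, 5, 3)),
    Finding("web-01", "CVE-0000-0002", 7.5, 0.90, True, True, date(2025, 4, 20), None),
    Finding("vpn-01", "CVE-0000-0003", 6.5, 0.40, False, True, date(2025, 4, 25), date(2025, 5, 5)),
    Finding("db-02", "CVE-0000-0004", 9.1, 0.01, False, False, date(2025, 5, 2), date(2025, 5, 4)),
    Finding("db-02", "CVE-0000-0005", 5.3, 0.05, False, True, date(2025, 5, 2), date(2025, 5, 6)),
]
```

On this sample the closure rate reads 4 of 5, while the exposure view shows one exploitable internet-facing issue open for 20 days and the highest-CVSS finding ranked below a KEV-listed one with a lower base score.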