Horizon3 pushes evidence-first SOC

- Horizon3.ai published a May 5 whitepaper urging SOC and ITSM teams to rank exposures by attacker-validated evidence instead of CVSS-led assumptions.
- The company’s guide says teams should focus on exploitable attack paths, integrate findings into ITSM workflows, and cut remediation backlog with proof.
- The whitepaper, “Unifying SOC and ITSM,” is available in Horizon3.ai’s resource center and download library.

Horizon3.ai is using a new whitepaper to press security teams to change how they decide what to fix first. The May 5 guide, “Unifying SOC and ITSM,” argues that security operations center teams and IT service management teams should rely on attacker-validated evidence rather than theoretical severity scores when they triage exposures. The company says the goal is to align security findings with remediation workflows and reduce time spent on issues that look urgent in a scanner but do not translate into a workable attack path. Horizon3.ai promoted the paper again this week in a social post that framed the approach as a response to assumption-driven risk scoring.

### Why is Horizon3 trying to reframe exposure management?

Horizon3.ai says its case starts with a gap between how many organizations measure risk and how attackers actually move. On its website, the company describes NodeZero as an autonomous penetration testing platform designed to show “what attackers can actually do” in an environment, contrasting that with “opinion-based risk scores.” The whitepaper applies that same argument to operational workflows, saying SOC and ITSM teams should align around evidence from real exploitability and validated attack paths. (horizon3.ai)

The May 5 download page says the guide is a leadership document on “evidence-driven cyber risk management and real-world validation.” The paper’s stated focus is not just vulnerability ranking, but coordination: it presents a model for connecting security validation results to ticketing and service management processes so remediation teams receive findings with business and attack context attached. (horizon3.ai)

### What does “attacker-validated evidence” mean in practice?

Horizon3’s product and documentation define the term in operational rather than academic language. The company says its Vulnerability Risk Intelligence feature lets customers import scanner output from tools including Tenable, Rapid7 and Qualys, then reclassify findings using “real exploit evidence and attack correlation” to prioritize what attackers can actually exploit. (horizon3.ai) That is the clearest product-level expression of the whitepaper’s thesis: a finding matters more if it has been tied to a viable attack path than if it simply carries a high score.

Horizon3 also uses the phrase across its broader marketing. Its homepage says the platform is built to reveal “actual business exposure” and to let customers “stop guessing and start proving” their security posture. The whitepaper extends that pitch to SOC and ITSM teams, arguing that evidence can give responders and infrastructure owners more actionable remediation context than a CVSS number on its own. (docs.horizon3.ai)

### Where do SOC and ITSM teams fit into this?

The whitepaper is aimed at the handoff problem between security teams that detect and validate issues and operations teams that have to fix them. Horizon3 says organizations should integrate offensive validation into existing ITSM workflows so remediation tickets reflect exploitability, likely attack paths and the systems that matter most, rather than raw scanner volume alone. The company says that approach can help teams focus on exploitable paths, reduce vulnerability noise and improve remediation outcomes. (horizon3.ai)

A related Horizon3 research report published this month, “The State of Assumed Security,” makes a similar argument with survey findings. That report says only 26% of respondents test whether their SOC detects and interrupts real attack techniques, and only 11% confirm or remediate known exploited vulnerabilities within 24 hours. Those figures are presented by Horizon3 as evidence that many security programs still trust controls and prioritization models they have not recently validated. (horizon3.ai)

### How does this fit Horizon3’s broader product push?

Horizon3 has been moving beyond autonomous pentesting into what it calls attacker-validated risk management. A company release in late 2025 described new risk-based vulnerability management enhancements as a way to help enterprises prioritize “the most business-critical cyber risks” with proof. The current whitepaper follows that line by shifting the message from product capability to operating model: use offensive validation not as a one-off exercise, but as an input to day-to-day prioritization and service management. (horizon3.ai)

The whitepaper remains available through Horizon3.ai’s downloads section and whitepaper archive, where it is listed under a May 5, 2026 publication date. (horizon3.ai) (aithority.com)
