Elevating Security Posture: A Comprehensive Approach Beyond Vulnerability Management
The reactive nature of vulnerability management, along with the delays introduced by policy and process constraints, places considerable strain on security teams. Capacities are often limited, making immediate patching unfeasible. An analysis of our Vulnerability Operation Center (VOC) dataset revealed 1,337,797 unique findings across 68,500 customer assets, including 32,585 distinct Common Vulnerabilities and Exposures (CVEs), of which 10,014 were rated with a Common Vulnerability Scoring System (CVSS) score of 8 or higher. External assets accounted for 11,605 distinct CVEs, whereas internal assets had 31,966. With such a high volume of vulnerabilities, it is expected that some remain unpatched, ultimately leading to security breaches.
This predicament raises important questions: Why are we entrenched in this situation? What actions can be taken to improve it, and is there a more effective methodology available?
In this discussion, we will examine the current state of vulnerability reporting, prioritize vulnerabilities based on threat likelihood and potential exploitation, evaluate statistical probabilities, and briefly touch on risk considerations. Furthermore, we will explore solutions designed to mitigate vulnerability ramifications while maintaining flexibility in crisis response.
Western nations and organizations use the Common Vulnerabilities and Exposures (CVE) list and the Common Vulnerability Scoring System (CVSS) to track and rate vulnerabilities, under the auspices of U.S. government-funded initiatives such as MITRE and NIST. By September 2024, the CVE program, operational for 25 years, had documented over 264,000 CVEs. By April 15, 2025, this number was anticipated to grow to approximately 290,000, including both “Rejected” and “Deferred” entries.
The National Vulnerability Database (NVD) relies on CVE Numbering Authorities (CNAs) for initial CVSS assessments, streamlining the process but also introducing varying biases. Disclosures regarding serious vulnerabilities are frequently complicated by discrepancies between security researchers and vendors regarding impact and relevance, which in turn affects the broader cybersecurity community. A backlog exceeding 24,000 unenriched CVEs built up at the NVD due to bureaucratic delays initiated in March 2024, momentarily stalling CVE enrichment despite ongoing reports of vulnerabilities; this situation underscores the system’s inherent fragility.
On April 15, 2025, it was also announced that the U.S. Department of Homeland Security would not be renewing its contract with MITRE, creating further uncertainty about the future operations of the CVE program. Thankfully, subsequent funding for the program was extended, prompted by robust community and industry advocacy.
While the CVE and NVD are pivotal resources, they are not the only sources of vulnerability intelligence. Many organizations, including ours, have developed independent solutions that monitor significantly more vulnerabilities than those encompassed by MITRE’s CVE framework and NIST’s NVD.
Since its inception in 2009, China’s CNNVD has operated a separate vulnerability database, but geopolitical barriers hinder collaboration. Not all vulnerabilities are disclosed promptly, leaving potential blind spots, particularly for 0-day exploits. In 2023, Google’s Threat Analysis Group (TAG) and Mandiant discovered 97 zero-day exploits, predominantly affecting mobile devices, operating systems, browsers, and various applications. Only 6% of vulnerabilities in the CVE database have ever been exploited, yet reports from 2022 indicate that half of organizations patch only about 15.5% of their vulnerabilities each month.
Despite its significance for security professionals, the CVE system remains imperfect: it is voluntary and lacks both global regulation and universal adoption. This discussion therefore also explores ways to reduce our operational dependency on it.
Despite its limitations, the CVE system offers valuable insight into vulnerabilities of potential concern. Nevertheless, prioritizing the vulnerabilities most likely to be targeted by threat actors should be our foremost objective. The Exploit Prediction Scoring System (EPSS), created by a FIRST Special Interest Group (SIG), estimates the likelihood that a vulnerability will be exploited in the wild. With EPSS insight, security managers can decide whether to remediate a large number of CVEs for broad coverage or to concentrate on the critical few, maximizing efficiency while still preventing exploitation.
To illustrate the trade-off between wide-ranging coverage and strategic efficiency, we need two datasets: one reflecting potential patches (VOC dataset) and another comprising actively exploited vulnerabilities, incorporating resources such as the CISA Known Exploited Vulnerabilities (KEV) catalog, ethical hacking outcomes, and insights from our CERT Vulnerability Intelligence Watch service.
The EPSS threshold can help derive a selection of CVEs for patching based on their likelihood of exploitation in the field. The intersection between the proposed remediation set and the exploited vulnerabilities set enables the calculation of Efficiency, Coverage, and Effort of any chosen strategy.
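The Efficiency, Coverage and Effort calculation described above, as an added example that is not the article's own code. It follows the definitions FIRST uses for EPSS evaluation (effort = share of findings patched, coverage = share of exploited CVEs caught, efficiency = share of patched CVEs that were exploited); the CVE ids, EPSS scores and exploited set are constructed sample data, not values from the VOC dataset.

```python
# Added example: Effort / Coverage / Efficiency of an EPSS-threshold strategy.
# All ids and scores are constructed, not taken from any real dataset.

# Constructed "VOC" findings: CVE id -> EPSS probability (0..1).
VOC = {
    "CVE-0000-0001": 0.97, "CVE-0000-0002": 0.65, "CVE-0000-0003": 0.42,
    "CVE-0000-0004": 0.12, "CVE-0000-0005": 0.05, "CVE-0000-0006": 0.02,
    "CVE-0000-0007": 0.01, "CVE-0000-0008": 0.004, "CVE-0000-0009": 0.001,
    "CVE-0000-0010": 0.0005,
}

# Constructed "exploited" set (stand-in for KEV, pentest findings, CERT intel).
EXPLOITED = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0005", "CVE-0000-0009"}


def remediation_set(voc, threshold):
    """CVEs whose EPSS score meets or exceeds the chosen threshold."""
    return {cve for cve, p in voc.items() if p >= threshold}


def evaluate(voc, exploited, threshold):
    """Return (effort, coverage, efficiency) for one EPSS threshold.

    effort     = fraction of all findings that would have to be patched
    coverage   = fraction of exploited CVEs the strategy catches (recall)
    efficiency = fraction of patched CVEs that were actually exploited (precision)
    """
    chosen = remediation_set(voc, threshold)
    hits = chosen & exploited  # the intersection the text refers to
    effort = len(chosen) / len(voc) if voc else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(chosen) if chosen else 0.0
    return effort, coverage, efficiency


def sweep(voc, exploited, thresholds):
    """Evaluate several thresholds so the coverage/efficiency trade-off is visible."""
    return {t: evaluate(voc, exploited, t) for t in thresholds}


if __name__ == "__main__":
    for t, (eff, cov, effc) in sweep(VOC, EXPLOITED, (0.0, 0.1, 0.5, 0.9)).items():
        print(f"EPSS >= {t:<4} effort={eff:.2f} coverage={cov:.2f} efficiency={effc:.2f}")
```

Lowering the threshold raises coverage at the cost of effort; raising it improves efficiency but leaves exploited low-score CVEs unpatched, which is exactly the trade-off a strategy has to settle.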
EPSS forecasts the probability of any given vulnerability being exploited in a general sense, rather than targeting specific systems. The concept of scaling informs us that while one coin flip sits at a 50% chance for heads, ten flips increase the probability of at least one head to approximately 99.9%. According to FIRST, “EPSS predicts the likelihood of a specific vulnerability being exploited and can be scaled to estimate threats across servers, subnets, or entire networks by calculating the odds of at least one event occurring.”
To demonstrate this, we analyzed 397 vulnerabilities sourced from the VOC scanning data of a Public Administration client. Most vulnerabilities initially revealed low EPSS scores until a noticeable spike emerged, showing a rapid increase in the probability of at least one vulnerability being exploited, particularly as the number of distinct CVEs considered rose. By scrutinizing vulnerability data from publicly accessible systems, we illustrate the difficulties inherent in prioritizing vulnerabilities as the system’s complexity escalates.
As predicted by EPSS, the likelihood of a vulnerability being leveraged increases with the number of observed vulnerabilities, revealing that in extensive networks, even low-scoring vulnerabilities can collectively represent a meaningful exposure to threat.
This analysis identifies three essential truths that should shape our vulnerability management strategy:
1. Attackers typically focus on compromising systems, not just exploiting specific vulnerabilities.
2. Exploiting vulnerabilities is merely one pathway to total compromise.
3. The skill levels and persistence rates of attackers can vary significantly.
Understanding these principles allows for a refined assessment of how to gauge the probability of an arbitrary system being breached, and how to extrapolate these probabilities across a broader environment, particularly regarding system access.
Assuming every attacker can be assigned a probability of breaching a system, shaped by their experience, tools, and persistence, we can extend the analysis to estimate the statistical chance of compromise across a network. Using an adjusted binomial distribution, one can estimate the number of attempts required for attackers with various success rates to compromise a system.
This framework has a critical implication: within a corporate environment, even a moderately skilled attacker can often breach a single machine within about 100 attempts. Once a foothold is established, access to far more extensive resources often follows.
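The two probability arguments above, the EPSS "at least one" scaling across a host or network and the per-attempt success model for an attacker, rest on the same rule for independent events, P(at least one) = 1 - Π(1 - p_i). This added example (not the article's code) carries both through; the per-attempt model treats attempts as independent Bernoulli trials, a simplification of the binomial reasoning the article mentions, and all EPSS scores and skill rates are constructed.

```python
# Added example: "at least one" scaling for EPSS scores and for attacker attempts.
# Assumes independence between events; all numbers are constructed.
import math


def p_at_least_one(probs):
    """P(at least one event) = 1 - prod(1 - p_i) for independent events p_i."""
    miss = 1.0
    for p in probs:
        miss *= (1.0 - p)
    return 1.0 - miss


def p_compromise_within(p, attempts):
    """Probability that an attacker with per-attempt success p gets in within n attempts."""
    return 1.0 - (1.0 - p) ** attempts


def expected_attempts(p):
    """Mean number of attempts until first success (geometric distribution)."""
    return 1.0 / p


def attempts_for_confidence(p, confidence):
    """Smallest n such that P(success within n attempts) >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


# Constructed EPSS scores for one internet-facing host: mostly low, one modest.
HOST_EPSS = [0.001, 0.002, 0.004, 0.005, 0.01, 0.02, 0.05, 0.15]

if __name__ == "__main__":
    print(f"ten coin flips, at least one head: {p_at_least_one([0.5] * 10):.3%}")
    print(f"host with {len(HOST_EPSS)} low-EPSS CVEs: {p_at_least_one(HOST_EPSS):.1%}")
    for skill in (0.01, 0.03, 0.10):  # constructed per-attempt success rates
        print(f"p={skill}: within 100 attempts {p_compromise_within(skill, 100):.1%}, "
              f"expected {expected_attempts(skill):.0f} attempts, "
              f"{attempts_for_confidence(skill, 0.95)} attempts for 95% confidence")
```

Eight CVEs that each score well below 0.2 already add up to roughly a one-in-five chance of at least one being exploited, and a 3% per-attempt success rate exceeds 95% within 100 attempts, which is the point the text makes about low scores and moderately skilled attackers.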
Moving forward, we must rethink our approach to vulnerability management by building resilient architectures and environments that are less susceptible to compromise. The current focus on “vulnerabilities”, as cataloged by CVE, CVSS, and EPSS, limits proactive strategies and locks teams into a reactive posture driven by the chaotic influx of vulnerability data.
Thus, we propose a shift towards a Threat Mitigation mindset, distinct from simple vulnerability management, that actively identifies threats, assesses their relevance, and implements proactive security measures.
Threat Mitigation embraces a holistic approach that integrates patching, reconfiguration, filtering, and the implementation of compensatory controls. The focus remains primarily on reducing the exposure of internet-facing systems.
Moreover, the overarching goal of Risk Reduction hinges on three strategic efforts:
1. Reducing the Attack Surface – Systematically minimizing entry points to mitigate exploitation probability.
2. Limiting Impact – Segmenting the network and isolating vulnerable systems under a Zero Trust model.
3. Improving Baseline Security – Reducing the overall number and severity of vulnerabilities strategically, as opposed to merely reacting to newly reported threats.
In conclusion, a reimagined vulnerability management methodology, centered on Threat Mitigation and effective Risk Reduction, gives teams the tactical freedom to allocate cybersecurity resources to higher-priority areas. By evolving beyond reacting to individual vulnerabilities, organizations can adopt a more effective stance against the dynamic cyber threats they face.