Vulnerabilities - The Broken Physics of Remediation Explained
Basically, security teams are having a tough time fixing vulnerabilities before attackers exploit them.
A new study reveals that security teams are struggling to keep up with vulnerabilities, often falling behind attackers. This highlights a critical need for improved remediation strategies to protect organizations effectively.
What Happened
The landscape of cybersecurity has shifted dramatically. Traditionally, security programs operated on the premise of patching vulnerabilities faster than attackers could exploit them. However, a recent study reveals that this model is outdated. Over the past four years, defenders have failed to keep pace with attackers 88% of the time when it comes to critical vulnerabilities. Alarmingly, many vulnerabilities were weaponized before patches even existed.
This extensive research analyzed over one billion CISA KEV remediation records from 10,000 organizations between 2022 and 2025. It uncovered a troubling trend: despite the hard work of security teams, they are falling behind due to a structural problem rather than just speed. The sheer volume of vulnerabilities and the expanding attack surfaces have left many organizations struggling to keep up.
Who's Affected
The implications of these findings are significant for organizations of all sizes. Security teams are tasked with managing an ever-growing list of vulnerabilities, yet many lack the resources or processes to address them efficiently. The study highlights that 15% of organizations that optimized their remediation processes managed to patch vulnerabilities by the time they were added to the Known Exploited Vulnerabilities (KEV) list. This suggests that while many are struggling, there is a path forward for those willing to change their approach.
What Data Was Exposed
The report introduces new metrics that help organizations understand their vulnerability exposure better. The Average Window of Exposure (AWE) captures the time between when a vulnerability is weaponized and when it is remediated. For instance, the Follina vulnerability had an exposure of 33,000 days, with most exposure occurring outside the typical monitoring periods. Additionally, the Manual Tax metric illustrates the long tail of vulnerabilities that manual processes often miss, leading to prolonged exposure.
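To make the two metrics concrete, here is an added example (not code from the report or from Qualys) that computes an AWE-style window of exposure over a constructed set of KEV remediation records. The record layout, field names, CVE identifiers and dates are all assumptions made for illustration; it also computes the share of records remediated on or before KEV listing and lists still-open records, the long tail the Manual Tax metric describes.

```python
"""Added example: an Average Window of Exposure (AWE) style calculation over
constructed KEV remediation records. Not the report's own method or data."""
from datetime import date
from statistics import mean

# Constructed sample, one record per (organization, CVE). CVE ids are placeholders.
# 'weaponized' = first known exploitation, 'kev_added' = CISA KEV listing date,
# 'remediated' = patch date, or None when the record is still open.
RECORDS = [
    {"org": "org-A", "cve": "CVE-0000-0001", "weaponized": date(2024, 1, 10),
     "kev_added": date(2024, 1, 20), "remediated": date(2024, 1, 15)},
    {"org": "org-B", "cve": "CVE-0000-0001", "weaponized": date(2024, 1, 10),
     "kev_added": date(2024, 1, 20), "remediated": date(2024, 3, 1)},
    {"org": "org-A", "cve": "CVE-0000-0002", "weaponized": date(2024, 2, 1),
     "kev_added": date(2024, 2, 5), "remediated": None},
    {"org": "org-C", "cve": "CVE-0000-0002", "weaponized": date(2024, 2, 1),
     "kev_added": date(2024, 2, 5), "remediated": date(2024, 2, 3)},
]

# Constructed reporting date: open records accrue exposure up to this day.
AS_OF = date(2024, 4, 1)


def window_of_exposure(rec, as_of):
    """Days from weaponization to remediation. Open records count up to as_of;
    a patch applied before weaponization yields 0 rather than a negative window."""
    end = rec["remediated"] or as_of
    return max((end - rec["weaponized"]).days, 0)


def average_window_of_exposure(records, as_of):
    """AWE in days across all records, still-open exposures included."""
    return mean(window_of_exposure(r, as_of) for r in records)


def awe_by_cve(records, as_of):
    """AWE per CVE, so one slow-to-patch vulnerability stands out."""
    by_cve = {}
    for r in records:
        by_cve.setdefault(r["cve"], []).append(window_of_exposure(r, as_of))
    return {cve: mean(days) for cve, days in by_cve.items()}


def share_remediated_before_kev(records):
    """Fraction of records patched on or before the KEV listing date, the
    behaviour the report attributes to its best-performing organizations."""
    hits = sum(1 for r in records
               if r["remediated"] is not None and r["remediated"] <= r["kev_added"])
    return hits / len(records)


def open_exposures(records):
    """Records still unpatched: the long tail that manual tracking tends to miss."""
    return [(r["org"], r["cve"]) for r in records if r["remediated"] is None]


if __name__ == "__main__":
    print("AWE (days):", average_window_of_exposure(RECORDS, AS_OF))
    print("AWE per CVE:", awe_by_cve(RECORDS, AS_OF))
    print("Share remediated before KEV listing:", share_remediated_before_kev(RECORDS))
    print("Still open:", open_exposures(RECORDS))
```

Counting open records up to the reporting date is the design choice that matters: dropping them would hide exactly the unpatched tail that drives a large average, and it is why a single long-lived exposure can dominate the metric for a whole fleet.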
What You Should Do
Organizations must rethink their vulnerability management strategies. The report emphasizes the need for a multi-faceted approach that includes:
- Embedded intelligence to prioritize risks effectively.
- Active confirmation to validate threats and ensure that vulnerabilities are genuinely exploitable.
- Automated remediation processes to fix vulnerabilities quickly and efficiently.
By adopting these strategies, organizations can significantly reduce their risk exposure and improve their overall security posture. The findings from this study serve as a wake-up call to the industry, urging a shift from outdated practices to more effective, data-driven remediation strategies.
Qualys Blog