Originally published in Cyber Defense eMagazine
Navigating Security Beyond Disclosure: Resilience, Response, and the Future of Cyber Defense
When most people think of vulnerability management, they immediately think of the Common Vulnerabilities and Exposures (CVE™) program. For over a quarter century, CVE identifiers have become synonymous with tracking the enterprise’s cybersecurity stance, forming a foundational pillar of security programs worldwide.
However, earlier this year, this fundamental bedrock of cybersecurity was shaken when MITRE's federally funded research and development center (FFRDC) nearly lost its contract funding from the US Department of Homeland Security. A last-hour intervention from the Cybersecurity and Infrastructure Security Agency (CISA) averted the worst-case scenario of shutting down CVE, but this crisis was a wake-up call for the cybersecurity industry.
While the CVE Program’s continued operation remains critical to global cybersecurity efforts, and its closure would be a significant hit to tracking known vulnerabilities, we really need to come to terms with the fact that not all hacker tactics are described as CVEs. In fact, according to the 2025 Verizon DBIR, only about 20% of reported incidents can be traced to an exploited vulnerability for initial access.
What is required is a single source of truth for vulnerability and exposure management, one that reflects the real-world risk landscape, not just CVEs.
The CVE crisis
CVEs give you a snapshot of enterprise assets, but they fail to provide a complete picture. They overlook critical issues like misconfigurations, segmentation flaws, and internally exposed assets, all of which attackers could exploit. Traditional tools also fall short when it comes to asset discovery. Agent-based and credential-dependent solutions struggle to detect shadow IT, operational technology (OT) and IoT devices, all of which are increasingly common on today's attack surfaces and difficult to monitor with traditional endpoint detection and response (EDR) and authenticated scans.
With under-resourcing a problem across the board, affecting not only the CVE program but also the National Vulnerability Database (NVD), an approach that isn’t entirely CVE-centric is urgently needed.
Rising risk
This urgency is amplified by the complex nature of the modern corporate attack surface, which has become a tangled web of on-premises servers and desktops, remote-working laptops and smartphones, public cloud containers, edge devices, and operational technology (OT). It is virtually impossible to maintain visibility and detect exposures with so many transient and dynamic assets, and defenders are constantly left in the dark.
This is taking place in tandem with major changes to the threat landscape, which is becoming increasingly dangerous as actors grow more sophisticated and professional.
The cost
The consequences of cyberattacks are escalating and impossible to ignore. In the US alone, data compromises have reached a near-record high, with almost 1.4 billion victims receiving notifications regarding a breach. Ransomware also remains a top concern, and recent research by Sophos indicates that half of 3,400 responding IT professionals paid ransomware operators in the first part of this year.
The cost of the ransomware payment itself is just the tip of the iceberg; beyond this there are business interruption, missed sales, and IT and legal costs.
When breaches stem from preventable exposures, organizations also risk facing regulatory penalties. Senior managers can be held personally accountable for instances of serious negligence, and organizations can face huge fines and reputational damage if they cannot produce evidence that all assets are visible and secure.
Regaining the upper hand
The writing is on the wall: an over-reliance on CVEs and agent-based approaches won’t keep you safe. So what else can you do to regain the upper hand?
Combining active scanning, passive discovery and API integrations is an effective method for gaining comprehensive visibility into both the internal and external attack surfaces, including unknown and unmanaged assets like OT and IoT endpoints.
Once identified, the next step is to profile each asset in depth. This is where fingerprinting technology plays an integral part in extracting context-rich data. The more expansive the research into what services a device runs, who owns the asset, whether it is unpatched or misconfigured, and what it is connected to, the more accurate the insight. This brings to light exposures that would otherwise remain a mystery to network defenders.
Above all, solutions must be simple and data-driven. That means consolidating capabilities into a single platform that has the capacity to deliver risk-based, prioritized alerts. Security teams are already overwhelmed by false positives, alert fatigue, and situational blindness; what they need is to cut through the noise and see which exposures and vulnerabilities truly pose a threat.
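The three steps above (combine discovery sources, profile each asset, then prioritize by risk rather than by CVE count) can be sketched in code. The following is an added illustration, not code from the article or from runZero's products; all asset records, MAC addresses, service names, internal ranges and severity weights are constructed sample data, and the scoring rule is a deliberately simple stand-in for a real risk model. It merges three partial views of the same small estate into one inventory, derives non-CVE findings (plaintext admin protocols, OT devices talking outside the internal ranges, assets missing from the CMDB, assets with no owner) and ranks the result.

```python
"""Merge active-scan, passive-discovery and API-inventory views of an estate,
derive exposure findings that are not CVEs, and rank assets by risk.
All data below is constructed for illustration (documentation ranges, made-up MACs)."""
from ipaddress import ip_address, ip_network

# --- Constructed sample data: three partial views of the same estate ---
ACTIVE_SCAN = [  # unauthenticated scan: IPs, MACs where visible, listening services
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "services": ["ssh/22", "http/80"]},
    {"ip": "10.0.1.23", "mac": "00:11:22:33:44:02", "services": ["telnet/23", "modbus/502"]},
    {"ip": "10.0.2.40", "mac": None, "services": ["rdp/3389"]},
]
PASSIVE_DISCOVERY = [  # traffic observation: MAC/IP pairs and who each host talks to
    {"ip": "10.0.1.23", "mac": "00:11:22:33:44:02", "talks_to": ["10.0.1.10", "203.0.113.5"]},
    {"ip": "10.0.1.77", "mac": "00:11:22:33:44:03", "talks_to": ["10.0.2.40"]},  # passive-only
]
API_INVENTORY = [  # CMDB / cloud / EDR API: ownership, management status, exposure
    {"ip": "10.0.1.10", "owner": "web-team", "managed": True, "internet_exposed": True},
    {"ip": "10.0.2.40", "owner": "finance", "managed": True, "internet_exposed": False},
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed organisation-owned ranges
INSECURE_SERVICES = {"telnet/23": 4, "rdp/3389": 3, "http/80": 1}  # assumed weights
OT_SERVICES = {"modbus/502"}


def is_internal(ip):
    """True when the address falls inside the organisation's own ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def merge_inventory(active, passive, api):
    """Key assets on MAC where any source learned it, else on IP, and merge attributes."""
    ip_to_mac = {r["ip"]: r["mac"] for r in active + passive if r.get("mac")}

    def key_for(rec):
        return rec.get("mac") or ip_to_mac.get(rec["ip"]) or rec["ip"]

    assets = {}
    for source, records in (("active", active), ("passive", passive), ("api", api)):
        for rec in records:
            a = assets.setdefault(key_for(rec), {
                "key": key_for(rec), "ips": set(), "sources": set(), "services": set(),
                "talks_to": set(), "owner": None, "managed": None, "internet_exposed": False})
            a["ips"].add(rec["ip"])
            a["sources"].add(source)
            a["services"].update(rec.get("services", []))
            a["talks_to"].update(rec.get("talks_to", []))
            if "owner" in rec:
                a["owner"] = rec["owner"]
            if "managed" in rec:
                a["managed"] = rec["managed"]
            if rec.get("internet_exposed"):
                a["internet_exposed"] = True
    return assets


def derive_findings(asset):
    """Profile step: findings as (kind, detail, severity); none of them is a CVE."""
    findings = []
    for svc in sorted(asset["services"]):
        if svc in INSECURE_SERVICES:
            findings.append(("insecure_service", svc, INSECURE_SERVICES[svc]))
    if asset["services"] & OT_SERVICES:
        findings.append(("ot_device", "OT protocol exposed on the network", 3))
        if any(not is_internal(ip) for ip in asset["talks_to"]):
            findings.append(("segmentation", "OT device talking to an external address", 5))
    if "api" not in asset["sources"]:
        findings.append(("unmanaged", "absent from CMDB/EDR inventory (possible shadow IT)", 3))
    if asset["owner"] is None:
        findings.append(("no_owner", "no asset owner recorded", 2))
    return findings


def risk_score(asset, findings):
    """Simple stand-in model: sum of severities, doubled when internet-exposed."""
    return sum(sev for _, _, sev in findings) * (2 if asset["internet_exposed"] else 1)


def prioritize(active, passive, api):
    """Return assets ranked by descending risk score (ties broken by key)."""
    ranked = []
    for a in merge_inventory(active, passive, api).values():
        f = derive_findings(a)
        ranked.append({"asset": a["key"], "ips": sorted(a["ips"]),
                       "sources": sorted(a["sources"]), "score": risk_score(a, f), "findings": f})
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"]))


if __name__ == "__main__":
    for row in prioritize(ACTIVE_SCAN, PASSIVE_DISCOVERY, API_INVENTORY):
        print(f'{row["score"]:>3}  {row["asset"]:<18} {",".join(row["ips"]):<12} '
              f'{",".join(row["sources"]):<20} {[k for k, _, _ in row["findings"]]}')
```

In the sample data the top-ranked asset is the OT device seen only by active and passive discovery: it carries no CVE at all, yet a plaintext admin service, an OT protocol, traffic to an address outside the assumed internal ranges and the absence of any CMDB or ownership record put it well ahead of the internet-facing web host. The single merged view is what makes that ranking possible; no one source alone sees all of those facts.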
If you'd like to hear more musings like this from me and the runZero Research team, indulge yourself with our free monthly webcast, runZero Hour. See you there!