When is a vulnerability not a vulnerability?

CVEs and CWEs give us useful structure for describing software bugs. But real attackers optimize for outcomes, not taxonomy — and they rarely need a neatly cataloged CVE to own your environment.

On this episode of Distilled Security, we talk with Tod Beardsley, VP of Security Research at runZero and CVE Board member, about reframing risk from checklist completion to adversary capability. The stuff that actually gets attackers from initial access to lateral movement to persistence usually isn't a beautiful exploit — it's misconfigurations, default credentials, unintended network paths, end-of-life systems, and surprise trust relationships between environments, none of which will ever get a convenient CVE to scan for. Tod makes the case for whole-enterprise vulnerability assessment as an exercise in "what can an adversary actually do from here?"

Meet Our Speakers

todb

VP, Security Research, runZero

Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Resources

Podcasts
Know Your Adversary with HD Moore
runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.
Podcasts
Risky Biz Interview: Navigating the AI vibe shift with HD Moore
runZero Founder and CEO HD Moore drops by in this week's Risky Biz sponsor interview to talk about the concerning AI vibe shift and what to do...
Podcasts
From two weeks to three days: The KEV deadline debate
Former CISA insider Todd Beardsley joins Greg to reveal what it takes to land on the KEV catalog and why ultra-short patching deadlines might...
Podcasts
OT asset exposures & mitigations
Rob King joins the Nexus Podcast to discuss the security risks and exposures introduced by digital transformation to operational technology...

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.