CVEs and CWEs give us useful structure for describing software bugs. But real attackers optimize for outcomes, not taxonomy — and they rarely need a neatly cataloged CVE to own your environment.
On this episode of Distilled Security, we talk with Tod Beardsley, VP of Security Research at runZero and CVE Board member, about reframing risk from checklist completion to adversary capability. The stuff that actually gets attackers from initial access to lateral movement to persistence usually isn't a beautiful exploit — it's misconfigurations, default credentials, unintended network paths, end-of-life systems, and surprise trust relationships between environments, none of which will ever get a convenient CVE to scan for. Tod makes the case for whole-enterprise vulnerability assessment as an exercise in "what can an adversary actually do from here?"
Get the latest news and expert insights delivered in your inbox.