Critical Threat Intelligence & Advisory Summaries

[Figure: Visualization of thousands of vulnerabilities with only a small subset actively exploited, highlighting the gap between CVSS prioritization and real-world cyber risk]

Why Most Patch Programs Fail: CVSS Overload, KEV Lag, and Exposure Blind Spots

Executive Summary

Organizations are overwhelmed by vulnerability volume, but attackers are not. While tens of thousands of CVEs are disclosed annually, only a small percentage are actively exploited.

Despite this, most patch programs still rely on static severity scoring, compliance-driven SLAs, and incomplete asset visibility. This creates a structural failure in which:

• High-risk vulnerabilities remain exposed

• Low-risk vulnerabilities consume remediation capacity

• Actively exploited weaknesses persist in enterprise environments

Modern guidance from FIRST, CISA, and MITRE emphasizes a shift toward exposure-based and exploitation-driven prioritization, yet most organizations have not operationalized it.

Key Risk:
Patch programs fail not due to lack of effort, but due to misalignment with how attackers actually operate.

Threat Overview

The CVE Volume Problem

Vulnerability disclosure continues to accelerate. Nearly 50,000 CVEs were published in 2025, with similar growth expected in 2026.

However:

• Only a small fraction are exploited

• Attackers focus on exposed, valuable systems

• Security teams must triage around 100 or more vulnerabilities per day

This creates an operational asymmetry:

• Attackers prioritize with precision. Defenders prioritize at scale.

Why Severity-Based Prioritization Fails

Traditional patching models rely heavily on CVSS severity scores. This approach breaks down because CVSS:

• Measures theoretical impact, not real-world exploitation

• Does not account for attacker behavior

• Ignores asset exposure and business context

Research shows CVSS performs close to random chance in predicting exploitation likelihood.

This leads to:

• Thousands of “critical” vulnerabilities

• No clear prioritization signal

• Patch fatigue across security teams

The Shift to Exploitation Intelligence

Modern vulnerability prioritization guidance from FIRST introduces EPSS (Exploit Prediction Scoring System):

• Predicts the probability of exploitation within the next 30 days

• Ranks vulnerabilities by likelihood, not severity

• Provides percentile-based prioritization

Key principle:

If exploitation is confirmed (e.g., KEV), it overrides all predictive models. If not, EPSS estimates likelihood.

At the same time, the CISA KEV catalog provides:

• Confirmed exploitation evidence

• Mandatory remediation timelines (in federal environments)

But:

• KEV is reactive

• EPSS is predictive

• Neither alone is sufficient

Operational Failure Analysis

1. Prioritization Failure

Organizations still prioritize based on:

• CVSS severity

• Compliance SLAs

• Scanner output volume

Instead of:

• Exploitation evidence (KEV)

• Exploit likelihood (EPSS)

• Asset exposure and criticality

Modern frameworks now recommend:

Risk = EPSS × Asset Criticality × Exposure

The Shift to Decision-Based Triage (SSVC)

Beyond just scoring, CISA and SEI (Carnegie Mellon) recommend SSVC (Stakeholder-Specific Vulnerability Categorization). Instead of a 1-10 number, SSVC uses a decision tree to land on one of four outcomes:

• Track: Monitor during normal cycles.

• Track+: Monitor closely.

• Attend: Fix sooner than normal.

• Act: Immediate remediation required.

This forces teams to stop asking "How bad is this bug?" and start asking "What is our specific obligation to act?"

Yet most enterprises have not operationalized this model.
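
To make the recommended model concrete, the following is an added example, my own code rather than anything from the article, FIRST, or CISA: it scores a handful of constructed findings with Risk = EPSS × Asset Criticality × Exposure, lets a KEV listing override the EPSS estimate as the key principle above requires, and contrasts the result with a CVSS-only ordering. The criticality scale, the exposure weights, and the VULN-* identifiers are assumptions.

```python
# Added example, not from the article: applies the article's model
# Risk = EPSS x Asset Criticality x Exposure, with confirmed exploitation
# (KEV) overriding the predictive score, and contrasts it with CVSS ordering.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    cve: str              # constructed placeholder ids, not real CVE numbers
    asset: str
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS: probability of exploitation in the next 30 days
    in_kev: bool          # listed in CISA KEV (exploitation confirmed)
    internet_facing: bool
    criticality: int      # assumed scale: 1 (low) .. 5 (crown jewel)

# Assumed exposure weights: reachable from the internet counts fully,
# internal-only assets are heavily discounted but never zero.
EXPOSURE_WEIGHT = {True: 1.0, False: 0.2}

def risk_score(f: Finding) -> float:
    """Article model; a KEV listing replaces the EPSS estimate with certainty (1.0)."""
    likelihood = 1.0 if f.in_kev else f.epss
    return likelihood * f.criticality * EXPOSURE_WEIGHT[f.internet_facing]

def prioritize(findings: List[Finding]) -> List[Finding]:
    """KEV entries first (confirmed exploitation overrides prediction),
    then everything else by computed risk, highest first."""
    return sorted(findings, key=lambda f: (f.in_kev, risk_score(f)), reverse=True)

def cvss_order(findings: List[Finding]) -> List[Finding]:
    """The traditional severity-only ordering the article argues against."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample backlog (values are illustrative, not real data).
FINDINGS = [
    Finding("VULN-A", "vpn-gateway",     7.2, 0.05, True,  True,  5),
    Finding("VULN-B", "dev-workstation", 9.8, 0.01, False, False, 1),
    Finding("VULN-C", "public-web",      8.1, 0.60, False, True,  4),
    Finding("VULN-D", "file-share",      9.1, 0.02, False, False, 3),
]

if __name__ == "__main__":
    print("CVSS order:", [f.cve for f in cvss_order(FINDINGS)])
    print("Risk order:", [f.cve for f in prioritize(FINDINGS)])
    for f in prioritize(FINDINGS):
        print(f"{f.cve} risk={risk_score(f):.3f} kev={f.in_kev}")
```

The CVSS ordering puts the isolated 9.8 workstation first; the risk ordering puts the KEV-listed VPN gateway first and that workstation last.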


2. Asset Visibility Failure

Patch programs assume full visibility. In reality:

• Internet-facing assets are often unmanaged

• Shadow IT and SaaS remain undiscovered

• Edge devices sit outside traditional tooling

Without accurate asset inventory:

• Vulnerabilities cannot be prioritized correctly

• Exposure risk is underestimated

As industry guidance highlights:

Not all CVEs apply; only those affecting your environment matter.

The Reachability Gap: Even if a vulnerable library (like Log4j) exists on a server, the risk is effectively zero if the application's execution path never calls the vulnerable function. Modern teams use reachability analysis to prune up to 70% of their "critical" backlog by proving the exploit path is unreachable.

3. Patch Execution Failure

Even when prioritized correctly, execution breaks down due to:

• Change control delays

• Patch testing bottlenecks

• Ownership ambiguity

• Operational risk concerns

Data shows:

• Enterprises often take months to remediate critical vulnerabilities

• Attackers exploit within days or hours

This creates a persistent exposure window.

4. Exposure Management Failure

Defining the Gap: Vulnerability vs. Exposure

A Vulnerability is a flaw in code (a CVE). An Exposure is a condition that makes an exploit possible.

• A patch fixes a vulnerability.

• Exposure management fixes the context, such as a misconfigured S3 bucket, a forgotten shadow IT server, or a set of leaked admin credentials. You cannot "patch" a misconfiguration, yet these exposures are often more attractive to attackers than a complex CVE because they require zero exploit code to weaponize.

The most critical failure is ignoring exposure context.

High-risk vulnerabilities typically share:

• Internet accessibility

• Privileged system placement

• Lack of monitoring (e.g., edge devices)

Examples include:

• VPN appliances

• Firewalls

• Identity infrastructure

• Remote access systems

These systems:

• Are frequently targeted

• Lack EDR visibility

• Sit at high-value network positions

5. KEV Lag and Reactive Security

KEV provides a strong signal but:

• Often appears after exploitation begins

• Does not cover all exploited vulnerabilities

• Cannot keep pace with attacker speed

Research presented at industry forums shows:

• Attackers can have months to years of advantage before remediation occurs

• KEV alerts may arrive after weaponization is already widespread

Operational Impact for SOC Teams

Detection Challenges

• Exploitation occurs before patch cycles complete

• Edge devices lack telemetry

• Identity compromise masks initial access

Why Controls Fail

• EDR does not cover network appliances

• SIEM lacks exploit-specific detection rules

• Patch SLAs do not reflect real threat timelines

Visibility Gaps

Standard EDR will not see this activity because:

• Exploitation targets unmanaged systems (VPNs, appliances)

• Activity occurs outside endpoint visibility

• Credential abuse blends with legitimate access

Indicators & Warning Signs

• Unexpected external access to edge systems

• Authentication anomalies (VPN / identity platforms)

• Sudden spikes in exploit scanning traffic

• Unusual service crashes or restarts

• Privileged session anomalies

• High outbound data flows (exfiltration signals)

Defensive Recommendations

Prioritization Model

• Prioritize KEV vulnerabilities immediately

• Use EPSS percentiles for non-KEV vulnerabilities

• Factor in:

- Internet exposure

- Asset criticality

- Business impact

Detection Strategy

• Monitor edge infrastructure (VPN, firewall logs)

• Deploy network-based detection for exploit attempts

• Correlate vulnerability + identity signals

Asset & Exposure Management

• Maintain real-time asset inventory

• Identify all internet-facing systems

• Continuously validate exposure paths
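
As an added illustration of two of the recommendations above (correlating vulnerability and identity signals, and keeping an asset inventory that records internet exposure), here is example code of my own, not from the article: it parses constructed VPN log lines, looks each host up in a small inventory flagged with KEV status, escalates a login that follows repeated failures or a service restart on an exposed, KEV-affected host, and reports any host missing from the inventory as a visibility gap. The log format, field names, inventory shape, and host names are assumptions.

```python
# Added example, not from the article: correlates constructed VPN log events with
# an asset inventory so anomalies on exposed, KEV-affected edge devices are escalated.
from collections import defaultdict

ASSETS = {  # constructed inventory; "kev": host carries a CISA KEV-listed vulnerability
    "vpn-gw-01": {"internet_facing": True, "kev": True},
    "vpn-gw-02": {"internet_facing": True, "kev": False},
}

# Constructed sample log. Assumed format: "<ts> <host> <EVENT> key=value ...".
LOG_LINES = [
    "2026-03-01T02:10:01Z vpn-gw-01 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-03-01T02:10:04Z vpn-gw-01 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-03-01T02:10:09Z vpn-gw-01 AUTH_FAIL user=admin src=203.0.113.7",
    "2026-03-01T02:10:15Z vpn-gw-01 AUTH_OK user=admin src=203.0.113.7",
    "2026-03-01T02:12:40Z vpn-gw-02 SERVICE_RESTART service=sslvpnd",
    "2026-03-01T02:13:02Z vpn-gw-02 AUTH_OK user=alice src=198.51.100.9",
    "2026-03-01T02:14:30Z vpn-gw-09 AUTH_OK user=svc src=203.0.113.55",
]

def parse(line):
    """Split one log line into (host, event, {key: value})."""
    _ts, host, event, *rest = line.split()
    return host, event, dict(p.split("=", 1) for p in rest)

def priority(host, assets):
    """Exposure context sets urgency: exposed and KEV-affected => escalate."""
    a = assets.get(host)
    if a is None:
        return "inventory-gap"  # unmanaged host: a visibility failure in itself
    return "escalate" if a["internet_facing"] and a["kev"] else "monitor"

def correlate(lines, assets, fail_threshold=3):
    """Return (host, reason, priority) alerts: login after repeated failures, or a restart."""
    fails, unknown, alerts = defaultdict(int), set(), []
    for host, event, f in map(parse, lines):
        if host not in assets and host not in unknown:  # report each unknown host once
            unknown.add(host)
            alerts.append((host, "event from host absent from inventory", priority(host, assets)))
        key = (host, f.get("src", "-"))
        if event == "AUTH_FAIL":
            fails[key] += 1
        elif event == "AUTH_OK" and fails[key] >= fail_threshold:
            reason = f"{f['user']} logged in after {fails[key]} failures from {key[1]}"
            alerts.append((host, reason, priority(host, assets)))
            fails[key] = 0  # reset so the same burst is not reported twice
        elif event == "SERVICE_RESTART":
            alerts.append((host, f"{f['service']} restarted", priority(host, assets)))
    return alerts
```

Running correlate(LOG_LINES, ASSETS) yields three alerts: the gateway with a KEV-listed flaw is escalated, the restart on the non-KEV gateway is only monitored, and the unknown host surfaces as an inventory gap.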


Patch Execution Improvements

• Create emergency patch workflows for KEV / high-EPSS

• Reduce dependency on rigid change cycles

• Align patch SLAs with exploitation timelines, not compliance

Advanced (Differentiator Insight)

Move beyond generic scoring:

• Combine EPSS + KEV + exposure context

• Use contextual scoring platforms (e.g., Hackerstorm contextual EPSS approach)

• Align prioritization to your environment, not global averages

Industry / Strategic Context

The vulnerability management model is undergoing a structural shift:

• From volume → precision

• From severity → exploitation

• From compliance → operational risk

Key reality:

• Only ~0.45% of CVEs appear in KEV

• Only a small percentage show high EPSS likelihood

• Yet these represent the majority of real-world risk

Attackers already operate this way.

Defenders are still catching up.

Hackerstorm Analysis

Most organizations believe they have a patching problem. They do not.

They have a decision problem.

Security teams are still optimizing for:

• completeness

• compliance

• volume

Attackers optimize for:

• exposure

• access

• speed

The organizations that close this gap will not patch more vulnerabilities.

They will patch fewer, but the right ones.

Strategic Context & Further Reading

🔗 Vulnerability Management: Operational Risk & Exposure-Based Prioritization

Why read this: Most vulnerability programs fail long before patching begins. This article breaks down the systemic issues (asset visibility gaps, prioritization failures, and operational constraints) that prevent organizations from reducing real-world risk.

🔗 Operational Threat Intelligence: Practical Guide for Security Teams

Why read this: Prioritization requires context. This guide explains how to integrate threat intelligence into security operations, helping teams move from reactive patching to intelligence-driven decision making.

🔗 JLR Breach Analysis (OFA) - Third-Party Identity Exposure and KEV Prioritization Gaps

Why read this: A real-world example of how control failures, not a lack of tools, lead to compromise. This analysis highlights identity, third-party, and visibility gaps that mirror the same breakdowns seen in failed patch programs.

About This Report

Reading Time: Approximately 15 minutes

This Threat Intelligence Brief is based on publicly disclosed corporate incident reports, U.S. law enforcement advisories, federal court records, and threat intelligence research from multiple cybersecurity organizations.

Information reflects the operational threat landscape as of March 2026.

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. His professional qualifications over the years have included CISSP, ISO27000 Auditor, and ITIL, and technologies such as Networking, Operating Systems, PKI, and Firewalls. For more information, including independent citations and credentials, visit our About page.

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the Sources section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently

Sources

• FIRST – EPSS framework and prioritization guidance

• CISA – KEV catalog and directives

• MITRE – CVE framework and vulnerability standardization

• Vulnerability volume and exploitation trends

• EPSS prioritization model and guidance

• CVSS predictive limitations research

• Exposure-based prioritization practices

• Industry prioritization and KEV timing insights