2024 State of Exposure Management
Partner: NopSec
Modern vulnerability management stands at the crossroads of threat-based prioritization and contextual risk management. This report analyzes 36 million detected vulnerabilities to measure how effectively organizations are closing their most critical exposures. The data reveals that while total vulnerability counts are rising, established leaders are successfully whittling down their attack surface through automated remediation and better risk scoring.
Remediation speed is highly dependent on asset type and vendor. Vulnerabilities affecting workstations are closed in just 71 days on average, while those affecting servers stretch to 275 days. The analysis also challenges the “celebrity” vulnerability obsession, demonstrating that there is little correlation between a vuln getting a scary name/logo and it actually representing high risk to the enterprise.
A primary focus of this report is the innovative use of Large Language Models (LLMs) to map CVEs to the MITRE ATT&CK framework. By using models like Google Gemini to establish semantic relationships, system owners can finally query which vulnerabilities in their environment lead to specific attacker tactics like lateral movement. The study includes a detailed breakdown of LLM accuracy, showing that AI can identify relevant TTPs that human analysts often miss.
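The two operations the paragraph describes, scoring an LLM's CVE-to-technique mapping against analyst labels and then querying the mapping by ATT&CK tactic, look like this in code. This is an added example, not NopSec's or Cyentia's tooling: the CVE ids and both label sets are constructed placeholders, the technique-to-tactic table covers only a handful of real ATT&CK technique ids, and the accuracy definitions (exact set match per CVE, pooled precision and recall) are this example's own assumptions, since the report does not state how its 43% figure is computed.

```python
"""Score LLM-proposed CVE -> ATT&CK technique mappings against analyst labels,
then query the mapping by tactic. Added example with constructed data; the
scoring definitions are assumptions, not the report's methodology."""

# Technique -> tactic table. The technique ids are real ATT&CK Enterprise ids;
# only the few needed for the constructed data are listed.
TECHNIQUE_TACTIC = {
    "T1190": "initial-access",        # Exploit Public-Facing Application
    "T1068": "privilege-escalation",  # Exploitation for Privilege Escalation
    "T1210": "lateral-movement",      # Exploitation of Remote Services
    "T1021": "lateral-movement",      # Remote Services
    "T1499": "impact",                # Endpoint Denial of Service
}

# Constructed placeholder CVE ids (not real CVEs). ANALYST is the ground truth,
# LLM is what the model proposed for the same CVEs.
ANALYST = {
    "CVE-0000-0001": {"T1190"},
    "CVE-0000-0002": {"T1068"},
    "CVE-0000-0003": {"T1210", "T1021"},
    "CVE-0000-0004": {"T1499"},
}
LLM = {
    "CVE-0000-0001": {"T1190"},
    "CVE-0000-0002": {"T1068", "T1210"},   # one extra technique
    "CVE-0000-0003": {"T1210", "T1021"},
    "CVE-0000-0004": {"T1068"},            # wrong technique entirely
}


def exact_match_rate(truth, proposed):
    """Share of CVEs whose proposed technique set equals the analyst set
    (this example's strict accuracy definition)."""
    cves = list(truth)
    hits = sum(1 for c in cves if proposed.get(c, set()) == truth[c])
    return hits / len(cves)


def micro_precision_recall(truth, proposed):
    """Precision and recall pooled over every (CVE, technique) pair, which
    gives partial credit for CVEs where the model is close but not exact."""
    tp = fp = fn = 0
    for cve, t in truth.items():
        p = proposed.get(cve, set())
        tp += len(t & p)
        fp += len(p - t)
        fn += len(t - p)
    return tp / (tp + fp), tp / (tp + fn)


def disagreements(truth, proposed):
    """CVEs where the model and analysts differ, with what was added or missed,
    so a reviewer can triage them."""
    out = {}
    for cve, t in truth.items():
        p = proposed.get(cve, set())
        if p != t:
            out[cve] = {"extra": sorted(p - t), "missed": sorted(t - p)}
    return out


def cves_for_tactic(mapping, tactic):
    """Which CVEs map to at least one technique under the given tactic; this is
    the 'which of my vulns lead to lateral movement' query."""
    return sorted(
        cve for cve, techs in mapping.items()
        if any(TECHNIQUE_TACTIC.get(t) == tactic for t in techs)
    )


if __name__ == "__main__":
    print("exact-match accuracy:", exact_match_rate(ANALYST, LLM))
    print("micro precision/recall:", micro_precision_recall(ANALYST, LLM))
    print("disagreements:", disagreements(ANALYST, LLM))
    print("lateral movement (LLM view):", cves_for_tactic(LLM, "lateral-movement"))
    print("lateral movement (analyst view):", cves_for_tactic(ANALYST, "lateral-movement"))
```

The two accuracy figures diverge on purpose: a strict per-CVE match penalizes the model for a single extra technique, while pooled precision and recall show whether the extra techniques are noise or whether the model is missing techniques analysts labeled. Running the tactic query against both views side by side is the quickest way to see which extra CVEs a model-driven prioritization would pull into a "lateral movement" list.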
Key Findings
- The 204-Day Asset Gap: Servers take an average of 275 days to remediate, which is nearly seven months longer than the 71-day average for workstations.
- Efficiency gain of Risk Scoring: Organizations using NopSec’s Business Risk Score close high-risk vulns two months faster than the overall average, with nearly 60% remediated within 90 days.
- Microsoft Footprint: Microsoft is responsible for 11% of all published CVEs, which affect 55% of all enterprise assets and account for 40% of all detected vulns.
- LLM TTP Mapping: Multimodal LLMs like Google Gemini achieved a 43% accuracy rate in mapping CVEs to MITRE ATT&CK techniques, outperforming human analysts in identifying certain complex attack chains.
- Linux Remediation Delay: Vulnerabilities in Linux systems take an average of 98 days longer to remediate than the overall baseline.
- The Celebrity Fallacy: Celebrity vulnerabilities are frequently found in low-risk zones of the landscape, proving that media attention is a poor indicator for prioritization.
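The remediation metrics behind the first two findings (mean days to remediate by asset type, and the share of high-risk findings closed within 90 days) are straightforward to compute from scan history, with one caveat the numbers hide: findings that are still open. The example below is added here and is not code from the report or from NopSec; the findings, dates and the as-of date are constructed, and the handling of open findings (count them as not remediated once the window has elapsed, exclude them while it is still running) is this example's own choice.

```python
"""Compute time-to-remediate by asset type and an N-day remediation rate from
a list of findings. Added example with constructed data; the treatment of
still-open findings is this example's assumption, not the report's method."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    cve: str                    # constructed placeholder id, not a real CVE
    asset_type: str             # "workstation" or "server"
    detected: date
    remediated: Optional[date]  # None means the finding is still open
    high_risk: bool


# Constructed snapshot date and findings.
AS_OF = date(2024, 6, 30)
FINDINGS = [
    Finding("CVE-0000-0001", "workstation", date(2024, 1, 1), date(2024, 3, 1), True),
    Finding("CVE-0000-0002", "workstation", date(2024, 1, 10), date(2024, 4, 1), False),
    Finding("CVE-0000-0003", "server", date(2023, 6, 1), date(2024, 3, 1), True),
    Finding("CVE-0000-0004", "server", date(2023, 10, 1), None, True),   # open ~9 months
    Finding("CVE-0000-0005", "workstation", date(2024, 6, 15), None, True),  # open 2 weeks
    Finding("CVE-0000-0006", "server", date(2024, 2, 1), date(2024, 4, 15), True),
]


def days_open(f, as_of=AS_OF):
    """Age of a finding: detection to remediation, or to the snapshot date if open."""
    end = f.remediated or as_of
    return (end - f.detected).days


def mean_days_by_asset_type(findings):
    """Mean days to remediate for closed findings, grouped by asset type.
    Open findings are excluded here, which biases the mean low; the rate
    function below is the place where open findings are accounted for."""
    buckets = {}
    for f in findings:
        if f.remediated is not None:
            buckets.setdefault(f.asset_type, []).append(days_open(f))
    return {k: sum(v) / len(v) for k, v in buckets.items()}


def remediated_within(findings, days, high_risk_only=False, as_of=AS_OF):
    """Share of findings closed within `days` of detection.

    An open finding older than `days` counts as a miss. An open finding
    younger than `days` is excluded, because its outcome is not known yet
    (right-censoring); counting it either way would distort the rate."""
    pool = []
    for f in findings:
        if high_risk_only and not f.high_risk:
            continue
        if f.remediated is None and (as_of - f.detected).days < days:
            continue  # too young to judge
        pool.append(f)
    if not pool:
        return None
    hits = sum(1 for f in pool if f.remediated is not None and days_open(f) <= days)
    return hits / len(pool)


def asset_gap_days(findings, slow="server", fast="workstation"):
    """Difference in mean time-to-remediate between two asset types."""
    means = mean_days_by_asset_type(findings)
    return means[slow] - means[fast]


if __name__ == "__main__":
    print("mean days by asset type:", mean_days_by_asset_type(FINDINGS))
    print("server minus workstation:", asset_gap_days(FINDINGS))
    print("all findings closed within 90d:", remediated_within(FINDINGS, 90))
    print("high-risk closed within 90d:", remediated_within(FINDINGS, 90, high_risk_only=True))
```

The censoring rule matters more than it looks: a program that opened many findings in the last month will show an artificially high 90-day rate if those findings are dropped silently, and an artificially low one if they are all counted as misses. Keeping the rule explicit in the code, and reporting the number of excluded findings alongside the rate, is the practical way to make remediation dashboards comparable from month to month.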

Collaborative analysis by Cyentia Institute and NopSec of 36 million detected vulnerabilities and their associated remediation lifecycles.