Prioritization to Prediction, Vol. 1
Partner: Kenna Security
To remediate or not to remediate is the central question of vulnerability management, yet few teams can answer it with analytical rigor. With 120,000 published CVEs to manage, firms often fall into a patchwork of haphazard fixes. This inaugural report analyzes the relationship between vulnerability disclosures and attacker behavior to build the industry’s first predictive model for remediation.
The data confirms that most vulnerabilities are never weaponized: only 23% have associated exploit code, and a mere 2% are actually observed being exploited in the wild. That creates an acute efficiency problem, since remediating at random or remediating everything would waste enormous resources. The report shows that standard prioritization rules, such as patching everything rated CVSS 7 or above, achieve only a 32% efficiency rating.
Speed is also a critical factor, as 50% of exploits are published within two weeks of the vulnerability disclosure. Our “Everything” model, which uses 250 different features to predict risk, achieves 2x the efficiency of CVSS-based strategies with 3x fewer false positives. This research serves as the foundation for a proactive, data-driven defense.
Key Findings
- The 2% Reality: Only 2% of all published vulnerabilities have actually been observed being exploited in the wild.
- The Exploit Code Signal: The chance of a vulnerability being exploited in the wild is 7x higher if exploit code has been publicly released.
- Rapid Weaponization: 50% of known exploits are published within two weeks of the associated vulnerability being disclosed.
- CVSS Accuracy Gap: Strategies based on CVSS scores of 8 or more perform no better than random chance from an efficiency standpoint.
- The “Everything” Advantage: A predictive model incorporating all available data is 2x more efficient and achieves better coverage than CVSS 7+ strategies.
- Reference List Signals: Vulnerabilities discussed on lists like Bugtraq or BID have a significantly higher likelihood of exploitation.
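The summary and key findings compare remediation strategies by efficiency and coverage. The following is an added example, not code or data from the report, Cyentia Institute or Kenna Security: it scores a prioritization rule over a small constructed CVE population, taking efficiency as the share of remediated CVEs that were actually exploited and coverage as the share of exploited CVEs the rule caught. The vulnerability records, their CVSS scores and exploit flags are all made up for illustration, and the strategy helpers (`cvss_at_least`, `exploit_code_published`) are hypothetical names.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record with the two signals the report discusses."""
    vuln_id: str
    cvss: float
    exploit_code_public: bool   # has exploit code been publicly released?
    exploited_in_wild: bool     # has exploitation actually been observed?


@dataclass(frozen=True)
class StrategyResult:
    remediated: int        # how many CVEs the strategy told us to fix
    true_positives: int    # ...of which were actually exploited in the wild
    exploited_total: int   # all exploited CVEs in the population

    @property
    def efficiency(self) -> float:
        """Share of remediated CVEs that were exploited (precision); 0.0 if nothing was remediated."""
        return self.true_positives / self.remediated if self.remediated else 0.0

    @property
    def coverage(self) -> float:
        """Share of exploited CVEs the strategy caught (recall); 0.0 if none were exploited."""
        return self.true_positives / self.exploited_total if self.exploited_total else 0.0


# A strategy is any rule that says "remediate this one" or not.
Strategy = Callable[[Vuln], bool]


def evaluate(vulns: Iterable[Vuln], strategy: Strategy) -> StrategyResult:
    """Apply a strategy to a population and count what it would have caught."""
    population = list(vulns)
    chosen = [v for v in population if strategy(v)]
    return StrategyResult(
        remediated=len(chosen),
        true_positives=sum(v.exploited_in_wild for v in chosen),
        exploited_total=sum(v.exploited_in_wild for v in population),
    )


def cvss_at_least(threshold: float) -> Strategy:
    """The 'patch everything at or above CVSS N' rule (hypothetical helper)."""
    return lambda v: v.cvss >= threshold


def exploit_code_published(v: Vuln) -> bool:
    """Remediate only CVEs with public exploit code (hypothetical helper)."""
    return v.exploit_code_public


def base_rate(vulns: Iterable[Vuln]) -> float:
    """Expected efficiency of picking CVEs at random: the share that are exploited."""
    population = list(vulns)
    if not population:
        return 0.0
    return sum(v.exploited_in_wild for v in population) / len(population)


# Constructed sample population (assumption: invented IDs, scores and flags).
SAMPLE = [
    Vuln("VULN-01", 9.8, True, True),
    Vuln("VULN-02", 7.5, False, False),
    Vuln("VULN-03", 7.2, True, False),
    Vuln("VULN-04", 5.0, True, True),
    Vuln("VULN-05", 8.1, False, False),
    Vuln("VULN-06", 4.3, False, False),
    Vuln("VULN-07", 7.8, False, False),
    Vuln("VULN-08", 6.5, True, False),
    Vuln("VULN-09", 9.1, False, True),
    Vuln("VULN-10", 3.7, False, False),
    Vuln("VULN-11", 7.0, True, True),
    Vuln("VULN-12", 5.5, False, False),
]


if __name__ == "__main__":
    strategies = [
        ("CVSS 7+", cvss_at_least(7.0)),
        ("CVSS 8+", cvss_at_least(8.0)),
        ("exploit code public", exploit_code_published),
    ]
    for name, strategy in strategies:
        r = evaluate(SAMPLE, strategy)
        print(f"{name:20s} remediated={r.remediated:2d} "
              f"efficiency={r.efficiency:.2f} coverage={r.coverage:.2f}")
    print(f"random baseline      efficiency={base_rate(SAMPLE):.2f}")
```

Comparing a strategy's efficiency against `base_rate` is the "no better than random chance" test from the key findings: a rule whose efficiency sits near the population's exploited share is spending remediation effort no more wisely than a coin flip, regardless of how high its coverage is. On a real dataset the same function works unchanged once the `Vuln` records are filled from a CVSS feed plus exploit-code and in-the-wild observation sources.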

Data-driven research by Cyentia Institute for Kenna Security analyzing 94,597 CVEs and multiple external threat intelligence feeds.