Prioritization to Prediction, Vol. 2
Partner: Kenna Security
Building on the theoretical models of Volume 1, this report “gets real” by analyzing how vulnerability remediation actually occurs inside hundreds of production environments. We transition from studying CVEs in the abstract to measuring billions of instances across live assets. The result is a definitive look at the gap between what is published and what represents a “real and present” danger to the enterprise.
The problem space is smaller than it seems, but more complex at scale. Only one-third of published CVEs are ever observed in live environments, and just 5% are both present and known to be exploited. The report applies survival analysis to project remediation timelines, treating still-open vulnerabilities as censored observations rather than discarding them; on that basis the median time to close a vulnerability is 90 days.
Variation among organizations is extreme: while some firms remediate 50% of their vulnerabilities within a month, others take nearly a year. We also find that patches fixing multiple bugs look inefficient when scored per CVE, because they also close vulnerabilities nobody is exploiting, yet they sharply reduce the number of decisions defenders must make. This study serves as a benchmark for programs to measure their realized coverage (the share of exploited vulnerabilities they actually fix) and efficiency (the share of what they fix that is actually exploited).
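The survival-analysis point above matters in practice because the open vulnerabilities cannot simply be dropped from a time-to-remediate calculation. The following is an added illustration, not code or data from the Cyentia/Kenna report: a Kaplan-Meier estimator over a constructed set of observations, where a vulnerability still open at the observation date is right-censored (we know it survived at least that long, not when it will close). It also computes the naive median over closed vulnerabilities only, to show how that number is biased low.

```python
"""Kaplan-Meier time-to-remediate with right-censoring (added example,
not from the report). All observations below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnObservation:
    days: int      # days from discovery to close, or to the observation date if still open
    closed: bool   # True = remediated at `days`; False = still open (censored)


# Constructed sample: ten vulnerabilities, three still open when observed.
SAMPLE = [
    VulnObservation(10, True), VulnObservation(25, True), VulnObservation(40, True),
    VulnObservation(60, False), VulnObservation(75, True), VulnObservation(90, True),
    VulnObservation(120, True), VulnObservation(150, False), VulnObservation(200, True),
    VulnObservation(365, False),
]


def kaplan_meier(obs):
    """Return [(t, S(t))] at each distinct close time t.

    S(t) = product over close times t_i <= t of (1 - d_i / n_i), where
    d_i = vulns closed at t_i and n_i = vulns still at risk just before t_i.
    An open (censored) vuln stays in the at-risk set until its own `days`,
    which is what keeps the estimate honest about unclosed findings."""
    close_times = sorted({o.days for o in obs if o.closed})
    survival = 1.0
    curve = []
    for t in close_times:
        at_risk = sum(1 for o in obs if o.days >= t)
        closed_now = sum(1 for o in obs if o.closed and o.days == t)
        survival *= 1.0 - closed_now / at_risk
        curve.append((t, survival))
    return curve


def median_time_to_remediate(obs):
    """Smallest t with S(t) <= 0.5, or None if fewer than half ever close."""
    for t, s in kaplan_meier(obs):
        if s <= 0.5:
            return t
    return None


def naive_median(obs):
    """Median over closed vulns only: what you get by ignoring open ones.
    Biased low, because every not-yet-closed finding is silently excluded."""
    closed = sorted(o.days for o in obs if o.closed)
    n = len(closed)
    mid = n // 2
    return closed[mid] if n % 2 else (closed[mid - 1] + closed[mid]) / 2


if __name__ == "__main__":
    for t, s in kaplan_meier(SAMPLE):
        print(f"day {t:4d}: S(t) = {s:.3f}")
    print("KM median:", median_time_to_remediate(SAMPLE))
    print("naive median (closed only):", naive_median(SAMPLE))
```

On this constructed sample the Kaplan-Meier median is 90 days while the closed-only median is 75 days; the gap grows with the share of findings that stay open, which the report puts at 40% of everything observed.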
Key Findings
- The 5% Critical Core: Only 5% of all published vulnerabilities represent a real and present danger by being both observed in an enterprise and exploited.
- Pervasive Open Vulns: 40% of all vulnerabilities observed in enterprise networks remain open and unremediated today.
- Remediation Speed: Half of all discovered vulnerabilities take at least 90 days to be remediated, with 18% still open after a full year.
- The Scale of Exposure: Some individual CVEs were observed across a million or more unique assets each.
- Realized Efficiency: Organizations typically achieve 70% coverage of high-risk vulnerabilities (they fix about 70% of those that are exploited), but with an efficiency of just 16% (only about 16% of what they fix is exploited).
- The Multi-Bug Boost: Factoring multi-bug patches into remediation models can improve efficiency metrics by up to 50%.
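The coverage and efficiency findings above, and the multi-bug boost, come down to how the denominator is chosen. The following is an added illustration, not the report's own code or its exact scoring method. It uses the series' definitions (coverage = share of exploited vulnerabilities remediated; efficiency = share of remediated vulnerabilities that are exploited) and an assumed patch-level formulation of the multi-bug effect, in which an applied patch counts as an efficient decision if it closes at least one exploited CVE. CVE and patch identifiers are hypothetical placeholders, not real ones.

```python
"""Coverage and efficiency, per CVE and per patch (added example, not the
report's method). Inventory, CVE ids and patch ids are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str         # hypothetical identifier, not a real CVE
    exploited: bool  # known to be exploited in the wild
    patch: str       # hypothetical id of the vendor patch that fixes it


# Constructed inventory: KB-1 is a multi-bug patch fixing one exploited
# CVE plus three that are not exploited.
INVENTORY = [
    Vuln("CVE-A", True,  "KB-1"),
    Vuln("CVE-B", False, "KB-1"),
    Vuln("CVE-C", False, "KB-1"),
    Vuln("CVE-D", False, "KB-1"),
    Vuln("CVE-E", True,  "KB-2"),
    Vuln("CVE-F", False, "KB-3"),
    Vuln("CVE-G", True,  "KB-4"),
    Vuln("CVE-H", False, "KB-5"),
]


def apply_patches(inventory, patches):
    """Applying a patch closes every CVE it covers, exploited or not."""
    return {v.cve for v in inventory if v.patch in patches}


def coverage_efficiency(inventory, remediated_cves):
    """Per-CVE coverage (recall) and efficiency (precision)."""
    exploited = {v.cve for v in inventory if v.exploited}
    fixed = set(remediated_cves)
    hits = fixed & exploited
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(fixed) if fixed else 0.0
    return coverage, efficiency


def patch_level_efficiency(inventory, remediated_cves):
    """Assumed multi-bug formulation: share of applied patches that close
    at least one exploited CVE. One patch = one defender decision."""
    applied = {v.patch for v in inventory if v.cve in remediated_cves}
    useful = {v.patch for v in inventory if v.exploited and v.patch in applied}
    return len(useful) / len(applied) if applied else 0.0


if __name__ == "__main__":
    # A defender who patches only where something exploited is present.
    fixed = apply_patches(INVENTORY, {"KB-1", "KB-2"})
    cov, eff = coverage_efficiency(INVENTORY, fixed)
    print(f"per-CVE coverage={cov:.2f} efficiency={eff:.2f}")
    print(f"per-patch efficiency={patch_level_efficiency(INVENTORY, fixed):.2f}")
```

Applying KB-1 and KB-2 closes five CVEs, two of them exploited: per-CVE coverage is 2/3 and efficiency 0.40, because KB-1's three non-exploited CVEs count against the defender. Scored per patch, both applied patches closed something exploited, so efficiency is 1.0; those were two decisions, not five, which is the decision-space reduction the findings describe.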

Longitudinal study by Cyentia Institute of 3 billion vulnerabilities managed across 500+ organizations in the Kenna Security Platform.