Prioritization to Prediction, Vol. 5
Partner: Kenna Security
Vulnerability management is often asset-influenced, yet most research focuses purely on the vulnerabilities themselves. This fifth volume of the series shifts the focus to common asset platforms to help teams stay on target. By analyzing over 9 million active assets across nearly 450 organizations, we examine how the specific technical architecture of an environment dictates the success of risk reduction.
The analysis confirms that Microsoft Windows platforms dominate the enterprise, representing about half of all active assets and typically harboring 119 native and third-party vulnerabilities per month. This is four times the density of Macs and 30 times that of network appliances. While Windows systems are more vulnerable, they are also remediated the fastest, with a half-life of just 36 days compared to 369 days for appliances.
The data also provides a stark warning regarding legacy technology. Supported versions of Windows and Mac OS X reach a 70% remediation rate within two years, but 50% of vulnerabilities on unsupported platforms (like Windows XP or 2003) remain open indefinitely. This study provides the empirical evidence needed to justify tech refreshes and minimize the accumulation of “bloatware” on critical systems.
Key Findings
- Windows Vulnerability Density: Supported Windows assets typically harbor 119 native and third-party vulnerabilities per month, the highest density of any major category.
- The 36-Day Fix Rate: Windows systems exhibit the fastest remediation velocity with a vulnerability half-life of 36 days—10x faster than network appliances.
- Widespread High-Risk Footholds: 70% of Windows assets and 40% of Linux/Unix systems have at least one open vulnerability with a known exploit available.
- Unsupported Platform Decay: Over half of all vulnerabilities affecting legacy, unsupported Windows platforms remain unresolved for more than two years.
- The 41-Vendor Red Hat Load: Red Hat systems have the highest median number of unique software vendors per asset (41), leading to significantly higher risk density than other *nix assets.
- Net Capacity Success: Two-thirds of organizations are successfully gaining ground or maintaining their position against high-risk vulnerabilities for the majority of their assets.

Independent data science analysis of over 9 million active assets and associated scanner telemetry across nearly 450 organizations.