The Fast and the Frivolous
Partner: SecurityScorecard
In many ways, cybersecurity is a race against malicious adversaries, staffing gaps, and an ever-growing array of third parties. To determine if organizations are winning, this study analyzes a massive dataset from SecurityScorecard spanning 1.6 million organizations and billions of internet-exposed assets over a three-year period. The research establishes a definitive baseline for how quickly—or slowly—the global internet is actually closing its security holes.
The data reveals a systemic bottleneck: it typically takes organizations about a year to remediate half of the vulnerabilities in their internet-facing infrastructure. While firms with 10 or fewer open vulnerabilities can close half in about a month, that timeline stretches to a full year as soon as the list grows into the hundreds. This report rewards the reader with a clear-eyed look at the operational “speed limits” that currently prevent organizations from achieving rapid risk reduction.
Surprisingly, common industry assumptions about sector performance are often inverted in the data. The Utilities sector ranks among the fastest to remediate (median of 270 days), while the historically high-budget Finance sector is among the slowest at 426 days. This research provides the benchmarks necessary for third-party risk managers to reliably identify which partners across their portfolio are winning the race and which are falling behind.
Key Findings
- Universal Exposure Presence: 53% of the 1.6 million organizations assessed have at least one open vulnerability currently exposed to the internet.
- The Vulnerability “Iceberg”: A significant 22% of organizations with open exposures have amassed over 1,000 vulnerabilities each across their digital footprint.
- Fixed Performance Capacity: Organizations typically fix only about 10% of their vulnerabilities each month, regardless of the total volume present in their domain(s).
- Sector Speed Disparity: There is a 156-day gap in median remediation times between top-performing Utilities (270 days) and bottom-performing Finance firms (426 days).
- Exploitation Activity vs. Fix Rate: Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there is little evidence that organizations fix these exploited flaws faster.
- The “Win” Majority: About 60% of organizations are driving down the total number of vulnerabilities across their external assets over time.

Independent analysis of SecurityScorecard’s global telemetry spanning 1.6 million organizations and billions of internet-exposed assets from 2019 to 2022.