Published Reports

  • 2024 Navigating the Paths of Risk

    Traditional vulnerability management often leaves defenders drowning in endless lists of CVEs without the context needed to stop an actual attack. This third annual State of Exposure Management report from XM Cyber analyzes over 40 million exposures to shift the focus from individual assets to “attack paths.” The report rewards the reader by identifying the…

  • 2024 State of Software Security

    Security debt is no longer a localized problem; it is an endemic condition affecting the majority of the software landscape. This 14th edition of the State of Software Security deep-dives into Veracode’s 18 years of historical data to define and measure “security debt”—flaws that remain unremediated for longer than one year. The report rewards the…

  • Risk to the Nth-Party Degree

    If you’re only managing your third-party risk, you’re barely scratching the topsoil of your threat landscape. This comprehensive study of 50,000 business relationships uncovers the “small-world” phenomenon within the global supply chain, where almost every organization is connected to an 8th-party entity in just six hops. The report rewards the reader by revealing that the…

  • Multi-Source Analysis of Top MITRE ATT&CK Techniques

    The MITRE ATT&CK® matrix is the industry’s most valuable dictionary for adversary behavior, but vendor threat reports often read like a “tower of Babel,” with different vendors reporting widely different technique trends. This Cyentia-led meta-study analyzes 22 distinct public sources of ATT&CK statistics to find the consensus among them. The report rewards the reader by…

  • Prioritization to Prediction, Vol. 9

    The Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities” (KEV) catalog has become a primary driver for vulnerability prioritization across the public and private sectors. This ninth volume of the Prioritization to Prediction series subjects the KEV to rigorous statistical analysis to determine its role in a mature risk-based program. The report rewards the…

  • Ripples Across the ATT&CK Surface

    A modern organization’s security posture is no longer defined solely by its own perimeter; it is inextricably linked to the practices of its third-party partners and the broader supply chain. This third edition of the “Ripples” series analyzes multi-party security incidents—which we call “ripple events”—where a single breach propagates to impact dozens or hundreds of…

  • Balancing Third-Party Risk

    Organizations frequently operate under polarized assumptions regarding third-party risk—assuming either that their vendors are secure by default or that they are all liabilities waiting to explode. This research shatters those assumptions by investigating the equity of over 50,000 business-to-business relationships from a cybersecurity perspective. By comparing the security ratings and finding densities of sourcing firms against…

  • 2023 Navigating the Paths of Risk

    Security teams are currently drowning in a sea of 11,000 exploitable exposures per organization. Traditional vulnerability management, which treats each CVE as an isolated issue, fails to see how attackers combine vulnerabilities and misconfigurations to move laterally. This report analyzes over 60 million exposures to shift the focus from individual bugs to “attack paths” that…

  • The Evolving CVE Landscape

    As security professionals, we often live and die by the release cycle of individual vulnerabilities, yet the overall “topology” of the landscape is often a blur. Sponsored by F5 Labs, this report takes a retrospective view of the last 20 years of the Common Vulnerabilities and Exposures (CVE) process. The report rewards the reader by…