A modern open-plan office with large floor-to-ceiling windows and a group of diverse young professionals working collaboratively. Several people are seated at desks using desktop computers, while others are engaged in conversation or using laptops. The space is well-lit with natural light and features minimalist décor, ergonomic chairs, and carpeted flooring.

Vulnerable ≠ Exploitable

Horizon3.ai  |  September 19, 2021  |  Whitepapers

Fix What Matters NOW!

The Typical Approach – Points to Ponder

Pen testers, vulnerability scanners, and installed agents alert on potential vulnerabilities and breaches. You receive a list, or a notification, and you respond. Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?

You may be surprised to hear that a large majority of all vulnerabilities are un-exploitable. According to Kenna research, in 2020 only 2.7% of the vulnerabilities found appeared exploitable, and only 0.4% were ever observed being used in the wild1.

Verizon’s 2020 DBIR echoes this reality: vulnerabilities dominate security mind-share, yet only a sliver are ever leveraged in breaches. In its SIEM dataset, most organisations saw 2.5% or less of alerts tied to vulnerability exploitation2.

Traditional agent-based scanners and port-scans create too much noise, diverting attention from the issues that pose provable risk. Harvard Business Review once noted this overload helped attackers exfiltrate 40 million Target cards, persist for 60 days at Neiman Marcus, and stay undetected for two years at Sony3.

When Low-Risk Gets Prioritized Above Real Risk

The pile-up of low- or no-risk findings can actually weaken security posture: time is burned finding owners, scheduling downtime, patching, retesting—while critical flaws wait their turn.

So how do you know what must be fixed first?

Criticality = Exploitability × Impact

The hardest part of cybersecurity is deciding what not to do with limited resources. Spending scarce effort on weaknesses that cannot be exploited—or would have negligible business impact—is itself a risk.

Imagine a funnel diagram: a wide stack of CVEs narrows to the 2–3% that are empirically exploitable, then to the still-smaller set whose exploitation truly endangers the business.

Six Reasons a “Critical” Finding May Be Nothing of the Sort

  1. No exploit exists – there is simply none available.
  2. High complexity – multiple impractical conditions must align.
  3. Component not in use – the vulnerable code‐path never runs.
  4. Outdated ≠ exploitable – old software without a specific CVE isn’t automatically high risk.
  5. Not accessible – attackers cannot reach the vulnerable area.
  6. Network context – placement limits real-world impact.

Customer Profile: MSSP Pentest vs. NodeZero

The customer’s managed-service provider had just finished its annual pentest when Horizon3.ai’s NodeZero ran its automated assessment.

Assessment summary:

  • NodeZero assessed 3,644 hosts in 2.75 days
  • Delivered results within minutes
  • Found critical/high-impact findings across many hosts
  • Surfaced several additional exploitable risks like BlueKeep and EternalBlue
  • The MSSP scan hit ~600 hosts, took a week to run, and weeks to report
  • Nearly 80% of the MSSP’s “critical” findings were unexploitable or wildly impractical

Fixing 79% of those MSSP-flagged issues would have wasted precious time. NodeZero proved exploitability, linked business impact, and let defenders fix what matters.

A Future of Continuous Security Assessment

Over the last decade, the torrent of new CVEs has snowballed, creating defender fatigue and huge “craters” between annual pentest cycles. Continuous assessment lets you catch up, keep up, and stay ahead.

Catch Up

  • Accept that attackers may know more about your environment than you do.
  • Remember: Vulnerable ≠ exploitable.
  • Prioritize and fix only the findings that matter.

Keep Up

  • Verify and improve security controls, processes, and training.
  • Find + fix + verify what’s exploitable—continuously.
  • Embrace a Purple-Team culture where Red and Blue work together.

Stay Ahead of the Adversary

  • View your estate through the attacker’s eyes.
  • Pre-emptively close threat vectors before they’re abused.
  • Re-assess, verify remediation, and report results—without pause.

Proactive Security Goal: A continuous loop where you identify exploitable paths, validate fixes, prioritize by impact and effort, and report meaningful results to stakeholders—on demand.

Footnotes

[1] Kenna Security: Introducing Predictive Vulnerability Scoring
[2] Verizon: 2020 Data Breach Investigations Report
[3] Harvard Business Review: Why Our Best Defense Against Cyberthreats Is Not Technical

How can NodeZero help you?
Let our experts walk you through a demonstration of NodeZero®, so you can see how to put it to work for your organization.
Get a Demo
Share: