
Moving beyond vulnerability

Sylvain Cortes at Hackuity explains why vulnerability metrics are giving security teams a false sense of security


Modern security teams are under massive pressure.

 

As of early 2026, the number of Common Vulnerabilities and Exposures (CVE) entries listed in the National Vulnerability Database (NVD) had passed 330,000.

 

That sheer volume of potential security flaws is taking its toll on organisations. According to our research, 46% of organisations report that managing the rising number of vulnerabilities has placed additional strain on their security team’s resources.

 

Security operations centres (SOCs) have become swamped with alerts that analysts are expected to investigate and remediate, on the assumption that a single unaddressed vulnerability might be the difference between the organisation falling victim to ransomware or not.

 

Today, that approach is untenable. Given the volume of vulnerabilities, security teams cannot and should not patch everything. Turning every single stone over and examining it is unrealistic – particularly when many teams are inundated with false positives.

 

Striving to hit KPIs relating to vulnerability metrics such as patch counts might look good on dashboards, or sound good in meetings but, in reality, it can detract attention from what really matters – protecting the organisation from genuine risks and high severity threats.

 

A security team could patch 100 vulnerabilities. But if they leave the one that’s being actively exploited and poses the greatest threat until last, it will increase the likelihood that the organisation falls victim to an attack.

 

Beyond compliance and traditional vulnerability metrics

It is for this reason that firms must consider the business context to gain a true measure of their programme’s effectiveness.

 

Goodhart’s Law applies. It states that when a measure becomes a target, it ceases to be a good measure. In the case of vulnerability management, targeting a certain number of patches a day or average CVSS scores will likely drive activity rather than impact.

 

At the same time, prioritising quantity in vulnerability remediation can also compound the growing resource challenges facing security teams. Should the number of overall alerts become unmanageable, then security professionals may miss actual threats while responding to false alarms.

 

Hackuity’s findings reflect this. Indeed, 38% of security teams are concerned about burnout impacting vulnerability management, while 36% flag delayed incident response as a worry, and 33% fear missing critical alerts entirely.

 

This is the reality facing many SOCs today. Under-resourced analysts who are mentally and operationally exhausted from striving to hit vulnerability KPIs may be failing to address real risks at speed, while also becoming more likely to let threats slip through the cracks.

 

In response to the concerns surrounding missing alerts and burnout, security teams are upgrading tools and tightening oversight of management processes. However, operational and budget constraints remain significant barriers to such improvements on a widespread basis.

 

There’s also the issue of where vulnerability management fits in terms of strategic security priorities. Concerningly, 60% of respondents to our survey admitted that vulnerability management does not receive the same focus as other IT security projects – a lack of appreciation that’s reflected in strategy shortcomings. When addressing exposures, two in five (43%) organisations simply follow compliance-driven methods to vulnerability management because they are straightforward, measurable and mandated.

 

Compliance should be the baseline, not the end goal. Indeed, many firms still need to go the extra mile, prioritising a risk-based approach to vulnerability management that adds crucial context. Only with an understanding of those vulnerabilities that are exploitable in the wild, the business assets that could be exposed, and the potential impacts of exploitation can teams identify and respond to the most pressing threats.
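To make the risk-based triage described above concrete, here is an added example that is not Hackuity's or the author's code and is not the scoring formula of any product: a toy prioritiser run over a constructed backlog. The multipliers in risk_score, the 1 to 5 asset criticality scale, the effort estimates and the finding IDs (VULN-A, LOW-01 and so on, not real CVEs) are all assumptions chosen for illustration. What it shows is the point made earlier: given the same effort budget, a patch-count KPI and a CVSS-only ordering can both leave the actively exploited, internet-facing flaw on a critical asset unpatched, while a context-aware ordering fixes it first.

```python
"""Toy risk-based vulnerability triage (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One open vulnerability on one asset. IDs are constructed, not real CVEs."""
    vuln_id: str
    cvss: float             # base score, 0.0-10.0
    exploited: bool         # known exploited in the wild (KEV-style flag)
    internet_facing: bool   # reachable from the outside
    asset_criticality: int  # assumed scale: 1 (lab box) .. 5 (crown jewels)
    effort_hours: float     # estimated time to remediate


def risk_score(f: Finding) -> float:
    """Assumed weighting: severity x exploitability x exposure x impact.

    The multipliers are illustrative choices for this example, not a vendor's formula.
    """
    exploitability = 1.0 if f.exploited else 0.2
    exposure = 1.0 if f.internet_facing else 0.4
    impact = f.asset_criticality / 5
    return round(f.cvss * exploitability * exposure * impact, 2)


def prioritise(findings: List[Finding], strategy: str) -> List[Finding]:
    """Order the backlog according to the KPI the team is chasing."""
    if strategy == "count":   # maximise tickets closed: cheapest first
        return sorted(findings, key=lambda f: f.effort_hours)
    if strategy == "cvss":    # traditional severity-first
        return sorted(findings, key=lambda f: -f.cvss)
    if strategy == "risk":    # context-aware: exploited, exposed, critical first
        return sorted(findings, key=lambda f: -risk_score(f))
    raise ValueError(f"unknown strategy {strategy!r}")


def plan(findings: List[Finding], budget_hours: float, strategy: str) -> List[Finding]:
    """Greedily fill a fixed effort budget in priority order."""
    chosen, used = [], 0.0
    for f in prioritise(findings, strategy):
        if used + f.effort_hours <= budget_hours:
            chosen.append(f)
            used += f.effort_hours
    return chosen


def residual_risk(findings: List[Finding], chosen: List[Finding]) -> float:
    """Risk left on the table once the chosen items are fixed."""
    done = {f.vuln_id for f in chosen}
    return round(sum(risk_score(f) for f in findings if f.vuln_id not in done), 2)


def compare(findings: List[Finding], budget_hours: float) -> Dict[str, Tuple[int, float]]:
    """Patch count and residual risk for each strategy under the same budget."""
    return {
        s: (len(plan(findings, budget_hours, s)),
            residual_risk(findings, plan(findings, budget_hours, s)))
        for s in ("count", "cvss", "risk")
    }


# Constructed backlog: one actively exploited edge flaw on a crown-jewel asset,
# one "perfect 10" on a lab box, one exploited internal flaw, and ten cheap
# low-severity findings that are very easy to close.
FINDINGS = [
    Finding("VULN-A", 9.8, True, True, 5, 8.0),
    Finding("VULN-B", 10.0, False, False, 2, 2.0),
    Finding("VULN-C", 7.5, True, False, 4, 4.0),
] + [Finding(f"LOW-{i:02d}", 4.3, False, False, 1, 0.5) for i in range(1, 11)]


if __name__ == "__main__":
    for strategy, (count, left) in compare(FINDINGS, budget_hours=8).items():
        print(f"{strategy:>5}: {count:2d} patched, residual risk {left}")
```

With an eight-hour budget the count strategy closes 11 tickets and leaves a residual of 12.2, the CVSS strategy closes 6 and leaves 10.22, and the risk strategy closes a single ticket, VULN-A, and leaves 3.42. The plan that looks worst on a patch-count dashboard is the one that actually reduced exposure; the weights are arbitrary, but any scheme that ignores exploitation, exposure and asset value will reproduce the same inversion.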

 

Embracing automation and VOCs

Achieving this relies on automation, triaging events and streamlining workflows in a way that delivers measurable benefit.

 

Our research reflects this, showing that organisations with fully automated vulnerability management processes achieve significantly faster Mean Time to Remediation (MTTR) for critical vulnerabilities (3.5 weeks) compared to those without full automation (4.5 weeks). In addition, those firms that are not fully automated express greater concern about false positives and spending time where it's not needed than those with full automation.

 

Clearly, a risk-based approach to vulnerability management is critical if teams are to avoid both a false sense of security and a strategy underpinned by the wrong KPIs and metrics.

 

Whilst volume-based metrics may look reassuring, they don't reflect real-world exposure. They prioritise activity over impact and detract attention from addressing the very risks that are most likely to lead to breaches. Instead of patching everything, security teams should use context and insight to concentrate on what matters.

 

Here, establishing a vulnerability operations centre (VOC) can be invaluable, transforming vulnerability data into context-rich, risk-based decisions for SOCs to then action.

 

If organisations want to reduce real exposure, not just improve the numbers on a dashboard, then embracing risk‑based vulnerability management and building VOC capability isn’t optional. It’s the only path to genuine resilience. 
Sylvain Cortes is VP Strategy at Hackuity

 

Main image courtesy of iStockPhoto.com and amgun

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543