The State of Risk-Based Vulnerability Management in 2022

Apr 19, 2022
Ed Bellis
Chief Technology Officer, Co-founder


Once executives make an investment, they’re eager to see one particular metric: Return.  

In many cases, it’s a piece of hardware or software that needs to pay for itself by saving time, amplifying efforts, or even reducing risk to be a win for the company. Kenna Security customers bought into the risk-based vulnerability management (RBVM) strategy for their operations teams. It may sound like an abstract idea, but the return on investment for this strategy has proven itself year over year.   

We measure success by looking at four major metrics: remediation capacity, velocity, and a combined view of coverage and efficiency. Evaluating all four offers a thorough report card for a vulnerability management (VM) program and can show executives what they’ve gained. 

Let’s take a look at how Kenna customers performed over the past year.   


SOTU Chart

These charts show how organizations fare in remediating vulnerabilities over the course of a month. We’ve seen steady improvement over the past few years with organizations “keeping up,” meaning they are either treading water or improving their VM efforts. In last year’s State of the Union, we saw a 5% increase in those keeping up. This year, it’s up another 4%, but the success runs a bit deeper than that.  

We saw a 9% increase over last year in organizations improving their efforts. Both the group treading water and the group falling behind are shrinking, which is a great overall indicator of RBVM’s effect on security.  

Coverage & efficiency 

On this chart, each dot represents a different organization and tells you two things about its remediation efforts. Coverage is on the x-axis and shows the percentage of high-risk vulnerabilities an organization was able to remediate from its systems. On the y-axis, efficiency measures the ratio of high-risk vulnerabilities to not-so-high-risk vulnerabilities among those that were remediated.

While we're happy to report there are more dots (more customers) on this year's chart than last, the distribution looks roughly the same. It makes sense that the coverage and efficiency results held steady, because a larger data pool produces more stable results.

In general, we see customers start with efficiency in their RBVM efforts (to get more bang for their buck) so their dots rise each year on this chart, then shift to the right for improved coverage.  



Finally, let’s take a closer look at velocity by identifying milestones for both remediation and time. It’s important to note that the onus here isn’t solely on the organization. Velocity is largely affected by patch management and automation tools, so vendors play a big role, as well. 

Over the last couple of years, Kenna customers have gotten much faster in their remediation efforts (and so have vendors in their patching). Our first SOTU, in 2020, showed a vulnerability half-life—the time it takes to remediate 50% of an organization’s vulnerabilities—of 158 days. Last year, security teams were working at breakneck speed and cut that down to 27 days.  
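The four metrics discussed above (the monthly capacity classification, coverage, efficiency and the half-life), computed over a small constructed inventory as an added Python example. This is not Kenna's code; it assumes each vulnerability already carries a boolean high-risk flag and an open/close date.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vuln:
    vid: str
    high_risk: bool        # assumed: already scored against the org's risk threshold
    opened: date
    closed: Optional[date]  # None = still open at the end of the window


def capacity_status(vulns: List[Vuln], start: date, end: date) -> str:
    """Monthly capacity: compare vulns opened vs. closed inside the window."""
    opened = sum(start <= v.opened <= end for v in vulns)
    closed = sum(v.closed is not None and start <= v.closed <= end for v in vulns)
    if closed > opened:
        return "improving"          # "keeping up"
    if closed == opened:
        return "treading water"     # also "keeping up"
    return "falling behind"


def coverage(vulns: List[Vuln]) -> float:
    """Share of high-risk vulns that were remediated (x-axis of the chart)."""
    high = [v for v in vulns if v.high_risk]
    return sum(v.closed is not None for v in high) / len(high) if high else 0.0


def efficiency(vulns: List[Vuln]) -> float:
    """Share of remediated vulns that were high-risk (y-axis of the chart)."""
    done = [v for v in vulns if v.closed is not None]
    return sum(v.high_risk for v in done) / len(done) if done else 0.0


def half_life_days(vulns: List[Vuln]) -> Optional[int]:
    """Days until 50% of the whole set is remediated; None if not reached yet."""
    k = math.ceil(len(vulns) / 2)
    durations = sorted((v.closed - v.opened).days for v in vulns if v.closed)
    return durations[k - 1] if k and len(durations) >= k else None


WINDOW_START, WINDOW_END = date(2022, 1, 1), date(2022, 1, 31)
SAMPLE = [  # constructed sample inventory, not real customer data
    Vuln("V1", True, date(2022, 1, 3), date(2022, 1, 10)),
    Vuln("V2", True, date(2022, 1, 5), date(2022, 1, 12)),
    Vuln("V3", True, date(2021, 12, 20), None),   # backlog from before the window
    Vuln("V4", True, date(2022, 1, 8), date(2022, 1, 30)),
    Vuln("V5", False, date(2022, 1, 4), date(2022, 1, 6)),
    Vuln("V6", False, date(2022, 1, 9), None),
    Vuln("V7", False, date(2022, 1, 11), None),
    Vuln("V8", False, date(2022, 1, 15), None),
]
```

For SAMPLE this yields coverage 0.75, efficiency 0.75, a half-life of 22 days, and a "falling behind" capacity status (7 opened vs. 4 closed in January).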

This year we’re showing slightly slower results, but we also have a possible explanation.  

One of the findings in the seventh volume of our Prioritization to Prediction series was that two of the vendors with the most vulnerabilities—Google and Microsoft—also patch the quickest. It took roughly 22 days for organizations to remediate Google and Microsoft vulns as opposed to around 900 days for Linux and SAP software vulns. In 2021, Microsoft patched 883 bugs, fewer than it did in 2020. When one of the fastest and most frequent patchers is patching less, you’d expect overall velocity to take a bit of a hit.    

This all boils down to a pretty positive outlook for RBVM. We’re still seeing short-term gains in areas like capacity and have come a long way in others, like velocity. By looking through the lens of risk and targeting the most dangerous vulnerabilities, organizations are vastly improving their security and showing a return on investment several times over.  

To see how Kenna’s RBVM platform can help you reduce your risk, book a demo today. 

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.