Executive Summary

Prioritization to Prediction

Volume 2: Getting Real About Remediation

As a cybersecurity professional, you might ask yourself, “How are my peers managing risk in their own environments?”

External models are helpful for understanding cybersecurity, but gaining a view into the tactics and results employed by real companies can reveal valuable new insights.

New research from Kenna Security, in collaboration with the Cyentia Institute, takes a rare look at the vulnerability management strategies of leading enterprises, revealing how organizations are ignoring the majority of vulnerabilities while still improving security.

The research offers a real-life window into the environments of a dozen large companies. The findings are presented in Kenna’s new report, Prioritization to Prediction: Getting Real About Remediation.

Get Access to the Full Report

Key Finding

About one-third of all the published CVEs are ever seen in a live environment.

In fact, just 5% of published CVEs have known exploits developed against them and are observed in enterprise environments. Even that relatively small percentage of CVEs left a relatively large attack surface – over 544 million vulnerabilities with a known exploit were observed in this study. While this might seem like a large number, compared to the over three billion vulnerabilities observed in this study, this finding reinforces the need for organizations to prioritize remediation efforts.

Key Finding

Just one-third of vulnerabilities were remediated within 30 days of discovery, but that’s OK.

With Kenna’s predictive model, organizations can identify and focus on the riskiest vulnerabilities, improving operational efficiency and security. Despite the seemingly countless number of vulnerabilities in any organization’s environment, vulnerability management programs do matter and measurable improvements can be gained by making smarter remediation decisions.

Key Finding

Vulnerabilities impact a widely varying number of assets.

Just 3 percent of CVEs are observed across more than one million systems each. Eight percent of CVEs affected less than ten assets each. Understanding the distribution of vulnerabilities across the enterprise informs risk-based patching strategies, and is an important contributor to our understanding of the threat environment.

Key Finding

Organizations trade greater efficiency for the sake of greater security.

Organizations close 70 percent of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Choosing patches that fix more than one CVE are likely improving the efficiency and coverage of many organizations.

Organizations also appear to have the resources to remediate the vulnerabilities that pose the greatest immediate risk. Ultimately, it comes down to implementing remediation strategies that optimize resources to tackle all of the 544M high risk vulnerabilities first, moving on to the 2.9 billion lower risk ones afterwards.


In an ideal world, security teams would patch every vulnerability as soon as it was discovered. But that isn’t possible. There are more vulnerabilities than there are people, tools, and processes to fix them. Effective vulnerability management comes down to the ability to prioritize which threats present the most danger, and tackling those first.

Prioritization to Prediction: Getting Real About Remediation provides a rare window into the strategies of real companies tackling today’s cybersecurity challenges. The report compares the efforts of these companies, and begins to show how variations in vulnerability management strategies really do matter. A real, measurable improvement can be gained by making smarter remediation decisions, surpassing those of other commonly-used remediation strategies.

To learn more, please download the full report.