Executive Summary

Prioritization to Prediction

Volume 5: In Search of Assets at Risk

Answering the timeless question, “what is the risk profile of the devices in my infrastructure?”

The neverending struggle to eliminate organizational risk is a multi-faceted challenge that requires deep insights grounded in data. Building on our body of research, Kenna Security and the Cyentia Institute have led the charge in applying data science to the vulnerability landscape in an effort to guide better technology, strategies, and decision making.

Prioritization to Prediction, Volume 5: In Search of Assets at Risk applies this approach to the various devices and underlying software that comprise the modern enterprise IT infrastructure to reveal for the first time, how vulnerable device categories are and understand how successful vendor and enterprise remediation efforts are in practice. 

Get Access to the Full Report


There is a massive range of devices being scanned in today’s technology-driven business.

  • The typical organization manages vulnerabilities across about 800 active assets, but 10% manage over 35,000. The full range of assets per firm extends from less than 10 to over 1M.


Windows dominates business

  • Windows dominates business and enterprises are fast at fixing these vulnerabilities, remediating half of all Windows vulnerabilities in 36 days. But the average Windows platform has 119 vulnerabilities detected in any given month, and 70% of Windows systems have at least 1 open vulnerability with known exploits.


Microsoft also has the highest percentage of closed high-risk vulnerabilities

  • Microsoft also has the highest percentage of closed high-risk vulnerabilities at 83%, followed closely by Apple OSX, with linux/unix, and network appliances/IoT devices lagging behind.


Vendor-led patching and updating impacts remediation velocity

  • Vendor-led automated patching and update programs have a major positive impact on remediation velocity, capacity, and overall performance. Microsoft is leading the charge here essentially multiplying the security and IT workforce of organizations leveraging these programs.


Fewer vulnerabilities do not necessarily mean a device is more secure.


In a world where a single high-risk vulnerability can have catastrophic consequences, effective patch prioritization and speed are the keys to security regardless of the type of device or software it sits on. Success requires us all to carefully consider all aspects of the risk equation. 


To learn more, please download the full report.

Catch up on our prior volumes:

Prioritization to Prediction, Volume 1: Analyzing Vulnerability Remediation Strategies

Prioritization to Prediction, Volume 2: Getting Real About Remediation

Prioritization to Prediction, Volume 3: Winning the Remediation Race

Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation



Prioritization to Prediction, Volume 5: In Search of Assets at Risk looks at vulnerabilities through the lens of devices to help enterprises better understand and make data-driven decisions that can meaningfully increase the security of your technology infrastructure.