Vulnerability Management Has a Clarity Problem, Not a Visibility Problem

In recent years, the security industry has treated visibility as the fix for vulnerability management. If teams could just see more—scan more assets, collect more signals, correlate more data—the rest would sort itself out.

That part mostly worked. Most enterprises now have no shortage of vulnerability data. What they still lack is confidence. They know weaknesses exist. However, they struggle to answer a much more important question: which of these can actually be used against us, right now?

“Most organizations don’t fail at vulnerability management because they’re unaware of their risks,” said Den Jones, founder and CEO of 909Cyber. “They fail because they can’t tell which issues are actually exploitable fast enough to act. Security teams are buried in findings, and without context, prioritization turns into educated guessing. The real challenge now is shortening the distance between knowing something exists and knowing it matters.”

Breaches don’t happen because organizations didn’t run enough scans. They happen because known issues didn’t get acted on in time—or because teams couldn’t tell which findings mattered before attackers did.

The Timeline Keeps Getting Shorter

One reason this problem is getting harder is that defenders are running out of time. The gap between vulnerability disclosure and active exploitation has been shrinking for years, and there’s little reason to expect that trend to reverse.

Attackers move fast because they can. Automation lowers the cost of reconnaissance and exploitation. In addition, AI-assisted tooling is starting to compress timelines even further. Meanwhile, defenders are still bound by change windows, ticket queues, ownership debates, and the reality that not everything can be patched immediately without breaking something important.

That mismatch matters. Even when teams know a vulnerability exists, validating whether it’s exploitable in their specific environment can take longer than the window attackers need.

From Counting Vulnerabilities to Understanding Exposure

This is why the conversation is shifting from vulnerability counts to exposure. A critical CVE doesn’t mean much on its own. Years ago—back in the days before CrowdStrike—George Kurtz helped sharpen my thinking on this point. He explained that a “critical” rating is, by necessity, a somewhat subjective label. A vendor may be right that a vulnerability can have catastrophic impact if exploited. However, whether it’s actually critical for a specific organization depends on a long list of factors that have nothing to do with the CVSS score.

What matters is whether the vulnerability is reachable, whether it can be chained with other weaknesses, and whether existing controls actually block the attack path. Context changes everything.

In practice, some high-severity findings turn out to be dead ends once real-world conditions are applied. Others that look less alarming on paper become far more dangerous when identity relationships, misconfigurations, or unintended access paths enter the picture. Traditional vulnerability management programs were never designed to reason through that context continuously, at scale. Moreover, that gap is becoming harder to ignore as timelines compress.

CTEM Helps Frame the Problem—Execution Is Still the Hard Part

Gartner’s Continuous Threat Exposure Management framework reflects this shift in thinking. CTEM pushes organizations to treat exposure reduction as an ongoing process tied to business risk, not a periodic clean-up exercise driven by scan results.

That framing is useful. But CTEM is not a solution by itself. It doesn’t validate exploitability, resolve ownership questions, or make remediation any faster. Those challenges still fall on teams that are already stretched thin.

Why Exploitability Validation Is Gaining Attention

To close that gap, security teams and vendors are putting more emphasis on exploitability validation—understanding whether a vulnerability can realistically be used in a given environment.

The goal isn’t perfect certainty. It’s speed and confidence. Teams want to know whether a finding is actionable now or something that can safely wait. Without that clarity, prioritization becomes guesswork, and guesswork doesn’t hold up when timelines are measured in days instead of months.
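The two sections above make the same argument from different angles: a CVSS score is a starting point, and what decides urgency is reachability, exploit evidence, asset value, and whether an existing control already cuts the path. The following added example (not code from the article or from any vendor it names) shows a small contextual triage pass over constructed findings, with an explanation list per finding so the ranking can be audited afterwards. The weights, thresholds, asset names and finding identifiers are all assumptions chosen for illustration.

```python
"""Contextual exposure triage.

Added example (not from the article or any vendor it names): ranks vulnerability
findings by exploitability in context rather than by CVSS score alone. Every
finding, asset name and identifier below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# How much of the attack surface a finding actually touches. Assumed weights.
REACH_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.1}

# Evidence that the weakness can realistically be used. Assumed weights.
EXPLOIT_WEIGHT = {"known_exploited": 1.0, "public_exploit": 0.8, "none": 0.5}

# A compensating control that already cuts the attack path keeps the finding
# on the books but sharply reduces its urgency. Assumed factor.
CONTROL_FACTOR = 0.2


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # vendor severity, 0-10
    reachability: str           # "internet", "internal" or "isolated"
    known_exploited: bool       # reported as exploited in the wild
    public_exploit: bool        # working exploit code is publicly available
    control_blocks_path: bool   # a compensating control already blocks the path
    asset_criticality: int      # 1 (low) .. 3 (business-critical)


def exploit_evidence(f: Finding) -> str:
    """Strongest available evidence that the finding is usable in practice."""
    if f.known_exploited:
        return "known_exploited"
    if f.public_exploit:
        return "public_exploit"
    return "none"


def exposure_score(f: Finding) -> float:
    """Contextual score on a 0-10 scale. CVSS is only the starting point."""
    score = f.cvss / 10.0
    score *= REACH_WEIGHT[f.reachability]
    score *= f.asset_criticality / 3.0
    score *= EXPLOIT_WEIGHT[exploit_evidence(f)]
    if f.control_blocks_path:
        score *= CONTROL_FACTOR
    return round(score * 10.0, 2)


def explain(f: Finding) -> list[str]:
    """Human-readable reasons, so the ranking can be audited later."""
    reasons = [
        f"CVSS {f.cvss}",
        f"reachable from {f.reachability}",
        f"exploit evidence: {exploit_evidence(f)}",
        f"asset criticality {f.asset_criticality}/3",
    ]
    if f.control_blocks_path:
        reasons.append("compensating control already blocks the path")
    return reasons


def recommend_action(score: float) -> str:
    """Assumed thresholds mapping the score to a remediation lane."""
    if score >= 7.0:
        return "fix now"        # emergency change, ahead of the patch cycle
    if score >= 3.0:
        return "schedule"       # next planned patch window
    return "monitor"            # revisit when reachability or evidence changes


def triage(findings: list[Finding]) -> list[tuple[float, Finding]]:
    """Return (score, finding) pairs, highest contextual exposure first."""
    return sorted(((exposure_score(f), f) for f in findings),
                  key=lambda pair: pair[0], reverse=True)


# Constructed sample findings. Note that the CVSS 9.8 item is on an isolated
# build host with no exploit evidence, while the CVSS 6.5 item is on an
# internal database that is actively being exploited elsewhere.
SAMPLE_FINDINGS = [
    Finding("A", "build-agent-07", 9.8, "isolated", False, False, False, 2),
    Finding("B", "customer-portal", 7.5, "internet", True, True, False, 3),
    Finding("C", "partner-api-gw", 8.1, "internet", False, True, True, 3),
    Finding("D", "hr-db-primary", 6.5, "internal", True, True, False, 3),
]

if __name__ == "__main__":
    for score, f in triage(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:16} score={score:5.2f} -> {recommend_action(score)}")
        for reason in explain(f):
            print("    -", reason)
```

Run as written, the CVSS 9.8 finding ranks last and the 6.5 finding ranks second, which is the point: once reachability, exploit evidence and controls are applied, the vendor rating and the organization's actual exposure can disagree in both directions. The explanation list is what makes such a decision defensible in a later review, whether the ranking was produced by a script like this or by an automated agent.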

Patching Isn’t Always the First—or Fastest—Answer

Patching remains critical, but it’s not always the fastest way to reduce risk. In many environments, the quickest path to safety is a compensating control: a configuration change, a policy update, or a restriction that cuts off an attack path while a proper fix works its way through the patch cycle.

That approach comes with trade-offs. Changes made in haste can cause outages or unintended consequences if they aren’t carefully managed. The challenge is finding ways to apply mitigations quickly without introducing new operational risk.

Automation Enters the Equation, Carefully

These pressures have fueled interest in automation, including so-called agentic models that aim to investigate findings, apply context, and recommend actions with limited human involvement.

Supporters see these systems as a way to scale analyst-level reasoning without burning out teams. Critics worry about overreach—automation that moves faster than governance, or decisions that can’t be explained after the fact. Both concerns are valid. The technology is promising, but trust is earned through evidence, not ambition.

One Example of How Vendors Are Responding

Richard Stiennon, chief research analyst at IT-Harvest, shared, “A vulnerability by any other name is still a vulnerability. It was inevitable that vulnerability management would be addressed by AI which is good at tedious, repetitive tasks.”

Dux, a startup that recently emerged from stealth with a $9 million seed round, is one example of how vendors are trying to address these challenges. The company says its platform uses agentic AI to analyze exposure continuously, assess exploitability in context, and suggest mitigations when appropriate.

Dux argues that many scanner findings are not exploitable once real-world conditions are applied, and that automation can help teams focus their limited time on the issues that actually matter. Those claims align with broader industry sentiment, but like any approach in this space, their value will ultimately be determined by outcomes, not positioning.

Dux represents a growing category of tools attempting to operationalize exposure management concepts with deeper automation and reasoning. Whether these approaches become foundational will depend on how well they balance speed, accuracy, and operational safety.

What Matters Going Forward

As exposure management evolves, the signal to watch isn’t how loudly vendors talk about AI. It’s whether teams can show measurable reductions in exploitable risk, whether automated decisions are transparent and auditable, and whether remediation fits cleanly into how organizations actually operate.

The core problem hasn’t changed. Security teams still need to turn knowledge into action before attackers do. What’s changed is how little time they have—and how unforgiving the consequences are when clarity arrives too late.
