
The Fallacy of Arbitrary Severity Scales

Shahar Peled

March 17, 2025


Backlogs are packed with vulnerabilities, each clamoring for attention with an assigned severity score of low, medium, high, or critical. Those four labels have, to date, been the backbone of defensive security strategies.

Today’s security tools operate on a foundation of arbitrary metrics. Vulnerabilities are categorized on severity scales built from a fixed set of metrics that omit the data points that actually determine risk: proof of exploitability, potential business impact, the unique technological and organizational context, probability of exploitation, complexity of exploitation, ease of remediation and more. It’s no wonder security teams drown in a sea of “high” and “critical” issues, unable to distinguish real threats from noise.

Yet these labels often obscure more than they reveal. On this arbitrary scale of neatly categorized vulnerabilities, the most critical question of all is left unanswered: which vulnerabilities truly deserve our immediate attention?


The Holy Grail of Cybersecurity Needs a Reset

Consider a common scenario: tools in application security, cloud security, endpoint protection and more churn out millions of vulnerabilities, thousands of which are labeled “high” or “critical.” It is as if every item in Eisenhower’s Urgent-Important matrix were placed in the same quadrant, requiring equal attention and demanding the same urgency, which makes the task impossible and unmanageable over time and at scale.

The irony is that many of these are neither exploitable nor impactful. Security teams end up on wild goose chases after unexploitable vulnerabilities rather than mitigating real risks.

Other plagues, such as false positives and duplicate findings, sit on top of this and exacerbate the problem.

A recent conversation with the CISO of a Fortune 500 company highlighted this gap. After discovering a critical authentication vulnerability, I asked how it would be prioritized. The response was telling: It would simply join the backlog of hundreds of other critical issues.

My argument was simple: A verified, exploitable vulnerability cannot hold the same weight as one labeled critical without proof. Yet, the tools in use today fail to make any significant differentiation. I can’t say that an exploitable vulnerability should have a higher severity scale, but it most likely should be prioritized above a similar severity vulnerability with no validation and proof of exploitability.

Severity Scoring is Outdated

To date, CVSS (the Common Vulnerability Scoring System) has been based on a few groups of metrics: Base, Temporal, and Environmental. Without diving too deeply, since there are many good posts on this topic, these groups set thresholds for attack vector, attack complexity, privileges required, user interaction, scope, maturity of exploit code and security requirements, among others, which are weighted to derive a score for a discovered vulnerability.

While this was an excellent system built for local, single machines running a single programming language, the model struggles to remain relevant and applicable in modern, distributed systems at cloud fleet scale.

A Call for Smarter Prioritization

This is where proactive offensive security services like pen testing and red teaming step in. By mimicking an attacker’s perspective, these approaches can exploit vulnerabilities and provide proof of exploitability. While they, too, more often than not, lack the needed business context, their ability to validate vulnerabilities with real-world testing adds a vital data point to the prioritization arguments.

A good solution does not call for eliminating severity scales; it calls for revolutionizing how they are applied and re-evaluating how vulnerabilities are ultimately categorized, so that the categories align with today’s risks. Vulnerabilities must be evaluated with a fresh lens, one that integrates proof of exploitability, business impact, unique context and the probability of exploitation.

By incorporating these factors, security teams can assign a new kind of risk score, one rooted in reality rather than arbitrary thresholds. Given the diversity of stacks, polyglot development environments and the multiverse of clouds, today’s scoring methods make it impossible not to be inundated with a constant barrage of high and critical vulnerabilities across the entire system. Imagine a world where validated vulnerabilities are given higher priority, where teams are no longer buried under unverified noise but empowered to focus on what truly matters. This is not science fiction; it is possible. But such an approach demands a shift in mindset: rejecting the status quo and embracing a smarter, context-driven model of prioritization.
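As an added illustration, not the author’s method or any product’s scoring, here is a small Python model of the prioritization this post argues for. The CVSS label stays exactly as the scanner reported it, while a separate priority score folds in proof of exploitability, the asset’s business impact and an estimated probability of exploitation, and duplicate findings are dropped before ranking. The weighting formula, the field names and the sample backlog are assumptions constructed for this example; the qualitative CVSS v3 rating bands are the standard ones.

```python
"""Context-aware vulnerability prioritization (illustrative; weighting is assumed)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    cvss_base: float            # scanner-reported CVSS base score, 0.0 to 10.0
    validated: bool             # True when a pentest/red team produced proof of exploitability
    exploit_probability: float  # estimated likelihood of exploitation in the wild, 0.0 to 1.0
    business_impact: int        # asset owner's rating, 1 (trivial) to 5 (crown jewels)
    duplicate_of: Optional[str] = None  # id of an earlier finding this one repeats


def severity_label(cvss_base: float) -> str:
    """Qualitative CVSS v3 rating. Prioritization never rewrites this label."""
    if cvss_base >= 9.0:
        return "Critical"
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    if cvss_base > 0.0:
        return "Low"
    return "None"


def risk_score(f: Finding) -> float:
    """Priority score in [0, 100]: severity * business impact * probability.

    Assumed formula, not a standard. A validated exploit sets probability to 1.0,
    because proof of exploitability replaces the estimate.
    """
    severity = f.cvss_base / 10.0
    impact = f.business_impact / 5.0
    probability = 1.0 if f.validated else f.exploit_probability
    return round(100.0 * severity * impact * probability, 1)


def prioritize(findings):
    """Return findings ordered by risk score with duplicates removed.

    Ties break on raw CVSS, then on id, so the ordering is deterministic.
    """
    unique = [f for f in findings if f.duplicate_of is None]
    return sorted(unique, key=lambda f: (-risk_score(f), -f.cvss_base, f.id))


# Constructed sample backlog: several share the "Critical" label but carry very different risk.
SAMPLE_BACKLOG = [
    Finding("V-1", "SQL injection in billing API", 9.8, True, 0.60, 5),
    Finding("V-2", "Outdated library in internal reporting tool", 9.8, False, 0.02, 2),
    Finding("V-3", "Auth bypass on admin portal", 8.1, True, 0.30, 5),
    Finding("V-4", "Unconfirmed RCE in throwaway staging sandbox", 9.8, False, 0.50, 1),
    Finding("V-5", "SQL injection in billing API (rescan)", 9.8, True, 0.60, 5, duplicate_of="V-1"),
    Finding("V-6", "Reflected XSS on marketing site", 6.1, True, 0.40, 2),
]


def ranked_ids(findings=SAMPLE_BACKLOG):
    """Ids in remediation order, for the sample backlog by default."""
    return [f.id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_BACKLOG):
        print(f"{f.id:4} {severity_label(f.cvss_base):8} risk={risk_score(f):5.1f} "
              f"validated={str(f.validated):5} {f.title}")
```

Running it ranks the validated billing-API injection first and pushes the unvalidated, low-impact “Critical” items (V-2, V-4) to the bottom, while the validated “Medium” XSS on a customer-facing site lands above them. The severity labels are unchanged throughout; only the order of work changes, which is the distinction the post draws between severity and priority.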

The Opportunity Ahead

Security no longer has the luxury of lagging behind other technology domains. Attackers are evolving and growing more sophisticated at the pace of modern tooling, finding novel malicious applications for new technologies as soon as those technologies enter their arsenal.

Emerging technologies in offensive security offer an unprecedented opportunity to recalibrate our approach and are poised to deliver a more holistic and contextual view of an organization from an attacker’s point of view.

Placing the focus on attempting to exploit the vulnerabilities with real business impact gives us a far more accurate understanding of risk across the entire attack surface.

This promising new generation of pentesting and red teaming solutions is where we can achieve both proof of exploitability and the full context needed to assign a severity scale. But as with every technological evolution, it is never a tooling shift alone; it will also require a cultural shift.

As these tools mature and integrate with the broader security ecosystem, the potential to transform security posture and backlog management becomes tangible. It also requires that security practitioners demand proof, context and validation before accepting an assigned severity and requiring remediation.

We’ve reached a dystopian point in our security practice with staggering numbers of unmanageable vulnerabilities that are constantly growing with no clear standardized system for how to prioritize and remediate them. The holy grail isn’t a flood of remediations, it’s clarity amidst this chaos.

Let’s unlock a future with a smarter approach to security management.

It’s time to challenge the norms.

Let’s assign severity where it belongs, not based on arbitrary scales but on a foundation of proof and context. Only then can we navigate the complexities of modern cybersecurity with confidence and precision.

Originally posted on Security Boulevard, March 6th, 2025.
