Vulnerability management has long been a staple of modern cyber security strategies. But as HD Moore, founder of the Metasploit Project and CEO of runZero, made clear in our recent Secon Cyber webinar, the industry’s traditional approach is no longer fit for purpose.
In an era where attackers move faster than most tools can respond, and where the majority of assets in a typical organisation are either unknown, unmanaged, or unscannable, it is time to re-evaluate how we understand and prioritise exposure.
Here are the key takeaways from the session.
The Core Problem with Vulnerability Management: Incomplete Visibility and False Confidence
Despite decades of investment in vulnerability scanning tools, many organisations are operating under a false sense of security. HD Moore highlighted several critical failings in the legacy vulnerability management approach:
- A significant proportion of assets, up to 25%, remain completely unknown to security and IT teams.
- Over 60% of assets cannot support authenticated scanning due to their configuration, management model, or placement within the network.
- 90% of vulnerability checks require agents or credentials, limiting their effectiveness across fragmented infrastructures.
Most importantly, even when scans succeed, they often generate overwhelming volumes of alerts, many of which lack context or prioritisation. Meanwhile, the most dangerous exposures frequently go undetected altogether.
The Flawed Dependence on CVEs
One of the most striking insights from the webinar was the extent to which current models depend on CVE (Common Vulnerabilities and Exposures) identifiers and CVSS scores to prioritise risk. HD presented several challenges with this approach:
- Many high-risk exposures, such as default credentials, unsupported systems, or misconfigurations, are not assigned CVEs.
- The average time from discovery to CVE assignment is approximately 23 days. During this window, attackers often exploit the gap.
- Relying on KEV (Known Exploited Vulnerabilities) data as a prioritisation signal is inherently reactive. By the time a CVE appears in KEV, real-world exploitation is already well underway.
The result is a strategy that is both incomplete and lagging behind the pace of real threats.
Visibility First: A New Model for Vulnerability Management and Modern Risk
Rather than continuing to build on outdated assumptions, Moore advocated for a model that places asset visibility and technology exposure at the centre of vulnerability management.
This approach involves:
1. Comprehensive Discovery
The foundation of effective exposure management is knowing what you have. Solutions such as runZero enable deep, unauthenticated asset discovery across internal, external, IT, OT, cloud, and mobile environments, without agents or credentials. This helps uncover shadow IT, vendor-managed systems, and devices missed by traditional scanners.
2. Technology-Based Risk Identification
Instead of waiting for CVE data to become available, a technology-first approach enables organisations to detect exposure the moment a vulnerability is announced. By identifying the presence of specific software or hardware, even before patch guidance is available, security teams can act more quickly and decisively.
3. Contextual Prioritisation
Once assets are identified, real-world context becomes key. Is the asset externally exposed? Does it lack EDR coverage? Is it end-of-life? By applying these factors, organisations can prioritise based on actual risk rather than theoretical scores.
4. A Combined Strategy
HD recommends combining traditional bottom-up scanning (useful for hygiene and compliance) with top-down, exposure-led prioritisation. This dual approach helps bridge the gap between patch management and real-world attack surface reduction.
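To make the four steps above concrete, here is a small added example (written for this summary, not code from the webinar, runZero, or Secon) that models a visibility-first workflow over a constructed inventory: assets are matched against technology exposures by product and version rather than by CVE identifier (so an issue with no CVE, such as default credentials, still surfaces), and findings are ranked by the contextual factors named above (internet exposure, missing EDR coverage, end-of-life status, and whether the asset was known at all) instead of a CVSS score. All asset names, product names, versions and weights are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    product: str            # product name as an unauthenticated fingerprint reports it
    version: str            # "" when the fingerprint could not determine a version
    internet_facing: bool
    edr_covered: bool
    end_of_life: bool
    managed: bool           # False models a device unknown to IT ("shadow IT")


@dataclass(frozen=True)
class TechExposure:
    product: str
    max_affected: str       # highest affected version (inclusive); "" means every version
    note: str
    cve: Optional[str] = None   # often None: not yet assigned, or never will be


def parse_version(text: str) -> tuple:
    """Turn '9.1.3' into (9, 1, 3); non-numeric characters are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def is_affected(asset: Asset, exposure: TechExposure) -> bool:
    """Technology match on product, then version bound.
    An asset whose version is unknown is treated as affected (conservative)."""
    if asset.product.lower() != exposure.product.lower():
        return False
    if exposure.max_affected == "" or asset.version == "":
        return True
    return parse_version(asset.version) <= parse_version(exposure.max_affected)


def context_score(asset: Asset) -> int:
    """Rank by real-world context, not CVSS. Each factor adds weight;
    the weights themselves are assumptions, not values from the webinar."""
    score = 1
    if asset.internet_facing:
        score += 4
    if not asset.edr_covered:
        score += 2
    if asset.end_of_life:
        score += 2
    if not asset.managed:
        score += 1
    return score


def prioritise(assets, exposures):
    """Return (score, asset name, exposure note) for each affected pair, highest score first."""
    findings = []
    for asset in assets:
        for exposure in exposures:
            if is_affected(asset, exposure):
                findings.append((context_score(asset), asset.name, exposure.note))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


# Constructed inventory: what a discovery pass might report (assumed data).
INVENTORY = [
    Asset("vpn-edge-01", "ExampleVPN", "9.1.3", True, False, False, True),
    Asset("vpn-lab-02", "ExampleVPN", "", False, False, True, False),
    Asset("vpn-edge-03", "ExampleVPN", "9.2.0", True, False, False, True),
    Asset("ws-0417", "ExampleOS Desktop", "22.04", False, True, False, True),
    Asset("mfp-lobby", "ExamplePrinter", "3.0", False, False, True, False),
]

# Constructed exposures keyed on technology, not CVE (assumed data).
EXPOSURES = [
    TechExposure("ExampleVPN", "9.1.9", "vendor advisory: pre-auth bug, no CVE yet"),
    TechExposure("ExamplePrinter", "", "ships with default admin credentials (no CVE)"),
]


if __name__ == "__main__":
    for score, name, note in prioritise(INVENTORY, EXPOSURES):
        print(f"{score:2d}  {name:<12} {note}")
```

Running it lists the internet-facing VPN appliance first, then the unmanaged printer with default credentials and the lab VPN whose version could not be fingerprinted; the patched appliance and the EDR-covered workstation produce no findings. The unknown-version case is deliberately treated as affected, which is the practical answer when most assets cannot be scanned with credentials.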
Real-World Lessons from Recent Exploits
To illustrate the impact of these limitations, HD shared a review of how leading vulnerability management vendors responded to recent high-profile vulnerabilities. These included issues affecting VPNs, firewalls, and security appliances.
The findings were sobering:
- Many vendors failed to deliver unauthenticated detection in a timely manner, or at all.
- Free and open-source tools outperformed commercial platforms in responsiveness and coverage in several cases.
- Detection often depended on configurations not enabled by default, or available only through premium subscriptions.
The conclusion was clear: tools built to operate in ideal conditions struggle in real-world environments, where visibility is fragmented and speed is critical.
What You Can Do Next
If this session challenged your current assumptions, you are not alone. Many organisations are now rethinking their approach to vulnerability management, and moving towards visibility-first strategies that drive real results.
Now it’s your turn.
- Explore your own environment with a free trial of runZero. Quickly identify unmanaged, unknown, or misconfigured assets, without agents or credentials.
- Or speak to Secon. Whether you need help understanding your current exposure, modernising your approach, or selecting the right tools, we’re here to support you with expert, practical guidance.
Clarity starts with action. Let’s find what matters, together.