The Vulnerability Management Crisis
This podcast episode challenges fundamental assumptions about vulnerability management, featuring Robert "RSnake" Hansen discussing his evidence-based research into what actually drives security losses. Hansen reports that fewer than 10% of the 329,000+ CVEs in existence lead to measurable business losses, and that CISA's Known Exploited Vulnerabilities (KEV) catalog contains only about 1,300 entries, well under half a percent of all CVEs. The conversation explores why organizations continue to treat vulnerability management and patch management as interchangeable practices, even though completionist patching spends resources on vulnerabilities that adversaries never exploit. Hansen argues that the usual prioritization inputs, CVSS base scores and EPSS predictions, are poorly aligned with adversarial behavior: a CVSS base score rates theoretical severity, not whether anyone is actually exploiting the flaw, so organizations end up focused on theoretical risk while missing the vulnerabilities being weaponized in the wild.
Where Adversaries Actually Attack
The discussion surfaces critical patterns in how breaches actually occur: 40-50% of all losses stem from remotely exploitable CVEs in perimeter security devices, the very tools meant to protect organizations. Hansen explains that cyber insurers have identified exposed management interfaces on firewalls, VPNs, and other perimeter devices as the primary attack vector, and that multi-factor authentication is one of the few controls that demonstrably reduces losses; the practical corollary is to keep management interfaces off the internet and to put whatever remote administration remains behind MFA. Web application security, despite decades of investment and attention, shows virtually no correlation with business losses in actuarial data, which Hansen reads as a sign that the industry hardened this domain to the point where adversaries shifted to easier targets. The conversation also addresses the attribution problem: DFIR teams can identify the initial access vector in only 10% of non-ransomware cases, a gap in logging and forensic capability that both limits incident response and caps how precise any actuarial model of loss can be.
Moving Toward Evidence-Based Prioritization
Hansen introduces his company RID Evidence's approach to vulnerability management, which focuses on providing comprehensive intelligence rather than prescriptive prioritization. The methodology aggregates data from multiple vulnerability databases maintained in different countries (which score the same CVEs differently), combines it with actuarial data from cyber insurers and DFIR teams, and presents organizations with the evidence to make decisions grounded in their own business context. This is a philosophical shift from telling organizations what to fix to giving them data about what adversaries are actually exploiting, what is leading to losses, and which controls demonstrably reduce risk. The conversation acknowledges that while evidence-based prioritization is optimal, organizations must balance actuarial reality against compliance requirements, vendor mandates, and business constraints, so the goal is not to eliminate subjectivity but to ensure that subjective decisions are informed by objective data about adversarial behavior and real-world outcomes.
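As an added illustration of the contrast the episode draws between severity-driven and evidence-driven prioritization (this is not RID Evidence's methodology or code, and not part of the original episode summary), the following Python script ranks a constructed set of placeholder vulnerability records two ways: by the highest CVSS base score reported across sources, and by an evidence-weighted score that puts KEV membership, attributed loss events, remotely exploitable flaws in perimeter devices, and exposed management interfaces ahead of CVSS and EPSS. The record fields, weights, source names and placeholder IDs (VULN-A and so on) are all assumptions chosen to make the contrast visible; the script also flags records where the databases disagree on the base score, the situation the summary mentions.

```python
"""Evidence-weighted CVE triage (added example with constructed data).

Contrasts a CVSS-only ordering with one driven by the loss-correlated
signals discussed in the episode: CISA KEV membership, loss events seen
in DFIR/insurer data, remotely exploitable flaws in perimeter devices and
exposed management interfaces. CVSS and EPSS only break ties.
All weights, source names and record IDs are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass
class CveRecord:
    cve_id: str            # placeholder ID, not a real CVE
    cvss_by_source: dict   # CVSS base score per vulnerability database
    epss: float            # EPSS exploitation probability, 0..1
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities
    asset_class: str       # "perimeter", "web_app" or "internal"
    remote_unauth: bool    # exploitable remotely without credentials
    mgmt_exposed: bool     # management interface reachable from the internet
    loss_events: int       # loss events attributed to this flaw (DFIR/insurer data)


# Illustrative weights (assumptions, not a published methodology).
W_KEV = 50.0               # evidence of in-the-wild exploitation
W_LOSS_EVENT = 10.0        # per attributed loss event ...
LOSS_EVENT_CAP = 5         # ... capped so one flaw cannot dominate on volume
W_PERIMETER_REMOTE = 30.0  # remotely exploitable flaw in a perimeter device
W_MGMT_EXPOSED = 20.0      # management interface exposed to the internet
W_EPSS = 20.0              # EPSS scaled to at most 20 points (tie-breaker)


def worst_cvss(r: CveRecord) -> float:
    """Highest base score any source assigned; sources often disagree."""
    return max(r.cvss_by_source.values())


def cvss_spread(r: CveRecord) -> float:
    """Gap between the most and least severe score across sources."""
    scores = r.cvss_by_source.values()
    return round(max(scores) - min(scores), 1)


def disagreeing_sources(records, min_spread: float = 0.5) -> list:
    """IDs whose base score differs across databases by at least min_spread."""
    return [r.cve_id for r in records if cvss_spread(r) >= min_spread]


def evidence_score(r: CveRecord) -> float:
    """Score dominated by exploitation and exposure evidence, not severity."""
    score = 0.0
    if r.in_kev:
        score += W_KEV
    score += W_LOSS_EVENT * min(r.loss_events, LOSS_EVENT_CAP)
    if r.remote_unauth and r.asset_class == "perimeter":
        score += W_PERIMETER_REMOTE
    if r.mgmt_exposed:
        score += W_MGMT_EXPOSED
    score += W_EPSS * r.epss          # at most 20 points
    score += worst_cvss(r)            # at most 10 points: tie-breaker only
    return round(score, 1)


def rank_by_cvss(records) -> list:
    """Ordering a CVSS-threshold patching programme would produce."""
    return [r.cve_id for r in sorted(records, key=worst_cvss, reverse=True)]


def rank_by_evidence(records) -> list:
    """Ordering driven by what adversaries are actually exploiting."""
    return [r.cve_id for r in sorted(records, key=evidence_score, reverse=True)]


# Constructed sample: placeholder IDs and made-up scores, not real CVE data.
SAMPLE = [
    CveRecord("VULN-A", {"db_1": 9.8, "db_2": 9.8}, 0.02, False, "internal", True, False, 0),
    CveRecord("VULN-B", {"db_1": 7.2, "db_2": 8.1}, 0.60, True, "perimeter", True, True, 3),
    CveRecord("VULN-C", {"db_1": 9.1, "db_2": 8.6}, 0.05, False, "web_app", True, False, 0),
    CveRecord("VULN-D", {"db_1": 8.8, "db_2": 8.8}, 0.90, True, "perimeter", True, False, 1),
    CveRecord("VULN-E", {"db_1": 5.3, "db_2": 6.5}, 0.30, False, "perimeter", True, True, 0),
]


def triage_report(records) -> dict:
    """Both orderings plus per-record evidence scores and source disagreements."""
    return {
        "cvss_order": rank_by_cvss(records),
        "evidence_order": rank_by_evidence(records),
        "evidence_scores": {r.cve_id: evidence_score(r) for r in records},
        "sources_disagree": disagreeing_sources(records),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE)
    print("CVSS-only order:      ", " > ".join(report["cvss_order"]))
    print("Evidence-based order: ", " > ".join(report["evidence_order"]))
    for cve_id, score in report["evidence_scores"].items():
        print(f"  {cve_id}: evidence score {score}")
    print("Sources disagree on:  ", ", ".join(report["sources_disagree"]))
```

On the constructed sample the CVSS-only order puts the two highest-scored flaws (an internal service and a web application with no exploitation evidence) at the top, while the evidence order puts the two KEV-listed perimeter flaws first and the exposed-but-not-yet-exploited perimeter device third. The weights are placeholders for the insurer and DFIR loss data the episode describes; a real implementation would populate in_kev and epss from CISA's and FIRST's published feeds and derive the loss-event counts from whatever actuarial source the organization has access to.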