Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Fortra:Why Vulnerability Count Doesn't Predict Breach Risk

Fortra
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


I mean, these things are just littered with vulnerabilities. You just kick a rock and you've hit a vulnerability with these companies, but they've never been compromised, or if they have been compromised, they've never noticed. It's never affected their business. They're still in business. So why does it matter that you have 300,000 or 300 million vulnerabilities or 400 million vulnerabilities? Why does that matter? It turns out it doesn't really correlate with loss or even breach, which is a lower bar. And so I'm not saying they're free of vulnerability and those vulnerabilities aren't real things that could be used to break in. But I am saying that if you're going to patch, clearly, that's not the way to do it. Clearly, that is not having the most impact on breaches and losses. And so that's kind of where I like to draw the line and where the breach and loss informs your patch management.

TL;DR

  • Many large organizations carry hundreds of millions of vulnerabilities and have still never experienced a material breach or measurable business loss.
  • Raw vulnerability counts do not meaningfully correlate with breach likelihood or financial loss, making them an unreliable prioritization metric.
  • RSnake argues that patch management strategy should be driven by breach probability and business impact rather than total vulnerability volume.

Summary

In this short clip from The Art of Security podcast, cybersecurity expert Robert "RSnake" Hansen challenges one of the most deeply held assumptions in vulnerability management: that a high vulnerability count signals high risk. Hansen points out that many large organizations carry tens or even hundreds of millions of vulnerabilities in their environments — and yet have never suffered a material breach or measurable business loss. His central argument is that raw vulnerability counts simply do not correlate with actual breach likelihood or financial impact, making them a poor basis for prioritizing remediation efforts. Rather than chasing every CVE in the queue, Hansen advocates for a risk-based patching strategy grounded in breach probability and business impact. The implication for security teams is significant: patch management should be informed by what actually drives losses, not by what inflates a vulnerability dashboard. This clip serves as a provocative entry point into a longer episode exploring how organizations can rethink their approach to vulnerability management in a world where perfect remediation is impossible.

Chapters

0:00 - The Vulnerability Overload Reality
0:19 - Does Volume Actually Matter?
0:28 - No Correlation with Loss or Breach
0:41 - Rethinking Patch Prioritization

Key Quotes

0:00 "Many companies now that have over 10 million vulnerabilities and up to hundreds of millions of vulnerabilities — these things are just littered with vulnerabilities."
0:28 "It turns out it doesn't really correlate with loss or even breach, which is a lower bar."
0:41 "If you're going to patch, clearly, that's not the way to do it. Clearly, that is not having the most impact on breaches and losses."
0:51 "That's kind of where I like to draw the line and where the breach and loss informs your patch management."

FAQ

Does having millions of vulnerabilities mean a company is at high risk of being breached?

Not necessarily, according to RSnake. He notes that many companies with over 100 million vulnerabilities have never been compromised or suffered business impact, suggesting vulnerability count alone is a poor predictor of breach risk.

What should drive patch management decisions if not vulnerability count?

RSnake argues that breach likelihood and business loss should be the primary inputs — patching should focus on vulnerabilities most likely to result in an actual compromise or measurable financial harm.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Vulnerability Management
  • Threat Intelligence
  • Security Operations
  • Best Practices
  • Thought Leadership
  • short_form
  • Risk-Based Patching
  • Patch Prioritization
  • Breach Likelihood
  • CVE Overload
  • Security Risk Quantification
  • Cybersecurity Strategy
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Fortra:Why Vulnerability Count Doesn't Predict Breach Risk

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version