In this article:
- Traditional vs. Risk-Based Vulnerability Management: Traditional vulnerability management relies on universal severity scores (like CVEs), but RBVM prioritizes flaws based on an organization’s specific risks, business model, and infrastructure. However, RBVM often still depends on theoretical assessments rather than proven exploitability.
- Importance of Exploit Validation: Penetration testing and automated exploit validation tools (such as Horizon3.ai’s NodeZero) help distinguish between flaws that are exploitable and those that are not. This makes patching more efficient, verifies remediation, and prevents wasted effort on irrelevant vulnerabilities.
- Modern Challenges and Expanded Scope: With cloud services, remote work, SaaS apps, and AI systems, organizations face larger attack surfaces beyond software flaws. Exploit validation, continuous testing, and tools like NodeZero’s Vulnerability Management Hub, High-Value Targeting, and MCP server integration make RBVM more effective by confirming what truly matters and ensuring patches actually work.
As the limitations of traditional vulnerability management become more apparent, and as the sheer volume of vulnerabilities becomes unmanageable, many organizations have turned to risk-based vulnerability management (RBVM).
While regular vulnerability management uses a universal severity score for each vulnerability, RBVM categorizes vulnerabilities and other weaknesses according to the threats they pose to individual organizations, based on an organization's business model, network architecture and security posture.
The organization can then prioritize each vulnerability so that the most critical ones get fixed first, and the least critical ones may not get fixed at all.
In many cases, however, risk-based vulnerability management is still a guessing game. Vulnerabilities and other weaknesses are categorized according to their theoretical risk, and many flaws that don't pose any actual threat get remediated while more serious ones are pushed to the back burner.
That's why RBVM is best augmented by mechanisms like penetration testing that try to exploit discovered vulnerabilities to prove they pose real threats. Some flaws deemed critical may turn out to be impossible to exploit, thanks to impenetrable network architectures or security safeguards. Others that seem less threatening may pose grave risk.
"Just because it's vulnerable does not mean it is exploitable," says Stephen Gates, Principal Security Subject-Matter Expert at Horizon3.ai, which makes an automated pen-testing tool called NodeZero. "It's all based upon how it's deployed, where it's deployed, what's protecting it."
Not only can validating the exploitability of discovered flaws make vulnerability management more efficient in its patching priorities, but the same methods can be used after the mitigation process to verify that patched vulnerabilities have truly been fixed.
The problems with vulnerability management, risk-based or not
Vulnerability management evolved from patch management, the IT process that updates software and fixes bugs regardless of whether they're security-related. Vulnerability management focuses on security and goes beyond updating software; it scans for undiscovered flaws, categorizes what it finds, and provides a way to fix or at least mitigate those flaws.
Many of these steps can be automated, and most VM platforms ingest data from vulnerability scoring systems like the Common Vulnerabilities and Exposures (CVE) framework to prioritize which flaws to fix first.
But traditional vulnerability management works best when an organization has wired networks, its endpoints stay in the workplace, and its software is installed directly. It isn't as well suited to organizations that have many remote workers, keep some or most of their assets in the cloud, use software-as-a-service applications, or have implemented in-house AI agents.
More modern workplaces have much larger attack surfaces. Their weak spots go far beyond software flaws.
There aren't any CVE scores for cloud misconfigurations, compromised SaaS accounts, weak or compromised access credentials, excessive permissions, unauthorized devices or software, and most recently, vulnerable AI models or protocols. Yet each can pose just as much of a threat as a critical software bug.
In fact, it's now next to impossible for many large organizations to ever mitigate all their software vulnerabilities and other weaknesses. Yet many still try, driving their security teams to exhaustion as they try to chase a never-ending flood of alerts and potential threats.
"The hardest part of the job as a CIO/CISO was deciding what NOT to fix," wrote Horizon3.ai Co-Founder and CEO Snehal Antani in a recent post on LinkedIn. "I'd have to ask coworkers to skip their kid's basketball game or their family dinner to stay late and patch servers for CVEs we knew were irrelevant and unexploitable."
This is where risk-based vulnerability management can make a big difference. It catalogues, classifies and triages flaws in order of most to least risk, referencing not only CVE scores but also how much of a threat each poses to the organization in question.
A vulnerability is rated in terms of how exploitable it may be and how much of an impact its exploitation would have on the organization. The biggest threats will be dealt with first; the smallest may never be mitigated.
Yet sometimes what seems like a big threat isn't really. It may not be exploitable, or its exploitation may have little impact. And the only way to make sure is to try to exploit the flaw yourself.
"In practice, most [vulnerability management] programs still just patch what scores the highest," writes Gates in a recent blog post. "Risk is inferred, not proven. Fixes are assumed to work. And security teams are left guessing what actually matters."
How verifying flaws improves vulnerability management
Implementing penetration tests or similar forms of exploit validation can determine which perceived threats are paper tigers, and which are worse than they initially seem.
When pen-testing was a mostly manual process and could take days or even weeks, taking the time to field-test flaws was cumbersome and often dangerous because it gave attackers a greater window to exploit those same vulnerabilities.
Exploit verification is now a lot easier. Automated pen-testing tools like Horizon3.ai's NodeZero platform can scan entire systems in a matter of minutes, providing security teams valuable intelligence on which threats are real, and which can be ignored.
Because of this rapid pen-testing ability, potential threats can be verified or discarded as not exploitable. Mitigation becomes more efficient, and the organization's security posture improves as the biggest issues are fixed.
Horizon3.ai's NodeZero platform can find, categorize and validate vulnerabilities and other weaknesses, including misconfigurations and compromised credentials, but it can't fix them. It complements rather than replaces the vulnerability-management tools that perform the remediation.
Once that remediation is done, automated pen-testing tools like NodeZero can go back in and make sure that what the VM tools said was fixed really has been. That makes the entire process even more efficient.
"Traditional RBVM treats remediation as the finish line, assuming a patch was applied and calling the risk resolved," writes Gates. "But assumptions don't stop attackers."
What NodeZero brings to the table
Gates touts several new aspects of the NodeZero platform, the most significant of which is a Vulnerability Management Hub which presents verified flaws and weaknesses on a dashboard, along with each flaw's history and what it affects.
Vulnerabilities can be sorted by their severity and their mitigation status. When a weakness is marked as mitigated, the hub operator can click a button to run another exploitation attempt along the same attack path and see if it's truly been fixed.
"If the issue is still exploitable, it stays open," Gates writes. "If not, the fix is confirmed, with full visibility and time-stamped proof."
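As an added illustration (not NodeZero's or Horizon3.ai's code) of the two ideas above, ranking findings by proven exploitability and business impact rather than by raw severity score, and re-testing before a finding is allowed to close, the following uses a small constructed set of findings, an assumed 1-to-5 asset-criticality scale, assumed weighting factors, and an assumed `retest` callable standing in for a re-run exploitation attempt:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Finding:
    fid: str
    cvss: Optional[float]      # None for weaknesses that have no CVE score at all
    asset_criticality: int     # assumed scale: 1 (low) .. 5 (crown jewels)
    exploit_validated: bool    # True only if an exploitation attempt succeeded
    status: str = "open"
    history: list = field(default_factory=list)

def traditional_order(findings):
    """Patch what scores highest; weaknesses without a CVE score are invisible."""
    scored = [f for f in findings if f.cvss is not None]
    return [f.fid for f in sorted(scored, key=lambda f: -f.cvss)]

def risk_score(f):
    """Proven exploitability dominates: an unvalidated flaw is heavily discounted
    no matter how high its CVSS. The default base and weights are assumptions."""
    base = f.cvss if f.cvss is not None else 7.0   # assumed base for non-CVE weaknesses
    exploitability = 1.0 if f.exploit_validated else 0.1
    return base * f.asset_criticality * exploitability

def rbvm_order(findings):
    return [f.fid for f in sorted(findings, key=lambda f: -risk_score(f))]

def verify_remediation(f, retest):
    """Re-run the exploitation attempt after a fix; only a failed attempt closes
    the finding, and every re-test is recorded as time-ordered history."""
    still_exploitable = retest(f)
    f.history.append(("retest", still_exploitable))
    f.status = "open" if still_exploitable else "verified_fixed"
    return f.status

# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("crit-cve-isolated-host", cvss=9.8, asset_criticality=2, exploit_validated=False),
    Finding("med-cve-reachable-dc", cvss=6.5, asset_criticality=5, exploit_validated=True),
    Finding("reused-admin-credential", cvss=None, asset_criticality=5, exploit_validated=True),
]

if __name__ == "__main__":
    print("traditional:", traditional_order(SAMPLE))
    print("rbvm:       ", rbvm_order(SAMPLE))
```

The critical-but-unreachable CVE tops the traditional list and drops to the bottom of the risk-based one, while the credential weakness, which the traditional ordering cannot see at all, rises to the top.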
There's also a function called Endpoint Security Effectiveness that checks the performance and effectiveness of endpoint detection and response (EDR) tools to see how well they protect your systems during attacks.
Two other functions, High-Value Targeting and Advanced Data Pilfering, respectively map out potential attack paths to crown-jewels data or highly privileged user accounts and verify the exposure of sensitive data.
"High-Value Targeting provides prioritization of the actual risk to the business," says Gates. "And then the Advanced Data Pilfering provides what's inside of the actual data that we weren't able to gain access to."
A fifth new function, Threat Actor Intelligence, correlates attack findings with the tactics, techniques and procedures of known attacker groups, potentially adding context to the risk score and potential defense measures, although Horizon3.ai is careful to note that correlation does not mean attribution.
Finally, NodeZero now includes a Model Context Protocol (MCP) server so that it can connect to and feed data to the client's in-house AI agent for faster remediation of detected threats and vulnerabilities.
"The NodeZero MCP Server turns your AI into a security operator with the attacker's perspective," reads a Horizon3.ai blog post explaining how the MCP server works. "Instead of drowning in endless CVEs and theoretical risks, your AI agents and workflows can now focus on what's real, exploitable, and urgent — and take action."
Overall, Gates says, automated pen-testing and its associated functions are designed to make vulnerability management, risk-based or not, easier, less time-consuming and more efficient.
"Organizations penetration-testing their networks every single day or once a week or once a month with our technology, and bringing these new features to bear, will allow them to gain even more rapid intelligence," he says.
"They'll be able to say, 'Look, today's Monday, I've walked in the door. Here are my three top things that I need to resolve right now because we ran a penetration test with NodeZero over the weekend. Here are the results.'"