SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Cyber firms face 'verification crisis' on real risk

Wed, 11th Feb 2026

Research by cybersecurity company Hadrian found that 70% of organisations struggle to keep up with fixing the growing number of security vulnerabilities. Security teams also face difficulty distinguishing which issues are genuinely exploitable and urgent.

The findings point to what Hadrian calls a "verification crisis". Security tools are producing more data and flagging more potential weaknesses, but many organisations lack practical ways to confirm which findings translate into real-world risk. As a result, investment in monitoring and assessment tools does not necessarily reduce exposure to attack.

In the survey, 95% of security leaders reported dissatisfaction with their ability to prioritise remediation based on real-world risk. Many organisations have improved visibility across their external attack surface in recent years, particularly through tools that track internet-facing systems. However, the research indicates that increased visibility has not led to greater confidence in decision-making.

Measuring outcomes

Hadrian argues that measurement choices are central to the problem. Continuous Threat Exposure Management, commonly referred to as CTEM, has become more widely adopted as a way to structure security work around an organisation's exposure to attack. Even so, only 33% of organisations measure whether exploitable risk is actually reduced over time, according to the report.

Instead, most programmes continue to track metrics focused on discovery and volume, such as coverage gaps, asset counts and alert volume. These measures can show rising activity and expanding scope, but they do not necessarily show whether the organisation has reduced the likelihood of a successful attack.

"Security programs keep adding tools and expanding scope, but outcomes aren't improving," said Rogier Fischer, CEO and co-founder of Hadrian.

"Teams are measuring how much they find, not how much real risk they remove. Without exploitability verification, more data doesn't lead to faster remediation; it leads to paralysis," Fischer said.

Remediation patterns

The report draws on verified risk data gathered during the 2025 calendar year from more than 300 organisations across the US, UK, the Netherlands, Germany, France and Italy. It combines this with survey research, a focus group of 34 CISOs and senior security operations leaders, and cross-validation between platform telemetry, observed attacker behaviour and executive insights.

One headline finding is that only 0.47% of vulnerability scanner results proved exploitable in real environments. This suggests security teams may spend significant time triaging and responding to findings that never present a practical route for an attacker.

The research also points to a divergence between typical and average remediation times for serious vulnerabilities. The median remediation time for critical vulnerabilities was four days, and the median for high-severity issues was 22 days. However, the mean remediation time rose to 64 days for critical vulnerabilities and 139 days for high-severity issues.

The gap between median and mean suggests a consistent pattern across organisations. Teams often act quickly when a vulnerability is clearly urgent or operationally straightforward. At the same time, a subset of issues persists much longer, extending the period during which an organisation remains exposed.

Long tail risk

The report highlights the "long tail" of unresolved vulnerabilities. The slowest 10% of critical vulnerabilities remained open for more than four months, while high-severity issues in the same segment persisted for more than a year.

According to the report, these vulnerabilities were not unknown. They were identified and recorded, but competed for attention as security teams dealt with new alerts, new tickets and the ongoing output of multiple tools. In organisations with complex technology estates, this can create a persistent backlog in which older issues remain unresolved while new potential risks continue to surface.
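The median-versus-mean gap in the "Remediation patterns" section and the slowest-10% tail described above both fall out of the same calculation over a set of finding records. The script below is an added illustration, not Hadrian's code or data: the thirteen findings are constructed so that a handful of stragglers drag the mean well above the median, the `exploitable` flag stands in for whatever exploitability validation a programme performs, and the slowest-10% cut-off uses a nearest-rank percentile (my choice, not a definition from the report). It also goes one step beyond the article by contrasting a volume metric (all open findings) with an outcome metric (open findings that were verified exploitable) at several checkpoints.

```python
"""Remediation-time and exposure metrics over a constructed set of findings.

Added illustration; the finding records are invented and are not
Hadrian's telemetry or survey data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    fid: str
    severity: str           # "critical", "high", "medium" or "low"
    opened: date            # date the scanner first reported it
    closed: Optional[date]  # None while the finding is still unresolved
    exploitable: bool       # True only if validation confirmed a working attack path


def _make(fid, severity, opened, days_to_close, exploitable):
    closed = None if days_to_close is None else opened + timedelta(days=days_to_close)
    return Finding(fid, severity, opened, closed, exploitable)


JAN1 = date(2025, 1, 1)
# Constructed sample: ten closed findings plus three still open.
FINDINGS = [
    _make("C1", "critical", JAN1, 2, True),
    _make("C2", "critical", JAN1, 3, False),
    _make("C3", "critical", JAN1, 4, True),
    _make("C4", "critical", JAN1, 5, False),
    _make("C5", "critical", JAN1, 106, True),   # the long-tail critical
    _make("H1", "high", JAN1, 10, False),
    _make("H2", "high", JAN1, 20, True),
    _make("H3", "high", JAN1, 22, False),
    _make("H4", "high", JAN1, 30, False),
    _make("H5", "high", JAN1, 418, True),       # open for more than a year
    _make("M1", "medium", date(2025, 3, 1), None, False),
    _make("M2", "medium", date(2025, 3, 1), None, False),
    _make("L1", "low", date(2025, 6, 1), None, False),
]
CHECKPOINTS = [JAN1, date(2025, 1, 31), date(2025, 6, 30)]


def remediation_days(findings, severity):
    """Days from discovery to closure for every closed finding of one severity."""
    return [(f.closed - f.opened).days
            for f in findings if f.severity == severity and f.closed is not None]


def tail_threshold(days, fraction=0.10):
    """Nearest-rank cut-off at or above which the slowest `fraction` of closures sit."""
    ordered = sorted(days)
    rank = ceil((1 - fraction) * len(ordered))   # 1-based rank of the cut-off value
    return ordered[max(rank, 1) - 1]


def summarize(days):
    """Median, mean and slowest-10% threshold. A mean far above the median
    signals a long tail of stragglers rather than uniformly slow fixes."""
    return {
        "median": median(days),
        "mean": round(float(mean(days)), 1),
        "p90": tail_threshold(days),
    }


def open_at(findings, day):
    """(all open findings, verified-exploitable open findings) on a given day.

    The first number is the volume metric most programmes report; the second
    is the exposure metric the article argues should drive decisions."""
    live = [f for f in findings
            if f.opened <= day and (f.closed is None or f.closed > day)]
    return len(live), sum(1 for f in live if f.exploitable)


def exposure_trend(findings, checkpoints):
    """One (date, open, exploitable_open) row per checkpoint."""
    return [(d.isoformat(),) + open_at(findings, d) for d in checkpoints]


if __name__ == "__main__":
    for sev in ("critical", "high"):
        print(sev, summarize(remediation_days(FINDINGS, sev)))
    for day, total, verified in exposure_trend(FINDINGS, CHECKPOINTS):
        print("%s: open=%d verified_exploitable_open=%d" % (day, total, verified))
```

On this sample the critical median is 4 days against a mean of 24, and the high median is 22 against a mean of 100, the same shape as the report's figures. The trend rows show why the choice of metric matters: between the second and third checkpoint the raw open count rises from 2 to 4 as new medium and low findings arrive, while verified-exploitable exposure falls from 2 to 1, so a programme tracking only volume would read an improving situation as a worsening one.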

"Security teams can move fast, but too many tools and unverified alerts make it difficult to maintain focus on what actually matters," Fischer said.

The report calls for earlier validation of exploitability and success measures that focus on reducing real exposure rather than the number of findings generated. It also argues that security leaders will face continued pressure to demonstrate risk reduction as vulnerability volumes rise and automated scanning and detection tools become more widely used.