CTEM vs Penetration Testing vs Vulnerability Management

Read this blog to find out the differences between vulnerability management, penetration testing and CTEM.

Techie Tuesdays

Vulnerable Doesn’t Mean Exploitable

Security teams are overwhelmed by the volume of vulnerability data.

But volume is not risk.

And risk is not exposure.

Understanding the differences among Vulnerability Management, Penetration Testing, and Continuous Threat Exposure Management (CTEM) directly affects breach probability, remediation efficiency, and executive decision-making.

The Exploitation Reality

There are now over 300,000 published CVEs in the National Vulnerability Database.

The CISA Known Exploited Vulnerabilities (KEV) catalogue contains approximately 1,352 vulnerabilities confirmed as exploited in the wild.

That represents roughly 0.45% of all published vulnerabilities. More than 99% of disclosed vulnerabilities have never been formally confirmed as exploited.

This does not mean they are irrelevant.

It means that vulnerability volume alone is a poor proxy for real-world risk.

Security teams spend significant time patching thousands of findings — yet only a fraction are:

  • Actively exploited
  • Reachable in their environment
  • Chainable into privilege escalation
  • Capable of causing material business impact

The challenge is not discovering vulnerabilities.

The challenge is identifying which ones matter.

Vulnerability Management

Question: “What is theoretically vulnerable?”

VM provides:

  • Broad asset coverage
  • CVE identification
  • Severity scoring (CVSS)
  • Patch workflow support
  • Compliance reporting

It is foundational.

But it is inventory-centric — not attacker-centric.

If your scan returns 5,000 critical findings, VM does not tell you which ones create a viable attack path.

Penetration Testing

Question: “What is exploitable right now?”

Pen testing provides:

  • Confirmed exploitable weaknesses
  • Evidence-based attack chains
  • Privilege escalation validation
  • Business-impact narrative

It translates technical exposure into executive language.

But it is time-bound and scope-limited — a snapshot of risk at a given moment.

Continuous Threat Exposure Management (CTEM)

Question: “Which exposures create a path to compromise?”

CTEM shifts the focus from vulnerabilities to exposure. It:

  • Models attacker pathways
  • Validates exploitability
  • Tests lateral movement
  • Assesses identity and control weaknesses
  • Prioritises based on business impact

Rather than scoring vulnerabilities individually, CTEM identifies how they chain together — and whether they can actually compromise the organisation.
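As an added illustration (not code from this post or from Cyber Vigilance), the toy model below contrasts the two orderings described above: a constructed inventory of four assets with placeholder finding IDs and scores, a constructed reachability map, and a breadth-first search that only hops through findings whose exploitability has been validated. Every asset name, finding ID, score and network edge is an assumption made for the example.

```python
from collections import deque

# Constructed inventory with placeholder IDs (not real CVEs); "kev" = exploitability validated.
FINDINGS = {
    "web-dmz":   [{"id": "VULN-A", "cvss": 7.5, "kev": True}],
    "app-int":   [{"id": "VULN-B", "cvss": 6.1, "kev": True}],
    "db-core":   [{"id": "VULN-C", "cvss": 5.3, "kev": True},
                  {"id": "VULN-E", "cvss": 9.1, "kev": False}],
    "print-srv": [{"id": "VULN-D", "cvss": 9.8, "kev": False}],
}
INTERNET_FACING, CRITICAL = {"web-dmz"}, {"db-core"}
# Constructed reachability: src -> assets whose services src can reach over the network.
REACH = {"web-dmz": ["app-int"], "app-int": ["db-core", "print-srv"]}

def rank_by_cvss(findings=FINDINGS):
    """VM view: every finding, ordered by severity score alone."""
    flat = [(f["cvss"], f["id"]) for fs in findings.values() for f in fs]
    return [fid for _, fid in sorted(flat, reverse=True)]

def exposure_paths(findings=FINDINGS, reach=REACH,
                   entry=INTERNET_FACING, targets=CRITICAL):
    """CTEM view: breadth-first search from internet-facing assets, moving only
    through findings whose exploitability is validated; returns every path that
    ends on a critical asset as a list of (asset, finding_id) hops."""
    usable = {a: [f["id"] for f in fs if f["kev"]] for a, fs in findings.items()}
    queue = deque([[(a, fid)] for a in entry for fid in usable[a]])
    paths = []
    while queue:
        path = queue.popleft()
        here = path[-1][0]
        if here in targets:
            paths.append(path)
            continue
        seen = {a for a, _ in path}           # no revisiting: keeps paths simple
        for nxt in reach.get(here, []):
            if nxt not in seen:
                queue.extend(path + [(nxt, fid)] for fid in usable.get(nxt, []))
    return paths

def rank_by_exposure(findings=FINDINGS, reach=REACH):
    """Findings on a validated path to a critical asset come first (fixing any
    one of them cuts the chain); everything else follows, still by CVSS."""
    on_path = {fid for p in exposure_paths(findings, reach) for _, fid in p}
    ranked = rank_by_cvss(findings)
    return [f for f in ranked if f in on_path] + [f for f in ranked if f not in on_path]

if __name__ == "__main__":
    print("CVSS order:    ", rank_by_cvss())      # VULN-D first, yet on no path
    print("Exposure order:", rank_by_exposure())  # VULN-A, VULN-B, VULN-C first
```

The 9.8 on the print server tops the CVSS list but sits on no path to the critical asset, while three lower-scored findings form the only chain that reaches it.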

Why This Distinction Matters

If only 0.45% of vulnerabilities are confirmed exploited, then prioritisation is everything.

Organisations that optimise for vulnerability count optimise for compliance.

Organisations that optimise for validated exposure reduce the probability of breaches.

This is the difference between:

  • Reducing audit findings
  • Reducing real-world compromise risk

Modern attackers log in rather than break in. They exploit identity, privilege, segmentation, and misconfiguration — not just CVSS scores. Exposure clarity is now a strategic requirement.

The Cyber Vigilance Approach

At Cyber Vigilance, we do not optimise for vulnerability volume. We optimise for validated exposure reduction.

We combine:

  • Continuous vulnerability visibility
  • Real-world attack simulation
  • Exploitable path validation
  • Control and identity efficacy testing

So remediation efforts can be directed where they measurably reduce the likelihood of material compromise — not just where they reduce the number of open tickets.

If your board is asking:

“Are we secure?”

The better question is:

“Which exposures could actually compromise the business, and have we validated them?”

That is the conversation we help organisations have. And that is where security maturity truly begins.

James Kavanagh

Chief Technology Officer

©2025 Cyber Vigilance
