The Vulnerability Management Paradox

Discover where other vulnerability management approaches fall short and why runtime visibility is the key to staying ahead.


By Josh Skorich

After a decade of working in offensive security and now building the Spektion platform that exposes vulnerabilities at runtime, I’ve come to a frustrating but familiar truth: the way most of the industry approaches vulnerability management is still lagging behind the problem it claims to address.

Despite a recent wave of new entrants into the vulnerability management space, many still lean on an outdated playbook. Most solutions remain anchored to CVEs and known exploitation in the wild. This backward-looking model isn’t just reactive, it’s misaligned with how real attackers operate.

By the Time a CVE Hits the Wire, It’s Too Late

The typical lifecycle of a vulnerability looks something like this: discovery, disclosure, CVE assignment, analysis, threat intel updates, and, in some cases, exploit detection in the wild. But by the time a CVE gets an ID and makes it onto a dashboard, the damage path has often already been mapped out.

Attackers don’t wait for official confirmation. They exploit the opportunity the moment it appears, sometimes even before the vendor is aware that a problem exists.

The gap we’re supposed to be closing? It’s already widened.

The Real Risk Exists Before the CVE

The vulnerabilities that lead to real-world compromise don’t become a risk the moment they receive a CVE. They exist in software behavior long before researchers document them in a blog post, before embargoes are lifted, and before software vendors even acknowledge the issue. This is the window, often overlooked, where risk is both real and actionable, but not reported or tracked due to the lack of an associated CVE.

The Paradox

Here’s the paradox: despite branding themselves as “next-gen,” most modern vulnerability management tools are still firmly reliant on the CVE system. What gets labeled as innovation is usually just optimization. These are things like prioritization algorithms, exploitability scores, or machine learning classifiers, all applied to a dataset that arrives too late.

Some vendors promise better triage. Others offer agentic workflows to automate tedious processes. But making an ineffective process faster doesn’t make it effective. No matter how many people, agents, or clever prioritization schemes you add to the mix, you are still just executing a model that cannot practically deliver meaningful risk reduction at scale. These tools continue to assess the severity of known issues after disclosure, rather than uncovering the risky behaviors in software that lead to exploited vulnerabilities in the first place.

It is a form of out-of-the-box thinking that refuses to step outside the box.

The result is a wave of “new” solutions that are mostly repackaged versions of old ones. Faster ticketing. Prettier dashboards. Smarter scoring. But underneath it all, they still assume that CVEs mark the beginning of risk. In reality, a CVE usually shows up only after the opportunity to prevent the risk has already passed, and even then, it’s only for the subset of your software that is subject to vulnerability research.

At Spektion, we expand vulnerability reporting to cover the entire window of real risk, both before a CVE exists and for software that will never receive one.

Our platform doesn’t rely on external indicators to flag risk. Instead, we observe software as it runs, identifying the exact behaviors that skilled attackers look for: insecure execution paths, improper memory access, misused privileges, and other signs of demonstrated risk that enable lateral movement, privilege escalation, or arbitrary code execution—even in the absence of a known exploit.

That’s exactly the kind of deep, real-time visibility that leads our customers like NielsenIQ (NIQ) to partner with us.

“To enhance our ability to manage vulnerabilities, NIQ recognized the need to fully understand our software landscape. Spektion goes beyond basic vulnerability reporting to provide deep context of NIQ’s software inventory with comprehensive visibility into risks beyond CVEs, helping us identify and prioritize the most critical opportunities to reduce cyber risk.”

— Jasper Ossentjuk, Chief Security Officer, NielsenIQ

Not Signatures. Not Hunches. Just Reality.

This isn’t speculative, and it’s not signature-based. It’s grounded in how exploitation actually works. We use lightweight runtime instrumentation to analyze how software behaves in practice, not how it’s supposed to behave on paper. This eliminates many of the hypothetical risks captured as CVEs that lack any evidence of exploitability. It also captures the risk in software that is internal or outside of the scope of vulnerability research.

As a result, we find vulnerabilities before they’re named, tracked, or surfaced by traditional tools. We’re not chasing CVEs, we’re catching the root causes that create them.

This Approach Is Harder. But It Matters More.

Runtime analysis requires real technical depth. It’s harder to build, harder to explain, and often less visible, until it prevents something catastrophic. But in my view, that’s the only kind of security work that actually matters. Rather than subscribe to the paradox, we sought to shift the paradigm to focus on what enables scalable, proactive vulnerability management.

The industry doesn’t need another dashboard telling you what you already know, after you needed to know it. It needs tools that surface the weaknesses attackers would exploit, before they get the chance to strike.
