CISOs Are Ditching Severity Scores for Exploitability-First VM

May 18, 2026

Security leaders across the Sagetap community are retiring scanner-and-spreadsheet programs, primarily because the underlying logic cannot produce the outcomes boards now expect. The model of enumerating everything, scoring it, and handing it to engineering generates backlogs rather than protection.

What's replacing it is a fundamentally different operating model. The programs gaining traction treat exposure as a continuous data problem, ingesting signals across the full attack surface, correlating against real network topology and business context, isolating what is genuinely exploitable, and closing the gap automatically wherever possible.

Why This Matters Beyond Vulnerability Management

The backlog problem creates downstream failures across the security stack. Poor exploitability context and unresolved findings affect every team that depends on VM output, including:

  • Threat Detection & Response: Scanner output floods SIEM and EDR pipelines with findings that lack exploitability context, forcing analysts to separate real risk from noise that VM tools should have resolved upstream.
  • Cloud Security: CNAPP and CSPM tools surface misconfigurations and exposures across cloud environments. But without attack path analysis, security teams have no principled way to prioritize what to fix first.
  • Identity & Access Management: Identity exposure (over-permissioned service accounts, lateral movement paths through privileged credentials) is a prioritization input that most VM programs don't model or surface.
  • Risk Management & Compliance: Boards are demanding breach cost in financial terms instead of CVE counts. VM programs that can't translate backlog size into probable dollar exposure can't support executive decision-making.
  • Data Protection & Privacy: Unpatched vulnerabilities create the access paths that enable data exfiltration, including the AI prompt-based exfiltration that legacy DLP controls can't see.
  • Application Security: AI coding assistants are introducing vulnerable dependencies buried deep in software supply chains that traditional scanners miss, expanding the attack surface faster than existing programs were built to handle.

The exploitability gap is a shared problem, and top security leaders across all of these domains are treating it that way.

Inside the Initiatives: How Sages Are Rebuilding VM Programs

Four active projects show what this shift looks like in practice. One has reached POC with a vendor. The others are tackling attack surface expansion, RBVM standardization, and multi-cloud exposure consolidation at global enterprise scale.

Expanding the Attack Surface Map Beyond Traditional Scans

A CISO Sage at a very large civil engineering organization is running an active POC as part of a multi-year shift toward proactive and predictive vulnerability management. The program has addressed traditional OS and network infrastructure and is now expanding into attack surfaces that have historically been deprioritized. The CISO wants to surface blind spots in less-monitored parts of the environment (areas where a weakness, if exploited, would carry outsized impact).

Vulnerability Management Modernization
Date Started Aug 7, 2025
Target Completion June, 2026
Use Cases
Risk & Vulnerability Management

As we continue to shift from reactive to more proactive and predictive in our VMP, we are looking to increase visibility in our scanning into other attack surfaces that have traditionally lagged or haven't been considered a priority compared to traditional operating system and network infrastructure scans.

We need to begin to find weaknesses in some of the less prominent areas that would have a significant impact if exploited.

Product in POC: watchTowr

Cutting Through the Defender Noise

A security leader at a financial services firm is running an active initiative to move beyond what Microsoft Defender alone can deliver. The volume of findings has made meaningful prioritization nearly impossible — everything flags, so nothing is actionable. The initiative targets exploitability-aware triage: incorporating attack paths, identity exposure context, and real-world threat activity to isolate the vulnerabilities that could materially affect critical systems and sensitive data.

Vulnerability Management
Date Started Apr 30, 2026
Target Completion May, 2026

I am looking to mature our vulnerability management program beyond basic visibility by focusing on prioritized, exploitable risk. While using Microsoft Defender and Microsoft Defender Vulnerability Management today, the volume of findings creates noise and makes it difficult to determine what truly matters. This initiative is focused on improving risk prioritization by identifying vulnerabilities that are actually exploitable within our environment, incorporating context such as attack paths, identity exposure, and real-world threat activity. The goal is to reduce manual triage, streamline remediation efforts, and ensure the team is focused on addressing the highest-impact risks that could affect critical systems and sensitive data.

Products Considering: Cogent Security, Maze

Standardizing an Enterprise-Wide RBVM Lifecycle

An IT security executive at a major hospital and health care organization has launched an initiative to standardize vulnerability management across the enterprise using a risk-based framework, replacing Automox. The program targets the full remediation lifecycle anchored to real-world threat intelligence and asset criticality rather than raw counts.

Risk-Based Vulnerability Management (RBVM)
Date Started Apr 21, 2026
Target Completion November, 2026
Tool Being Replaced
Automox

Standardizing an enterprise-wide lifecycle for identifying, prioritizing, and remediating security weaknesses using real-world threat intelligence and asset criticality. I am specifically looking for Risk-Based Vulnerability Management (RBVM).

Products Considering: Backline

Consolidating a Fragmented Multi-Cloud Exposure Stack

A security risk leader at a very large manufacturing organization is leading an initiative to retire overlapping scanning tools and replace fragmented, volume-driven reporting with unified, business-aligned prioritization. The environment spans multiple cloud platforms, containerized workloads, and on-premise infrastructure. Required capabilities include aggregation of exposure signals, attack path visibility, CTEM-aligned reassessment, and executive-ready reporting tied to asset criticality.

Risk-Based Exposure Management & Security Prioritization Modernization
Date Started Feb 27, 2026
Target Completion December, 2026
Use Cases
Risk & Vulnerability Management; Cloud Security; Endpoint Security; Identity & Access Management (IAM); Governance, Risk & Compliance

Our environment spans multiple cloud platforms, a growing SaaS portfolio, containerized workloads, and traditional on-premise infrastructure. Over time, we have accumulated overlapping scanning tools and fragmented exposure reporting processes. As a result, remediation prioritization remains heavily volume-driven rather than risk-driven.

We are evaluating solutions that consolidate exposure intelligence and enable business-aligned prioritization across cloud, identity, endpoint, and external attack surface domains.

Products Considering: A Security, Aryon Security, Astelia, Averlon, Axonius Asset Cloud, Backline, Eclypsium, Flare, Ghost Security, HackerOne, Loophole Labs, Maze, Pentera, Qpoint, Secuvy.ai, Sevco, Shinobi Security, Socket, Specular, Tonic Security, watchTowr

Top VM Vendors Sages Have Evaluated Recently

Three vendors have appeared most frequently across recent vulnerability management evaluations. Their traction reflects specific capabilities that legacy scanning platforms don't provide.

Astelia is an AI-native exposure management platform that maps real network topology and applies agentic AI to analyze exploit prerequisites for each vulnerability. By correlating exploitability with reachability and attack paths, it surfaces the fraction of findings that represent genuine exposure and delivers environment-specific remediation guidance beyond patching.

What Sages evaluated it for: Identifying reachable and exploitable vulnerabilities across hybrid and multi-cloud environments, visualizing attack paths to critical assets, aggregating vulnerability and asset context for business-aligned prioritization, and replacing volume-driven scanning programs with exploitability-first triage.

Backline is an autonomous security remediation platform that deploys a fleet of AI agents to fix vulnerabilities and misconfigurations at enterprise scale. Agents analyze findings, determine the optimal fix, implement code and configuration changes, and test the results end-to-end, integrating with existing scanners while giving teams full control over automation.

What Sages evaluated it for: Automated remediation at scale for vulnerability backlogs, real-time vulnerability detection with asset identification and tagging, consolidating fragmented scanner output into a unified remediation workflow, and reducing MTTR without proportional headcount growth.

Maze is an autonomous vulnerability management platform built from scratch around AI reasoning, not retrofitted with it. Each agent ingests telemetry from cloud environments and scanners, replicates the workflow of a security engineer, and determines exploitability by evaluating network configurations, exploit availability, IAM permissions, and confidentiality ratings.

What Sages evaluated it for: AI-powered attack path analysis and exploitability determination for cloud-native environments, filtering non-exploitable vulnerabilities at scale to eliminate scanner noise, and augmenting or replacing existing VM tools that produce findings without resolution.

Sages' Key Consideration Factors

When evaluating new VM tools, security leaders are prioritizing features, price, and support. The market has moved past vendor familiarity as a selection criterion.

  • Exploitability Over Severity Scores: Volume-based triage is no longer defensible. Sages are demanding context-aware engines that factor in attack paths, identity exposure, and asset criticality — so remediation effort goes toward vulnerabilities that can actually be weaponized.
  • Remediation as a Core Capability: The evaluation bar has shifted from detection to resolution. Security executives are disqualifying platforms that stop at finding, prioritizing those that close the loop with automated remediation, clear ownership mapping, and ticketing integrations.
  • Unified Visibility Across the Full Attack Surface: Separate tools for cloud, endpoints, and external assets create prioritization gaps that adversaries exploit. Security leaders are consolidating onto platforms that aggregate exposure signals across hybrid environments, including surfaces legacy programs have historically undercovered.
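The Maze description above (exploitability judged from network configuration, exploit availability and asset sensitivity) and the "Exploitability Over Severity Scores" factor both describe the same kind of engine. The following is an added, illustrative example written for this page; it is not code from Sagetap or from any vendor named here. It ranks findings over a small constructed topology by three signals (is the vulnerable host reachable from the internet, does a working exploit exist, what is the most critical asset reachable downstream of the host) and contrasts that order with a CVSS-only sort. The weights, asset names and finding IDs (F1 to F4) are assumptions chosen to make the contrast visible, not a recommended scoring model.

```python
"""Exploitability-first triage over a constructed environment (added example).

Ranks findings by attack-path reachability, exploit maturity and downstream
asset criticality, then compares the result with a CVSS-only ordering.
All weights, hosts and finding IDs are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                  # 1 (disposable) .. 5 (crown jewel)
    internet_facing: bool = False
    reaches: list = field(default_factory=list)  # hosts this asset can connect to


@dataclass
class Finding:
    fid: str                          # placeholder ID, not a real CVE
    asset: str
    cvss: float
    listening: bool                   # vulnerable service is network-exposed on the host
    exploit_public: bool = False      # working exploit code is available
    actively_exploited: bool = False  # seen in the wild (e.g. on a KEV-style list)
    mitigated: bool = False           # compensating control removes the exploit prerequisite


def _paths(assets):
    """Return (hosts reachable from the internet, max criticality reachable from each host)."""
    by_name = {a.name: a for a in assets}

    def bfs(starts):
        seen, queue = set(starts), deque(starts)
        while queue:
            for nxt in by_name[queue.popleft()].reaches:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    from_internet = bfs([a.name for a in assets if a.internet_facing])
    blast = {a.name: max(by_name[n].criticality for n in bfs([a.name])) for a in assets}
    return from_internet, blast


def exposure_score(f, assets):
    """0..100; zero means no realistic attack path today, whatever the CVSS says."""
    by_name = {a.name: a for a in assets}
    from_internet, blast = _paths(assets)
    asset = by_name[f.asset]
    if f.mitigated:
        return 0
    exploit = 10 if f.actively_exploited else 7 if f.exploit_public else 2
    if not f.listening:
        entry = 1                     # local-only: attacker already needs a foothold
    elif asset.internet_facing:
        entry = 10
    elif asset.name in from_internet:
        entry = 6                     # reachable only through lateral movement
    else:
        entry = 2                     # no path from the internet in this topology
    return exploit * entry * blast[asset.name] // 5   # 10 * 10 * 5 / 5 == 100


def rank_by_exposure(findings, assets):
    """Highest exposure first; CVSS only breaks ties."""
    return [f.fid for f in sorted(findings, key=lambda f: (-exposure_score(f, assets), -f.cvss))]


def rank_by_cvss(findings):
    """The legacy ordering the page argues against."""
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed sample topology and findings.
ASSETS = [
    Asset("web-edge", 3, internet_facing=True, reaches=["app-server"]),
    Asset("app-server", 4, reaches=["db-prod"]),
    Asset("db-prod", 5),
    Asset("build-runner", 2),         # isolated: nothing reaches it, it reaches nothing
]
FINDINGS = [
    Finding("F1", "build-runner", 9.8, listening=True),
    Finding("F2", "web-edge", 7.5, listening=True, actively_exploited=True),
    Finding("F3", "web-edge", 9.1, listening=True, exploit_public=True, mitigated=True),
    Finding("F4", "app-server", 8.8, listening=True, exploit_public=True),
]

if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss(FINDINGS))
    print("Exploitability order:", rank_by_exposure(FINDINGS, ASSETS))
    for f in FINDINGS:
        print(f"{f.fid} cvss={f.cvss} exposure={exposure_score(f, ASSETS)}")
```

Run stand-alone, the CVSS sort puts the 9.8 on the isolated build runner first, while the exposure sort puts the actively exploited 7.5 on the internet-facing edge host first and drops the mitigated 9.1 to zero. The point a practitioner should take from it is that the reachability graph and the "is it mitigated" check are the inputs that change the order, which is exactly the context scanner output alone does not carry.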

Bottom Line

Vulnerability management was once a scanning problem, but it's now an engineering one. The programs gaining ground in 2026 are the ones treating remediation as the outcome and building coverage across an attack surface that extends well beyond what legacy tools were designed to see.

Want access to the specific requirements and evaluations for your peers' vulnerability management initiatives?

Explore Peer Security Initiatives on Sagetap