Vulnerability Management | Breaking Cybersecurity News | The Hacker News

Category — Vulnerability Management
Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation

Apr 20, 2026
Continuous Threat Exposure Management (CTEM) has moved well past buzzword status. We've talked about this before. It's true that in the past years, Gartner has been making these grand predictions about its benefits: organizations prioritizing CTEM investments will suffer two-thirds fewer breaches by 2026… Well, we're now in 2026 and, in reality, SOC teams are still facing the same dilemma: more exposure data than they can act on, and no reliable way to decide what actually matters. 96% of security teams face challenges trying to validate whether their security risks are exploitable, while 2 in 3 state that they don't have a consolidated view of their cyber risk exposure. - Filigran-commissioned third-party market survey on exposure validation. It's pretty clear now that to actually benefit from CTEM, organizations need to first utilize their cyber threat intelligence better. It is not just about better asset, vulnerability management or dealing with a single CTI provider, b...
Wazuh for Proactive Vulnerability Management

Mar 31, 2026
Vulnerability management is the continuous process of identifying, assessing, prioritizing, and addressing security weaknesses across systems, applications, and infrastructure. It extends beyond periodic scanning; it includes validating findings, understanding exposure in real-world environments, and tracking remediation over time. Effective vulnerability management combines asset visibility, vulnerability intelligence, and operational context to determine which flaws present actual risk rather than theoretical exposure. Modern IT environments further complicate the process of vulnerability management. Hybrid IT infrastructure, third-party dependencies, and internet-facing services increase the attack surface while generating large volumes of vulnerability data. Security teams must balance operational constraints, such as out-of-support legacy systems and uptime requirements, with the need to quickly reduce exposure. As a result, vulnerability management is no longer limited to coun...
Which Code Vulnerabilities Actually Get Fixed? New Code Security Data from 50,000+ Repos

Mar 30, 2026
Most application security (AppSec) teams know their OWASP Top 10, the industry-standard list of the most critical software security risks. Fewer know which of those categories their organization actually fixes. In conversations with security teams, I hear the same story: "We prioritize criticals, so the important stuff gets handled." The data tells a different story. Fix rates vary dramatically by OWASP vulnerability class, and not in the ways most teams expect. The data comes from Semgrep's Remediation at Scale report, which analyzed anonymized remediation patterns across 50,000+ repositories and hundreds of organizations during 2025. The methodology is straightforward: group organizations into two cohorts by fix rate (top 15% as "leaders," remaining 85% as "field"), then compare what each group actually does differently. The gap between leaders and the field isn't about detection quality or prioritization frameworks. Both cohorts apply the s...
The Curated Catalog: The Biggest Defense Against Shai-Hulud 3.0

Mar 17, 2026
When Shai-Hulud 2.0 hit in late 2025, it was a brutal, expensive wake-up call for DevSecOps teams. It showed that the industry's direction of shifting left, where teams pass security onto developers, wasn't the silver bullet everyone hoped for. Pushing that responsibility was fine in theory, but it crumbled quickly because the foundation it was built on was inherently flimsy. As we move further into 2026, we need a more definitive fix to the structural weakness in the pipelines in light of a potential Shai-Hulud 3.0. A major lesson from 2.0 was that internal CI/CD runners were easily hijacked and turned into attack botnets. Teams need to take that finding and come back with a truly proactive defense. A curated catalog is a way for security teams to control exactly what code and components enter their environment, while still giving engineering teams a fast, secure way to build - it is the key to creating a sustainable solution. More on a curated catalog later. The Anatomy o...
Why CVSS Scores Don't Tell the Real Story of Risk

Mar 09, 2026
In most security operations centers, CVSS quietly dictates remediation priorities. Dashboards are sorted by severity. "Critical" vulnerabilities float to the top. Quarterly summaries celebrate how many 9.0+ findings were closed. On paper, it looks rational. In practice, it's often wrong. CVSS was designed to standardize how vulnerabilities are scored. Its origins and main purpose have been to measure technical severity, including exploit complexity, required privileges, impact on confidentiality, integrity, and availability. It provides a shared language. But where it has perpetually struggled is measuring context within, like whether the asset is internet-facing, how critical it is to the business, and whether attackers are actively exploiting the vulnerability. And context is where real risk lives. How Abstract Scores Turn Vulnerability Management Into "Severity Theater" A vulnerability scored 9.8 in a non-production environment with no external access may demand immediate atten...
The Uncomfortable Truth About "More Visibility"

Feb 16, 2026
Security teams have never had more telemetry. They have also never been more behind. In 2025, organizations faced an average of 1,968 cyber attacks per week, an 18% YoY increase, and nearly a 70% increase since 2023. That's not just "more noise." It's a signal that attacker throughput is scaling faster than human response models can. At the same time, the attacker playbook shifted in ways that punish slow cycles. Social engineering moved beyond email into multi-channel, cross-platform operations, including new interaction-led techniques like ClickFix, which manipulates users into executing the attack themselves. ClickFix activity increased by roughly 500% and appeared in nearly half of documented malware campaigns. And while humans remain a primary target, attackers are finding even easier traction in unpatched, unmanaged, and inherited exposures. These gaps give adversaries durable footholds long before exposure remediation is implemented. Couple that with automation, and expo...
The 2026 State of Pentesting: How Modern Teams Manage and Deliver Results

Jan 12, 2026
Why reporting, delivery, and validation have become just as critical as testing itself Pentesting has undergone a fundamental shift over the last 5 years. While the core objective of identifying exploitable weaknesses remains the same, the way results are managed, delivered, and validated has become just as important as the testing itself. Security leaders no longer view penetration tests as one-off engagements that end with a PDF. They expect timely, actionable results that feed into their broader vulnerability management and remediation programs. For pentest teams, this shift has exposed a growing gap between how testing is performed and how outcomes are operationalized. Why Traditional Pentest Delivery Is Breaking Down Historically, pentest results have been delivered as static reports, often disconnected from vulnerability scanners, ticketing systems, and remediation workflows. This creates a challenge as the data becomes siloed from other security data and is not aligned int...
Continuous Patch Management: Why the Future of Cybersecurity Demands Real-Time Vulnerability Remediation

Oct 06, 2025
For decades, organizations operated under the assumption that vulnerability management could be slotted into predictable maintenance windows. Monthly patch cycles, quarterly review periods, and planned outages became the standard rhythm of IT operations. Yet, in today's environment, where exploit code emerges within hours of a disclosure and attackers weaponize vulnerabilities on an industrial scale, those rhythms are dangerously outdated. The modern reality is that continuous patch management and end-to-end vulnerability lifecycle governance are no longer aspirational, they are the bare minimum. Security must be measured not by the comfort of predictability, but by the ability to remediate as close to real time as possible. The Problem with Periodic Maintenance Windows Exploitation Outpaces Response: exploits are increasingly released at or before vendor patch availability. A monthly or even bi-weekly patch cadence leaves systems exposed during the critical first days when atta...