Healthcare
How a Major Healthcare System Reduced Critical Vulnerabilities by 99% with Compensating Controls
This is the default text value
Clarity Over Chaos: How a Fortune 500 Financial Institution Stopped “Panic Patching"
When every vulnerability comes back marked critical, the word stops meaning anything. For a Fortune 500 financial institution, that was the daily reality. With a security team responsible for protecting complex infrastructure spanning on-premise and cloud systems, the organization needed a way to move beyond scanner-generated severity scores and make vulnerability prioritization credible, evidence-backed, and defensible to stay in step with their remediation team.
The Challenge: Patch Urgency Driven by Scanner Scores Instead of Real Attack Paths
Before Zafran, prioritization relied on scanner-generated CVSS and EPSS scores. But these scores had no way of knowing whether a vulnerable system sat behind layers of compensating controls, whether the asset was even reachable from the internet, or whether the relevant code was running at all. This led to well-defended systems flagged as critical, patch exceptions piling up without clear justification, and growing friction between security and remediation teams. Without a way to measure actual exposure in context, there was no defensible basis for saying "this one actually matters."
The Implementation
The Solution: Prioritizing Vulnerabilities Based on Control Coverage and Exposure
The customer implemented Zafran to assess the true applicable risk of vulnerabilities across their environment. By integrating with existing vulnerability scanners, security controls, and service management systems, Zafran delivered a unified, contextual view of risk across on-prem and cloud environments.
Using live telemetry from tools like EDR, WAF, and NGFW, Zafran identified when assets were already protected by controls that actively blocked exploits. That meant the team could deprioritize low-risk vulnerabilities with confidence and validate patch exceptions against real data.
This integrated approach plugged directly into existing change control processes, making remediation workflows faster, coordinated, and auditable. With a clear, contextual picture of actual exposure, the friction between security and remediation teams eased. Focus sharpened on credible threats like zero-days and CISA KEVs, and the team had the foundation for a scalable, risk-based vulnerability management framework.
The Results
Using Zafran's contextual risk analysis, the customer transformed how vulnerabilities were prioritized and managed:
- Reclassified over 50,000 "Critical" CVSS findings as medium or low based on verified control coverage, removing unnecessary urgency from the queue
- Identified 23,000 vulnerabilities that could be mitigated immediately by reconfiguring existing compensating controls
- Cut false-critical noise by 96%, giving teams the focus to act on vulnerabilities that actually carried risk
- Used real-time signals from EDR, WAF, and NGFW to confirm when defenses were already blocking exploit attempts, avoiding unnecessary emergency patching
Together, these outcomes gave the customer the precision and confidence to scale vulnerability management, with Zafran as the foundation for risk-based remediation.
Discover how Zafran Security can streamline your vulnerability management processes.
Request a demo today and secure your organization’s digital infrastructure.
Request a demo today and secure your organization’s digital infrastructure.
Industry
Financial Services
Primary Use Cases
Proactive Exposure Hunting
Risk Mitigation Using Existing Defenses
RemOps & Workflow Optimization
Key Outcome
96%
reduction in CVSS Criticals
See Zafran in action
See Zafran in Action
Prioritize and fix what is truly exploitable using risk context from your existing security tools