Financial Services Company Replaces Kenna - Case Study

Primary Use Cases

Unified vulnerability ingestion across security tools
Risk-Based Vulnerability Prioritization
Ticket-driven remediation workflows for asset owners

Industry

Financial Services

Outgrowing Kenna: A Financial Services Organization Evolves to Evidence-Based Exposure Management

As this financial services organization’s vulnerability management program matured, accuracy in risk prioritization became increasingly critical. Recognizing the limitations of Kenna and traditional RBVM, the team looked to evolve toward exposure-based risk management while preserving existing remediation workflows and operational ownership.

The Challenge: Prioritizing Real Risk Amid Noise and False Criticals

The organization had successfully used Kenna to reduce the overall number of vulnerabilities across its environment. However, over two years, major limitations emerged. The most significant issue was that end-of-life vulnerabilities were being scored as 0 out of 10, rather than receiving appropriately elevated risk scores.

This breakdown in risk accuracy, combined with contractual and cost frustrations, made the Kenna platform no longer viable for the customer’s needs. The security team needed a solution that could continue ingesting the full breadth of vulnerability data from across the environment, while reprioritizing those findings using reliable risk context and clearly communicating remediation priorities to both operators and leadership.

The Implementation

The Solution: Using Existing Defenses to Validate Risk and Eliminate Panic Patching

The organization selected Zafran to replace Kenna’s vulnerability prioritization capabilities while preserving existing remediation workflows. Zafran ingests vulnerability and asset data from the organization’s existing security stack and reprioritizes vulnerabilities using risk context beyond severity alone.

By incorporating internet exposure and runtime context, Zafran enabled the security team to differentiate theoretical risk from vulnerabilities that posed real operational impact. This helped focus remediation on issues that were both exposed and relevant, rather than reacting to false criticals.

Unlike Kenna, which lacked visibility into both end-of-life vulnerabilities and active mitigations, Zafran correlates vulnerabilities with existing security controls to determine whether issues are already mitigated and where remediation is truly required. This enabled the security team to distinguish theoretical findings from actionable risk, eliminating false criticals while ensuring unsupported systems received appropriate attention. By evaluating the real-world configurations of existing security controls, Zafran provided evidence-based validation of which exposures were effectively mitigated and which required remediation.

Zafran’s prioritized findings were used to drive remediation tickets in Jira, improving prioritization without disrupting existing workflows.

In just weeks, we migrated from Kenna to Zafran and immediately eliminated 90% of our CVSS critical vulnerabilities.

CISO, a major lending organization

The Results

The organization successfully replaced its prior platform without disrupting vulnerability remediation operations.

  • 96% reduction of CVSS Critical/High vulnerabilities
  • Restored accurate prioritization of end-of-life and high-risk vulnerabilities
  • Unified vulnerability, asset, and mitigation data into a single platform
  • Enhanced prioritization by incorporating internet exposure, runtime context, and mitigation-aware risk signals
  • Preserved existing ticket-driven remediation workflows
  • Increased confidence that remediation efforts are focused on real, validated risk

By replacing its previous vulnerability prioritization platform with Zafran, the organization preserved the operational strengths of its vulnerability management program while closing critical gaps in risk accuracy. With mitigation-aware prioritization and a unified view across existing security tools, the team now focuses remediation efforts on what truly matters, without panic patching or workflow disruption. This also gave leadership a clearer, continuously updated view of organizational risk exposure and how compensating controls reduced that risk over time.

Learn More

Zafran has redefined vulnerability management with a new operating model that transforms reactive patching into proactive risk reduction. Using your existing defenses and live risk context, Zafran helps you prove what’s truly exploitable, and mitigate it fast.

See why leading enterprises trust Zafran to focus on what actually matters. Discover the new operating model for vulnerability management.

Key Outcome

96% reduction of CVSS Critical/High vulnerabilities

Learn More

Zafran partners with complex global organizations to help them move from reactive vulnerability patching to proactive risk reduction. With Zafran, security teams can focus on exposures that actually matter—based on live context from their own environment—and take immediate steps to mitigate risk.

We invite you to see what our customers already know. Come see the power of Zafran.
