Case Studies

How a Fortune 500 Insurer Built a Reachability Graph Its Board Could Trust

Primary Use Cases

Exploitability-Based Vulnerability Assessment
External Attack Surface Validation
Mitigation Using Existing Defenses

Industry

Financial Services

A Fortune 500 commercial insurance holding company was working to modernize a vulnerability management program built on legacy scanner output. With a public company's obligation to speak precisely about its top risks, the security team wanted to move past raw CVSS scores and build a program that could tell leadership, with evidence, what was actually exploitable.

The Challenge: CVSS Scores Without Context

The security team had strong tooling across endpoint, cloud, and network defenses, but vulnerability prioritization still ran on CVSS severity alone. That left no way to account for whether a vulnerable system sat behind an effective compensating control, whether it was reachable from the internet, or whether the vulnerable component was even running. Confirming exposure to a single critical vulnerability could take hours of manual cross-referencing between scanner data, network diagrams, and control configurations, work that did not scale against the volume of new findings.

Mapping the external attack surface added another layer of manual effort. The team needed a defensible way to trace the path from an internet-facing asset back into the internal network, something that today required significant manual validation and was, in the team's own words, “super difficult to do”. Ticketing and tracking ran through spreadsheets and a general-purpose GRC tool, with no mitigation strategy built into the process at all.

The Implementation

The Solution: Validated Exploitability Across the Attack Surface

The organization brought in Zafran to replace CVSS-only scoring with a risk-based model that accounts for real exposure, laying the foundation for a shift from traditional vulnerability management to Continuous Threat Exposure Management (CTEM). Zafran ingested findings from the company's existing vulnerability scanners, endpoint protection, cloud security, and network and web application firewalls, correlating them against live telemetry to determine which vulnerabilities were actually reachable, running, and unprotected, versus which were already neutralized by existing defenses.

A reachability graph mapping internet-facing assets back through the internal network, built on NAT analysis, became a turning point for the evaluation. It gave the team an evidence-backed view of how external-facing assets connect into the internal network, replacing manual tracing work and giving leadership a clear way to visualize exposure at the board level.

Zafran's control-gap analysis also surfaced a web application firewall misconfiguration that let traffic bypass the firewall entirely for a subset of internet-facing applications, exposing them to potential attacks the team believed were already blocked. On the runtime side, Zafran's detector distinguished vulnerable software that was actually loaded and running from software that was merely installed, sharpening the picture of true exposure for widely-flagged issues like a common Java logging vulnerability.

The team is integrating Zafran's findings into its existing ITSM-driven remediation workflow, using verified risk context to justify SLA assignments and mitigation decisions rather than defaulting to CVSS severity alone.

The Results

Using data from the organization's own environment, the evaluation produced concrete, verifiable outcomes:

  • Reduced 84% of CVSS critical vulnerabilities to low or medium criticality once verified compensating controls and exploitability context were applied
  • Identified more than 70 mitigations already available through existing security controls that would bring thousands of critical findings down to medium or low risk without new investment
  • Prevented operational downtime by analyzing runtime and reachability context for a widespread Java logging vulnerability, proving zero critical exposure and saving the team from unwarranted patching fire drills
  • Hardened defenses by identifying and remediating a critical WAF misconfiguration that allowed external bypass traffic to reach 125 internal hosts undetected
  • Closed visibility gaps by uncovering 240 assets missing recent scan coverage or endpoint protection that had gone unflagged by existing tools

These outcomes gave the security team a defensible, evidence-backed foundation to report exposure to leadership and the board, and a repeatable process for validating true risk as the program matures from vulnerability management toward full CTEM.

Learn More

Zafran is the only end-to-end AI-native Threat Exposure Management platform that combines continuous vulnerability detection with deep mapping of vulnerabilities to compensating controls to determine what is actually exploitable in your environment. 

See why leading enterprises trust Zafran to focus on what actually matters. Discover the new operating model for vulnerability management.

Discover how Zafran Security can streamline your vulnerability management processes.
Request a demo today and secure your organization’s digital infrastructure.
Request Demo

Industry

Financial Services

Primary Use Cases

Exploitability-Based Vulnerability Assessment
External Attack Surface Validation
Mitigation Using Existing Defenses

Key Outcome

70+

Unlocked mitigations hiding in existing security tools

See Zafran in action

Get a Demo

Learn More

Zafran partners with complex global organizations to help them move from reactive vulnerability patching to proactive risk reduction. With Zafran, security teams can focus on exposures that actually matter—based on live context from their own environment—and take immediate steps to mitigate risk.

We invite you to see what our customers already know. Come see the power of Zafran.

Financial Services
Zafran Team

Clarity Over Chaos: How a Fortune 500 Financial Institution Stopped “Panic Patching"

Zafran Team
May 14, 2026
Read More
This is the default text value
Healthcare
Zafran Team

How a Major Healthcare System Reduced Critical Vulnerabilities by 99% with Compensating Controls

Zafran Team
April 10, 2026
Read More
This is the default text value
Financial Services
Zafran Team

Financial Services Organization Outgrows Kenna and Adopts Evidence-Based Exposure Management

Zafran Team
January 8, 2026
Read More
This is the default text value

See Zafran in Action

Prioritize and fix what is truly exploitable using risk context from your existing security tools

Get a Demo