
Financial Services
Clarity Over Chaos: How a Fortune 500 Financial Institution Stopped “Panic Patching"
This is the default text value
A Fortune 500 commercial insurance holding company was working to modernize a vulnerability management program built on legacy scanner output. With a public company's obligation to speak precisely about its top risks, the security team wanted to move past raw CVSS scores and build a program that could tell leadership, with evidence, what was actually exploitable.
The security team had strong tooling across endpoint, cloud, and network defenses, but vulnerability prioritization still ran on CVSS severity alone. That left no way to account for whether a vulnerable system sat behind an effective compensating control, whether it was reachable from the internet, or whether the vulnerable component was even running. Confirming exposure to a single critical vulnerability could take hours of manual cross-referencing between scanner data, network diagrams, and control configurations, work that did not scale against the volume of new findings.
Mapping the external attack surface added another layer of manual effort. The team needed a defensible way to trace the path from an internet-facing asset back into the internal network, something that today required significant manual validation and was, in the team's own words, “super difficult to do”. Ticketing and tracking ran through spreadsheets and a general-purpose GRC tool, with no mitigation strategy built into the process at all.
The organization brought in Zafran to replace CVSS-only scoring with a risk-based model that accounts for real exposure, laying the foundation for a shift from traditional vulnerability management to Continuous Threat Exposure Management (CTEM). Zafran ingested findings from the company's existing vulnerability scanners, endpoint protection, cloud security, and network and web application firewalls, correlating them against live telemetry to determine which vulnerabilities were actually reachable, running, and unprotected, versus which were already neutralized by existing defenses.
A reachability graph mapping internet-facing assets back through the internal network, built on NAT analysis, became a turning point for the evaluation. It gave the team an evidence-backed view of how external-facing assets connect into the internal network, replacing manual tracing work and giving leadership a clear way to visualize exposure at the board level.
Zafran's control-gap analysis also surfaced a web application firewall misconfiguration that let traffic bypass the firewall entirely for a subset of internet-facing applications, exposing them to potential attacks the team believed were already blocked. On the runtime side, Zafran's detector distinguished vulnerable software that was actually loaded and running from software that was merely installed, sharpening the picture of true exposure for widely-flagged issues like a common Java logging vulnerability.
The team is integrating Zafran's findings into its existing ITSM-driven remediation workflow, using verified risk context to justify SLA assignments and mitigation decisions rather than defaulting to CVSS severity alone.
Using data from the organization's own environment, the evaluation produced concrete, verifiable outcomes:
These outcomes gave the security team a defensible, evidence-backed foundation to report exposure to leadership and the board, and a repeatable process for validating true risk as the program matures from vulnerability management toward full CTEM.
Zafran is the only end-to-end AI-native Threat Exposure Management platform that combines continuous vulnerability detection with deep mapping of vulnerabilities to compensating controls to determine what is actually exploitable in your environment.
See why leading enterprises trust Zafran to focus on what actually matters. Discover the new operating model for vulnerability management.
Unlocked mitigations hiding in existing security tools
See Zafran in action
See Zafran in Action
Prioritize and fix what is truly exploitable using risk context from your existing security tools