
Blog
Zafran Team
Zafran Joins the Athena Coalition to Defend Against Frontier AI Attack Chains
July 7, 2026
Zafran data reveals less than 1 out of 20 CISA top priority findings are a critical risk

On June 10, 2026, CISA issued Binding Operational Directive 26-04 and made something explicit that the industry had been arguing for years: CVSS scores alone are not a sufficient basis for prioritization. Although the directive doesn't retire CVSS, it adds a mandatory decision layer on top of it, built around four questions:
Work through the tree and you get a decision point, itself translated into a remediation deadline - not a score. The most urgent combination gets three calendar days and a forensic triage. On the other hand, a vulnerability that does not align to every risk condition gets deferred to the next scheduled system upgrade. Everything else lands on a 14-day or 60-day clock in between.

This is a real step forward. The directive forces organizations to ask whether a CVE is actually exploitable in the wild, and whether the affected asset is reachable. That alone filters out most of the noise that has paralyzed vulnerability programs for years.
But the directive has a ceiling.
Zafran implements the BOD 26-04 decision tree natively, giving every customer an automatically computed SSVC tier for every finding: ACT (3-days deadline), ATTEND (14 days), TRACK (60 days), or DEFER (next upgrade).
This is implemented independently from Zafran's Applicable Scoring system, which assigns each finding a score based upon a broader range of contextual risk factors, from runtime presence to business criticality. More importantly, Zafran’s Applicable Score incorporates the presence of compensating controls already mitigating a vulnerability.
Analyzing these two systems together leads to some interesting insights.
Across Zafran's customer base, SSVC places fewer than 8% of all findings in ACT or ATTEND combined. The remaining 92% land in TRACK or DEFER. These are real CVEs, but that pose no immediate operational risk.
These numbers are striking. Out of every 200 vulnerability findings, only one requires urgent remediation within three days (0.49%), and fewer than fifteen need to be patched within fourteen days. Everything else can be handled at a more measured pace, with 77 out of every 100 findings not requiring a fix before the next planned upgrade.

These numbers alone reframe what BOD 26-04 makes possible. Organizations that previously treated every finding as a remediation candidate now have a defensible, model-driven answer to the question of what to de-prioritize. SSVC's decision tree is doing exactly what it was designed to do: eliminate the noise.
The harder problem starts inside the category of findings that must be dealt with urgently.
One would expect that a very high proportion of findings from the three-day tier - the most urgent bucket BOD 26-04 defines - represent vulnerabilities that are genuinely exploitable in real-world conditions. The data calls that assumption into question: less than one in twenty of them (4.4%) combine every risk factor (a high CVSS score, presence at runtime, threat association, absence of control mitigations, and placement on an internet-facing, business-critical asset).
This is what Zafran defines as a “critical” Applicable Risk to your environment. In the chart below, the healthcare sector illustrates this gap most sharply: healthcare customers should treat only 1.6% of their BOD 26-04 top priority findings as warranting the three-day deadline.
At the other end of the scale, deprioritized findings with no specific remediation deadline (tagged as DEFER) actually corroborate Zafran's own risk assessment. The pattern is especially stark among financial sector customers: almost 97% of their DEFER vulnerabilities also get low priorities on Zafran, meaning they de facto lack significant risk factors and are barely exploitable in the customer's environment.

The directive's four variables describe the vulnerability and the asset's network posture. They don't describe what's happening inside the environment - whether a compensating control already blocks the attack path, whether the vulnerable component is actually loaded at runtime, or what the blast radius would be for this specific organization if the asset were compromised.
That context is not a refinement. It is what separates a finding that needs to be fixed in 72 hours from one that is already effectively mitigated and can be handled in the next patch cycle without meaningful additional risk.
BOD 26-04 is a strong signal that the industry is moving in the right direction. Exploitability-based prioritization is the correct foundation. The three-day clock for the highest-risk tier reflects how fast the threat environment moves, especially in the post-Mythos era.
But the data shows what happens at the implementation level. Without context, the directive delivers a prioritized list of findings - it cannot deliver an ordered remediation queue. Knowing which ACT findings to fix first, which ones are already covered by controls in place, and which ATTEND findings actually carry the urgency of an ACT finding requires the layer BOD 26-04 was never designed to provide.
The executive order gets organizations to the right 8%. What they do with that 8% still depends on what they know about their own environment.
Traditional vulnerability management must change. So many are drowning in detections, and still lack insights. The time-to-exploit window sits at 5 days. Implementing a Continuous Threat Exposure Management (CTEM) program is the path forward. Moving from vulnerability management to CTEM doesn't have to be complicated. This guide outlines steps you can take to begin, continue, or refine your CTEM journey.
