2025

Zafran State of Threat Exposure Management

Inside: A Strategic Shift in How Security Teams Are Managing Risk and Mitigating Exposures

Security leaders and vulnerability management teams are united by a common challenge: too much noise, too little clarity, and increasing pressure to close risk gaps — fast. The 2025 Zafran State of Threat Exposure Management report reveals how leading organizations are moving beyond traditional patching methods and adopting a new operating model for threat and vulnerability management.

Based on insights from over 100 security leaders and data from millions of scanned assets, this report breaks down the critical trends redefining how teams identify, prioritize, and mitigate what really matters.

Insight 1

Only 1 in 50,000 vulnerabilities is truly critical

The volume is massive, but the real risk is rare.
Zafran’s analysis shows that just 0.002% of vulnerabilities actually pose critical risk to the business — meaning 1 in every 50,000 is worth urgent action.

Using signals like runtime presence, active threat campaigns, internet exposure, and security defenses already in place, Zafran filters out the noise to surface what actually matters.

Key context across environments:

  • 1 in 3 vulnerabilities are present in runtime
  • 1 in 20 are being actively exploited in the wild
  • 1 in 100 are internet-facing

With this exposure context applied — including existing defenses — just 1 in 50,000 vulnerabilities meets the bar for critical risk.

“CVSS base scores are theoretical measures of severity that ignore real-world context. They're like measuring hurricane risk solely based on wind speed, while ignoring population density, infrastructure resilience, and historical patterns.”

Pete Chronis
CISO, Paramount (Retired)

“The need for defenders to take fast, efficient action has never been more important. Attackers are exploiting vulnerabilities faster than ever, with recent data showing as little as five days from vulnerability discovery to exploitation.”

Nate Rollings
Field CISO, Zafran

Insight 2

39% of organizations are missing SLA targets for top-priority patching

This isn’t about lack of effort — it’s a scale problem. VM teams are buried under rising volumes of vulnerabilities and fragmented findings across cloud, AppSec, and on-prem tools. Reconciling duplicate alerts and coordinating fixes across teams adds even more friction.

The result? Missed SLAs, growing backlogs, and alert fatigue. It's not that teams aren't trying — it's that legacy processes can't keep up with the complexity.

Insight 3

Existing security defenses are THE most critical factor in prioritizing vulnerability remediation

In the survey, respondents identified the most critical factors for prioritizing remediation, ranking mitigations from existing security defenses as the top priority. VM teams are now working with security architects to better understand existing mitigations, and with CISOs to tie remediation to business impact. The result: higher-impact fixes that consider the strength of your existing security defenses.

“Understanding the impact of your existing compensating controls is the biggest untapped lever for identifying the truly exploitable vulnerabilities in your own environment.”

Nate Rollings
Field CISO, Zafran

“Zafran has proven to be a force multiplier to mitigate the risks in our environment.”

Brett Wentworth
VP and Deputy CSO, Lumen Technologies

Insight 4

95% of organizations plan to adopt a new vulnerability or exposure management platform in the next 12 months

Security and VM leaders agree: the status quo isn’t enough. Teams are turning to platforms that deliver actionable risk context — combining real-time exposure insights with automation — so they can prioritize what matters most and take high-impact action at scale.

Download the full report
Whether you're setting security strategy or executing it — this report gives you the insight, benchmarks, and clarity to focus your efforts where they matter most.