Financial Services Leader Reduces Patch Stress and Aligns Remediation with Actual Risk

Sallie Mae is a leading private lender in the US, specializing in education financing and personal loans with a strong focus on risk management and regulatory compliance.

The Challenge

Prioritization & Remediation Workflow Efficiency

Before Zafran, Sallie Mae relied heavily on scanner-generated CVSS and EPSS scores to drive prioritization. However, these metrics didn’t reflect the effectiveness of existing security controls—leading to panic patching, stress, and friction between security and remediation teams. Vulnerabilities on well-defended systems were treated as critical, and patch exceptions lacked structured, risk-based justification. The team needed a way to quantify Applicable Risk™ using the security investments they already had in place.

The Solution

Sallie Mae implemented Zafran to redefine how risk was assessed across their environment. By integrating with the organization’s vulnerability scanners, network controls, endpoint defenses, and change management system, Zafran provided a more complete picture of actual exploitability.

Zafran enabled the security team to deprioritize vulnerabilities based on live control presence—such as exploit blocks in EDR or network segmentation—and highlight cases where remediation truly mattered. Risk-based context was used to validate patch exceptions and manage expectations between teams. Zafran also supported workflows for CISA KEVs and zero-day tracking, helping Sallie Mae focus attention when threats were credible and urgent.

Implementation

The initial rollout focused on integrating Zafran with existing tools. Sallie Mae prioritized key security systems and quickly began tuning risk models to reflect internal policy and control coverage. Zafran’s flexibility allowed the team to expand integration coverage as new tools were onboarded. Zafran’s support team was highly responsive to feature requests and actively collaborated to meet Sallie Mae’s requirements.

We are able to see the real risk of a vulnerability in our environment. We don't have to 'panic patch' for high CVSS/EPSS vulnerabilities.

VP of Information Security, 1K+ employees

Results

Reclassified high CVSS/EPSS vulnerabilities based on real control coverage, reducing unnecessary urgency

Enabled structured exception workflows tied to actual exploitability, improving patch governance

Reduced pressure on remediation teams by aligning SLAs to true risk

Zafran now enables Sallie Mae to scale its vulnerability management program without overwhelming teams or overstating risk. The platform’s automated analysis of risk context revealed the most pressing vulnerabilities, cutting CVSS Critical severity noise by 76%. By mapping real-world security posture to patch decisions, Zafran has become a cornerstone of Sallie Mae’s risk-based remediation strategy—reducing friction, increasing maturity, and building trust across teams.

Industry

Financial Services

Primary Use Cases

Applicable Risk-Based Prioritization
Exception-Based Risk Validation
Security Tool Integration for Risk Scoring

Key Outcome

76% reduction in CVSS Criticals at Sallie Mae with Zafran
