
The vulnerability volume trap: Why security teams are still falling behind

By Sylvain Cortes, VP Strategy, Hackuity

Security teams have never been busier. Dashboards are full of activity – patch counts climbing, remediation tickets being closed week after week. On paper, organisations are doing the work. And yet the teams running these processes will tell you something uncomfortable: the threat landscape is outpacing them. 

This is a measurement problem more than a resources problem, though resources are certainly stretched. The way organisations track vulnerability management success – volume processed, compliance boxes ticked – tells a compelling story of productivity. What it fails to capture is whether any of that activity is reducing real-world exposure. 

Hackuity’s latest vulnerability management research backs up this observation. Nearly half of respondents (46%) reported that rising vulnerability volumes have placed additional strain on their security teams. A comparable share (42%) flagged false positives as a significant drain on their time. Meanwhile, 38% reported team burnout as a direct consequence.

Put simply, these figures show that teams are not always directing their efforts to where they can have the most impact. 

Drowning in detection 

The survey found that organisations use an average of four different detection tools – cloud configuration audits, penetration testing, application assessments, breach simulation platforms and more besides. In theory, layered detection sounds robust. In practice, the more tools you add without a unified way to correlate and prioritise their output, the more noise you introduce into the system. When multiple tools flag different issues with different severity scores and no shared context, security teams end up triaging the noise rather than addressing the threats that matter.

This feeds directly into the false positive problem. Teams without full automation reported significantly higher concern about wasted effort: 49% flagged it as an issue, compared with 36% among those with comprehensive automation in place. Each tool is doing its individual job, but the system they form together is not serving the people who rely on it.

The compliance comfort zone 

This is where the false sense of security really takes hold. When asked how they prioritise vulnerabilities, 43% of organisations said they follow a compliance-driven approach, dictated by frameworks such as PCI-DSS or ISO standards. However, only around a third use a risk-based method that factors in asset criticality, exploitability and genuine business impact. 

Compliance-driven prioritisation has its place. Regulatory requirements exist for good reason, and organisations that ignore them create a different set of problems entirely. But compliance frameworks are designed around minimum standards, not around the specific threat profile of any given organisation. A vulnerability that doesn’t trigger a compliance flag can still represent a critical exposure. One that does trigger a flag might pose very little risk in the context of your actual environment. 

Nearly all the organisations surveyed have defined remediation Service Level Agreements (SLAs) based on vulnerability severity. This is reassuring, as it suggests teams have clear expectations and timelines. But SLAs measure speed of response, not quality of targeting. You can remediate quickly and consistently while still spending the bulk of your effort on threats that were never going to materialise.

The metrics organisations rely on reward activity. Risk reduction is harder to measure, and so it gets quietly deprioritised. The result is teams that look productive on paper but remain exposed in practice. 

From activity to impact 

So, what does it look like when organisations get this right? The research offers some clear signals. 

Organisations that have fully automated their vulnerability management processes achieve a mean time to remediation of 3.5 weeks for critical vulnerabilities. Those without full automation take 4.5 weeks on average. That is a meaningful gap. Automation surfaces the most urgent exposures faster, so human effort is directed where it counts, and that advantage shows up directly in remediation times.

Continuous threat exposure management (CTEM) is gaining ground, with 65% of organisations reporting full adoption. Those that have implemented it tend to be the same ones with higher automation levels and faster remediation times. The connection makes sense. CTEM shifts the model from periodic scanning to continuous assessment, which means the picture of an organisation’s exposure is constantly being refreshed rather than captured in snapshots. 

The move toward vulnerability operations centres (VOCs) follows a similar pattern. Our research shows that 53% of organisations have fully implemented a VOC-based approach, with another 40% actively in the process of transitioning. VOCs consolidate vulnerability management into a single operational model, removing the fragmentation that causes so much of the noise described above.  

The organisations pulling ahead share a common thread. They have consolidated their detection, automated their triage, and shifted prioritisation toward real-world risk.  

This shows that the technology is there and that the frameworks are maturing. What is holding progress back is how organisations choose to measure and reward their security teams’ work.

What leaders need to change 

Part of the issue may be the attention and resources that vulnerability management programmes receive when organisations have so many other pressing issues to deal with. We found that 60% of respondents reported that vulnerability management does not receive the same focus as other IT security projects within their organisations.

And the disconnect is telling. Security leaders broadly understand the value of automation and risk-based approaches, but vulnerability management keeps slipping down the priority list, squeezed by budget constraints and operational pressures.   

Closing this gap doesn’t require reinventing security operations from scratch. Instead, it can be achieved through a deliberate shift in what organisations choose to measure. Patch counts and compliance checklists will always have a role, but they shouldn’t be the primary lens through which vulnerability management success is judged. The organisations that are reducing their exposure are measuring attack surface reduction and the proportion of remediation effort directed at exploitable threats. 
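The three moves this article keeps returning to, correlating overlapping findings from several tools, ranking them by asset criticality and exploitability rather than by compliance flag or raw CVSS, and measuring what share of remediation effort actually lands on exploitable threats, are short to express in code. The following is an added example written for this page, not Hackuity’s code or any product logic. The tool names, assets, CVE labels, EPSS values, the 0.3 EPSS cut-off, the remediation log and the weighting formula are all constructed assumptions, not data from the research.

```python
"""Correlate overlapping findings from several scanners and rank them by
real-world risk rather than by compliance flag or raw CVSS.

Added example for illustration; this is not Hackuity's code. The tool
names, assets, CVE labels, EPSS values, the 0.3 EPSS cut-off and the
weighting formula are all constructed assumptions, not published data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str              # which scanner reported it
    asset: str
    cve: str
    cvss: float            # base score as reported by that tool
    compliance_flag: bool  # maps to a PCI-DSS / ISO-style control


@dataclass(frozen=True)
class Asset:
    criticality: int       # assumed scale: 1 (throwaway) .. 5 (crown jewel)
    internet_facing: bool


# Constructed sample: four tools, two of them reporting the same issue.
FINDINGS = [
    Finding("cloud-audit", "web-01", "CVE-A", 9.8, True),
    Finding("pentest",     "web-01", "CVE-A", 9.0, True),   # same issue, lower score
    Finding("app-scan",    "web-01", "CVE-B", 6.5, False),
    Finding("bas",         "db-02",  "CVE-C", 7.5, False),
    Finding("cloud-audit", "dev-03", "CVE-D", 9.1, True),
    Finding("app-scan",    "dev-03", "CVE-E", 4.3, False),
]

ASSETS = {
    "web-01": Asset(criticality=5, internet_facing=True),
    "db-02":  Asset(criticality=4, internet_facing=False),
    "dev-03": Asset(criticality=1, internet_facing=False),
}

# Constructed exploitability intelligence (stand-ins for a KEV list and an EPSS feed).
KNOWN_EXPLOITED = {"CVE-B", "CVE-C"}
EPSS = {"CVE-A": 0.02, "CVE-B": 0.71, "CVE-C": 0.55, "CVE-D": 0.01, "CVE-E": 0.03}
EPSS_THRESHOLD = 0.3  # assumed cut-off

# Constructed remediation log: (asset, cve, engineer-hours spent closing it).
REMEDIATION_LOG = [
    ("web-01", "CVE-A", 8),
    ("dev-03", "CVE-D", 6),
    ("db-02",  "CVE-C", 4),
    ("dev-03", "CVE-E", 2),
]


def correlate(findings):
    """Collapse findings onto one (asset, cve) key so a vulnerability seen by
    several tools is counted once, keeping the highest reported CVSS."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        item = merged.setdefault(key, {"cvss": 0.0, "tools": set(), "compliance_flag": False})
        item["cvss"] = max(item["cvss"], f.cvss)
        item["tools"].add(f.tool)
        item["compliance_flag"] = item["compliance_flag"] or f.compliance_flag
    return merged


def is_exploitable(cve):
    """Known-exploited, or predicted likely to be exploited."""
    return cve in KNOWN_EXPLOITED or EPSS.get(cve, 0.0) >= EPSS_THRESHOLD


def risk_score(asset, cve, item):
    """Assumed weighting: severity x asset criticality, doubled if exploitable,
    x1.5 if reachable from the internet."""
    a = ASSETS[asset]
    score = item["cvss"] * a.criticality
    if is_exploitable(cve):
        score *= 2
    if a.internet_facing:
        score *= 1.5
    return score


def prioritise(merged, mode="risk"):
    """Return (asset, cve) keys in remediation order."""
    if mode == "compliance":
        # compliance hits first, then by raw CVSS
        def key(k):
            return (not merged[k]["compliance_flag"], -merged[k]["cvss"])
    elif mode == "risk":
        def key(k):
            return -risk_score(k[0], k[1], merged[k])
    else:
        raise ValueError(mode)
    return sorted(merged, key=key)


def exploitable_effort_share(log):
    """Fraction of remediation hours spent on exploitable vulnerabilities."""
    total = sum(hours for _, _, hours in log)
    targeted = sum(hours for _, cve, hours in log if is_exploitable(cve))
    return targeted / total if total else 0.0


if __name__ == "__main__":
    merged = correlate(FINDINGS)
    print("compliance order:", prioritise(merged, "compliance"))
    print("risk order:      ", prioritise(merged, "risk"))
    print(f"effort on exploitable threats: {exploitable_effort_share(REMEDIATION_LOG):.0%}")
```

On this constructed data the compliance-driven ordering puts the 9.1 on a throwaway dev box second in the queue, while the known-exploited 6.5 on the internet-facing crown jewel sits fourth; the risk-based ordering reverses that. The remediation log shows the same story from the other side: only 20% of the hours spent went to vulnerabilities that were actually exploitable, which is the number a patch count or SLA dashboard never surfaces.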

What is certain is that the volume of vulnerabilities will keep growing. The teams trying to manage them are already stretched. Better targeting is the lever that matters – and pulling it starts with being honest about what the current metrics are and aren’t telling us. 
