en

Our 30-day patch cycle versus their 5-day exploit: why current vulnerability management is broken

Automation
Cybersecurity
Engineering

As cyber threats grow in scale and complexity, companies face increasing pressure to defend their digital assets. Vulnerability management is a proactive, continuous process of identifying, evaluating, and mitigating security weaknesses and has become not just a best practice, but a business imperative. The average cost of a data breach in European organization exceeds 4 million euros in 2024 , and this figure excludes regulatory penalties and the harder-to-quantify reputational damage that follows. This means that vulnerability management transforms from an IT concern to a business priority.

Authors: Dave Diependaal en Harmen aan het Rot

04 September 2025 minute read

Key takeaways about Vulnerability management

Vulnerability management is essential to reduce security risks, protect data, and ensure business continuity.

  • Unpatched vulnerabilities are one of the top attack vectors used by cybercriminals.
  • Proactive management helps avoid costly breaches and compliance penalties.
  • Automation and prioritization are key to managing growing threat landscapes.
  • It’s not a one-time fix, it’s a continuous, evolving discipline, imbedded in daily operations.

      The current state: stuck in yesterday's paradigm

      Walk into most enterprise IT departments today and you find a scene that hasn't changed much since 2010. Security teams still run their monthly patch cycles. System administrators guard their change control boards like medieval fortresses. Vulnerability scanners churn out reports that nobody fully reads. We go through the motions, check the boxes, update the dashboards. Meanwhile, real threats are moving at high speed.

      The traditional approach follows a predictable pattern. Organizations conduct annual security assessments to maintain ISO certifications. They implement vulnerability scanning tools that generate overwhelming lists of potential issues. IT teams schedule maintenance windows weeks in advance. Patches get tested, re-tested, and eventually deployed, to make sure they don't break critical systems. Meanwhile, security becomes a checkbox exercise rather than embedded in the organization's DNA.

      This manual mindset made sense when vulnerabilities were discovered monthly, and exploits took years to develop. But that world no longer exists. The fundamental disconnect between threat and response capability has created a crisis that traditional approaches simply cannot address.

      The challenge: the growing risk landscape


      In 2023 alone, 28.831 new vulnerabilities were disclosed in the National Vulnerability Database (NVD), marking a record high in reported software flaws . This averaged 80 published vulnerabilities per day. Then 2024 shattered every record: the NVD recorded 40.009 new CVEs (Common Vulnerabilities and Exposures), a 38% increase. This surge means 2024 accounted for over 15% of all CVEs ever published, with an average of 108 new vulnerabilities disclosed daily.

      And it is not only the volume, even more so it is the velocity. In 2024, the average time from vulnerability disclosure to active exploitation dropped down to just 5,5 days . When monthly patch cycles meet sub-weekly exploitation windows, organizations operate at a significant disadvantage.

      As a result, 60% of breaches in the past two years were linked to known but unpatched vulnerabilities . These aren't zero-day attacks requiring advanced resources. They're preventable incidents that succeed because organizations maintain outdated processes while adversaries adopt new technologies.

      Regulatory requirements add another dimension. GDPR, NIS2, BIO2, and emerging frameworks require continuous risk reduction. Non-compliance brings security incidents, legal consequences, regulatory penalties, and potentially personal liability for senior management.

      The rise of AI introduces even more complexity to this challenge. Threat actors leverage AI to quickly design and deploy large-scale attacks that exploit known vulnerabilities. Interestingly, in contrast, AI also offers potential for defenders with automated patching, intelligent prioritization, and predictive threat modeling. But only for organizations willing to embrace automation and adapt their control processes.

      Facts & Figures

      0
      new vulnerabilities were discovered on average in software every day in 2024
      0,5
      days is the average time from vulnerabilities disclosure to active exploitation
      0%
      of breaches in the past two years were linked to known but unpatched vulnerabilities

      Solution: a risk-based, continuous approach

      Effective vulnerability management requires a shift from periodic assessment to continuous improvement. Modern programs follow a risk-based model with five interconnected phases. This represents a continuous cycle that improves with each iteration. Organizations that implement this approach don't just respond faster; they shift their security posture from reactive to proactive.


      1. Discovery
        Organizations cannot protect assets they don't know exist. The challenge is clear: modern IT environments change constantly. Cloud instances scale automatically, containers exist for hours, and shadow IT operates outside traditional oversight. Continuous discovery must integrate with cloud platforms, container orchestrators, and network monitoring tools to maintain real-time visibility. Beyond finding assets, discovery needs to capture business context: who owns it, what data it processes, which regulations apply, and how critical the assets are for the business. Without this foundation, every subsequent step becomes guesswork.
      2. Assessment
        Traditional quarterly scans no longer suffice. Modern assessment layers multiple approaches. Authenticated vulnerability scans examine configurations, web application testing identifies code flaws, container scanning catches issues before deployment, and cloud posture management spots misconfigurations. The critical addition is threat intelligence. When a new vulnerability emerges, organizations need immediate answers: Does exploit code exist? Are attacks happening? Are we likely targets? This intelligence transforms overwhelming vulnerability lists into prioritized action items.
      3. Prioritization
        Not all vulnerabilities require equal attention. A medium-severity vulnerability in payment processing systems poses greater risk than critical flaws in isolated test environments. Smart prioritization combines technical severity with business reality. Modern frameworks incorporate CVSS base scores, EPSS probability predictions, the KEV catalog of actively exploited vulnerabilities, and actual business impact. Organizations that master prioritization dramatically reduce their workload while actually improving security outcomes, proving that intelligent focus beats exhaustive effort.
      4. Remediation
        Different assets demand different strategies. Standard endpoints and servers benefit from automated patching. Production systems require careful staged deployments. Legacy systems often need compensating controls when patches aren't available. The difference between success and failure lies in preparation: pre-defined processes, clear ownership through internal service level agreements, and orchestration platforms that handle the entire workflow. While many organizations still operate on monthly patch cycles, leaders have shifted to continuous remediation that addresses critical vulnerabilities within days, not weeks.
      5. Verification and reporting
        Patches can fail silently, get rolled back by other changes, or introduce new problems. Automated rescanning catches these issues before attackers do. But verification extends beyond technical validation. Strategic reporting transforms raw data into business intelligence: executive dashboards reveal risk trends, operational reports expose systemic weaknesses, and compliance documentation proves regulatory adherence. Each cycle generates insights that improve the next, gradually transforming vulnerability management from reactive firefighting to proactive risk reduction.


      The angle: think strategically, not just technically


      Transforming vulnerability management requires rethinking how security integrates with business operations. Successful organizations recognize that this involves people and processes as much as technology.

      Automation should become the default rather than the exception. Manual processes create bottlenecks that adversaries exploit. Modern vulnerability management platforms can scan, prioritize, and remediate thousands of vulnerabilities without human intervention. The question is not whether to automate but how quickly organizations can transition from manual processes to automated systems.

      Integration connects security tools into a unified defense platform. When vulnerability data flows into asset management systems, CMDBs, and SIEMs, security teams gain comprehensive visibility. This integration enables rapid decision-making and ensures security context informs operational decisions. It also reduces the silos between IT, DevOps, and security teams. When DevOps teams deploy code, security scans should occur automatically. When new vulnerabilities emerge, affected systems should be identified immediately. Organizations implementing these practices reduce their exposure with lower effort than organizations that don’t.

      The most significant transformation occurs when security becomes integrated into organizational processes rather than added as an afterthought. Security considerations should shape architecture decisions, influence project timelines, and drive investment priorities. Every team member, from the board to developers, needs to understand their role in maintaining security posture, especially in organizations with a high digital footprint.

      Most compelling of all, the strategic benefits compound over time, and the return on investment extends beyond avoiding breach costs. Organizations with mature vulnerability management report faster development cycles, improved system stability, and increased customer trust. They spend less time responding to incidents and more time on strategic initiatives. Vulnerability management becomes a competitive advantage rather than a ‘expensive’ IT cost center.



      Bruce Schneier, Security Technologist

      "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology"

      Conclusion: the time for transformation is now


      The vulnerability management challenge is present and growing. Each day of delay widens the gap between defensive capabilities and attack sophistication. The 5,5-day exploitation window represents the new reality organizations must address.

      This challenge presents an opportunity. Organizations that embrace automated, continuous vulnerability management can build effective defenses against evolving threats. They can turn regulatory compliance into a framework for operational excellence and transform security from a barrier into an enabler of business innovation.

      The choice is clear. Continue with manual processes and accept increased risk, or embrace transformation and build security resilience that adapts to threat evolution. The technology exists. The frameworks are proven. The question is whether organizations will adapt their processes and mindset to meet current challenges.

      With three new vulnerabilities published every hour, the pace of change continues to accelerate. Organizations need to match this pace with equally rapid defensive capabilities.

      Sources:

      1. IBM Cost of a Data Breach Report 2024; Statista: Average cost of a data breach worldwide by country 
      2. NVD Vulnerability Trends 
      3. Rapid7 2024 Vulnerability Intelligence Report 
      4. Ponemon Institute: State of Vulnerability Management




        Maarten Vervoorn CTO