Whitepaper

Vulnerable ≠ Exploitable

Criticality = ƒ(Exploitability, Impact)

The hardest part of cyber security is deciding what NOT to do.

Spending valuable and scarce time and effort on remediating weaknesses that are not exploitable or do not represent a substantial business impact is itself a risk. At the very least, you should be able to trust that the findings from your security tools and services will appropriately guide your remediation and staffing decisions.

We’ve all been there – some vulnerability scanner or penetration test report identifies a critical security finding, and as we scramble to understand the attack vector, we realize that it was a false positive, or worse, that exploitation requires some obscure, highly unlikely set of conditions. Regardless, the most experienced people on the team just wasted hours digging into the finding and will waste many more hours trying to explain to superiors that it’s a non-issue. That time could have been spent fixing real attack vectors that could make you the next news headline. Being vulnerable doesn’t mean you’re exploitable, and if we want to improve our security posture, we need to continuously find, fix, and verify exploitable attack vectors.

Learn more about our experiences and methodology for assessing exploitability, and how NodeZero provides the proof and path of exploitation, so you can confidently inform your team of what’s real and what’s BS.