Why Vulnerability Scanning And Patching Alone No Longer Work
SC Media, Friday, May 16th, 2025
George Kurtz, founder and CEO of CrowdStrike, has been credited with inventing vulnerability management. In the more than 20 years since the term was coined and the category created, the practice has come to consume a considerable amount of time and budget for security teams.
Despite both the discipline and the tooling maturing considerably, defenders still struggle to manage vulnerabilities by most objective measures.
Indeed, according to the 2025 Verizon Data Breach Investigations Report (DBIR), 20% of the nearly 10,000 breaches in its analysis were the result of vulnerability exploitation, putting vulnerabilities on par with credential abuse and ahead of phishing in terms of initial access vectors. Mandiant also found exploitation to be the primary initial access method in one-third of its incident response engagements, making it the leading vector.