Root Evidence

Data Security Software Products

About us

Website: http://rootevidence.com
Industry: Data Security Software Products
Company size: 2-10 employees
Type: Privately Held

Updates

  • CVSS labels 49% of all vulnerabilities "High" or "Critical," yet 96% of those "Critical" CVEs have never been confirmed exploited in the wild. Security teams are doing what they’re supposed to do: prioritizing based on the signals available to them, but those signals don’t always reflect real-world impact. Financial loss and real-world incidents follow a different pattern, and until recently, that pattern has been difficult to measure at scale. Cyber insurers have been measuring it for years. Claims data and breach investigations show which vulnerabilities consistently appear before payout events, which attack paths lead to the most costly outcomes. Evidence Scan is built on that type of signal. When it flags a vulnerability, the reasoning ties back to documented breach and claims history. The result is a prioritization set that is smaller, easier to justify, and more aligned with how insurers evaluate risk. Learn more at: https://lnkd.in/gjNEGh6N When most of the “Critical” backlog has no record of leading to real-world harm, the question becomes how to better distinguish the vulnerabilities that actually drive loss. For practitioners running VM programs: how are you explaining prioritization in financial terms beyond severity scores? What approaches have worked?

  • 43,424 new CVEs were published in 2025, yet less than 1% have ever been linked to documented financial loss. Most VM programs are built to manage the 99%. CVSS approximates theoretical severity, remediation expectations create urgency without context, and dashboards track activity, but none of it answers the question boards and insurers actually care about: are you clear of the vulnerabilities that matter? When 49% of CVEs are rated "High" or "Critical" but under 1% have been tied to real-world financial loss, the gap isn't in the tools. It's in the class of evidence teams have access to. Proxies can't replace observed outcomes. The question most VM programs still can't answer clearly is "Are we clear of every vulnerability that has historically led to financial loss?" 🔥 Evidence Scan is built to answer that question, grounded in breach data, claims activity, and documented adversary behavior. The goal isn't a shorter backlog, but a defensible position: clear of every vulnerability that has historically caused a breach, and able to prove it to the board. Learn more here: https://lnkd.in/gysk4nsd For practitioners running VM programs: how are you currently defending prioritization decisions in financial terms? What does that conversation look like for your team?

  • Root Evidence reposted this

    Asking which vulnerabilities a company can safely leave unaddressed makes most vulnerability management practitioners uncomfortable. Yet that decision is still being made every day, with large sums of money at stake.

    Most companies are buried in vulnerabilities, but they still get insured. That should make you pause. Insurers aren’t counting CVEs. They’re pricing risk based on what actually leads to financial loss. And the data is clear: only a tiny fraction of vulnerabilities ever make it that far. So why are VM teams still prioritizing as if they all matter? Jeremiah Grossman breaks this down in his latest blog. Read it below.

  • Root Evidence reposted this

    A lot of people seem to be struggling with the idea that not every vulnerability needs attention. If it did require your attention it would mean that attackers attack everything uniformly, companies have unlimited patch capacity, and that the sum of attacks will cost you more than the sum of scanning/patching does. None of those things are correct. So it’s been a real challenge at parties. RSA will be rough. Lol

  • Root Evidence reposted this

    Navigating the Future of Cybersecurity in the AI Era - 👉 Watch the full discussion on YouTube: https://lnkd.in/g8HNwe56 Jeremiah Grossman and Robert Hansen have spent decades predicting cybersecurity's next phases. Their insights reveal how attackers shift strategies to stay ahead, whether it’s from firewalls to application security, identity-based attacks, or now, AI. But here’s the core insight: the adversary’s response frames the game. If defenses rise, attackers innovate by leapfrogging or shifting targets. If defense stalls, they might stop, but that’s rare. Today, with AI agents everywhere, this model remains relevant. The key isn’t just about new tech, it’s about understanding that attackers will exploit new vulnerabilities if it’s profitable, regardless of AI. The game is less about the tech itself and more about adversary incentives and defense agility. And perhaps most importantly: forcing the adversary to innovate rather than scale is the way forward. That’s the real battleground. Maybe that’s the point. Worth thinking about. 👉 Watch the full discussion on YouTube: https://lnkd.in/g8HNwe56 #cybersecurity #AI

  • In case you missed it, Evidence Scan just dropped. Here's what it actually changes in VM. Vulnerability management has always had an evidence problem, not a discipline problem. The signals we've relied on (CVSS, KEV, exploit predictions) are reasonable proxies, but what they don't tell you is which vulnerabilities have historically appeared in breach investigations and insurance claims. That's the gap Evidence Scan closes. Instead of a backlog of thousands, it surfaces FIREs (Financial Risk Exposures), which are vulnerabilities that are publicly exploitable and historically tied to real financial loss. The signal is binary. You have it or you don't. No scores, no confidence intervals, no maybes. Most vulnerabilities in your environment have never caused a breach. Evidence Scan focuses on the small fraction that repeatedly have. The Enterprise Preview for Evidence Scan is now open to a limited number of organizations. If you manage a VM program and want to see what the historical claims data shows in your environment, apply here: preview.rootevidence.com

  • Security teams are drowning in vulnerabilities, but only a small fraction ever lead to real financial loss. 🔥 We call those FIREs: Financial Risk Exposures. Evidence Scan turns vulnerability management on its head. Instead of handing you a to-do list of thousands of bugs, it surfaces the FIREs you actually need to put out: ✅ Publicly Exploitable: If an attacker can’t reach it from the internet, it’s not a FIRE. ✅ Proven With Claim Data: If insurers haven’t seen it cause a loss, it’s not a FIRE. ✅ Binary Signals: You either have this vulnerability or you don't. No scores, no confidence intervals, no maybes. We’re opening the Enterprise Preview of Evidence Scan to a small number of organizations. If you want to focus on the vulnerabilities that actually cause loss, apply to try Evidence Scan today. Apply here: https://lnkd.in/gjNEGh6N

  • Security teams are overwhelmed by vulnerability noise. Most scanners are designed to find everything, including issues that have never led to real-world loss. Evidence Scan was built to focus only on the vulnerabilities that actually matter. The result is a scanner that: ✅ Scales to scan entire enterprise environments ✅ Surfaces only vulnerabilities linked to real financial loss ✅ Reduces noise so teams can focus on what actually matters We’ve opened the Enterprise Preview of Evidence Scan and are sharing how and why we built it this way. If your team wants to try Evidence Scan, apply here: https://lnkd.in/gjNEGh6N

Funding

Root Evidence: 1 total round
Last round: Seed, US$ 12.5M
