Tenable: Just 3% of Vulnerabilities Pose Significant Exposure Risk

Tenable has released a research report titled “The Critical Few: How to Expose and Close the Threats that Matter” that identifies the key exposure points within organisations and outlines actionable steps to mitigate potential cyber threats that could endanger business operations.

Over the past two decades, Tenable has collected and analysed approximately 50 trillion data points related to over 240,000 vulnerabilities. From this extensive dataset, Tenable developed a methodology revealing that only 3% of these vulnerabilities frequently result in significant exposure risks.

With cybersecurity teams overwhelmed by vast amounts of fragmented threat intelligence and vulnerability data, Tenable conducted this study to help these teams shift toward a proactive defence strategy, focusing on eliminating the most dangerous threats.

The study leveraged the Vulnerability Priority Rating (VPR) model, which Tenable developed to reflect the current threat landscape. VPR values range from 0.1 to 10, with higher values indicating a greater likelihood of exploitation.

Vulnerabilities with a VPR above 9.0 are likely to be exploited if exposed, making them high-priority remediation targets. In contrast, those with VPRs between 7.0 and 8.9 present a moderate risk, while the medium and low categories (0.1 to 6.9) are less likely to be exploited.

For example, on June 2, 2024, the study analysed nearly 240,000 vulnerabilities and found that only 3.1% of them—fewer than 7,500—were classified as Critical or High.
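To make the banding concrete, the following is an added example (not Tenable's code or an official VPR implementation) that takes a constructed list of scan findings, assigns each one to the VPR band described above, returns the prioritised "critical few" queue, and computes the share of findings that land in the Critical or High bands, which is the figure the article reports as 3.1%. It assumes that a VPR of exactly 9.0 counts as Critical (the article says "above 9.0") and collapses Medium and Low into one band because the article does not give that split.

```python
"""Triage of scan findings by VPR band.

Added example, not Tenable's code. Bands follow the article: Critical for
VPR 9.0 and above (treating 9.0 itself as Critical is an assumption), High
for 7.0 to 8.9, and a combined Medium/Low band for 0.1 to 6.9 because the
article does not state where Medium ends and Low begins.
"""
from dataclasses import dataclass

VPR_MIN, VPR_MAX = 0.1, 10.0  # VPR range stated in the article


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin: str  # finding identifier; sample values below are constructed
    vpr: float


def vpr_band(vpr: float) -> str:
    """Map a VPR value to its band, rejecting values outside 0.1-10."""
    if not VPR_MIN <= vpr <= VPR_MAX:
        raise ValueError(f"VPR {vpr} is outside {VPR_MIN}-{VPR_MAX}")
    if vpr >= 9.0:
        return "Critical"
    if vpr >= 7.0:
        return "High"
    return "Medium/Low"


def band_counts(findings):
    """Count findings per band; useful for reporting the distribution."""
    counts = {"Critical": 0, "High": 0, "Medium/Low": 0}
    for f in findings:
        counts[vpr_band(f.vpr)] += 1
    return counts


def triage(findings):
    """Return (Critical/High findings sorted by VPR descending, their share).

    The share is the fraction of all findings that fall into the Critical or
    High bands, the same quantity the article reports as 3.1%.
    """
    critical_few = sorted(
        (f for f in findings if vpr_band(f.vpr) in ("Critical", "High")),
        key=lambda f: f.vpr,
        reverse=True,
    )
    share = len(critical_few) / len(findings) if findings else 0.0
    return critical_few, share


# Constructed sample export (asset, plugin id and VPR are all made up).
SAMPLE = [
    Finding("web-01", "example-plugin-A", 9.6),
    Finding("web-01", "example-plugin-B", 5.2),
    Finding("db-02", "example-plugin-C", 7.4),
    Finding("db-02", "example-plugin-D", 2.3),
    Finding("vpn-gw", "example-plugin-E", 8.9),
    Finding("vpn-gw", "example-plugin-F", 0.1),
    Finding("file-03", "example-plugin-G", 6.9),
    Finding("file-03", "example-plugin-H", 9.0),
]

if __name__ == "__main__":
    queue, share = triage(SAMPLE)
    print("Band distribution:", band_counts(SAMPLE))
    print(f"Critical/High share: {share:.1%}")
    for f in queue:
        print(f"{f.vpr:>4}  {vpr_band(f.vpr):<10}  {f.asset:<8}  {f.plugin}")
```

On a real export the Critical/High share is what tells a team how much of the backlog actually needs immediate attention; the sample above deliberately includes boundary values (9.0, 8.9, 6.9, 0.1) so the band edges are exercised.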

“Context matters. Without the right context, cybersecurity teams will always be in reactive mode, trying to fix every single vulnerability, making it impossible to keep all systems updated and secure,” said Nigel Ng, Senior Vice President, Asia Pacific and Japan, Tenable. “Organisations have relied on the Common Vulnerability Scoring System (CVSS) for a long time, which doesn’t offer a holistic picture of cyber risks and exposures. A proactive and preventive defence strategy requires exposure management, and a new metric to measure risk offering security professionals the much-needed context on which vulnerabilities and risk exposures to focus on,” he added.