The DBIR Confirms It: Exposure Management Is an Execution Problem


By Nagomi Security

The 2026 Verizon Data Breach Investigations Report (DBIR) describes an issue well known to most security practitioners: the industry lacks neither data nor visibility into that data. What it lacks is the ability to reliably turn what the data says into security outcomes.

The DBIR’s headline statistic says it all: over the last 12 months, vulnerability exploitation became the leading initial access vector in breaches, rising to 31% and surpassing credential abuse, which fell to 13%. The more important story is the subheading: organizations aren’t struggling with vulnerability identification. They struggle to operationalize remediation quickly enough to matter.

The focus on execution and rapid remediation is changing how security leaders think about vulnerabilities, namely, that vulnerability management by itself is myopic.

For years, the industry viewed vulnerability management as a discovery problem. Security programs invested heavily in scanners, asset inventories, SIEMs, EDR platforms, cloud posture tools, and threat intelligence feeds because the assumption was straightforward: better visibility would produce better security outcomes. The old adage: “You can’t manage what you don’t see.”

The DBIR suggests the industry has left that model in the dust. Or needs to.

According to the report, organizations faced ~50% more critical vulnerabilities requiring remediation in 2025 than the prior year. At the same time, median remediation timelines increased from 32 days to 43 days. This is highly concerning, considering adversaries are accelerating their pace with AI.

Even more problematic, organizations reported that only 26% of CISA KEV vulnerabilities were fully remediated, down from 38% the previous year. The correlation between more identified vulnerabilities and the inability to remediate them should be a huge red flag. We can conclude that security programs aren’t lacking awareness. They are, quite simply, operating beyond sustainable remediation capacity.

Prioritization Alone Does Not Solve the Execution Problem

The security industry still tends to frame vulnerability management as a prioritization exercise. The assumption is that if teams can score vulnerabilities more accurately, remediation naturally improves.

But the DBIR data suggests the problem is more operational than mathematical.

In practice, most large organizations already know they can’t remediate everything (nor do they have to). The real challenge is determining which exposures materially increase breach likelihood inside their specific environment and then coordinating action across infrastructure, cloud, identity, endpoint, and operations teams before attackers exploit those conditions.

This is important because, while prioritization is key to effective risk management, understanding what to fix first doesn’t mitigate risk. Executing against prioritized risk does.

These days, security teams spend enormous amounts of time validating findings, gathering context, checking exploitability, confirming ownership, evaluating compensating controls, and determining whether remediation effort meaningfully reduces risk. Much of that work still happens manually across disconnected tools and teams.

Why CVSS Scores Do Not Measure Operational Exposure

The root of the problem: CVSS, still widely used by many vulnerability management teams (and certainly by vulnerability scanning products), remains a measure of technical severity, but it wasn’t built to evaluate operational exposure. It can’t determine whether a vulnerable asset is internet-facing, whether compensating controls already reduce exploitability, whether the asset supports critical business functions, or whether the vulnerability aligns with active adversary behavior.

That’s why exposure management has started to evolve away from vulnerability enumeration and toward contextualized operational analysis. The security operations teams that can consistently distinguish between theoretical exposure and materially exploitable conditions are the ones that will see positive risk improvement over time.

The teams that fail to evolve (and thus lose the battle against increasing numbers of raw vulnerabilities) will continue to evaluate exposures as isolated technical conditions. In that light, it’s easy to see why the old model doesn’t work.

Example: A vulnerability on a segmented internal asset protected by mature endpoint controls versus a vulnerability on an internet-facing system with weak identity protections and incomplete defensive coverage.

The operational risk of these two scenarios is obviously not equivalent.

The Operational Issue: Traditional workflows flatten those distinct use cases into identical remediation tickets, forcing vulnerability management and SecOps teams into one of two situations:

  • Take the time to manually correlate all signals to understand the context in the specific environment; or
  • Treat both scenarios equally, thereby creating more work for the team without improving efficacy and accuracy.

Without business context, a controls assessment, exploit activity, and environmental exposure, teams can’t expect to make sound operational decisions (much less execute) at the pace of the threat landscape.

More succinctly, managing organizational risk today requires far more environmental context than traditional vulnerability management workflows were built to provide.
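To make the two-scenario example above concrete, here is an added illustration (not Nagomi’s code, and not any standard scoring formula) of what “contextualized operational analysis” means in practice: the same CVE with the same CVSS 9.8 is assessed against internet exposure, CISA KEV listing, business criticality, compensating controls and ownership, and lands in very different remediation tiers. The CVE ids, hostnames, control credits and tier thresholds are all constructed placeholders; a real program would source them from its scanner, CMDB, control telemetry and the KEV catalog, and would tune the weights to its own environment.

```python
"""Context-aware exposure ranking: same CVSS, different operational priority.

Added illustration, not Nagomi's code. Every id, host and weight below is a
constructed placeholder chosen to show the mechanism, not a recommendation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical credit for compensating controls that verifiably reduce the
# exploitability of a finding. Illustrative values only.
CONTROL_CREDIT = {
    "edr": 1.5,            # mature endpoint detection and response on the host
    "segmentation": 1.5,   # asset unreachable from untrusted networks
    "mfa": 1.0,            # strong identity protection on the exposed service
    "waf": 1.0,            # request filtering in front of a web service
}


@dataclass
class Finding:
    cve: str                      # placeholder id such as "CVE-0000-00001"
    host: str
    cvss: float                   # technical severity as reported by the scanner
    internet_facing: bool
    kev_listed: bool              # present in the CISA KEV catalog
    business_critical: bool
    controls: List[str] = field(default_factory=list)
    owner: Optional[str] = None   # remediation owner, if one is known


@dataclass
class Assessment:
    finding: Finding
    score: float
    tier: str
    rationale: List[str]


def assess(f: Finding) -> Assessment:
    """Combine CVSS with environmental, threat and control context."""
    score = f.cvss
    why = [f"CVSS {f.cvss}"]
    if f.internet_facing:
        score += 2.0
        why.append("internet-facing (+2.0)")
    else:
        score -= 1.5
        why.append("internal/segmented (-1.5)")
    if f.kev_listed:
        score += 2.0
        why.append("in CISA KEV, actively exploited (+2.0)")
    if f.business_critical:
        score += 1.0
        why.append("supports a critical business function (+1.0)")
    for c in f.controls:
        credit = CONTROL_CREDIT.get(c)
        if credit:
            score -= credit
            why.append(f"compensating control {c} (-{credit})")
    score = round(max(score, 0.0), 1)
    tier = "P1" if score >= 12.0 else "P2" if score >= 8.0 else "P3"
    if f.owner is None:
        # A ticket nobody owns does not get executed; surface that explicitly.
        why.append("no remediation owner: needs triage before a ticket can be actioned")
    return Assessment(f, score, tier, why)


def remediation_queue(findings: List[Finding], capacity: int) -> Tuple[List[Assessment], List[Assessment]]:
    """Rank by operational score and split into what fits this cycle's capacity."""
    ranked = sorted((assess(f) for f in findings), key=lambda a: a.score, reverse=True)
    return ranked[:capacity], ranked[capacity:]


# Constructed sample: the blog's two scenarios share one CVE and one CVSS score,
# plus a third finding to show the middle tier.
SAMPLE = [
    Finding("CVE-0000-00001", "db-internal-07", 9.8, False, False, False,
            ["edr", "segmentation"], owner="platform-team"),
    Finding("CVE-0000-00001", "vpn-edge-01", 9.8, True, True, True, [], owner=None),
    Finding("CVE-0000-00002", "web-portal-03", 7.5, True, False, True, ["waf"], owner="web-team"),
]

if __name__ == "__main__":
    now, later = remediation_queue(SAMPLE, capacity=2)
    for a in now + later:
        print(f"{a.tier} {a.score:5.1f} {a.finding.host:15} {'; '.join(a.rationale)}")
```

Run as a script, the internet-facing, KEV-listed host ranks P1 while the segmented host behind EDR ranks P3 despite an identical CVSS, and the unowned finding is flagged so that the prioritization does not silently produce a ticket nobody executes. The `capacity` split is the point the DBIR numbers make: the queue is what the team can actually remediate this cycle, not the full list of scanner findings.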

Further, given the velocity of the threat landscape in the age of automation and AI, teams can no longer rely on manual, human-led analysis to arrive at operational decisions.

What Agentic Exposure Operations Is and How It Closes the Remediation Gap

The most important implication of the data reported by the DBIR isn’t the staggering growth of vulnerabilities (identified or managed). It’s the mismatch between human operational capacity and the scale of modern exposure analysis.

Security teams can’t possibly expect to manually investigate every finding with the level of contextual depth required to determine true organizational risk. The economics no longer work.

Analysts already spend substantial portions of their time gathering context across asset inventories, threat intelligence feeds, control telemetry, cloud environments, ticketing systems, and remediation workflows before meaningful action even begins. As environments continue to expand, the investigative burden grows faster than teams can realistically staff.

This is where agentic exposure management becomes strategically important.

For clarity’s sake: Agentic exposure operations uses AI agents to continuously identify, investigate, prioritize, remediate, and verify security exposures.

Rather than simply generating findings, agentic exposure ops analyzes vulnerabilities, controls, asset criticality, and threat intelligence to determine which exposures represent real breach risk and therefore require action. The goal is to reduce the time from exposure discovery to verified risk reduction while minimizing manual investigation and triage.

Importantly, AI doesn’t replace analysts. What it does is allow investigative and validation workflows that previously required extensive manual correlation to operate continuously and at machine scale.

That changes the operational model, and it means analysts don’t have to suffer the tedium and burnout associated with this type of investigation.

Instead of human analysts spending hours validating whether a finding matters, systems continuously evaluate exploitability, business context, control effectiveness, threat activity, ownership, and environmental relationships before surfacing materially relevant exposures for human review. Agents complete the low-level work while humans focus on operationalizing findings.

In aggregate, agentic exposure operations allow organizations to move toward continuous operational exposure analysis. The result is that exposure conditions can be continuously identified and reassessed as environments change, controls drift, assets move, or threat intelligence evolves.

This matters because exposure management is less about finding problems and more about maintaining confidence that defensive conditions still hold under changing operational realities.

Continuous Exposure Management: How Organizations Move From Visibility to Verified Remediation

The DBIR makes one thing abundantly clear: the industry’s challenge is no longer finding exposures. It’s executing against them.

Organizations have more visibility, more tooling, and more vulnerability data than at any point in history. Yet exploitation rates continue to rise while remediation timelines lag. The gap isn’t awareness; it’s the ability to consistently transform security findings into security outcomes.

This is why exposure management is evolving beyond vulnerability identification and toward operational execution. Security teams need a way to continuously determine what matters, validate it in context, and drive remediation before adversaries can capitalize.

In that sense, the execution problem isn’t really a vulnerability problem at all. It’s a scale problem. Human-driven investigation, prioritization, and validation can no longer keep pace with modern attack surfaces, threat velocity, and remediation demands.

The organizations that solve that problem will be the ones that operationalize exposure reduction as a continuous discipline rather than a periodic exercise. Visibility tells teams where risk exists. Execution determines whether that risk becomes a breach.

See Nagomi in action at nagomisecurity.com