Vulnerability Management (VM)

Events

  • AppSec vs. Developer Velocity: Ending the Cold War Between Security and Engineering

    More than half of development teams report that application security testing slows their release pipeline. On the other side, security teams point to the 81% of organizations that knowingly shipped vulnerable code in the past year. Both sides have legitimate concerns, and the friction between them is getting worse as release cadences accelerate and AI-generated code enters production. The result is a standoff where developers route around security controls and AppSec teams lose influence over the code that actually ships.

    The path forward is not about one side winning. It is about removing the friction that makes security feel like an obstacle. That means fewer low-value alerts landing on developer desks, clearer ownership of findings, risk-based prioritization that respects engineering time, and tooling that works inside the developer workflow rather than beside it.

    Resolving this tension requires alignment across testing, prioritization, and runtime protection approaches – from SAST, DAST, and SCA to API security, container security, and developer-native security tooling embedded directly into CI/CD pipelines.

    Topics include:

    • Why AppSec noise (not AppSec itself) is driving the friction with engineering
    • Embedding security into CI/CD pipelines without creating unplanned developer work
    • Shifting from “fix everything” to prioritizing the 2–5% of findings that carry real risk

    Learn how security and engineering teams are resolving friction and building AppSec programs that move at the speed of development.

  • You’re Patching the Wrong Vulnerabilities. Exploit Intelligence Says So.

    With more than 40,000 new CVEs published in the past year alone and projections exceeding 50,000 for 2025, patching everything is impossible. Most organizations prioritize remediation by CVSS severity scores, but severity does not equal exploitability. Research shows that 32% of reported security issues have a low probability of exploitation, while some moderate-severity vulnerabilities sit on active exploit chains right now.

    The shift from vulnerability management to exposure management reflects a growing recognition that context matters more than volume. Organizations need to know not just what is vulnerable but whether a vulnerability is reachable from the internet, whether an exploit exists in the wild, what business-critical assets sit in the blast radius, and how quickly an attacker could leverage it.

    Operationalizing this shift requires coordination across vulnerability management, attack surface visibility, penetration testing, and exposure intelligence platforms to prioritize what attackers can actually use.

    Topics include:

    • Using exploit intelligence and business context to prioritize remediation over CVSS scores alone
    • Mapping the gap between what is vulnerable and what is actually exploitable
    • Operationalizing continuous threat exposure management across hybrid environments

    Explore how leading organizations are replacing volume-based patching with risk-informed remediation that focuses on what attackers can actually use.

  • AI-generated Code Is Shipping to Production. Is Your AppSec Pipeline Ready for What Comes Next?

    Eighty-one percent of organizations knowingly shipped vulnerable code in the past year. That number is about to get harder to manage. AI-assisted coding tools are accelerating output across engineering teams, and Gartner projects that by 2027, at least 30% of AppSec exposures will result from AI-driven "vibe coding" practices. The code patterns are different, the release cadences are faster, and the security assumptions baked into traditional testing tooling were not built for what AI produces. Organizations are deploying AI-generated code at a pace that outstrips their ability to review it.

    The challenge is not whether to allow AI-generated code. That decision has already been made by most engineering teams, with or without security's blessing. Addressing this requires rethinking how static and dynamic testing, software supply chain security, runtime protection, API security, and developer-native tooling work together across an AI-accelerated pipeline. Security teams that do not adapt their tooling and processes now will spend the next two years in reactive mode.

    Topics include:

    • New vulnerability patterns introduced by AI-generated and AI-assisted code
    • Adapting AppSec pipelines to handle accelerated release cycles without creating bottlenecks
    • Securing the AI-driven software supply chain, from dependencies and secrets to runtime behavior

    Explore how AppSec teams are retooling their programs to keep pace with AI-accelerated development before the gap becomes unmanageable.

  • Your OT Network Wasn't Built for Cyberthreats. Attackers Know That Better Than You Do.

    Ransomware attempts against industrial operators jumped 46% in a single quarter. New threat groups are specifically targeting operational technology environments, and OT-specific malware is being sold on dark web forums with multi-protocol support and anti-forensics capabilities. The uncomfortable truth is that most OT and ICS environments were engineered for reliability and uptime, not cybersecurity. Legacy systems run outdated operating systems that cannot be patched, use protocols that lack encryption or authentication, and were never intended to be connected to enterprise IT networks or the internet.

    That isolation is gone. Digital transformation, IT/OT convergence, and the need for real-time data from the plant floor have connected these systems to corporate networks and cloud platforms. Dual IT/OT attacks now average $4.56 million per incident, and plant managers routinely bypass patching windows to meet production targets. Addressing this requires coordination across network visibility, segmentation, threat detection, and OT-specific vulnerability and asset management platforms to reduce cyber risk without introducing operational disruption or safety hazards. Security teams responsible for these environments need approaches built for the constraints of industrial operations, not IT playbooks adapted after the fact.

    Topics include:

    • Building comprehensive asset visibility in converged IT/OT environments
    • Deploying segmentation and threat detection tuned for OT protocols and operational baselines
    • Addressing legacy ICS vulnerabilities through compensating controls and risk-based prioritization

    Learn how industrial organizations are building cybersecurity programs that protect operational technology without compromising the uptime and safety these systems were designed to deliver.

  • From 570,000 Alerts to 202 That Matter: Risk-based AppSec Prioritization in Practice

    Benchmark data across 178 organizations found an average of 570,000 AppSec alerts per organization. Of those, 202 represented true critical issues that required action. That means 95-98% of findings generated by AppSec scanners are noise: redundant, irrelevant, or low-risk items that consume engineering time without reducing actual exposure. Security teams assign developers thousands of findings to fix. Developers lose trust in the process. The findings that actually matter get buried alongside the ones that do not.

    The cost of this noise is not just wasted time. It is the erosion of the relationship between security and engineering. When developers are handed a list of 3,000 findings and told everything is critical, they stop treating anything as critical. Addressing this requires coordination across ASPM, SAST, DAST, SCA, runtime protection, and vulnerability management platforms to correlate findings with exploit intelligence, runtime context, reachability analysis, and business impact. A missing authorization check on an internal-only endpoint is a different risk than the same flaw on an internet-facing API handling payment data. Tools that can make that distinction let security teams send developers a short, high-confidence list instead of a spreadsheet full of theoretical risk.

    Topics include:

    • Reducing AppSec alert noise through risk-based prioritization and reachability analysis
    • Correlating code-level findings with runtime context and exploit intelligence for accurate risk scoring
    • Rebuilding developer trust by sending fewer, higher-confidence findings that warrant action

    Learn how AppSec teams are cutting through the noise to focus remediation on the 2-5% of findings that represent genuine risk.

  • The Assets You Don't Know About Are the Ones Getting Breached. Solving the Visibility-first Problem.

    Most organizations cannot produce a complete, accurate inventory of their external-facing assets. Shadow IT, forgotten cloud instances, unmonitored APIs, development environments left exposed, and acquired company infrastructure that was never integrated into security tooling all create blind spots. Attackers do not need to find a zero-day when a staging server with default credentials is sitting on a public IP. The assets that security teams do not know about are, by definition, the ones that are not being monitored, patched, or protected.

    Attack surface management starts with a premise that most vulnerability management programs skip: you cannot secure what you have not discovered. Addressing this requires coordination across ASM, CTEM, vulnerability management, penetration testing, and cloud security platforms to build a continuous view of the external attack surface as an attacker sees it, not as the asset inventory says it should look. The gap between those two views is where breaches happen. Organizations that have adopted this approach report finding assets they did not know existed, exposures that had persisted for months, and risk concentrations in areas their existing tools were not scanning.

    Topics include:

    • Continuously discovering and attributing external-facing assets beyond the known inventory
    • Identifying shadow IT, orphaned cloud resources, and unmonitored development environments
    • Prioritizing discovered exposures based on exploitability, business context, and attacker perspective

    Discover how organizations are closing the gap between what they think their attack surface looks like and what it actually is.
