Why and How to Adopt a Risk-Based Vulnerability Management (RBVM) Approach

Risk-based vulnerability management (RBVM) is the currently recommended approach for adapting vulnerability assessment (VA) and vulnerability management (VM) to changes in technology and the threat landscape, and it should be at the center of how vulnerability prioritization technologies (VPTs) are developed.

It shifts the question from whether a system has been patched to whether the specific risk a vulnerability poses on that system has been sufficiently mitigated.

This post examines the logic behind that switch in perspective and ways to put it into practice.

The Risks of Relying Mainly on CVSS Scores 

Patching schedules have traditionally been prioritized by patching the vulnerabilities with the highest CVSS scores first. Yet a high CVSS score does not necessarily indicate a high probability of exploitation, and scores are sometimes downright inaccurate: CVE-2020-19909, for example, was published with a 9.8 severity score long after the issue had been fixed.

In short, focusing primarily on severity scores can cause defenders to spend their scarce time for little benefit.

Remediation is not instantaneous. According to the Infosec Institute, the average time to patch a vulnerability is between 60 and 150 days, and security and IT teams tend to take at least 38 days to push out a patch.

For critical vulnerabilities that present an immediate risk to the organization, a 38-day exposure window is far too long. But 38 days or longer may be acceptable for vulnerabilities that are protected by compensating controls or that face no imminent threat activity.

To tackle this issue, Gartner and other thought leaders are now advocating the adoption of what they call risk-based vulnerability management (RBVM). 

What is a Risk-Based Vulnerability Management Approach? 

In an April 2023 report, Gartner asserted that “RBVM is different from traditional VM methodologies — namely, in its focus on applying risk quantification targeting to your specific threat landscape and advocating for a range of compensatory methods outside of just patching.”  

Practically, that means evaluating a vulnerability's threat severity based on its exploitability in context. When compensating controls reduce or eliminate the possibility of actually exploiting a vulnerability, that can remove the urgency of remediating a CVE with a high CVSS score. Conversely, a lower-scored CVE with a higher exploitability risk should be pushed higher in the prioritization schedule.
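To make the shift concrete, the following is an added illustrative scoring model; it is not code from this post, Cymulate, or Gartner, and it is not any product's formula. It takes the inputs the post names, CVSS severity, exploitation likelihood, external exposure, whether a compensating control has been validated, and business criticality, and produces a ranked list with a remediation SLA per tier. The weights, tier thresholds, SLA values, field names and the four sample findings are constructed assumptions; the EPSS and KEV fields stand in for whatever threat-intelligence feed a program actually uses.

```python
from dataclasses import dataclass
from typing import Iterable, List, Dict


@dataclass
class Finding:
    vuln_id: str
    asset: str
    cvss: float               # CVSS base score, 0-10
    epss: float               # probability of exploitation in the wild, 0-1 (EPSS-style)
    kev: bool                 # listed in a known-exploited-vulnerabilities catalogue
    internet_facing: bool     # discovered as externally reachable (EASM-style input)
    control_validated: bool   # a BAS-style test showed a compensating control blocks the exploit
    asset_criticality: int    # user-defined business criticality, 1 (low) to 5 (crown jewel)


# Hypothetical remediation SLAs (days) per tier; not figures from the post.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Hypothetical tier thresholds on the 0-100 risk score.
TIERS = (("critical", 40.0), ("high", 15.0), ("medium", 4.0), ("low", 0.0))


def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-100 scale: severity x likelihood x exposure x control x impact."""
    # Severity is one input, not the answer: scale CVSS to 0-1.
    severity = f.cvss / 10.0
    # Likelihood: observed exploitation (KEV) overrides the probabilistic estimate;
    # a floor keeps a near-zero EPSS from hiding the finding entirely.
    likelihood = 1.0 if f.kev else max(f.epss, 0.05)
    # Exposure: internet-facing assets are reachable by opportunistic attackers.
    exposure = 1.0 if f.internet_facing else 0.5
    # Compensating control: a validated block sharply reduces effective exploitability.
    # 0.2 is an assumed factor; it is not zero because controls can be bypassed or drift.
    control = 0.2 if f.control_validated else 1.0
    # Business impact from user-defined asset criticality.
    impact = f.asset_criticality / 5.0
    return round(100.0 * severity * likelihood * exposure * control * impact, 1)


def tier(score: float) -> str:
    """Map a risk score to a tier using the (descending) TIERS thresholds."""
    for name, threshold in TIERS:
        if score >= threshold:
            return name
    return "low"


def prioritize(findings: Iterable[Finding]) -> List[Dict]:
    """Return findings ranked by contextual risk, each with its tier and SLA."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    out = []
    for f in ranked:
        s = risk_score(f)
        t = tier(s)
        out.append({"id": f.vuln_id, "asset": f.asset, "cvss": f.cvss,
                    "score": s, "tier": t, "sla_days": SLA_DAYS[t]})
    return out


# Constructed sample findings (hypothetical IDs, assets and telemetry).
SAMPLE = [
    # CVSS 9.8 but internal, no exploitation activity: severity alone would put it first.
    Finding("HYP-A", "build-server", 9.8, 0.02, False, False, False, 3),
    # CVSS 9.8, known exploited, internet-facing, but a WAF was validated to block it.
    Finding("HYP-B", "customer-portal", 9.8, 0.60, True, True, True, 5),
    # Same vulnerability profile as HYP-B with no validated compensating control.
    Finding("HYP-C", "payments-api", 9.8, 0.60, True, True, False, 5),
    # CVSS 6.5 only, but high exploitation likelihood on an exposed, important asset.
    Finding("HYP-D", "partner-portal", 6.5, 0.85, False, True, False, 4),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(f"{row['id']:6} {row['asset']:16} CVSS {row['cvss']:<4} "
              f"risk {row['score']:>5}  {row['tier']:8} due in {row['sla_days']} days")
```

Run as a script, the ranking comes out HYP-C, HYP-D, HYP-B, HYP-A: the unprotected known-exploited flaw is critical, the CVSS 6.5 finding overtakes two 9.8s because of its exploitability and exposure, the validated WAF drops an otherwise critical finding to the high tier, and the internal 9.8 with no threat activity lands in the low tier with the longest SLA. The multiplicative form is deliberate: it treats risk as likelihood times impact, so any single factor near zero (validated control, no exposure, no threat activity) pulls the priority down regardless of the CVSS number.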

Implementing a Risk-Based Vulnerability Management (RBVM) Approach 

To encourage moving from a theoretical stance to a practical one, that Gartner report highlighted "enabling technologies" for implementing risk-based vulnerability management, such as:

  • External attack surface management (EASM) 
  • Breach and attack simulation (BAS) 
  • Vulnerability prioritization technology (VPT)  

External Attack Surface Management 

As defined by Gartner, external attack surface management (EASM) is "the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures." EASM thus enables a risk-based vulnerability management program by providing overall visibility of assets and their respective risks.

Increasingly, EASM is converging with vulnerability scanners, combining vulnerability assessment of both internal and external assets with the identification of vulnerabilities and misconfigurations in on-prem, cloud, and hybrid environments.

Cymulate Attack Surface Management can be a key enabler of a risk-based vulnerability management program’s assessment and prioritization. Cymulate ASM aids in the assessment by discovering vulnerabilities and misconfigurations to identify assets exposed to unapproved access, exploits, and other attacks. It scans domains, subdomains, IPs, ports, cloud platforms, configurations, devices, and privileges, and maps potential attack paths that could be used by threat actors to access sensitive systems and data. 

Breach and Attack Simulation 

Breach and Attack Simulation (BAS) automates the continuous testing of threat vectors to validate controls, assess the impact of emergent threats, and confirm threat exposure risk. Gartner asserts that BAS enables a risk-based vulnerability management program through its "demonstrable capability to proactively highlight how vulnerabilities — and the exploitation of vulnerabilities — will directly affect your environment."

Cymulate Breach and Attack Simulation (BAS) validates cybersecurity controls by safely conducting threat activities, tactics, techniques, and procedures in production environments. Cymulate BAS helps prioritize vulnerabilities by validating the security controls that are designed to prevent exploits of those vulnerabilities, such as a web application firewall protecting a web app’s vulnerabilities and weaknesses. 

Vulnerability Prioritization Technology 

Vulnerability prioritization technology (VPT) “streamlines a range of vulnerability telemetry sources into a single location — using intelligence sources, analytics, and visualizations and to efficiently provide prioritized, pragmatic recommendations on how best to perform critical remediation/mitigation activities.”  

Gartner indicates that VPTs could contribute to a risk-based vulnerability management program if they were to "apply quantitative methods to drive the focus of your VM process so that the most pressing threats are addressed as the highest priority."

VPT vs. Cymulate Exposure Analytics 

While many vulnerability assessment tools are adding features to aid in prioritization, Cymulate takes a more holistic approach, integrating RBVM into the Cymulate Threat Exposure and Security Validation Platform as a feature of the Exposure Analytics solution.

Exposure Analytics pulls data from vulnerability management platforms, asset inventories, clouds, security controls, and the IT infrastructure. By integrating with tools for breach and attack simulation and continuous automated red teaming (CART), Cymulate Exposure Analytics creates a risk score that considers both exploitability and the effectiveness of compensating security controls.

The result is a contextualized vulnerability prioritization that correlates findings with both their security severity and business priorities.

Exposure Analytics increases the benefits of implementing an RBVM approach by offering the built-in capability of correlating findings with user-defined business priorities and the option of either using the Cymulate ASM, BAS, and CART tools or integrating with external security validation processes.
