Tenable research reveals that only 3% of vulnerabilities pose a significant cybersecurity risk

Tenable®, an exposure management company, has released the report “The Critical Few: How to Expose and Close the Threats that Matter,” which identifies key exposure points within organizations and shows how to mitigate potential cyber threats that could jeopardize business operations.

Over the past two decades, Tenable has collected and analyzed approximately 50 trillion data points related to more than 240,000 vulnerabilities. From this extensive database, the company has developed a methodology that indicates that of these, only 3% frequently result in significant exposure risks.

With cybersecurity teams overwhelmed by vast amounts of fragmented threat and vulnerability intelligence data, Tenable conducted this study to help them shift to a proactive defense strategy, focusing on eliminating the most dangerous threats.

The study calculated the Vulnerability Priority Rating (VPR) model, which Tenable developed to reflect the current threat landscape. VPR values range from 0.1 to 10, with higher values indicating a higher likelihood of exploitation. See the table below.

Vulnerabilities with a VPR above 9.0 are likely to be exploited if exposed, making them high-priority targets. In contrast, those with VPRs between 7.0 and 8.9 pose a moderate risk, while medium and low categories (0.1 to 6.9) are less likely to be exploited.

For example, as of June 2, 2024, the study analyzed nearly 240,000 vulnerabilities and found that only 3.1% of them—fewer than 7,500—were rated Critical or High.

"Without context, every vulnerability, patch, and update becomes a priority, making it nearly impossible to keep all systems up to date," said Arthur Capella, Country Manager, Tenable Brazil. "It's essential to implement exposure management to clearly prioritize what truly poses a risk to the business. All stakeholders must understand these risks and focus on actively preventing those that could lead to exploitation," he added.

The full report, “The Critical Few: How to Expose and Close the Threats that Matter,” is available here.