Fragmented tooling slows vulnerability management

Security leaders know vulnerability backlogs are rising, but new data shows how quickly the gap between exposures and available resources is widening, according to a new report by Hackuity.

Fragmented detection and slow remediation

Organizations use a formalized approach to manage vulnerabilities, but their tooling remains fragmented. Respondents rely on an average of four detection tools, and cloud or container configuration audits are the most common at 85%. This mix suggests broad coverage, but it also explains why teams struggle with visibility, correlation of findings, and consistent prioritization.

Mean time to remediate (MTTR) for critical issues averages four weeks. Organizations with formal workflows and higher automation move faster, but many still rely on manual cycles that depend on heavy triage work.

Over half assign remediation to cybersecurity or SOC teams. This structure tends to produce faster response times because these teams are closer to active threats and can interpret findings with more context than infrastructure groups. Organizations with shorter MTTR often follow this model.

97% of organizations have remediation Ser vice Level Agreements (SLAs) linked to severity levels, and most say they meet them. These SLAs show structure and expectations, but actual remediation times reveal how hard it is to keep pace with the volume of issues.

The push toward better prioritization

Prioritization practices vary. 43% still follow compliance driven models because they are easy to measure and often required. A third use risk based approaches that weigh exploitability, asset value, and business impact.

Threat intelligence has become a key factor. Four in five organizations enrich their decisions with external data such as active exploits or CERT alerts. The strongest use of threat intelligence appears in organizations with higher automation and well defined workflows.

Automation continues to separate faster moving organizations from slower ones. 56% say they have automated vulnerability management, while the rest rely on moderate or basic levels. High automation correlates with faster remediation, fewer false positives, and more confidence in scaling operations.

“We know that teams are feeling the pressure right now – but what’s most concerning is the knock-on effect this is having on organisations and on the team’s well-being. From missed alerts to fines, there are consequences at play when vulnerabilities aren’t managed in a way that’s making the best use of team’s time and expertise,” said Sylvain Cortes VP Strategy at Hackuity.

Teams with limited automation spend extra time validating findings, often worry about wasted effort, and report higher burnout risk. Rising vulnerability volume makes it difficult for manual workflows to keep up.

Adoption of CTEM and VOC models

65% have fully adopted Continuous Threat Exposure Management (CTEM), and very few have no plans to consider it. Larger organizations and those with higher automation are further ahead with continuous assessment and real time prioritization.

The shift to vulnerability operations centre (VOC) models is less advanced. Slightly more than half say they have fully implemented a VOC based approach, while others are still transitioning. Organizations with formalized and automated workflows show the strongest progress.

Respondents cite increased automation and improved prioritization as the key benefits of advanced vulnerability management or CTEM platforms. Real time visibility and continuous assessment follow closely.

The cost of rising volume

Rising vulnerability volume is putting pressure on security operations. 56% report added strain on staff resources, and others point to difficulty prioritizing issues, time lost to false positives, and slower incident response.

The business feels the effect as well. Half of the organizations are upgrading security tools in response to higher exposure levels, and a similar share say leadership is taking a closer look at internal processes. This suggests that vulnerability management is gaining attention at senior levels.

Security leaders face practical constraints when trying to improve vulnerability management. Operational limitations and budget pressures top the list at 43% and 41%. Technology complexity, resistance to change, and skills shortages create additional challenges.

Even though respondents agree that automation reduces human error and improves efficiency, a large share say progress remains slow because resources are limited. 60% also admit that vulnerability management does not receive the same level of attention as other security initiatives. This lack of prioritization limits investment in processes and tools.