Companies keep getting breached by vulnerabilities they already knew about

Scanning tools have gotten good at their work. Organizations now find more weaknesses across more of their systems than at any earlier point in the industry’s history. A survey from the security firm Vicarius points to a gap that opens after that discovery, in the work of assigning, approving, deploying, and confirming a fix.

vulnerability remediation gap

The company surveyed 300 IT and cybersecurity leaders in the United States and the United Kingdom, at organizations with 500 to 2,000 employees. On average, 58% of remediation activities require direct human intervention. Automated discovery, scanning, and reporting have become common across the sample. The work of deciding what to fix and pushing the change through still runs on people. Only a small share of organizations have removed people from the loop entirely, at 7%, and that pattern held steady across company sizes and industries.

The team that finds a vulnerability usually cannot fix it

Discovery and repair often sit with different groups. Most organizations cannot consistently remediate a weakness inside the team that spotted it, a share that reaches 82%. Remediation depends on handoffs, shared ownership, and workflows where responsibility moves from one group to the next. Each handoff adds delay.

Ownership itself is often undefined. More than a third of respondents say remediation ownership depends on the situation or remains ambiguous. When responsibility for a fix has no home, the work stalls as teams sort out who acts.

Discovery has become a handoff

The response to a critical vulnerability tends to start with paperwork. The most common first action is opening a ticket in a system such as Jira or ServiceNow, cited by 42% of respondents. A ticket tracks work. The vulnerability behind it still needs to be prioritized, assigned, approved, fixed, and confirmed.

Roughly a quarter of organizations deploy an automated remediation action straight from their platform. For everyone else, the moment of discovery hands the problem to a person who may lack the context, tooling, or authority to move quickly. Many teams have built strong systems for finding critical weaknesses. Fewer have built equally strong systems for responding to them.

The few who closed the loop look alike

A small group has taken people out of remediation altogether, and their profile is striking. Roi Cohen, CEO of Vicarius, said the 20 organizations in that group arrived by a single route. “This isn’t a group that got there through different paths. It’s the same path, taken by everyone who arrived,” he told Help Net Security.

Three traits ran through all of them. Each ran remediation through one platform from discovery to verification, against an average of three tools across the wider sample. Each gave its frontline team the authority to fix findings with no handoff for approval, a setup fewer than one in five organizations report. And each used the strictest definition of done, closing only on a verified rescan. Cohen described automation as the result of that groundwork. “It was what happens once you’ve already removed the friction that automation can’t fix on its own,” he said.

Known vulnerabilities keep turning into incidents

The sharpest finding concerns weaknesses that were already tracked. Most organizations experienced a security incident in the past year tied to a vulnerability that sat in their inventory before the event, at 79%. The detection worked. The response came too late.

About half of respondents say the vulnerability behind the incident had been known for 30 to 90 days. Attackers using automation and AI to find and exploit weaknesses faster keep finding room in that lag.

The definition of “fixed” predicts the breach

Definitions drift from one organization to the next. Half of respondents close a vulnerability only after a fix has been deployed and verified through a rescan. The other half rely on softer signals, such as a patch shipped with no confirmation, a ticket assigned, or a risk formally accepted by leadership.

That choice tracks with outcomes. Cohen grouped respondents by their definition of remediated, then checked each group against its known-vulnerability incident rate. Organizations requiring a verified rescan sat at 65.8%. Every looser definition clustered between 89% and 93%. By his measure, teams using the loosest definitions were nearly 40% more likely to be hit by a weakness they already knew was present. “We ran the statistics on this and the pattern is one of the more statistically decisive findings in the entire dataset,” he said.

Cohen tied both findings together in one line. “The difference between the organizations getting breached by vulnerabilities they already knew about and the ones that never are isn’t better detection. It’s whether ‘done’ means the exposure is gone, or just that someone wrote it down,” he said.

The obstacles are organizational

Friction in remediation tends to come from process. Nearly all respondents report some form of it. The most cited obstacle is competing priorities, in settings where remediation has no protected time and loses ground to outages, projects, and business demands. Approval and change-management steps rank next. Teams often know the fix and the method, and the delay comes from sign-offs and coordination.

Demo: Prophet Agentic AI SOC Platform transforms alert triage and investigation

Don't miss