All Posts
Vulnerability
5 min read

The Vulnerability Backlog Problem: Why Patching Faster Isn't the Answer

Published on
May 19, 2026
The Vulnerability Backlog Problem: how 206,000 findings became 94 real risks and 5 policy changes through attack-path validation

Your vulnerability backlog grew by 39% last year. Your team didn't.

That's not a staffing problem. It's a prioritization problem, and patching faster won't fix it.

This is the playbook for security leaders who are tired of the scanner spitting out 200,000 findings, the SOC drowning in "criticals," and the post-mortem that always ends with "we knew about this one but didn't get to it."

The short version of what changes:

  • Stop ranking by severity. CVSS was never a prioritization tool. It's a severity index. Treating it as a queue is how organizations end up patching 72% of "criticals" and still getting breached.
  • Start ranking by reachability. Whether a vulnerability is exploitable in your environment (your identity posture, your network segmentation, your compensating controls) matters more than the score the scanner assigned.
  • Compensating controls cut more risk than patches do, faster. One Tuskira customer reduced 206,000 vulnerabilities to 94 real risks, then closed those 94 with 5 policy changes. Not 200,000 patches. Five policy changes.
  • The choice between "fix the vulnerability" and "protect against the exploit" is a false dichotomy. You do both, but the order matters, and the order is determined by attack-path context. Not by what the scanner says is red.

If your team is patching 24/7 and the backlog still grows, the next 2,500 words are for you.

Why your backlog keeps growing (and patching can't save you)

The math has stopped working.

In 2024, the number of new CVEs disclosed grew 39% year-over-year. In 2025, it grew another 45%. In 2026, it's tracking another 33% on top. Compound that for three years and the volume of vulnerabilities your team is expected to triage has roughly tripled, while your headcount, your patch windows, and your change-management cadence are basically what they were when you started.

The exploitation side moved even faster. The window from public CVE disclosure to functional exploit in the wild used to be measured in days. For Log4j, it was hours. With frontier AI models now generating working exploit code at machine speed, that window is collapsing toward minutes. Anthropic's internal evaluations found that one model could autonomously discover and weaponize roughly 30% of the world's annual zero-day output in seven weeks.

So the choice is no longer "can we patch this?" It's "do we know what to patch fast enough to stop an attack?" For most organizations, the honest answer is no.

The Equifax breach is the canonical example: a known vulnerability in Apache Struts went unpatched for months, despite a fix being available, because the team couldn't distinguish the vulnerability that mattered from the noise. Hundreds of millions of records were compromised not because of detection failure (they had detection), but because of prioritization failure.

If you're reading this and thinking "we're better than Equifax," look at your dashboard. How many open "criticals" do you have right now? Now ask: which of those, specifically, can an attacker reach today, given your current network posture, identity model, and EDR coverage? If your scanner can't tell you, you're operating the same way Equifax was the week before the breach.

Related reading: The Silent Crisis in Vulnerability Management

Why CVSS scoring is the wrong lens

CVSS was built to classify, not prioritize. It's a severity index. A technical taxonomy. A way to describe what a vulnerability could do in a theoretical worst case. It was never designed to answer the question "what should I work on Monday morning?"

But the industry, hungry for a single number to put in a SLA, started treating CVSS as gospel. Dashboards got built on it. KPIs got set against it. Patching SLAs got tied to it. And it's been quietly failing every single security team that uses it for prioritization.

Here's what CVSS doesn't know about your environment:

  • Reachability. Is the vulnerable asset internet-exposed, or buried behind five layers of auth? CVSS doesn't care.
  • Identity posture. Is the affected service running as a low-privilege account, or as domain admin? CVSS doesn't care.
  • Compensating controls. Is there a WAF rule, EDR signature, or IAM policy that already blocks the exploit path? CVSS doesn't care.
  • Chainability. Can this "medium" vulnerability combine with an unmonitored misconfiguration and an overprivileged identity to produce a real attack path? CVSS doesn't care.
  • Business criticality. Is this on a tier-one revenue system or a forgotten dev box? CVSS doesn't care.

So you end up with a queue where a CVSS 9.8 on an air-gapped dev workstation sits ahead of a CVSS 6.5 on an internet-exposed customer-data API. The first one will never be exploited. The second one is a Tuesday-morning breach. CVSS sorted you wrong.

This isn't a bug in CVSS. It's a misuse of it. CVSS authors have said this publicly. The vulnerability management industry just kept building dashboards on top of it anyway.

Related reading: Why CVSS Scores Fail: Attackers Exploit Paths, Not Points

Attackers exploit paths, not points

Once you start thinking like an attacker, the whole prioritization problem reorganizes itself.

Attackers don't open the CVE database and pick the highest-scoring entry. They pick the path of least resistance. They look for:

  • Exposure. What's reachable from outside, or from a foothold they already have.
  • Privilege. What identities are available on the reachable assets, and what those identities can do.
  • Blind spots. Which controls aren't watching, or aren't tuned to catch the technique.
  • Chain potential. What one ordinary-looking weakness, combined with another ordinary-looking weakness, would produce a path to something worth stealing.

A low-severity CVE on a server that's internet-exposed, runs as a service account with read access to your customer database, and isn't covered by your EDR detection rules. That's an attack path. It will be exploited. CVSS will tell you it's a 4.3.

A "critical" CVSS 9.8 on a workstation that's behind your VPN, runs as a standard user, has EDR with the relevant rules deployed, and only the IT helpdesk ever logs into. That's not an attack path. It's a finding in your scanner. It will probably never be touched by anyone except you, patching it.

The shift is from finding count to path count. From "how many vulnerabilities did we resolve this quarter?" to "how many traversable paths to crown-jewel assets exist in our environment, right now, after accounting for what our controls actually block?"

That's the right question. And it's a question no scanner can answer alone. No scanner sees the controls layer.

Related reading: Cybersecurity: Fix Vulnerabilities or Protect Against Exploits?

The 5 false assumptions killing your VM program

If your vulnerability program isn't reducing real risk despite the effort you're putting into it, one or more of these is the reason:

1. "All vulnerabilities are created equal." The reliance on CVSS implies every "critical" is equally critical. They aren't. Exploitability and reachability vary by orders of magnitude across findings with the same score.

2. "Static environments need static solutions." This assumes the world your scanner looks at on Monday is the same world that exists on Friday. In a cloud or hybrid environment, that's not true. New assets, new identities, new exposed endpoints, new misconfigurations appear continuously.

3. "Vulnerabilities without known exploits are low risk." This ignores the gap between disclosure and weaponization, which, as discussed above, is collapsing toward minutes for AI-generated exploits.

4. "Visibility equals control." Identifying a vulnerability isn't the same as containing it. Fragmented tools and siloed teams produce visibility without action. The SolarWinds breach is the case study: scanners flagged issues; those signals weren't correlated with compensating controls; attackers walked through gaps the defenders technically knew about.

5. "Patching is the finish line." It isn't. Patches close one vector. Attackers exploit dependencies, related misconfigurations, and adjacent weaknesses around the patched component. Closing the path matters more than closing the finding.

Every vulnerability program that's drowning is built on at least three of these. Most are built on all five.

Related reading: Vulnerability Prioritization in 2025: From Noise to Actionable Insights

Fix or protect? Both, but stop pretending it's the same question

The most common version of the prioritization debate frames it as a binary: should we focus on fixing vulnerabilities (patching) or on protecting against the exploit (compensating controls)?

It's the wrong framing. The answer is both. But, and this is the part that gets skipped, the order matters, and the order is determined by attack-path context.

Here's how to think about it:

  • Patching is a long-term cleanup. It removes the underlying weakness from the environment. It's the right move for findings that are reachable, exploitable, and on critical systems where you have a change window. It's the right move for findings where compensating controls can't realistically be deployed in time.
  • Protecting is a now-now mitigation. A WAF rule, an EDR detection, an IAM policy, a network segmentation change, any of these can neutralize an exploit path in hours, while the patch waits for the change window. It's the right move when the path is real but the patch isn't deployable today.

The smart sequencing isn't "patch then protect." It's "identify the real path, neutralize it through whichever control breaks it fastest, then schedule the patch." Sometimes that means a 30-minute WAF rule plus a scheduled patch six weeks from now. Sometimes that means tightening an IAM policy and never patching the underlying CVE because the control change eliminated the path entirely.

The organizations still arguing "fix vs. protect" are the ones losing time. The ones winning have stopped treating it as a debate and started treating it as a workflow.

A real case: 206,000 vulnerabilities → 94 real risks → 5 policy changes

This is the number we want every security leader to internalize:

A security team running a complex stack, Wiz, SentinelOne, Cisco Meraki, was sitting on 206,000 open vulnerabilities. A compliance audit was looming. Two paths were available:

Path A: Manually patch 206,000 vulnerabilities. Impossible. Ignore the math, ignore the change windows, ignore the dependencies, there's no version of "patch faster" that lands this team in a healthy state inside the audit window.

Path B: Use attack-path validation to identify which of the 206,000 were actually reachable and exploitable, then close those through compensating control changes rather than patches.

They picked Path B. Here's what happened:

  • 99% noise reduction. 206,000 → 94. The Digital Twin (a live, AI-driven replica of the environment) validated which findings could actually be reached and exploited given current network, identity, and control posture. The remaining 99% were either not reachable, blocked by existing controls, or theoretical-only.
  • Attack simulation validated the 94. Each of the remaining 94 was confirmed exploitable, exposed, and undefended by an existing control. No theoretical risk in the final list, only real ones.
  • Automated policy-based remediation eliminated 80% of risk with 5 policy changes. Not 5 patches. Five policy changes. Adjustments to existing WAF, IAM, EDR, and network rules. Each one closed multiple paths at once because the paths shared underlying control gaps.
  • Audit pass with 55 total policy updates. The remaining residual risk was closed through another 50 policy updates. The compliance audit was passed without patching 206,000 vulnerabilities.

The number to remember is 5. Five policy changes eliminated 80% of risk on a stack of 206,000 findings. That's the kind of leverage you get when you stop ranking by severity and start ranking by exploitable attack path.

Related reading: How One Security Team Cut Through 206K Vulnerabilities with 5 Policy Changes

What good vulnerability management actually looks like

If you're rebuilding your VM program around what works in 2026, the playbook is:

1. Lead with context, not severity. Every finding gets enriched with reachability, identity posture, compensating-control coverage, and business criticality before it enters the queue. CVSS becomes one input among five, not the sole sort order.

2. Validate exploitability through simulation, not assumption. A Digital Twin (a live, virtual replica of the production environment) lets you test whether an exploit path is real before assigning a remediation ticket. This is the difference between "this CVE exists somewhere on our network" and "an attacker can walk from this CVE to our production database in three hops."

3. Treat compensating controls as first-class remediation. A WAF rule, an IAM tightening, an EDR detection update, a network segmentation change, any of these is a legitimate close-out for a finding, when validated to break the path. Stop treating "patched" as the only acceptable resolution state.

4. Unify the defense layer with the vulnerability layer. Scanners, WAFs, EDRs, IAM tools, and SIEMs need to share a single graph of "what's exposed, what's exploitable, what's defended, what's not." Most environments still run these tools as silos. That's the gap attackers walk through.

5. Measure attack-surface reduction, not patch counts. "Vulnerabilities resolved per quarter" is a vanity metric. "Reachable attack paths to crown-jewel assets, month-over-month" is the real one. The first one rewards patching the easy stuff. The second one rewards closing the dangerous stuff.

The teams getting this right are seeing 80-98% reductions in their effective backlog within months, not by patching faster, but by stopping the patching of things that were never exploitable in the first place.

Frequently asked questions

Why does CVSS fail at prioritization?

CVSS was designed as a severity index, not a prioritization tool. It scores what a vulnerability could theoretically do in a worst-case configuration, with no knowledge of your specific environment, your network exposure, identity posture, compensating controls, or which assets matter to your business. Two findings with identical CVSS scores can pose wildly different real-world risks depending on whether attackers can actually reach them. Treating CVSS as your queue is how organizations end up patching low-risk findings while real attack paths sit open.

What's the difference between a vulnerability and an exploitable attack path?

A vulnerability is a single weakness, a CVE, a misconfiguration, an exposed service. An attack path is a chain of weaknesses that, combined, gives an attacker traversable access from an entry point to a target asset. A "low-severity" vulnerability inside a chain that reaches your customer database is more dangerous than a "critical" vulnerability that has no reachable path to anything attackers want. Real attackers think in paths; effective defenders should too.

Should I patch the vulnerability or just protect against the exploit?

Both, but the order matters. Compensating controls (WAF rules, EDR detections, IAM tightening, network segmentation) can neutralize an exploit path in hours, while a patch may take weeks. The right sequence is usually: identify the real attack path, deploy the fastest control change that breaks it, then schedule the patch for the next change window. In some cases the control change eliminates the path so completely that patching the underlying CVE becomes optional.

How do I cut my vulnerability backlog without hiring more people?

By eliminating findings that aren't actually exploitable in your environment. Most "critical" findings in a typical scan aren't reachable, are already blocked by existing controls, or sit on assets attackers don't care about. Attack-path validation through a Digital Twin or similar simulation tool routinely reduces the active backlog by 80-99%, because the original number was inflated by findings that should never have been in the queue in the first place. You're not patching faster; you're patching less, because there's less that genuinely needs patching.

What is a Digital Twin for security?

A Digital Twin is a live, virtual replica of your production environment (assets, identities, network paths, control coverage, exposure state) built and continuously updated from your existing security telemetry. It lets defenders safely simulate exploit scenarios against the replica to confirm whether a given vulnerability is actually reachable and exploitable in their specific environment, before committing remediation effort. Tuskira's Digital Twin is the foundation of how Kairo (our breach-path detection and disruption capability) decides which findings are real risks and which are noise.

How fast are attackers exploiting newly disclosed vulnerabilities?

For high-impact vulnerabilities with publicly available exploit code, the window from disclosure to active exploitation is now measured in hours, sometimes minutes. Log4Shell was being exploited in the wild within hours of its public disclosure in December 2021. With frontier AI models now generating working exploits at machine speed, that window is collapsing further. The traditional "patch within 30 days" SLA, used by most enterprise VM programs, has become functionally meaningless for anything genuinely targeted.

Where this leaves you

If your team is patching as fast as it can and the backlog still grows, the problem isn't your team. It's the model: CVSS-based prioritization, severity-driven SLAs, finding-count metrics, and a defense layer that doesn't talk to the vulnerability layer.

Switching to reachability-based prioritization, attack-path validation, and compensating-control-first remediation isn't a small adjustment. It's a different operating model. But it's the model the organizations that aren't drowning have already adopted.

Tuskira's Agentic Threat Exposure Management and Kairo breach-path detection and disruption are built around exactly this model. Together they:

  • Validate every finding against your live environment, not theoretical worst case.
  • Compute the real attack paths an adversary could walk today, given your current control state.
  • Identify the single highest-leverage control or patch action that closes the most paths.
  • Re-validate continuously as the environment changes.

The customer earlier in this article ran 206,000 vulnerabilities through this model and emerged with 94 real risks and a 5-policy fix list. Your number won't be identical. The order of magnitude will be similar.

Request a demo to see this run against your environment, or talk to us about your backlog if the queue is what's keeping you up at night.

Blog Tag:
Vulnerability
Share
LinkedIn
Linkedin
Youtube
Blog
View all
Tuskira Launches Kario | Breach Modeling for Attack Surface Management
Defense

Tuskira Launches Kairo, an AI-Driven Breach Modeling Capability to Protect Against AI-Driven Threats

Explore
Tuskira Launches Kairo, an AI-Driven Breach Modeling Capability to Protect Against AI-Driven Threats
JPMorgan Just Made the Case for a New Security Operating Model
Defense

JPMorgan Just Made the Case for a New Security Operating Model

Explore
JPMorgan Just Made the Case for a New Security Operating Model
How Anthropic’s Mythos Preview Changes the Calculus of Cybersecurity, and Why Continuous Threat Exposure Management Is the Answer
Vulnerability

AI Just Learned to Hack, And Defenders Should Be Excited.

Explore
AI Just Learned to Hack, And Defenders Should Be Excited.
View all