Ido Geffen, CEO and Co-founder, Novee Security.

AI-assisted vulnerability discovery is increasing the number of security findings across organizations, but more findings do not automatically translate into meaningful risk reduction. In fact, I believe the opposite is increasingly true: more findings often mean less real improvement. Organizations can close thousands of vulnerabilities without meaningfully changing how difficult they are to breach.

That disconnect is becoming harder to ignore as AI lowers the cost and speed of vulnerability discovery for both defenders and attackers. Security teams can now scan more systems, test more code paths and generate more findings than ever before. Meanwhile, attackers are using many of the same advances to identify exploitable weaknesses faster and on a larger scale. This has led to a growing industry tendency to confuse security activity with security improvement.

Faster does not always mean safer, and finding more vulnerabilities is not the same thing as reducing meaningful exposure. In many environments, most findings are unreachable, already mitigated by upstream controls or contingent on conditions that do not realistically exist in production. Without context, more findings simply create more backlog. And backlog is not security.

Security has a measurement problem.

For years, vulnerability management programs have relied on metrics that are easy to quantify (and easy to present): total findings, severity scores, backlog counts and scan coverage percentages. Those measurements certainly help organizations track operational activity, but they often fail to reflect how attacks actually happen.

Attackers do not prioritize vulnerabilities by CVSS score. They prioritize by path to the objective. They start with the outcome they want (data access, lateral movement, persistence or financial gain) and work backward to identify the fastest route to achieve it. Security teams, by contrast, often evaluate vulnerabilities in isolation, prioritizing whichever findings carry the highest CVSS rating or attract the most internal pressure.

Two moderate vulnerabilities in the right locations can create a practical path to full compromise, while a standalone "critical" vulnerability in an isolated or unreachable system may have little operational relevance. Context, not the score itself, determines the real risk.

AI is accelerating the noise.

Real risk lives at the intersection of exposure, exploitability and consequence. The disconnect between severity scores and that real risk existed long before AI-assisted discovery. AI is simply making it impossible to ignore, and it is changing both the volume and the nature of vulnerability discovery.

Modern tooling can continuously probe systems, recognize patterns across massive codebases and generate plausible exploit hypotheses at speeds no human team could match manually. But the increase in findings also increases noise. Organizations are seeing more legitimate vulnerabilities, as well as more false positives, redundant findings and theoretical risks with little practical exploitability.

That creates a dangerous operational imbalance. When organizations generate 10 times as many findings at the same false-positive rate, they also generate 10 times as many false positives in absolute terms, so security teams spend more time triaging and less time reducing real exposure.

At the same time, attackers are becoming faster and more adaptive. Public vulnerabilities are increasingly weaponized within days (or even hours) of release. Attackers also rarely rely on a single catastrophic flaw anymore. Instead, they increasingly chain together smaller weaknesses that, individually, may appear manageable. A moderate identity misconfiguration combined with a reachable privilege-escalation flaw may create a far more practical attack path than a severe vulnerability buried inside an unreachable environment. This is one reason severity scores alone may fail to reflect how breaches materialize in practice.

In my experience, becoming genuinely safer does not mean generating the most findings. Instead, I recommend building the ability to quickly distinguish meaningful exposure from operational noise so you can act before attackers do.

You need to measure what actually matters.

Vulnerability management is still essential, but in a world where discovery is abundant, organizations need to rethink what security maturity actually looks like. Security leaders should place less emphasis on raw finding counts, severity-weighted backlogs and scan volume metrics alone. Those measurements can create the appearance of progress without necessarily reducing exploitable risk.

Instead, I believe organizations should prioritize metrics tied more directly to attacker reality:

• Time from risk introduction to verified remediation

• Whether vulnerabilities are actually reachable and exploitable

• Which business-critical workflows are continuously tested instead of periodically sampled

• Whether multistep exploit chains (not just isolated findings) are being validated and closed

The goal is to shift from counting findings to proving resilience, continuously testing your environments the way attackers do and identifying meaningful attack paths before adversaries can operationalize them. Because if closing a real exploit chain does not meaningfully improve your security metrics, then your metrics may not be measuring security at all.
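As an added, constructed example (not from the article and not Novee Security's code), the following Python puts the two ideas above together: it ranks findings by whether they sit on an attacker's path from an entry point to an objective rather than by CVSS alone, and it shows why a count-based metric cannot tell a chain-breaking fix apart from a cosmetic one. The hostnames, finding IDs, CVSS values and reachability edges are all made up for illustration, and "exploitable" is assumed to be the output of prior validation (the precondition exists and no upstream control already blocks it).

```python
"""Attack-path prioritisation: an added example, not from the original article.
All hosts, finding IDs, CVSS values and edges below are constructed sample data."""

from collections import deque

ENTRY = "internet"      # where the attacker starts
CROWN_JEWEL = "db"      # the attacker's objective

# Directed edges: an attacker who controls `src` can attack `dst`.
# "lab" can reach "db", but nothing reaches "lab", so it is isolated.
EDGES = [
    ("internet", "web"),
    ("web", "idp"),
    ("web", "wiki"),
    ("idp", "jump"),
    ("jump", "db"),
    ("lab", "db"),
]

# Findings: (host, finding_id, cvss, exploitable_here). Constructed data.
FINDINGS = [
    ("web",  "F-WEB-SSRF",      6.5, True),
    ("web",  "F-WEB-XSS",       7.1, False),  # blocked by an upstream control
    ("idp",  "F-IDP-MISCONFIG", 5.3, True),   # moderate identity misconfiguration
    ("jump", "F-JUMP-PRIVESC",  7.8, True),   # reachable privilege escalation
    ("db",   "F-DB-WEAKAUTH",   6.1, True),
    ("wiki", "F-WIKI-LFI",      7.5, True),   # reachable, but leads nowhere useful
    ("lab",  "F-LAB-RCE",       9.8, True),   # "critical", on an isolated host
]


def _adjacency(edges):
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def compromisable_hosts(findings):
    """Hosts with at least one exploitable finding; the entry is attacker-controlled."""
    hosts = {host for host, _, _, ok in findings if ok}
    hosts.add(ENTRY)
    return hosts


def shortest_attack_path(findings, edges=EDGES, entry=ENTRY, target=CROWN_JEWEL):
    """BFS over hosts the attacker can actually take over.
    Returns the host sequence from entry to target, or None if unreachable."""
    usable = compromisable_hosts(findings)
    adj = _adjacency(edges)
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        host = queue.popleft()
        if host == target:
            path = []
            while host is not None:
                path.append(host)
                host = parent[host]
            return path[::-1]
        for nxt in adj.get(host, []):
            if nxt in usable and nxt not in parent:
                parent[nxt] = host
                queue.append(nxt)
    return None


def reachable_hosts(findings, edges=EDGES, entry=ENTRY):
    """Every host the attacker can compromise from the entry, objective or not."""
    usable = compromisable_hosts(findings)
    adj = _adjacency(edges)
    seen = {entry}
    queue = deque([entry])
    while queue:
        host = queue.popleft()
        for nxt in adj.get(host, []):
            if nxt in usable and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def prioritise(findings):
    """Rank findings by attack-path relevance first, CVSS second.
    Tier 0: exploitable and on the shortest path to the crown jewel.
    Tier 1: exploitable and on a host the attacker can reach anyway.
    Tier 2: unreachable or not exploitable here (backlog, not risk)."""
    on_path = set(shortest_attack_path(findings) or [])
    reach = reachable_hosts(findings)

    def tier(f):
        host, _, _, ok = f
        if not ok:
            return 2
        return 0 if host in on_path else (1 if host in reach else 2)

    ranked = sorted(findings, key=lambda f: (tier(f), -f[2]))
    return [(f[1], tier(f)) for f in ranked]


def after_fix(findings, finding_id):
    """Simulate closing one finding: (open_count, objective_still_reachable).
    The count moves by one whichever finding is closed; reachability moves
    only when the closed finding sat on the chain."""
    remaining = [f for f in findings if f[1] != finding_id]
    return len(remaining), shortest_attack_path(remaining) is not None


if __name__ == "__main__":
    print("attack path:", shortest_attack_path(FINDINGS))
    for fid, t in prioritise(FINDINGS):
        print(f"tier {t}: {fid}")
    for fid in ("F-LAB-RCE", "F-IDP-MISCONFIG"):
        print(f"close {fid} ->", after_fix(FINDINGS, fid))
```

Run it and F-LAB-RCE, the highest-scored finding, lands in the lowest tier because nothing the attacker controls can reach the host it lives on, while closing the 5.3-rated identity misconfiguration on idp is what actually breaks the chain to db; the open-finding count drops by exactly one in both cases and cannot tell them apart. The model is deliberately coarse: one exploitable finding is enough to take over a host, and reachability is a static edge list. A real implementation would derive edges from network policy and identity trust relationships and re-run the path computation continuously as findings open and close.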

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
