The traditional model of vulnerability management—scan, wait, patch—was built for a world that no longer exists. Today’s adversaries move at machine speed, automating reconnaissance and exploiting exposures within hours of disclosure.
In this environment the bottleneck isn’t finding vulnerabilities, it’s fixing them fast. Most organizations detect thousands of vulnerabilities every month but only a fraction are remediated before attackers take advantage.
From Reactive Defense to Preemptive Exposure Management
That reality isn’t new. At the same time, the impact of it has more serious implications as threat actors embrace AI-based tools that accelerate the pace and scale of attacks. I reached out to some industry experts to get some insight on what it will take to close the exposure gap and take a more proactive approach to security.
Roi Cohen, co-founder and CEO of Vicarius, frames the solution as “preemptive exposure management”—a strategy designed to anticipate and neutralize threats before they’re weaponized. That means continuous visibility across assets, contextual scoring to highlight what truly matters and automation to shrink remediation timelines from weeks to minutes. “Preemptive exposure management shifts the model entirely,” he explains. “It means anticipating and neutralizing threats before they’re weaponized, not waiting for a CVE to be exploited before taking action.”
Michelle Abraham, research director for security and trust at IDC, echoes the urgency of this shift. “Proactive security seems to have taken a back seat to reactive security at many organizations. IDC research highlights that few organizations track all their IT assets which is the critical first step towards visibility of the full digital estate. Once assets and exposures are identified, security teams are often overwhelmed by the volume of findings, underscoring the need for risk-based prioritization,” she says.
Context Beats Volume
Flat severity scores like CVSS don’t tell you whether an issue is being exploited in the wild or whether it lives on a revenue-critical system. Cohen emphasizes the need to focus on context—blending exploit intelligence, asset criticality and business impact. That’s what separates noise from meaningful risk.
Abraham adds that less than half of organizations use exposure prioritization algorithms at all and siloed operations between security and IT create dangerous delays. “By integrating visibility, prioritization and remediation, organizations can streamline processes, reduce patching delays and fortify their defenses against evolving threats,” she notes.
AI’s Double Edge
Artificial intelligence adds complexity. On one hand, attackers are already using AI to scale phishing, mutate malware and identify weaknesses. On the other, defenders can use AI to automate detection, prioritize intelligently and generate remediation playbooks at machine speed.
Cohen believes AI is essential: “In a threat landscape that moves faster than any analyst can, remediation has to be autonomous, contextual and immediate and that’s what preemptive strategy delivers.”
But not everyone is convinced. Richard Stiennon, chief research analyst at IT-Harvest, offers a dissenting view: “Most organizations have mature vulnerability management programs that have identified problems in critical systems that are years old. There is always some reason not to patch or otherwise fix a vulnerability. Sprinkling AI pixie dust on the problem will not make it go away. Even the best AI vulnerability discovery and remediation solution cannot overcome corporate lethargy.”
His skepticism highlights a key point: technology alone won’t overcome cultural or organizational inertia.
Trusting Automation
Even when organizations embrace automation, skepticism remains. A single mistimed patch can take down a business-critical system. There is some consensus that automation should be treated like onboarding a new team member: start with low-risk actions, enforce guardrails and provide transparency. Over time, trust grows as automated workflows prove consistent and safe.
Lawrence Pingree of Dispersive argues that defenders must lean harder into prevention. “We have to be more preemptive in all activities, this even means the way that vendors build their backend signatures and systems to deliver prevention. Detection and response is failing us and we’re being shot behind the line.”
Compliance as a Stopwatch
The regulatory environment is shifting too. Frameworks like NIST CSF 2.0 and ISO 27001 increasingly emphasize speed to remediate, not just whether a vulnerability was logged. Compliance is less about checkboxes and more about demonstrating how quickly and effectively risks were reduced with evidence to back it up.
A Practical Path Forward
The advice across experts is consistent:
- Unify workflows so detection, prioritization and remediation aren’t siloed
- Automate the obvious fixes and build guardrails for trust
- Prioritize by context—exploitability, asset value and business impact
- Protect the patch gap with runtime controls and compensating defenses
Cohen sums it up simply: security teams don’t need to find more vulnerabilities—they need to shorten the gap between detection and mitigation.
With attackers moving at machine speed, the only way forward is a preemptive strategy that blends human judgment with automated execution.
