Vulnerability management rarely fails for lack of scanners. It fails because of prioritisation: too many findings, ranked by raw severity, worked through in the wrong order. The organisations that reduce real risk are the ones that decide what to fix first using exploitation, exposure, asset criticality and — the part most people miss — compromised credentials.
At a glance
- The real problem: prioritisation, not detection.
- The signals that matter: known exploitation, exposure, asset value and compromised credentials.
- The fix: rank by probability of compromise, not by severity in isolation.
Why many companies do vulnerability management badly
Four patterns recur: prioritising by CVSS rather than context; ignoring real exposure; having no reliable inventory; and treating vulnerabilities and identity as separate problems. Each quietly inflates the backlog while leaving the genuinely dangerous issues buried.
The right prioritisation: probability of compromise, not isolated severity
A useful ranking combines several factors: known exploitation (is it being used in the wild — see KEV and EPSS); exposure (is it reachable); asset criticality; capacity for lateral movement or escalation; and any compensating controls. A "critical" nobody can reach matters less than a "high" being actively exploited on an internet-facing service.
Why compromised credentials change the technical priority
A vulnerability behind a login is one thing; the same vulnerability when the attacker already holds valid credentials is another. Exposed credentials — harvested by infostealers and traded on criminal markets — collapse the effort an attacker needs, so they should pull the associated assets up the queue. Vulnerability and identity are one risk, not two.
Which assets belong at the front of any serious backlog
Some assets earn priority almost regardless of the specific finding: edge and remote-access devices; identity and access control; cloud and Microsoft 365; exposed applications and APIs; and business-critical systems. These are where exploitation is fastest and blast radius largest.
A practical prioritisation model
In practice, score each finding on exploitation, exposure, asset criticality, value to an attacker, compensating controls and any signal of compromised credentials. It does not need to be complex — it needs to be consistent, so the same logic decides order every time. An attack-surface view and IAM posture review feed it directly.
Metrics that help, and ones that mislead
Useful metrics track flow: time to remediate by severity, age of open critical findings, share of exposed assets covered. Misleading ones count raw totals — the number of findings tells you how noisy the scanner is, not how safe you are.
Where remediation usually breaks
The failure points are organisational: business dependencies that block patching, no clear ownership, incomplete inventory, an overwhelming volume of findings, and no interim mitigations when an immediate fix is impossible. Tooling rarely fixes these; process and ownership do.
What a company should do, in order of urgency
Prioritise, do not schedule for its own sake. First, get honest visibility of assets and exposure. Then re-order the backlog by probability of compromise. Then bring identity and credential exposure into the ranking. Finally, tighten how you verify closure. A managed SOC and, when something is already being exploited, incident response turn that sequence into sustained risk reduction. To discuss it, get in touch.