Picus launches tool for real-time validation of exploitable risks
The new feature, called Picus Exposure Validation, uses real-time attack simulations to provide evidence-based assessments of vulnerability risks within a specific organisation's environment. This approach aims to address the challenge of large numbers of vulnerabilities that are often identified but not all requiring immediate attention or remediation.
With more than 40,000 new Common Vulnerabilities and Exposures (CVEs) disclosed in 2024 - with 61% ranked as high or critical - security teams often struggle to respond effectively, as traditional vulnerability management methods can lead to inefficient allocation of resources. Picus Security says the new capability assists security teams in distinguishing between vulnerabilities that can actually be exploited in their unique systems and those that can be safely deprioritised.
Traditional vulnerability management is typically driven by severity metrics such as Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS), which provide generalised risk indicators but may not account for an individual organisation's existing security controls and asset criticality. Picus Exposure Validation aims to fill this gap with the Picus Exposure Score, an evidence-based, context-aware metric intended to reflect actual risk, according to the company.
The system continuously tests security controls using real-world attack techniques to determine whether known vulnerabilities can be exploited given the organisation's current defences. The findings are automatically updated and presented in transparent reports, enabling quicker and more confident decision-making in response to new security threats.
Volkan Ertürk, Co-Founder and Chief Technology Officer at Picus Security, commented: "The challenge today isn't finding vulnerabilities, it's knowing which ones matter in your unique environment. CVSS, EPSS and KEV offer theoretical risk signals. Picus Exposure Validation delivers proof by testing threats against your production defenses in real time. It replaces assumptions with evidence so security teams can focus on vulnerabilities that are actually exploitable."
Key features highlighted by the company include the ability for security teams to more accurately prioritise remediation work, safely deprioritise less urgent vulnerabilities, and reduce manual workloads through the use of automated validation processes. The solution is said to include tailored recommendations to quickly improve the effectiveness of security controls, offering an alternative when immediate patching is not feasible.
A global industrial firm reported that, upon deploying Picus Exposure Validation, it was able to reduce its list of critical patches by 85%. Based solely on CVSS ratings, 63% of the vulnerabilities in the organisation's systems were initially classified as critical. However, after applying Picus Exposure Validation, it was found that only 9% of those were truly high risk and required prioritisation. This reduction reportedly saved the organisation thousands of hours on patching activity and allowed the security team to focus resources more efficiently.
The company positions Picus Exposure Validation as a new methodology for combining data about vulnerabilities with automated attack simulation to create an organisation-specific analysis of exploitability. This approach, according to Picus, offers security teams a more focused view on where to deploy efforts for mitigation and remediation and thereby enables more effective closing of security gaps.
The Picus Exposure Validation feature is now available to organisations seeking enhanced vulnerability validation for their own environments.
Follow us on:
Share on:
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
27-07-2025
- Techday NZ
Tenable adds AI to VPR for sharper, real-time risk detection
Tenable has announced enhancements to its Vulnerability Priority Rating (VPR), focusing on precise risk identification and remediation for security teams. The updated VPR, now driven by generative artificial intelligence, provides organisations with contextual threat intelligence and real-time prioritisation to highlight vulnerabilities that pose the most significant risk to business operations. The changes aim to address longstanding challenges in vulnerability management. Sharper risk focus The company's VPR was first introduced in 2019 as a counterpoint to the broad scoring provided by the Common Vulnerability Scoring System (CVSS). While CVSS designates approximately 60% of vulnerabilities as high or critical, the original VPR narrowed the focus to just 3%. With the latest enhancements, Tenable reports that only 1.6% of vulnerabilities are now marked as representing genuine business risk, supported by real-time data and improved analytics. Jorge Orchilles, Senior Director, Readiness and Proactive Security at Verizon, described the practical impact that targeted vulnerability data has had on operational efficacy. "Our biggest problem was noise. We had thousands of vulnerabilities, and no clear way to know which ones posed a genuine threat," said Orchilles. "Tenable VPR changed that by showing us what attackers are actually exploiting right now. It lets us focus our resources on the handful of issues that truly matter, which has made a real, measurable difference in how quickly we can get critical patches out." AI-driven insights and explainability The enhancements are underpinned by generative AI, which produces tailored threat summaries and remediation advice. VPR's AI-powered insights are designed to help users quickly interpret why a particular vulnerability matters, its weaponisation by threat actors, and what actions are immediately necessary to mitigate risk. The technology delivers instant clarity to enable faster remediation and more strategic use of resources. Eric Doerr, Chief Product Officer at Tenable, outlined the strategic value of these new capabilities for organisations managing cyber risk. "We're taking our game-changing Tenable VPR to the next level with these AI-powered enhancements," said Doerr. "Tenable VPR brings an unmatched precision and depth of threat intelligence, context and explainability to cyber operations. With these critical insights at their fingertips, organisations can clearly visualise why an exposure matters, where they are vulnerable and how to close their priority risks." Industry and regional context A key feature of the updated VPR is its ability to apply industry- and region-specific threat context. Enhanced filtering, querying and use of metadata enable organisations to refine vulnerability prioritisation by relevance to their sector or area of operation. This approach ensures that security teams can address the exposures most relevant to their business environment, rather than relying on generic risk scores. According to the company, these changes are expected to support reduced mean-time-to-remediation and more strategic alignment between cybersecurity efforts and broader organisational goals. By providing more precise, context-rich data, Tenable aims to help organisations allocate security resources where they have the greatest impact. The latest iteration of Tenable's VPR builds on its previous reputation for prioritising threats and reducing the noise associated with vulnerability management. Through the addition of AI-driven explainability and tailored risk measures, the update is intended to allow cybersecurity and risk management teams to respond faster and more effectively to emerging threats. Follow us on: Share on:
Techday NZ
24-07-2025
- Techday NZ
Tenable boosts vulnerability priority rating with advanced AI
Tenable has announced advancements to its Vulnerability Priority Rating (VPR), incorporating AI-powered capabilities for heightened precision in identifying and addressing critical cybersecurity risks. The updated Tenable VPR aims to help organisations clarify which vulnerabilities require urgent attention, leveraging generative AI, advanced threat intelligence, and context-aware scoring. By doing so, the solution seeks to facilitate an understanding of vulnerability impact, exploitation potential, and the steps necessary for remediation. Cutting through the noise A significant challenge for businesses is the high volume of reported vulnerabilities, making it difficult to determine which issues pose a genuine threat. According to the company, while the Common Vulnerability Scoring System (CVSS) previously classified around 60% of vulnerabilities as high or critical, the original VPR introduced in 2019 narrowed this number to 3%. With its latest AI enhancements, Tenable claims the VPR now focuses on just 1.6% of vulnerabilities that represent a material business risk. These improvements are designed to enable quicker remediation times, more efficient use of security resources, and alignment of security operations with key organisational priorities. Customer experience "Our biggest problem was noise. We had thousands of vulnerabilities, and no clear way to know which ones posed a genuine threat," said Jorge Orchilles, Senior Director, Readiness and Proactive Security at Verizon. "Tenable VPR changed that by showing us what attackers are actually exploiting right now. It lets us focus our resources on the handful of issues that truly matter, which has made a real, measurable difference in how quickly we can get critical patches out." Deeper insight and explainability The enhancements to VPR are underpinned by new AI-powered insights and explainability features. The company states that these improvements deliver instant clarity by providing users with detailed reasoning regarding the seriousness of a particular exposure, information on how threat actors have weaponised vulnerabilities, and actionable recommendations for mitigation. AI-generated threat summaries further aid users in understanding real-world risks and identifying appropriate next steps. Eric Doerr, Chief Product Officer at Tenable, commented, "We're taking our game-changing Tenable VPR to the next level with these AI-powered enhancements. Tenable VPR brings an unmatched precision and depth of threat intelligence, context and explainability to cyber operations. With these critical insights at their fingertips, organizations can clearly visualize why an exposure matters, where they are vulnerable and how to close their priority risks." Industry and regional context Tenable VPR now also includes enhanced filtering, querying, and metadata capabilities. These allow organisations to tailor their vulnerability management approach based on the threats most relevant to their specific industry sector and geographic location. The intent is to ensure that the vulnerabilities which present the greatest threat to a particular business are addressed first, improving risk posture in a targeted way. These features aim to assist organisations in tackling cyber threats more effectively by enabling clarity and prioritisation in patching and remediation efforts. The update is designed to give security teams more confidence in their decision-making processes and help them use time and resources more efficiently when addressing potential exposures. With these advancements, Tenable continues its focus on exposure management for organisations seeking to protect their assets from ongoing cyber risks. The company reports serving around 44,000 customers worldwide.
Techday NZ
06-06-2025
- Techday NZ
Cobalt unveils platform updates to streamline pentesting workflows
Cobalt has announced a series of product enhancements within its Offensive Security Platform intended to assist customers in scaling security testing with greater clarity, automation, and control. The platform centralises access to security services provided by a team of pentesters, enabling organisations to identify and address vulnerabilities more efficiently across their environments. Features offered include faster pentest launches, real-time collaboration with testers, continuous scanning, and integration with remediation workflows. According to the company, these processes aim to support security teams in identifying critical issues and accelerating the mitigation of risks. The latest updates seek to provide customers with clearer risk prioritisation. Each finding within the platform now comes with standardised CVSS v3.1 scores alongside OWASP ratings, offering a measurable and objective understanding of vulnerability severity. Users are expected to be able to concentrate their remediation efforts on the most critical security issues first, potentially saving time and resources while maintaining their security posture. CVSS data are accessible via reports, CSV exports, the public API, and integrations. Deeper insight and increased trust in pentest results is also a focus of these enhancements. Final pentest reports now include a detailed Coverage Checklist with associated findings. This addition is designed to provide a comprehensive overview of testing scope and methodology, linking individual findings directly to test activities. This approach is intended to make it easier for users to analyse results and take appropriate action. For organisations dealing with recurring or retested vulnerabilities, workflow simplification is addressed through a new configuration option. Users can automatically associate findings carried over from previous reports with existing tracking tickets or generate new tickets for separate tracking. This is intended to save time and reduce confusion in vulnerability management processes. The process of launching a pentest has also been redesigned. The platform now provides an intuitive flow in which users can select from a range of pentest options, customise requirements - such as requesting a debrief call - and place their order in a matter of minutes. Cobalt describes this as making launching a pentest as simple as ordering a pizza, with the goal of improving the user experience and accelerating the initiation of testing. Boris Diebold, Chief Technology Officer at HeyJobs, commented, "These updates are all about delivering more impactful and efficient testing. The clearer reporting and streamlined workflows help us understand and address our security risk with more confidence and speed." Discussing the direction of the platform, Jason Lamar, SVP of Product at Cobalt, said, "These innovations mark the next chapter in the evolution of offensive security services. We're building toward a future where pentesting is continuous, deeply integrated into development workflows, and backed by data that drives real security outcomes - not just compliance. The Cobalt Platform is redefining what it means to test smarter, not harder." The enhancements are intended to make pentesting more actionable and transparent, whether an organisation is launching a test in a short timeframe, integrating insights directly into development pipelines, or supporting compliance reporting. The platform continues to prioritise usability, integration capabilities, and the timely remediation of vulnerabilities, as it serves security and development operations teams dealing with changing and emerging security threats.
