
Root Evidence Research Finds Only 1.4% of Vulnerabilities Are Known to Be Exploited in Real-World Attacks

New Q1 2026 analysis challenges the industry’s reliance on CVSS scores and volume-based remediation strategies

Root Evidence, the cybersecurity startup championing evidence-based security, released new research showing that the cybersecurity industry’s current approach to vulnerability management is overwhelmingly focused on the wrong problems. The report, Stop Counting CVEs: What Actually Mattered in Q1 2026, analyzed publicly available vulnerability and exploitation data from Q1 2026 and found that only a small fraction of vulnerabilities are actually tied to real-world exploitation and breaches.

The findings challenge long-standing assumptions that more visibility, more scanning, and more remediation volume automatically lead to better security outcomes.

“Security teams have spent years drowning in dashboards, critical severity scores, and endless remediation queues, but breaches continue to happen because the industry has confused activity with risk reduction,” said Robert Hansen, CTO at Root Evidence. “The data shows that exploitation is highly concentrated and measurable. Organizations should prioritize what attackers actually use, not every theoretical vulnerability equally.”

The report analyzed approximately 4,920 publicly Known Exploited Vulnerabilities (KEVs) available from CVEdata.com and compared them against common industry prioritization signals, including CVSS, EPSS, exploit code availability, Metasploit modules, and Nuclei templates.

Among the report’s key findings:

  • Only approximately 1.4% of publicly disclosed vulnerabilities are known to be exploited in real-world attacks, suggesting that the industry’s “patch everything” approach creates massive inefficiency with limited measurable risk reduction.
  • Exploitation activity is heavily concentrated around a relatively small subset of vulnerabilities, many of them years old, as attackers prioritize reliability and scale over novelty.
  • Commonly used prioritization signals perform poorly as indicators of real-world exploitation. The research found weak correlation between KEV data and exploit proof-of-concept availability, Metasploit modules, and Nuclei templates.
  • CVSS severity scores alone are insufficient predictors of operational risk, as many exploited vulnerabilities fall below the “critical” threshold commonly used in enterprise remediation programs.
  • Attack surface exposure matters more than severity. Exploited vulnerabilities disproportionately affect widely deployed edge technologies, VPNs, firewalls, client-side applications, and injection-based weaknesses.
  • Threat intelligence and risk models are often misaligned with financial reality, focusing heavily on nation-state activity while underrepresenting financially motivated criminal actors responsible for the majority of material losses.

The report argues that vulnerability management programs should move away from volume-based remediation models and toward evidence-based prioritization grounded in real-world exploitation patterns, actuarial data, and observed attacker behavior.

“CVSS base score isn’t broken because it’s inaccurate; it’s broken because organizations treat it like a business risk predictor when it was never designed to be one,” said Hansen. “The organizations that shift from counting vulnerabilities to measuring evidence-based risk reduction will operate more efficiently and will arguably be more secure.”

Root Evidence recommends organizations:

  • Prioritize vulnerabilities with demonstrated exploitation or evidence-based indicators tied to attacker behavior.
  • Treat CVSS as one signal among many rather than a standalone decision-making framework.
  • Focus remediation resources on concentrated areas of measurable risk exposure.
  • Measure success through risk reduction outcomes instead of remediation volume or ticket closure metrics.
  • Incorporate business exposure and attack surface context into prioritization decisions.
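As an added illustration of these recommendations (example code, not from the report or from Root Evidence), the following Python ranks a constructed set of four findings two ways: by CVSS alone and by an evidence-weighted score in which known exploitation, EPSS, internet exposure and edge-device context dominate and CVSS only breaks ties. The field names, weights and sample values are assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str            # constructed placeholder id, not a real CVE
    cvss: float         # CVSS base score, 0-10
    epss: float         # assumed EPSS-style probability of exploitation
    in_kev: bool        # listed on a known-exploited-vulnerabilities feed
    internet_exposed: bool
    asset_class: str    # e.g. "vpn", "firewall", "client-app", "internal-app"

# Widely deployed edge technologies the report singles out (assumed set).
EDGE_CLASSES = {"vpn", "firewall", "edge-gateway"}

def cvss_only_rank(findings):
    """The 'patch by severity' queue: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def evidence_score(f):
    """Evidence-weighted score (weights are assumptions, not the report's)."""
    score = 100.0 if f.in_kev else 0.0       # demonstrated exploitation dominates
    score += 50.0 * f.epss                    # predicted exploitation likelihood
    score += 20.0 if f.internet_exposed else 0.0
    score += 10.0 if f.asset_class in EDGE_CLASSES else 0.0
    score += f.cvss                           # severity only as a tie-breaker
    return score

def evidence_rank(findings):
    return sorted(findings, key=evidence_score, reverse=True)

def kev_in_top(ranked, n):
    """How many of the first n queue entries are actually known-exploited."""
    return sum(1 for f in ranked[:n] if f.in_kev)

# Constructed sample: a 'critical' internal bug with no exploitation evidence,
# an older exploited VPN bug, an exploited client-side bug below 'critical',
# and a high-severity internal bug with no evidence.
SAMPLE = [
    Finding("EX-1", 9.8, 0.02, False, False, "internal-app"),
    Finding("EX-2", 7.2, 0.85, True,  True,  "vpn"),
    Finding("EX-3", 6.1, 0.30, True,  True,  "client-app"),
    Finding("EX-4", 8.1, 0.01, False, False, "internal-app"),
]

if __name__ == "__main__":
    for name, ranked in (("cvss-only", cvss_only_rank(SAMPLE)),
                         ("evidence", evidence_rank(SAMPLE))):
        print(name, [f.cve for f in ranked], "KEV in top 2:", kev_in_top(ranked, 2))
```

With a team that can only fix two items this cycle, the CVSS-only queue spends both slots on findings with no exploitation evidence, while the evidence-weighted queue puts both known-exploited, internet-facing findings first.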

The report concludes that organizations continuing to optimize for remediation volume instead of evidence-driven outcomes are likely overspending resources while leaving genuinely dangerous exposures unresolved.
