"CVEs account for roughly 25% of the exposures that attackers exploit."
That stat, offered in a recent piece by Maya Malevich, frames a blunt question many security leaders already feel in their bones: closing hundreds of tickets and filling dashboards with green does not necessarily mean the organization is safer. The article — contributed by Malevich, Head of Product Marketing at XM Cyber — lays out why most exposure management platforms fall short and how to tell which ones actually connect remediation to real risk reduction.
Four platform architectures and the trade-offs they carry
Most exposure management platforms belong to one of four architectures, each with predictable limits. "Stitched portfolio" platforms are the aftermath of acquisitions: vendors bundle point products (cloud security, vulnerability scanners, identity analytics) but each product keeps its own data model and produces its own findings. The result looks integrated in a console but lacks genuine correlation.
"Data aggregation" platforms ingest findings from existing scanners and third-party tools, normalize them, and present a unified interface — but can only work with the inputs they receive, so disconnected findings remain disconnected. "Single-domain specialist" platforms go deep in one area (cloud misconfigurations, network vulnerabilities, identity exposures, external attack surface) but leave blind spots where exposures chain across domains. By contrast, "integrated" platforms are built to discover and correlate multiple exposure types in the same engine, creating a digital twin that maps how attackers can move laterally across on‑prem, cloud, and hybrid boundaries.
Five questions that reveal whether a platform is making you safer
Malevich proposes five practical evaluation questions that expose the consequences of architecture choices.
- How many exposure types can it discover — and how deeply? CVEs are only part of the picture. Misconfigurations, cached credentials, excessive permissions and identity weaknesses make up most exploitable exposures. Aggregators and stitched stacks are limited to what their components find; integrated platforms should natively cover both existing and emerging exposures (the article names "AI workloads and machine identities" as examples).
- Can it map attack paths across environments? Some stitched products show paths based on topology or connectivity alone; aggregators show no paths. The critical test is whether a platform can trace paths that cross environment boundaries — for example, an on‑prem capture of cloud credentials that then bypasses cloud-native defenses.
- Does it validate exploitability? True validation requires testing multiple conditions: is the vulnerable library loaded by a running process, is the port open and reachable, does a path to a critical asset actually exist? Platforms that rely on limited metadata often produce uncertain, assumptive outputs rather than binary answers grounded in the real environment.
- Does it factor in security controls? A high‑severity CVE blocked by a firewall is not usable for lateral movement; conversely, a moderate identity exposure with a direct path to a domain controller is an emergency. Platforms that ignore firewalls, MFA, EDR and segmentation can misdirect remediation efforts.
- How does it prioritize? Score‑based, asset‑tag or assumed‑path rankings miss the end goal: protecting critical assets. Effective prioritization starts from those assets and validates that an exposure is exploitable, reachable, and leads to something the business cannot afford to lose.
What this means for security teams, IT teams, and security leaders
Security teams: When a platform maps exploitable, validated paths and models controls, fixes that close choke points reduce multiple attack paths at once. Malevich notes that in large enterprises this can narrow the priority list to roughly 2% of all exposures.
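As an added illustration of the validation, control-modeling and choke-point ideas from the five questions above and from this paragraph (example code written here, not XM Cyber's product or the article's own material), a toy attack graph over a constructed environment: only exposures that were validated and are not blocked by a control count toward paths to critical assets, and exposures are ranked by how many of those paths they sit on. Asset names, exposure ids and the "CVE (placeholder)" labels are all made up.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Exposure(NamedTuple):
    id: str
    src: str
    dst: str
    kind: str
    validated: bool            # confirmed exploitable against the live environment?
    blocked_by: Optional[str]  # security control that stops it, if any

# Constructed sample environment (not data from the article); CVE ids are placeholders.
EXPOSURES = [
    Exposure("e1", "internet", "web01", "CVE (placeholder)", True, None),
    Exposure("e2", "internet", "vpn01", "CVE (placeholder)", True, "firewall"),
    Exposure("e3", "web01", "app01", "cached domain credential", True, None),
    Exposure("e4", "web01", "dc01", "open admin port", False, None),  # scanner hit, not reachable
    Exposure("e5", "app01", "dc01", "excessive permissions", True, None),
    Exposure("e6", "app01", "cloud-iam", "cloud access key on disk", True, None),
    Exposure("e7", "cloud-iam", "s3-backups", "over-privileged role", True, None),
    Exposure("e8", "vpn01", "dc01", "CVE (placeholder)", True, None),
]
CRITICAL = {"dc01", "s3-backups"}

def attack_paths(exposures, entry, critical, model_controls=True):
    """Simple paths from entry to a critical asset over validated, unblocked exposures."""
    usable = [e for e in exposures if e.validated and not (model_controls and e.blocked_by)]
    paths = []
    def walk(node, visited, used):
        if node in critical:          # stop at the first critical asset reached
            paths.append(tuple(used))
            return
        for e in usable:
            if e.src == node and e.dst not in visited:
                walk(e.dst, visited | {e.dst}, used + [e.id])

    walk(entry, {entry}, [])
    return paths

def choke_points(exposures, entry, critical):
    """Rank exposures by how many validated paths to critical assets they sit on."""
    hits = defaultdict(int)
    for path in attack_paths(exposures, entry, critical):
        for eid in path:
            hits[eid] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

def paths_after_fix(exposures, fixed_id, entry, critical):
    """Validated paths that remain once a single exposure is remediated."""
    return len(attack_paths([e for e in exposures if e.id != fixed_id], entry, critical))
```

In this sample the firewalled VPN CVE and the unvalidated open port drop out entirely, and fixing the cached credential (e3) removes both remaining paths at once, while fixing the domain-controller permission (e5) leaves the cloud backup path open.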
IT teams: Stitched and aggregated platforms can create overhead — reconciling findings across tools, arguing about remediations that may not reduce risk, and chasing exposures that lead to dead ends. Single‑domain tools trade breadth for depth and can leave cross‑domain chains unaddressed.
Security leaders: The question asked in leadership meetings — "So, are we actually safer now?" — demands more than ticket counts and CVSS dashboards. A platform that validates exploitability, models controls and maps viable paths to critical assets lets leaders answer that question with an honest "yes."
Conclusion: the case for integration, and the trade-offs you accept
The architecture you choose determines both the visibility you have and how your team spends its time. Stitched and aggregated platforms can simplify vendor relationships but may leave uncharted gaps between domains. Single‑domain specialists deliver depth but no whole‑environment view. An integrated platform, as described by Malevich, correlates exposures into validated attack paths, factors in controls and identifies fixes that eliminate the most risk with the fewest actions — updating the graph in real time so priority queues reflect current risk.
That is the test the article ultimately sets: unless your exposure management platform can validate exploitability, model your controls and map every viable path to your critical assets, you cannot honestly claim the environment is safer simply because dashboards are green.