From 8 000 “Criticals” to Fewer Than 200: Five Years of Pathway-Aware Risk Prioritisation in Enterprise Vulnerability Management
Authors
Nsiangani, Kibavuidi
Ipoli, Christian
Publisher
CEMA-USK
Abstract
Security operations teams are overwhelmed by alerts and routinely wrestle with backlogs of several thousand “critical” vulnerabilities, yet still experience serious incidents and rising analyst burnout. During the first years of the COVID-19 pandemic this became particularly visible: attack surfaces expanded overnight through remote access, while staffing levels and attention were under pressure.

This article describes five years of experience with a pathway-oriented, open-standard risk prioritisation model deployed in several Tier-1 European organisations in the financial and automotive sectors. Instead of relying primarily on scanner-provided severity (for example CVSS-based critical/high/medium/low buckets), the model ranks issues according to their role in concrete attacker pathways: how they enable entry, lateral movement and impact on critical assets.

Our research offers three main contributions. First, we detail a natural experiment during the first COVID-19 wave in which an automotive finance subsidiary, running on shared infrastructure, reduced over 6,000 scanner-critical items on its remote-access estate to zero pathway-critical issues in under six months. This occurred despite increased remote-work exposure and attack volume, and without a successful compromise, whereas branches on the same infrastructure that kept traditional CVSS prioritisation suffered incidents. Second, we generalise this result, showing that five large organisations reduced their top-priority items by over 90% (from ~8,000 to <200) without compromising security outcomes. Third, these reductions were achieved within formal governance frameworks (documented plans and architectures) that have since been formalised into open, vendor-neutral standards now being reused in Europe and African/EMEA markets.
Citation
Nsiangani, K; Ipoli, C; in RAEST – Journal d'élite de la Recherche Epistemologique, Scientifique Transdisciplinaire, CEMA-USK, 2025
Creative Commons license
Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivs 3.0 United States
