Grappling with a Post-CVE World


            Navigating Security Beyond Disclosure: Resilience, Response, and the Future of Cyber Defense

            By Tod Beardsley, VP Security Research, runZero



            When  most  people  think  of  vulnerability  management,  they  immediately  think  of  the  Common
            Vulnerabilities  and  Exposures  (CVE™)  program.  For  over  a  quarter  century,  CVE  identifiers  have
            become synonymous with tracking the enterprise’s cybersecurity stance, forming a foundational pillar of
            security programs worldwide.

            However, earlier this year, this fundamental bedrock of cybersecurity was shaken when MITRE’s National
            Security federally-funded research and development center (FFRDC) nearly lost the contract funding
            from the US Department of Homeland Security. A last hour intervention from the Cybersecurity and
            Infrastructure Security Agency (CISA) averted the worst-case scenario of shutting down CVE, but this
            crisis was a wake-up call for the cybersecurity industry.

            While the CVE Program’s continued operation remains critical to global cybersecurity efforts, and its
            closure would be a significant hit to tracking known vulnerabilities, we really need to come to terms with
            the fact that not all hacker tactics are described as CVEs. In fact, according to the 2025 Verizon DBIR,
            only about 20% of reported incidents can be traced to an exploited vulnerability for initial access.








            Cyber Defense eMagazine – September 2025 Edition                                                                                                                                                                                                          216
            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.