
Why a pure vulnerability assessment and CVSS evaluation is no longer sufficient


In the past, the classic vulnerability assessment (VA) was considered one of the most important methods for evaluating a company's IT security. In combination with the Common Vulnerability Scoring System (CVSS), vulnerabilities could be identified and prioritized. But in today's threat landscape, this method is no longer sufficient.

Attackers are increasingly using sophisticated techniques, and a purely technical assessment approach falls short. Modern cyberattacks not only exploit software vulnerabilities, but also misconfigurations, third-party attack vectors, and human error. This article explains why companies need to go beyond traditional VA methods and what modern security strategies are necessary.



The Limits of Vulnerability Assessment and CVSS

The focus on known vulnerabilities

A classic vulnerability assessment is based on a database of known vulnerabilities (e.g. CVE databases). However, attackers not only exploit these documented gaps, but also:


  • Zero-day exploits: vulnerabilities that have not yet been disclosed or patched.

  • Configuration errors: incorrect or insecure system settings that do not have a CVE.

  • Third-party attack vectors: suppliers and service providers with unsecured systems.

  • Social engineering: manipulating employees to steal login credentials.


A pure VA cannot adequately cover these risks.



CVSS assessment as an insufficient risk factor

The CVSS system rates vulnerabilities on a scale of 0 to 10, but there are significant weaknesses:

  • No consideration of real-world attack conditions: a CVSS 9.8 vulnerability may be irrelevant in practice, while a CVSS 4.0 vulnerability can be critical.

  • No contextual assessment: a CVSS base score does not take into account whether a company is actually affected by a vulnerability.

  • Lack of prioritization by threat model: CVSS focuses on technical severity, not on actual exploitability in the current environment.
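The two weaknesses above, and the configuration errors without a CVE mentioned earlier, are easiest to see in a small prioritization routine. The following is an added example written for this article, not code from the original post: it combines the CVSS base score with environmental context (internet exposure, whether the vulnerable component is actually in use, reported exploitation, asset criticality) and ranks findings accordingly. All weights and the sample findings are constructed for illustration, and the CVE and configuration ids are placeholders, not real identifiers.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    """One finding from a scanner, a configuration audit or a threat-intel feed."""
    ident: str                # CVE id, or an internal id for a misconfiguration without a CVE
    asset: str
    cvss: Optional[float]     # CVSS base score; None when no CVE exists
    internet_facing: bool     # reachable from outside the perimeter
    component_in_use: bool    # the vulnerable component/feature is actually deployed and enabled
    exploited_in_wild: bool   # threat intelligence reports active exploitation (assumed input)
    asset_criticality: int    # 1 = low, 2 = normal, 3 = business critical


# Weights are assumptions chosen for illustration, not values from any standard.
EXPOSURE_BONUS = 2.0
EXPLOITED_BONUS = 3.0
NO_CVE_BASELINE = 5.0


def contextual_priority(f: Finding) -> float:
    """Combine CVSS base severity with environmental context into a 0..10 priority.

    A finding whose vulnerable component is not in use scores 0: the organization
    is not actually affected, however high the CVSS base score is.
    """
    if not f.component_in_use:
        return 0.0
    # Misconfigurations have no CVSS score; start them at an assumed mid-range baseline.
    score = f.cvss if f.cvss is not None else NO_CVE_BASELINE
    # Exposure: reachable from the internet raises priority, internal-only lowers it.
    score += EXPOSURE_BONUS if f.internet_facing else -EXPOSURE_BONUS
    # Threat intelligence: active exploitation outweighs theoretical severity.
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    # Business context: -1, 0 or +1 depending on how critical the asset is.
    score += float(f.asset_criticality - 2)
    return max(0.0, min(10.0, score))


def rank_findings(findings: List[Finding]) -> List[str]:
    """Return finding ids ordered by contextual priority, highest first."""
    return [f.ident for f in sorted(findings, key=contextual_priority, reverse=True)]


# Constructed sample findings; the ids are placeholders, not real CVE numbers.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "build-server", 9.8, False, False, False, 1),  # module not even enabled
    Finding("CVE-PLACEHOLDER-2", "file-server", 9.8, False, True, False, 1),    # internal, no known exploitation
    Finding("CVE-PLACEHOLDER-3", "vpn-gateway", 4.0, True, True, True, 3),      # low CVSS, but exposed and exploited
    Finding("CFG-PLACEHOLDER-1", "web-portal", None, True, True, False, 3),     # misconfiguration with no CVE at all
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=contextual_priority, reverse=True):
        print(f"{f.ident:18} cvss={f.cvss!s:5} priority={contextual_priority(f):.1f}")
```

Run as a script, the CVSS 4.0 finding on the exposed, actively exploited gateway ranks first, the CVE-less misconfiguration second, and the two CVSS 9.8 findings last, with the one whose component is not in use scoring zero. A pure CVSS sort would have produced the opposite order.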



Lack of consideration of exploitability and attacker tactics

Not every theoretical vulnerability is exploited in practice. A modern attacker combines:

  • Living off the Land Binaries (LOLBins): abuse of legitimate system tools for attacks.

  • Initial Access Brokers (IABs): criminals who sell access credentials for corporate networks.

  • Advanced Persistent Threats (APTs): long-term, targeted attacks that a standard VA does not detect.



Modern security approaches as a supplement

Threat Intelligence & Context Analysis

Instead of just looking at CVSS scores, organizations should consider threat data from multiple sources:

  • Dark Web Monitoring: observation of cybercriminals trading corporate data or exploits.

  • Attack Surface Management (ASM): identification and monitoring of the external attack surface.

  • Threat Intelligence Feeds: analysis of current attack patterns to derive prioritized protection measures.


Red Teaming & Breach Simulations

While a VA only lists vulnerabilities, a red teaming approach goes further:

  • Simulated attacks test how real threats behave against a company.

  • Breach and Attack Simulation (BAS) checks whether security measures are actually effective.

  • Purple Teaming combines offense and defense to expose weaknesses in the defense.


Zero Trust & Adaptive Security

Traditional security models rely on perimeter protection. Modern companies need:

  • Zero Trust Architecture (ZTA): no system, user or device is automatically trusted.

  • Adaptive Security: security measures are dynamically adapted to the threat situation.

  • Continuous Threat Exposure Management (CTEM): continuous review and adaptation of protective measures.



Conclusion: A paradigm shift is necessary

A pure vulnerability assessment with CVSS rating is no longer sufficient to effectively combat modern threats. Companies must:


  • Include contextual threat analysis.

  • Consider attack vectors outside of classic CVEs.

  • Conduct simulated attacks to uncover real vulnerabilities.

  • Implement modern security strategies such as Zero Trust and Adaptive Security.


A comprehensive, proactive approach is key to staying one step ahead of cybercriminals. Those who continue to rely solely on CVSS and classic vulnerability assessments run the risk of missing the next major security vulnerability.

