From CVE Hunting to Live Management: How Real-Time Exposure Redefines Enterprise Cybersecurity

The cybersecurity landscape is undergoing a radical transformation. Periodic system scans for vulnerabilities are no longer sufficient; attackers move in a matter of hours, and organizations must respond at the same pace. According to CrowdStrike data, 2025 is shaping up to be a record year for reported vulnerabilities: over 21,000 CVEs in the first half, equivalent to 133 new flaws each day. Each of these flaws represents a potential cost for businesses, and the window between detection and remediation has become a critical indicator of resilience.

The problem is not a lack of data, but data overload. Security teams are overwhelmed by alerts without context, while traditional periodic scanning models offer a static snapshot of a constantly changing environment. As Iratxe Vázquez, Senior Product Marketing Manager for Cybersecurity at WatchGuard Technologies, points out, “Between two assessments, new cloud services can be deployed, devices added, privileges modified, or unmanaged assets appear.” In other words, an analysis from a week ago may not reflect the current real exposure.

Automation and AI: Necessary Accelerators, but with Governance

Artificial intelligence and deepfakes are at the center of the debate. Álvaro del Hoyo, Technology Strategist for Southern Europe at CrowdStrike, distinguishes between external attacks (reconnaissance, social engineering) and those that occur within the network. “What used to be a BEC via email can now come through other channels, such as deepfakes that impersonate executives or partners,” he explains. The impact of these attacks is significant and demands an agile response.

But AI is not only a threat; it is also part of the solution. Automation can take over repetitive tasks like triage and patching, as long as it operates within clear controls. Doris Seedorf, CEO of Softtek for Spain, advocates for a “self-adjusting empirical ecosystem” where automation and AI operate under strict rules. “End-to-end automation is the only way to manage today’s complexity,” she states. However, Iratxe Vázquez adds a qualification: “Not all scenarios require the same speed; service stability sometimes demands human review.”

Prioritization: Beyond CVSS

One of the major challenges is prioritizing correctly. The CVSS score describes technical severity, but not the real risk for each organization. Iratxe Vázquez proposes combining four axes: severity, exploitability, exposure level, and business impact. “You need to understand whether the vulnerability is being actively exploited, whether a public exploit exists, whether the asset is accessible from the internet, what privileges it could grant, and what controls surround it,” she details. Sources like the CISA catalog or the EPSS model help, but they must be integrated with internal context.

Doris Seedorf goes a step further: “The conversation at the C-level is no longer about abstract technical metrics, but about economic responsibility and structural stability.” For her, the focus should shift from isolated technical severity to financial and operational impact. This directly connects with the redefinition of business risk that CISOs are undertaking.
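As an added illustration (not from the article or the vendors quoted), the sketch below ranks constructed findings two ways: by CVSS alone and by a score that combines the four axes named above. The weights, field names and finding IDs are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                    # constructed placeholder ID, not a real CVE
    cvss: float                 # severity: base score, 0-10
    epss: float                 # exploitability: EPSS probability, 0-1
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    public_exploit: bool
    internet_facing: bool       # exposure
    compensating_control: bool  # a surrounding control reduces reachability
    business_impact: int        # 1 (low) to 5 (critical), set by the asset owner

def risk_score(f: Finding) -> float:
    """Combine the four axes into a 0-100 score. All weights are assumptions."""
    severity = f.cvss / 10
    if f.in_kev:
        exploitability = 1.0    # confirmed exploitation outranks any estimate
    else:
        exploitability = max(f.epss, 0.5 if f.public_exploit else 0.0)
    exposure = 1.0 if f.internet_facing else 0.4
    if f.compensating_control:
        exposure *= 0.5
    impact = f.business_impact / 5
    return round(100 * severity * (0.3 + 0.7 * exploitability) * exposure * impact, 1)

def rank_by_cvss(findings):
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings):
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

# Constructed sample data for the example.
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, False, False, False, False, 2),  # internal, low value
    Finding("CVE-EXAMPLE-B", 7.5, 0.91, True, True, True, False, 5),     # exploited, exposed, critical
    Finding("CVE-EXAMPLE-C", 8.8, 0.30, False, True, True, True, 4),     # exposed but mitigated
    Finding("CVE-EXAMPLE-D", 5.3, 0.01, False, False, True, False, 1),   # exposed, low value
]

if __name__ == "__main__":
    print("CVSS only:   ", rank_by_cvss(SAMPLE))
    print("With context:", rank_by_context(SAMPLE))
    for f in SAMPLE:
        print(f.cve, risk_score(f))
```

The finding with the highest CVSS score drops to third once exploitation evidence, exposure and business impact are taken into account, while the actively exploited, internet-facing finding on a critical asset moves to the top.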

Visibility: The Achilles' Heel

You cannot protect what you cannot see. Lack of visibility is not always a lack of data, but data scattered across tools that do not communicate. “The challenge is to connect the pieces, understand who is responsible for each asset, and transform data into quick operational decisions,” says Vázquez. Moreover, visibility is no longer limited to inventories; it must include asset behavior: unexpected communications, lateral movements, or anomalous activities. Technologies that analyze relationships between assets, identities, and communications are increasingly important.

Towards the CTEM Model: Continuous Threat Exposure Management

The transition from traditional vulnerability management to models like CTEM (Continuous Threat Exposure Management) is inevitable. Doris Seedorf considers it “irreversible in business strategy.” While the traditional model focused on lists of software flaws, CTEM understands security as a fundamental component of business design. Iratxe Vázquez explains: “Risk no longer depends only on what vulnerability exists, but on how it can be exploited within your specific architecture.” CTEM emphasizes real exposure, attack paths, and continuous validation, expanding vulnerability management with a more dynamic vision.

This paradigm shift aligns with other trends such as the integration of AI, quality, and cybersecurity in software development, or the democratization of AI in mid-sized companies. Real-time vulnerability management is not an option, but a necessity to maintain business resilience.


Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.
