We do two very important and timely things in this report. We first explore ways to measure exploitability for individual vulnerabilities—and far more importantly—entire organizations. (more available)

Do exploit code releases help or harm defenders? We decided to put this hotly contested debate to the test. The seventh volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute attacks this debate from all angles. (more available)

This sixth volume of the Prioritization to Prediction series combines vulnerability data from Kenna’s customers with additional intelligence from Fortinet and others. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of over 40 manufacturing sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of approximately 30 healthcare sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of approximately 100 finance sector firms to better understand the means and metrics of vulnerability management with the sector. (more available)

An extension of the Prioritization to Prediction series, this report uses a sample of approximately 70 technology services to better understand the means and metrics of vulnerability management with the sector. (more available)

P2P Volume 5 focuses on the differences between asset types (OS) and how vulnerabilities are treated on different platforms.

This research was commissioned by Kenna Security. Kenna collected and provided the remediation dataset to the Cyentia Institute for independent analysis and drafting of this report. (more available)

From the report, “The Prioritization to Prediction series is an ongoing research initiative between Kenna Security and the Cyentia Institute. The first volume proposed a model for predicting which of the numerous hardware and software vulnerabilities published each month were most likely to be exploited, and thus deserving of priority remediation. (more available)

From the report, ““Realized coverage & efficiency vary greatly among firms—over 50% between top and bottom performers—indicating different remediation strategies lead to very different outcomes. (more available)

From the report, “Business applications are critical business resources for companies of all sizes — and they’re increasingly under attack. To gain deeper insights into the state of application security, Cybersecurity Insiders conducted an in-depth study in partnership with the 400,000 member Information Security Community on LinkedIn. (more available)

This paper begins with a review of data sources available for building or improving decision models for vulnerability remediation. It then discusses the vulnerability lifecycle and examine timelines and triggers surrounding key milestones. (more available)

This is a good report to read if you are interested in learning how to properly, and succesfully, report risks and vulnerabilities to boardmembers and executives. (more available)