Artificial intelligence is transforming cybersecurity at an unprecedented pace. While defenders are leveraging AI to strengthen security operations, adversaries are using the same technology to identify software vulnerabilities faster than ever before. The result is a dramatic increase in the volume of newly discovered vulnerabilities, creating a challenge that most organisations were already struggling to manage.
Traditional vulnerability management approaches are no longer sufficient. Just as organisations adopted Threat-Informed Defence to better understand and prioritise adversary behaviour, they must now embrace a new mindset for patching and remediation: Vulnerability-Informed Defence.
The Growing Vulnerability Crisis
The rapid acceleration of vulnerability discovery has created what many security teams describe as a “tsunami” of vulnerabilities. Security teams simply cannot patch everything immediately, nor should they attempt to.
As a result, organisations are increasingly adopting risk-based patch prioritisation frameworks. A notable example is the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive (BOD) 26-04, Prioritizing Security Updates Based on Risk. This framework allows agencies to focus remediation efforts on vulnerabilities that present the highest risk while deferring lower-priority updates.
The principle is simple: not all vulnerabilities deserve the same urgency.
What Is Vulnerability-Informed Defence?
A Vulnerability-Informed Defence focuses remediation efforts on vulnerabilities that exhibit the highest likelihood of causing significant organisational harm.
Priority should be given to vulnerabilities that demonstrate the following characteristics:
- Publicly exposed systems or services
- The ability for attackers to fully automate exploitation
- Exploitation that enables Remote Code Execution (RCE) or significant Denial of Service (DoS) impacts
- Evidence of real-world exploitation, such as:
  - Published Proof-of-Concept (PoC) code
  - Inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalogue
  - Active threat intelligence reporting
Using this model, only the highest-risk vulnerabilities require emergency remediation within days. Lower-risk vulnerabilities can be addressed through standard maintenance cycles, allowing organisations to allocate limited resources more effectively.
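To make the model concrete, here is an added worked example (not the author's tooling or any published scheme) that scores findings on the four risk factors just listed and maps each to a remediation tier. The weights, the two thresholds, the asset names and the CVE-style placeholders are all constructed assumptions; the one design choice worth noting is that the "emergency" tier is gated on exposure, so an unexposed finding never jumps the queue no matter how much PoC chatter surrounds it.

```python
"""Triage under the Vulnerability-Informed Defence model.

Added example, not the author's tooling: each finding is scored on the four
risk factors described above (public exposure, automatable exploitation,
RCE/DoS impact, evidence of real-world exploitation) and mapped to a
remediation tier. Weights, thresholds, asset names and the CVE placeholders
are constructed assumptions, not a published scheme.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str            # placeholder identifiers below, not real CVEs
    asset: str
    exposed: bool       # reachable from the internet (or a roaming laptop)
    automatable: bool   # exploit needs no user interaction or per-target tuning
    impact: str         # "rce", "dos" or "other"
    poc_public: bool    # proof-of-concept code has been published
    in_kev: bool        # listed in CISA's KEV catalogue
    intel: bool         # active threat-intelligence reporting


# Assumed weights: exposure and KEV listing dominate; PoC and intel are supporting signals.
WEIGHTS = {"exposed": 3, "automatable": 2, "rce": 3, "dos": 2,
           "poc_public": 1, "in_kev": 3, "intel": 1}
EMERGENCY_AT = 8    # assumption: remediate within days under a pre-approved change
NEXT_CYCLE_AT = 4   # assumption: next scheduled maintenance window


def score(f: Finding) -> int:
    """Additive risk score; the maximum is 13 for an exposed, automatable, KEV-listed RCE."""
    s = 0
    s += WEIGHTS["exposed"] if f.exposed else 0
    s += WEIGHTS["automatable"] if f.automatable else 0
    s += WEIGHTS.get(f.impact, 0)          # "other" contributes nothing
    s += WEIGHTS["poc_public"] if f.poc_public else 0
    s += WEIGHTS["in_kev"] if f.in_kev else 0
    s += WEIGHTS["intel"] if f.intel else 0
    return s


def tier(f: Finding) -> str:
    """Emergency handling is reserved for exposed findings that also score highly."""
    s = score(f)
    if f.exposed and s >= EMERGENCY_AT:
        return "emergency"
    if s >= NEXT_CYCLE_AT:
        return "next-cycle"
    return "standard"


def triage(findings):
    """Return (cve, asset, score, tier) rows, most urgent first."""
    rows = [(f.cve, f.asset, score(f), tier(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed findings for illustration.
SAMPLE = [
    Finding("CVE-0000-0001", "vpn-gateway", True, True, "rce", True, True, True),
    Finding("CVE-0000-0002", "internal-fileserver", False, True, "rce", True, False, False),
    Finding("CVE-0000-0003", "public-web", True, True, "dos", False, False, False),
    Finding("CVE-0000-0004", "office-printer", False, False, "other", False, False, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run as a script it prints the four sample rows in priority order: the exposed, KEV-listed RCE on the VPN gateway lands in the emergency tier, the exposed DoS and the internal RCE fall into the next maintenance cycle, and the printer waits for routine patching.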
Accelerating Response for Critical Vulnerabilities
When a vulnerability scores highly across these risk factors, remediation should begin immediately.
For critical vulnerabilities, organisations should consider pre-approved change management processes where the patch deployment itself does not require extensive approvals. Instead, management intervention should only be required if rollback becomes necessary.
This approach reduces delays during the narrow window between vulnerability disclosure and active exploitation—a period during which many organisations are compromised.
Returning to a Proven Defensive Mindset
In many ways, this approach represents a return to cybersecurity principles from 15 to 20 years ago, before the industry became heavily focused on concepts such as Zero Trust.
Historically, organisations adopted a siege mentality, concentrating their limited resources on keeping attackers outside the castle walls. While modern security architectures remain important, organisations must acknowledge that reducing exposure remains one of the most effective risk reduction strategies available.
Some may point out that this prioritisation model naturally focuses on vulnerabilities located at the network edge. That observation is correct.
For example, if a publicly accessible service is geofenced to only New Zealand and Australian IP addresses, exposure is significantly reduced (from 100% of the world’s IP addresses to 1.7%). While geofencing is not foolproof and can be bypassed, the goal is not to eliminate risk entirely—it is to reduce it.
Effective cybersecurity is about making attacks more difficult, more expensive, and less likely to succeed.
The Forgotten Foundations of Security
Every castle siege story shares a common theme: the defenders are ultimately defeated because of something small they overlooked.
Cybersecurity is no different.
A Vulnerability-Informed Defence must be supported by strong security fundamentals, including:
- Asset Inventory
- Least Privilege
- Network Segmentation
- Identity and Access Management (IAM)
- Backup and Recovery
- Security Monitoring (SIEM/EDR)
- Incident Response
Let’s examine each of these areas.
Asset Inventory
A common security principle states:
You cannot protect what you do not know exists.
Organisations must maintain visibility over:
- Hardware assets
- Software installations
- Firmware versions
- Cloud resources
- Open-source packages and dependencies within code repositories
It is equally important to accurately identify publicly exposed assets.
For example, if a website sits behind a load balancer, reverse proxy, and firewall, all of those components should be considered part of the public attack surface.
Similarly, laptops frequently used on hotel, airport, or public Wi-Fi networks should be treated as externally exposed devices.
Least Privilege
Least Privilege remains one of the most effective security controls available.
The principle is straightforward:
- Remove permissions users do not require.
- Disable services that are not needed.
- Reduce administrative access wherever possible.
Every unnecessary permission creates an additional opportunity for attackers.
Network Segmentation: Beyond VLANs
Many organisations mistakenly believe that VLANs alone provide meaningful security segmentation.
From a cybersecurity perspective, VLANs primarily limit broadcast domains. True segmentation requires Access Control Lists (ACLs) or firewall policies that restrict communication between network segments.
Retrofitting ACLs across an existing network can be challenging, but organisations can still achieve significant risk reduction by focusing on high-value areas such as:
- IoT networks
- Legacy systems
- Operational technology environments
- Service-specific network segments
Older systems often communicate using a limited set of protocols, making them ideal candidates for restrictive ACL policies.
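The difference between "separated" and "filtered" is easiest to see in code. The following added example (not from the article) models a small first-match ACL with an explicit default deny between the segments named above, and evaluates a handful of constructed flows against it next to the VLAN-only case where an unfiltered router simply forwards everything. The segment address ranges, the jump-host address and the allowed ports are assumptions chosen for illustration.

```python
"""Segmentation that filters, not just separates.

Added example, not from the article: a tiny first-match ACL with a default
deny, evaluated against constructed flows alongside the "VLAN only" case.
Segment ranges, the jump-host address and the allowed ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR
    dst: str            # CIDR
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # destination ports; empty means any port
    action: str         # "allow" or "deny"


# Constructed segments.
SEGMENTS = {
    "users":   "10.10.0.0/16",
    "servers": "10.20.0.0/16",
    "legacy":  "10.30.0.0/24",   # old systems that only ever speak a couple of protocols
    "iot":     "10.40.0.0/24",
}

# Ordered; first match wins; the last rule is the explicit default deny.
ACL = [
    Rule(SEGMENTS["users"],   SEGMENTS["servers"], "tcp", frozenset({443}),  "allow"),
    Rule(SEGMENTS["servers"], SEGMENTS["legacy"],  "tcp", frozenset({1433}), "allow"),  # app tier to legacy DB
    Rule("10.20.0.10/32",     SEGMENTS["legacy"],  "tcp", frozenset({22}),   "allow"),  # jump host only
    Rule("0.0.0.0/0",         "0.0.0.0/0",         "any", frozenset(),       "deny"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports))


def evaluate(acl, src, dst, proto, dport) -> str:
    """First-match evaluation; a list with no catch-all still denies implicitly."""
    for rule in acl:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def vlan_only(src, dst, proto, dport) -> str:
    """Separate VLANs with an unfiltered router between them: everything is forwarded."""
    return "allow"


# Constructed flows.
FLOWS = [
    ("10.10.5.5",  "10.20.1.1", "tcp", 443),   # user -> server HTTPS
    ("10.10.5.5",  "10.30.0.7", "tcp", 22),    # user -> legacy SSH
    ("10.20.0.10", "10.30.0.7", "tcp", 22),    # jump host -> legacy SSH
    ("10.40.0.3",  "10.20.1.1", "tcp", 445),   # IoT -> server SMB
    ("10.20.1.1",  "10.30.0.7", "tcp", 1433),  # app -> legacy DB
]


def compare(flows=FLOWS):
    """(flow, verdict with VLANs only, verdict with the ACL) for each flow."""
    return [(f, vlan_only(*f), evaluate(ACL, *f)) for f in flows]


if __name__ == "__main__":
    for flow, plain, filtered in compare():
        print(f"{flow}: vlan-only={plain} acl={filtered}")
```

The point the output makes is that the VLAN-only column says "allow" for every flow, including the IoT device reaching SMB on a server and a user workstation reaching SSH on a legacy host; only the ACL column distinguishes the two sanctioned paths into the legacy segment from everything else.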
Identity and Access Management
Identity remains a primary target for attackers.
Particular attention should be paid to service accounts, which often:
- Possess excessive privileges
- Have outdated passwords (as they were set 15 years ago)
- Lack modern security controls
- Operate with little visibility, and sysadmins leave them alone because no one knows what they do
Key IAM improvements include:
- Restricting where service accounts can log in from
- Reviewing group memberships regularly
- Removing unused groups
- Avoiding unnecessary nested groups
- Deleting disabled accounts rather than simply moving them to disabled organisational units
- Assigning managers to all user accounts
- Applying expiry dates to contractor accounts
Proper identity hygiene significantly reduces attack paths within an environment.
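Most of the service-account and group-hygiene points above can be turned into an audit that runs against a directory export. The following added example (not the author's tooling) does that against a small in-memory snapshot: it flags service accounts with old passwords, no logon-host restriction or direct privileged membership, users without a manager, contractors without an expiry, disabled accounts that were parked instead of deleted, empty groups and groups nested deeper than a limit. The field names loosely mimic an AD/LDAP dump, and the accounts, groups, reference date and thresholds are all constructed assumptions.

```python
"""Identity-hygiene audit over a constructed directory snapshot.

Added example, not the author's tooling: applies the service-account and group
checks listed above to an in-memory export. Field names loosely mimic an
AD/LDAP dump; the accounts, groups, reference date and thresholds are assumptions.
"""
from datetime import date

TODAY = date(2025, 6, 1)    # fixed so the result is reproducible
MAX_PWD_AGE_DAYS = 365      # assumed service-account password age limit
MAX_NESTING = 1             # assumed maximum group-in-group depth
PRIVILEGED = {"Domain Admins"}

ACCOUNTS = [
    {"sam": "svc_backup",  "kind": "service",    "enabled": True,  "pwd_set": date(2010, 3, 1),
     "manager": None,       "expires": None,             "logon_hosts": None},
    {"sam": "svc_web",     "kind": "service",    "enabled": True,  "pwd_set": date(2025, 1, 15),
     "manager": "ops-lead", "expires": None,             "logon_hosts": ["WEB01"]},
    {"sam": "jsmith",      "kind": "user",       "enabled": True,  "pwd_set": date(2025, 4, 1),
     "manager": None,       "expires": None,             "logon_hosts": None},
    {"sam": "contractor1", "kind": "contractor", "enabled": True,  "pwd_set": date(2025, 5, 1),
     "manager": "pm-x",     "expires": None,             "logon_hosts": None},
    {"sam": "oldtemp",     "kind": "user",       "enabled": False, "pwd_set": date(2018, 1, 1),
     "manager": "nobody",   "expires": date(2019, 1, 1), "logon_hosts": None},
]

# group -> direct members (users or other groups)
GROUPS = {
    "Domain Admins":    ["svc_backup", "Tier0-Ops"],
    "Tier0-Ops":        ["Infra-Leads"],
    "Infra-Leads":      ["jsmith"],
    "Legacy-App-Users": [],
}


def nesting_depth(group, groups, seen=()):
    """Levels of group-in-group membership below `group`; cycle safe."""
    if group in seen:
        return 0
    children = [m for m in groups.get(group, []) if m in groups]
    if not children:
        return 0
    return 1 + max(nesting_depth(c, groups, seen + (group,)) for c in children)


def audit(accounts, groups, today=TODAY):
    """Return (object, reason) pairs for every hygiene problem found."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            findings.append((a["sam"], "disabled account still present; delete rather than park it"))
            continue
        if a["kind"] == "service":
            if (today - a["pwd_set"]).days > MAX_PWD_AGE_DAYS:
                findings.append((a["sam"], "service-account password older than policy"))
            if not a["logon_hosts"]:
                findings.append((a["sam"], "service account not restricted to specific logon hosts"))
            for g in PRIVILEGED:
                if a["sam"] in groups.get(g, []):
                    findings.append((a["sam"], f"service account is a direct member of {g}"))
        if a["kind"] == "contractor" and a["expires"] is None:
            findings.append((a["sam"], "contractor account without expiry date"))
        if a["manager"] is None:
            findings.append((a["sam"], "no manager assigned"))
    for g, members in groups.items():
        if not members:
            findings.append((g, "empty group; remove it"))
        else:
            depth = nesting_depth(g, groups)
            if depth > MAX_NESTING:
                findings.append((g, f"group nesting {depth} levels deep"))
    return findings


if __name__ == "__main__":
    for who, why in audit(ACCOUNTS, GROUPS):
        print(f"{who}: {why}")
```

On the sample data the well-kept `svc_web` produces nothing, while `svc_backup` alone produces four findings, which is the usual shape of the result in practice: a small number of forgotten service accounts carry most of the risk.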
Backup and Recovery
Backups remain one of the simplest yet most critical security controls.
Organisations should ensure:
- Systems are regularly backed up
- Backup repositories are protected from attackers
- Recovery procedures are tested regularly
Creating backups is easy.
Restoring them successfully during a crisis is what matters.
As many system administrators know, no one loses sleep while a backup is running—but everyone does during a critical restore request.
SIEM and EDR Detection Capabilities
Prevention will eventually fail. Detection must be ready when it does.
Every organisation should implement basic monitoring for events such as:
- Interactive logins by service accounts
- Administrator RDP sessions between servers
- Brute-force authentication attempts
- Impossible travel or overseas logins
- Downloads of known malicious files (such as EICAR test files)
Once these detections are in place, organisations should perform regular purple-team exercises to validate that monitoring controls work as expected.
Only after foundational detections are operating effectively should teams focus on more advanced use cases.
Incident Response: The Ultimate Safety Net
No security programme is complete without a well-practised incident response capability.
Organisations should:
- Maintain a documented incident response plan
- Conduct regular tabletop and technical exercises
- Maintain current contact information for key staff and vendors
- Predefine containment actions for common scenarios
Examples include:
- Isolating a single endpoint
- Disabling multiple systems simultaneously
- Disconnecting a branch office or WAN site
- Performing large-scale password resets
Most importantly, organisations must understand how they will verify that an attacker has been completely removed from the environment.
Business pressure often drives rapid restoration efforts, but restoring systems before eradication is complete frequently leads to repeated compromise.
Conclusion
The cybersecurity landscape has fundamentally changed. AI-driven vulnerability discovery is increasing the volume and speed of security disclosures beyond what most organisations can realistically manage.
Attempting to patch everything immediately is no longer a sustainable strategy.
A Vulnerability-Informed Defence provides a practical framework for focusing resources where they matter most: vulnerabilities that are exposed, exploitable, impactful, and actively being used by adversaries.
Combined with strong security fundamentals—including asset management, least privilege, network segmentation, identity controls, monitoring, backups, and incident response—this approach allows organisations to reduce risk more effectively and build resilience against modern threats.
In a world where vulnerabilities are discovered faster than ever, success will belong to organisations that prioritise intelligently rather than simply patching endlessly.