

EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar
Oct 6, 2025
Sumedh Thakar, the President and CEO of Qualys, shares his extensive insights on the evolution of vulnerability management over the past 25 years. He discusses the need for prioritization beyond just CVSS scores, emphasizing the value of threat intelligence and business context in decision-making. Thakar highlights the transformative role of cloud in streamlining remediation and introduces the Risk Operations Center concept, which integrates data for informed prioritization. He also touches on practical AI applications, mitigating risks beyond patching, and the importance of communicating cyber risks to boards.
AI Snips
Volume And Speed Are The New Reality
- Vulnerability management remains essential because exploit-driven breaches are rising fast.
- There are far more CVEs, and attackers exploit them much faster than before.
Treat VM As A Financial Risk Decision
- Security is a business risk problem where budgets limit what you can fix.
- You must prioritize fixes to get the biggest risk reduction per dollar spent.
CVSS Alone Doesn’t Cut It
- Old prioritization methods like CVSS-only ranking no longer scale.
- Prioritization must include exploitability and business context to be effective.