EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation

Guest:

• Caleb Hoch, Consulting Manager on Security Transformation Team, Mandiant, Google Cloud

Topics:

• How has vulnerability management (VM) evolved beyond basic scanning and reporting, and what are the biggest gaps between modern practices and what organizations are actually doing?
• Why are so many organizations stuck with 1990s VM practices?
• Why mitigation planning is still hard for so many?
• Why do many organizations, including large ones, still rely on unauthenticated scans despite the known importance of authenticated scanning for accurate results?
• What constitutes a "gold standard" vulnerability prioritization process in 2025 that moves beyond CVSS scores to incorporate threat intelligence, asset criticality, and other contextual factors?
• What are the primary human and organizational challenges in vulnerability management, and how can issues like unclear governance, lack of accountability, and fear of system crashes be overcome?
• How is AI impacting vulnerability management, and does the shift to cloud environments fundamentally change VM practices?

Resources:

• EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
• EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar
• EP248 Cloud IR Tabletop Wins: How to Stop Playing Security Theater and Start Practicing
• How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
• Mandiant M Trends 2025
• EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators
• Mandiant Vulnerability Management