
Down the Security Rabbithole Podcast (DtSR), Episode 679 - Wasting Time Patching
Nov 11, 2025. In this discussion, Robert "RSnake" Hansen, a renowned security researcher, critiques traditional vulnerability management. He argues that most patching efforts over the last two decades have been futile, as the majority of reported vulnerabilities never get exploited. Hansen reveals that vendor incentives hinder real change and examines the economic motivations behind attacks. He suggests focusing on monetary risk metrics and reevaluating what truly secures systems, emphasizing that the industry's current approach has inflated costs for defenders without impacting attackers.
Most Reported Vulns Aren't Attacked
- Most vulnerabilities catalogued by vendors are never exploited in the wild.
- Robert "RSnake" Hansen found only hundreds of exploited CVEs versus tens of thousands listed, so lists poorly correlate with real attacker activity.
Vulnerability Feeds Rarely Agree
- Different vulnerability scoring and intel sources show very poor correlation.
- Hansen spent a year aggregating CVSS, EPSS, KEV and ExploitDB data and found that the lists don't overlap meaningfully.
Prioritize By Dollars And Cents
- Translate security findings into dollars to make decisions defensible to CFOs.
- Use cost-to-fix versus potential loss to prioritize fixes and get budget buy-in, Hansen suggests.
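The two ideas above, measuring how little the feeds agree and ranking fixes by dollars rather than by severity score, can be made concrete with a small script. The following is an added example written for this page; it is not code from the podcast or from Hansen's own analysis. All CVE identifiers, probabilities, loss figures and fix costs are constructed placeholders, and the rule that a KEV-listed finding gets its exploit probability floored at 0.5 is an assumption of this example, not something the episode states.

```python
"""Dollar-based prioritisation of vulnerability findings, plus a feed-overlap check.

Added example (not from the podcast or from RSnake's work). Findings are ranked
by expected loss avoided minus cost to fix; feeds are compared by Jaccard
overlap. Every number and identifier below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                  # identifier (constructed placeholder, not a real CVE)
    exploit_prob: float       # assumed yearly probability of exploitation (EPSS-style)
    in_kev: bool              # assumed: appears in a known-exploited catalogue
    loss_if_exploited: float  # assumed dollar loss if the affected asset is compromised
    cost_to_fix: float        # assumed dollar cost to patch or mitigate


def expected_loss(f: Finding, kev_floor: float = 0.5) -> float:
    """Annualised expected loss in dollars.

    A KEV-listed finding is known to be attacked in the wild, so its probability
    is floored at kev_floor (an assumption of this example, not a standard)."""
    p = max(f.exploit_prob, kev_floor) if f.in_kev else f.exploit_prob
    return p * f.loss_if_exploited


def net_benefit(f: Finding) -> float:
    """Dollars saved by fixing: expected loss avoided minus the cost of the fix."""
    return expected_loss(f) - f.cost_to_fix


def prioritize(findings: List[Finding], budget: Optional[float] = None) -> List[Finding]:
    """Return the findings worth fixing (net benefit > 0), highest benefit first.

    With a budget, walk that order and take fixes while they still fit."""
    ranked = sorted((f for f in findings if net_benefit(f) > 0),
                    key=net_benefit, reverse=True)
    if budget is None:
        return ranked
    chosen, spent = [], 0.0
    for f in ranked:
        if spent + f.cost_to_fix <= budget:
            chosen.append(f)
            spent += f.cost_to_fix
    return chosen


def feed_overlap(feeds: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Jaccard overlap (|A & B| / |A | B|) for every pair of feeds; 1.0 = identical."""
    names = sorted(feeds)
    out: Dict[Tuple[str, str], float] = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            union = feeds[a] | feeds[b]
            out[(a, b)] = len(feeds[a] & feeds[b]) / len(union) if union else 0.0
    return out


# Constructed sample findings: placeholder identifiers and invented dollar figures.
SAMPLE = [
    Finding("CVE-0000-0001", 0.02, False, 2_000_000, 50_000),   # rare but catastrophic
    Finding("CVE-0000-0002", 0.90, True,     80_000,  5_000),   # actively exploited, cheap fix
    Finding("CVE-0000-0003", 0.001, False,   30_000, 20_000),   # negligible expected loss
    Finding("CVE-0000-0004", 0.30, False,   500_000, 100_000),  # "critical" on paper, costly fix
]

# Constructed sample feeds: which placeholder IDs each source flags.
SAMPLE_FEEDS = {
    "kev":       {"CVE-0000-0002"},
    "epss_hi":   {"CVE-0000-0002", "CVE-0000-0004"},
    "cvss_crit": {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0004"},
}

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: expected loss ${expected_loss(f):,.0f}, "
              f"fix ${f.cost_to_fix:,.0f}, net ${net_benefit(f):,.0f}")
    for pair, j in feed_overlap(SAMPLE_FEEDS).items():
        print(pair, f"jaccard={j:.2f}")
```

Run as a script it ranks the two findings whose fixes pay for themselves and shows that the three constructed feeds barely agree (the "critical CVSS" list shares nothing with the KEV list). Note that the rare-but-catastrophic finding drops out under a pure expected-value rule; in practice a CFO-facing model would also cap tail risk, which is exactly the kind of judgement the dollar framing makes visible.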

