Frontier AI

The Exposure Gap: How to Close the Distance Between Risk and Response

by Brad Hibbert, COO & CSO//6 min read/

Most security programs are built to find risk. Very few are built to close it. Three structural problems explain that gap, but most programs are designed to address only one of them.

The first problem is visibility. Nobody has a single, complete view of their environment. Scanners see different things, clouds report different things, identity tools flag different things, and none of them speak the same language. You end up defending pieces of your attack surface rather than the whole thing.

The second is vulnerability prioritization. When every scanner returns thousands of critical findings, the word critical stops meaning anything. A low-severity vulnerability sitting on a path to your payment systems is not the same risk as a critical finding on an isolated development server that nobody can reach. Severity scores do not tell you that. Attack path thinking does.

The third is the handoff between the team that finds the problem and the team that fixes it. Security and engineering operate with different tools, different priorities, and different definitions of urgency. The gap between identifying a risk and closing it is where days and weeks disappear, and where most breaches ultimately live.

Fix all three and you have an exposure management program that actually reduces risk. Fix only one and the other two will undermine it.

We covered each of these in depth in our latest research, including a self-guided maturity assessment to show you where your program stands across all three. More on that at the end.

The attack has become smarter, not just faster

Most security programs were built for a world where attackers operated on human timelines. That world is gone.

The average time from vulnerability disclosure to working exploit is now under twenty hours. Before AI it was measured in weeks.

More significant than speed is how modern AI reasons about what it finds. Rather than treating each vulnerability as an isolated finding, it looks for how weaknesses connect. Four low-severity findings, none of which would individually trigger an alert, can be chained into a path that achieves full domain compromise. Severity scores were never designed to capture that relationship, and programs built around them have a blind spot that AI on the attack side is increasingly good at exploiting.

The Verizon 2026 Data Breach Investigations Report, analyzing over twenty-two thousand confirmed breaches, found that vulnerability exploitation is now the single most common initial access vector, the first time in nineteen years of data it has taken the top spot. Only twenty-six percent of known exploited vulnerabilities were fully patched last year, down from thirty-eight percent the year before.

Most breaches are not surprises. They are exposures that were visible in the data and never acted on in time.

The Monday morning test

The Brinqa Research team put together a straightforward test that tells you quickly whether your program is built for the threat that exists today.

Take your ten most critical current exposures. For each one, ask your team one question: if this were exploited right now, what could an attacker actually reach?

If your team can answer that with specificity, you have a risk-based vulnerability management program. You know what you are defending and why it matters.

If the answer is a CVSS score, a scanner output, or an honest admission that the full path is not mapped, you have a visibility problem. Visibility is what you fix first, because every other decision in the program depends on it.

Download the AssessmentDownload the Assessment

Two other things worth building from that conversation:

  1. Remediation does not always mean patch. While a fix is being staged and tested, there are usually actions available right now: restrict access to the affected asset, apply a compensating control, tighten the privilege boundary, isolate it from the rest of the network. Risk reduction does not have to wait for a maintenance window.
  2. Build the program for the speed the threat actually moves at. Periodic assessments were designed for a world where attackers operated on human timelines. AI-powered discovery and chained exploitation do not take quarters off. A program built around continuous ingestion, continuous prioritization, and continuous action is not a luxury. Given where the threat is today, it is the baseline.

Stop counting what you found. Start measuring what you closed.

That is what continuous threat exposure management (CTEM) is actually for; not a framework label, but a program built to operate at the speed the threat moves.

Where does your program stand?

If the Monday morning test raised questions, the next step is a more complete picture. Our research team built a self-guided maturity assessment that scores your program across five dimensions (visibility, prioritization, remediation velocity, verification, and governance) in under ten minutes. It tells you exactly where to focus next.

The full whitepaper covers the complete diagnosis: what the modern attacker playbook looks like, why the remediation handoff is still where most programs lose the most time, and what an exposure management program built for 2026 requires.

Take the assessment and read the whitepaper‌‍​‍​‍‌‍‌​‍‌‍‍‌‌‍‌‌‍‍‌‌‍‍​‍​‍​‍‍​‍​‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌‍‍‌‌‍​‍​‍​‍​​‍​‍‌‍‍​‌​‍‌‍‌‌‌‍‌‍​‍​‍​‍‍​‍​‍‌‍‍​‌‌​‌‌​‌​​‌​​‍‍​‍​‍‌‍​‍‌​‍‌‍‍‌‌‍‍‌​‌‌‍​‌​‍‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‍‌‌‍‍‌‌​‌‍‌‌‌‍‍‌‌​​‍‌‍‌‌‌‍‌​‌‍‍‌‌‌​​‍‌‍‌‌‍‌‍‌​‌‍‌‌​‌‌​​‌​‍‌‍‌‌‌​‌‍‌‌‌‍‍‌‌​‌‍​‌‌‌​‌‍‍‌‌‍‌‍‍​‍‌‍‍‌‌‍‌​​‌‌‍​‌​​​​​‌‍​​​​​‌‌‌‍​‍​‌‍​‍‌‌‍‌‍​​‌‍‌‌​​‍​‍‌​‌​​​​‌‍‌‍​​​‍‌​‍‌​‌‌‍​‌‌‍​‌​‍‌​‌‍​​​​​‌‍​‍​​‍​​‍‌‍‌​​​‌​‌‌‌‍​‌‍​‌‌‍‌‍​‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌​​‌‍‌​‌‌​​‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‍​‍‌‍‌‍‌​‌‍‌​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​‍‌​‌‌‌‍​​​‌‍‌​​‍​​​‍​​​‌‍​‍​​​​​‍​​‌​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‍​‌‍‍​‌‍‍‌‌‍​‌‍‌​‌​‍‌‍‌‌‌‍‍​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​​​‌‍​‌‌‍​‍‌‍‌‌​‌​​​​‌‍‌‌‌‍​‌‍‌‌​‍​‌‍‌‌​​​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‌​‌‍‌‌‌‍​‌‌​​‌‍​‍‌‍​‌‌​‌‍‌‌‌‌‌‌‌​‍‌‍​​‌‌‍‍​‌‌​‌‌​‌​​‌​​‍‌‌​​‌​​‌​‍‌‌​​‍‌​‌‍​‍‌‌​​‍‌​‌‍‌‍​‍‌​‍‌‍‍‌‌‍‍‌​‌‌‍​‌​‍‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‌‍‍‌‌‍‌​​‌‌‍​‌​​​​​‌‍​​​​​‌‌‌‍​‍​‌‍​‍‌‌‍‌‍​​‌‍‌‌​​‍​‍‌​‌​​​​‌‍‌‍​​​‍‌​‍‌​‌‌‍​‌‌‍​‌​‍‌​‌‍​​​​​‌‍​‍​​‍​​‍‌‍‌​​​‌​‌‌‌‍​‌‍​‌‌‍‌‍​‍‌‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌​​‌‍‌​‌‌​​‍‌‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‍​‍‌‍‌‍‌​‌‍‌​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​‍‌​‌‌‌‍​​​‌‍‌​​‍​​​‍​​​‌‍​‍​​​​​‍​​‌​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‍​‌‍‍​‌‍‍‌‌‍​‌‍‌​‌​‍‌‍‌‌‌‍‍​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​​​‌‍​‌‌‍​‍‌‍‌‌​‌​​​​‌‍‌‌‌‍​‌‍‌‌​‍​‌‍‌‌​​​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‌​‌‍‌‌‌‍​‌‌​​‍​Take the assessment and read the whitepaper‌‍​‍​‍‌‍‌​‍‌‍‍‌‌‍‌‌‍‍‌‌‍‍​‍​‍​‍‍​‍​‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌‍‍‌‌‍​‍​‍​‍​​‍​‍‌‍‍​‌​‍‌‍‌‌‌‍‌‍​‍​‍​‍‍​‍​‍‌‍‍​‌‌​‌‌​‌​​‌​​‍‍​‍​‍‌‍​‍‌​‍‌‍‍‌‌‍‍‌​‌‌‍​‌​‍‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‍‌‌‍‍‌‌​‌‍‌‌‌‍‍‌‌​​‍‌‍‌‌‌‍‌​‌‍‍‌‌‌​​‍‌‍‌‌‍‌‍‌​‌‍‌‌​‌‌​​‌​‍‌‍‌‌‌​‌‍‌‌‌‍‍‌‌​‌‍​‌‌‌​‌‍‍‌‌‍‌‍‍​‍‌‍‍‌‌‍‌​​‌‌‍​‌​​​​​‌‍​​​​​‌‌‌‍​‍​‌‍​‍‌‌‍‌‍​​‌‍‌‌​​‍​‍‌​‌​​​​‌‍‌‍​​​‍‌​‍‌​‌‌‍​‌‌‍​‌​‍‌​‌‍​​​​​‌‍​‍​​‍​​‍‌‍‌​​​‌​‌‌‌‍​‌‍​‌‌‍‌‍​‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌​​‌‍‌​‌‌​​‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‍​‍‌‍‌‍‌​‌‍‌​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​‍‌​‌‌‌‍​​​‌‍‌​​‍​​​‍​​​‌‍​‍​​​​​‍​​‌​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‍​‌‍‍​‌‍‍‌‌‍​‌‍‌​‌​‍‌‍‌‌‌‍‍​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​​​‌‍​‌‌‍​‍‌‍‌‌​‌​​​​‌‍‌‌‌‍​‌‍‌‌​‍​‌‍‌‌​​​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‌​‌‍‌‌‌‍​‌‌​​‌‍​‍‌‍​‌‌​‌‍‌‌‌‌‌‌‌​‍‌‍​​‌‌‍‍​‌‌​‌‌​‌​​‌​​‍‌‌​​‌​​‌​‍‌‌​​‍‌​‌‍​‍‌‌​​‍‌​‌‍‌‍​‍‌​‍‌‍‍‌‌‍‍‌​‌‌‍​‌​‍‍‌​‌‍​‌‌‍‍‌‍‍‌‌‌​‌‍‌​‍‍‌​‌‌​‌‌‌‌‍‌​‌‍‍‌‌‍​‍‌‍‌‍‍‌‌‍‌​​‌‌‍​‌​​​​​‌‍​​​​​‌‌‌‍​‍​‌‍​‍‌‌‍‌‍​​‌‍‌‌​​‍​‍‌​‌​​​​‌‍‌‍​​​‍‌​‍‌​‌‌‍​‌‌‍​‌​‍‌​‌‍​​​​​‌‍​‍​​‍​​‍‌‍‌​​​‌​‌‌‌‍​‌‍​‌‌‍‌‍​‍‌‍‌‌​‌‍‌‌​​‌‍‌‌​‌‌​​‌‍‌​‌‌​​‍‌‍‌​​‌‍​‌‌‌​‌‍‍​​‌‌‍​‍‌‍‌‍‌​‌‍‌​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​‍‌​‌‌‌‍​​​‌‍‌​​‍​​​‍​​​‌‍​‍​​​​​‍​​‌​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‍​‌‍‍​‌‍‍‌‌‍​‌‍‌​‌​‍‌‍‌‌‌‍‍​‍‌‌​‌‌‌​​‍‌‌‌‍‍‌‍‌‌‌‍‌​‍‌‌​​‌​‌​​‍‌‌​​‌​‌​​‍‌‌​​‍​​‍​​​‌‍​‌‌‍​‍‌‍‌‌​‌​​​​‌‍‌‌‌‍​‌‍‌‌​‍​‌‍‌‌​​​‍‌‌​​‍​​‍​‍‌‌​‌‌‌​‌​​‍‍‌‌​‌‍‌‌‌‍​‌‌​​‍​

FAQs

B
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
Brad Hibbert brings over 30 years of executive experience in the software industry, with a proven track record of aligning business and technical teams to drive growth and customer success.
See all of Brad's posts

Ready to Unify Your Cyber Risk Lifecycle?

Get a DemoGet a Demo