Qualys data shows vulnerability backlog widening sharply
Wed, 20th May 2026
Qualys has contributed vulnerability remediation analysis to Verizon's 2026 Data Breach Investigations Report, covering more than one billion anonymised records linked to CISA's Known Exploited Vulnerabilities catalogue.
The data spans four consecutive reporting cycles and examines how long vulnerability instances remain open after a flaw is added to the US government's list of known exploited vulnerabilities. Researchers describe it as a survival analysis of remediation, measuring exposure over time rather than relying on year-end closure figures.
The figures show that KEV vulnerability instances increased 7.7-fold over four years, rising to 527.3 million from 68.7 million. Median detection-to-closure remained steady at nine days, suggesting remediation teams did not slow even as case volumes rose sharply.
The latest cycle reversed gains seen the previous year. By day 28 after a vulnerability was added to the KEV catalogue, 35% of instances were still open, up from 27% in the prior cycle.
That left an open backlog of 184 million instances at the 28-day mark, compared with 31 million previously. By the end of the year-long observation window, 9% remained open, equating to about 47 million vulnerability instances with no near-term path to closure under current operating models.
Backlog pressure
The findings point to a widening gap between the number of exploited vulnerabilities requiring attention and the volume organisations can address through existing patching processes. Rather than a decline in discipline, the data suggests a scale problem driven by workload growth.
Saeed Abbasi, Senior Manager, Threat Research Unit, Qualys, said: "The DBIR described the picture our data painted in plain terms: a treadmill picking up speed. Defenders are running harder than ever, and still falling behind."
The analysis also examined proactive remediation, in which organisations fix vulnerabilities before CISA formally adds them to the KEV list. In absolute terms, that activity increased, with defenders patching 63.7 million vulnerability instances before KEV listing in the latest cycle, up 30% year on year.
Even so, the proactive remediation rate fell to 12.1% from 16.6% because overall KEV-linked workload grew faster. Total KEV-linked workload rose 78% over the same period, from 295.8 million to 527.3 million instances.
A minority of organisations consistently outperformed the broader trend by acting before formal KEV listing. Those organisations used risk-based prioritisation, threat context and scoring systems to move likely exploitable vulnerabilities into remediation workflows earlier.
Metric limits
The research argues that conventional patching metrics no longer capture the full extent of business exposure because they do not show how long vulnerabilities remain open while exploitation risk is active. By contrast, a survival-curve approach is intended to show how exposure persists during the first weeks after listing and across the long tail of unresolved cases.
In the latest reporting cycle, more than a third of KEV instances remained open after four weeks. The figures suggest meaningful exposure continues well beyond the timeframes many organisations use to assess patch performance.
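As an added illustration of the survival-curve measure described above (this is not code from Qualys, Verizon or the DBIR), the Python below applies it to a small constructed sample of KEV instances, returning the share still open at each milestone, the median detection-to-closure and the proactive remediation rate; counting only instances still open at listing as the survival denominator is an assumption.

```python
from datetime import date
from statistics import median
from typing import NamedTuple, Optional

WINDOW_DAYS = 365  # year-long observation window after KEV listing

class Instance(NamedTuple):
    """One vulnerability instance on one asset (constructed sample, not real data)."""
    listed: date            # day the CVE entered the KEV catalogue
    detected: date          # day the scanner first reported the instance
    closed: Optional[date]  # remediation date, or None if still open at window end

def listed_cohort(records):
    """Instances still open on the day the CVE was KEV-listed (assumed denominator)."""
    return [r for r in records if r.closed is None or r.closed >= r.listed]

def still_open_share(records, day):
    """Survival estimate: fraction of the cohort not closed by `day` days after listing;
    instances still open at window end are right-censored and stay in the open set."""
    cohort = listed_cohort(records)
    still_open = [r for r in cohort if r.closed is None or (r.closed - r.listed).days > day]
    return len(still_open) / len(cohort) if cohort else 0.0

def survival_curve(records, days=(7, 14, 28, 90, WINDOW_DAYS)):
    """Share still open at each milestone, e.g. the day-28 and day-365 figures."""
    return {d: round(still_open_share(records, d), 3) for d in days}

def median_detection_to_closure(records):
    """Median days from detection to closure, over closed instances only."""
    spans = [(r.closed - r.detected).days for r in records if r.closed is not None]
    return median(spans) if spans else None

def proactive_rate(records):
    """Share of all KEV-linked instances fixed before the CVE was KEV-listed."""
    early = [r for r in records if r.closed is not None and r.closed < r.listed]
    return len(early) / len(records) if records else 0.0

L = date(2025, 3, 1)
RECORDS = [  # constructed sample: one CVE listed on 2025-03-01, ten instances across assets
    Instance(L, date(2025, 2, 20), date(2025, 2, 27)),  # fixed before listing
    Instance(L, date(2025, 2, 25), date(2025, 2, 28)),  # fixed before listing
    Instance(L, date(2025, 3, 1), date(2025, 3, 10)),   # closed day 9
    Instance(L, date(2025, 3, 2), date(2025, 3, 11)),   # closed day 10
    Instance(L, date(2025, 3, 1), date(2025, 3, 10)),   # closed day 9
    Instance(L, date(2025, 3, 3), date(2025, 3, 29)),   # closed on day 28, counts as closed
    Instance(L, date(2025, 3, 5), date(2025, 4, 10)),   # closed day 40
    Instance(L, date(2025, 3, 1), date(2025, 6, 1)),    # closed day 92, long tail
    Instance(L, date(2025, 3, 2), None),                # still open at window end
    Instance(L, date(2025, 3, 10), None),               # still open at window end
]
```

On this sample half the listed cohort is still open at day 28 and a quarter at window end, while the median detection-to-closure is nine days and two of ten instances were fixed proactively.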
Abbasi said: "The 2025 DBIR, based primarily on data from 2024, was the high water mark. At every milestone in the survival chart, organizations were remediating faster than they ever had before, showing improvements from 2022 to 2023 and from 2023 to 2024. Then 2025 happened. The curve shifted back to 2023 levels, with 35% still open at Day 28 (up from 27% in 2024), and the long tail hardened at 9%. That 9% translates to roughly 47 million vulnerability instances with no near-term path to closure under current operating models."
He added that defender effort had not fallen even as outcomes worsened under the weight of higher volumes. "Defender effort did not regress. Median detection-to-closure held steady at 9 days. Organisations closed more vulnerabilities in absolute terms than in any prior year. The engine did not slow. The load grew."
The findings challenge a long-standing assumption in vulnerability management that faster manual remediation can keep pace with attackers. The analysis concludes that additional staffing, tools or process changes may not be enough to close what it describes as a structural gap.
Abbasi said: "For more than a decade, the operating thesis of vulnerability management has been that faster manual remediation could outrun the attacker. The four-year survival analysis retires that thesis. The remediation engine is running at the same RPM. The load has increased nearly eightfold. No incremental investment in staffing, tooling, or process closes a structural gap of this shape."
He said the dataset pointed to a hard limit for remediation models built around human triage, change windows and approval gates. "More than one billion records, four reporting cycles, and three years of additional tooling and mandate pressure have not moved that limit."