Margin of Safety #21: A Shift in Vulnerability Management
Vuln management is shifting from prioritizing alerts to automated remediation, and we’ve identified some emerging leaders
For much of the last two decades, vulnerability management has centered on asset discovery and risk identification. Tools such as Tenable, Qualys (disclaimer: a previous Forgepoint investment), and Rapid7 built their value on scanning infrastructure and flagging exposures. The challenge now facing security teams is not a lack of visibility, but rather the volume and volatility of the output.
As enterprise environments have expanded across cloud workloads, endpoints, and third-party services, the volume of identified vulnerabilities has risen substantially. It is no longer uncommon for teams to confront tens of thousands of alerts, many of which are low priority or false positives. The rate of newly disclosed CVEs continues to grow annually, while the time between disclosure and exploit is contracting. This combination has strained security operations, often leading to inaction or delayed responses.
In response, a cohort of startups has emerged focused on prioritization and contextualization. These platforms attempt to separate signal from noise by layering business context and exploitability metrics atop raw scanner data. This represents progress, but the broader market is beginning to recognize its limits. Ranking problems is not the same as resolving them.
The next phase of innovation in vulnerability management will be defined by remediation. Emerging platforms are leveraging large language models to process scanner findings, interpret contextual signals, and initiate patching actions. The aspiration is to automate not just detection and triage, but resolution itself.
Micropatching—the application of narrowly scoped, targeted fixes—offers a promising path forward. If effective, it could reduce the need for extensive prioritization pipelines altogether. Fixing issues as they arise, even those deemed low-risk, could materially reduce enterprise exposure over time.
That said, automation in this context raises legitimate governance concerns. Security leaders are unlikely to grant unrestricted write access to production environments. Buy-in from both CISOs and CIOs will depend on transparency, auditability, and most importantly of all, correctness (read our previous post, “Battle of the CISO vs CIO”). Trust, in this case, must be earned before automation can be deployed at scale.
Consequently, human-in-the-loop design is likely to remain a necessary feature. Platforms must be able to demonstrate how they arrived at a remediation decision, what changes are being proposed, why those changes are safe, and how they can be rolled back if necessary. Execution must be explainable, observable, and ideally reversible.
We’re particularly excited about companies that treat testing as a foundational capability: those that enable safe rollouts and strong test coverage. Whether a change is safe is often only knowable empirically, by executing it. That’s why we believe the future of remediation will involve two principles in tandem: (1) making small, incremental changes through micropatching, and (2) validating those changes with robust, test-driven rollouts. A remediation platform is only as good as its ability to ensure nothing breaks silently.
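To make the human-in-the-loop shape described above concrete, here is a minimal remediation step written for this post as an added example; it is not code from Forgepoint or from any of the companies mentioned. It takes a scanner finding, proposes a one-line dependency bump, records the rationale and rollback path before anything is applied, requires explicit approval, and keeps the change only if a validation step passes. The manifest, the findings and the `KNOWN_GOOD` table (which stands in for a real test suite or canary rollout) are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed: str
    reason: str  # free text from the scanner; constructed in this example


@dataclass
class Plan:
    """What a reviewer sees before anything is applied."""
    finding: Finding
    before: str        # manifest as it is now
    after: str         # manifest as it would be after the change
    rationale: str     # why the change is proposed and what its scope is
    approved: bool = False  # the human-in-the-loop gate


@dataclass
class Outcome:
    status: str        # "rejected", "noop", "applied" or "rolled_back"
    content: str       # manifest content in effect after this step
    log: list[str] = field(default_factory=list)  # audit trail


def propose(manifest: str, finding: Finding) -> Plan:
    """Build a change that touches exactly one pinned dependency, nothing else."""
    pattern = re.compile(
        rf"^{re.escape(finding.package)}=={re.escape(finding.installed)}[ \t]*$",
        re.MULTILINE,
    )
    after, changed = pattern.subn(f"{finding.package}=={finding.fixed}", manifest, count=1)
    rationale = (
        f"Bump {finding.package} {finding.installed} -> {finding.fixed} ({finding.reason}). "
        f"Scope: {changed} line(s) changed; rollback restores the previous pin."
    )
    return Plan(finding=finding, before=manifest, after=after, rationale=rationale)


def apply_with_validation(plan: Plan, validate: Callable[[str], bool]) -> Outcome:
    """Apply only if approved; keep the change only if validation passes."""
    log = [f"plan: {plan.rationale}"]
    if not plan.approved:
        log.append("rejected: plan was not approved by a reviewer")
        return Outcome("rejected", plan.before, log)
    if plan.after == plan.before:
        log.append("noop: pinned version not found, nothing to change")
        return Outcome("noop", plan.before, log)
    log.append("candidate change applied, running validation")
    if validate(plan.after):
        log.append("validation passed: change kept")
        return Outcome("applied", plan.after, log)
    log.append("validation failed: rolled back to previous manifest")
    return Outcome("rolled_back", plan.before, log)


# Constructed stand-in for a real test suite or canary deployment: a table of
# versions "known to pass". Any pin outside it counts as a failing test run.
KNOWN_GOOD = {
    "requests": {"2.25.1"},
    "urllib3": {"1.26.4", "1.26.18"},
    "pyyaml": {"5.3"},
}


def simulated_test_suite(manifest: str) -> bool:
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        package, _, version = line.partition("==")
        if version not in KNOWN_GOOD.get(package, set()):
            return False
    return True


SAMPLE_MANIFEST = """\
# constructed sample requirements file
requests==2.25.1
urllib3==1.26.4
pyyaml==5.3
"""


def run_demo() -> dict[str, Outcome]:
    """Three scenarios: approved and safe, approved but breaks tests, never approved."""
    safe = Finding("urllib3", "1.26.4", "1.26.18", "constructed advisory, not a real CVE")
    risky = Finding("pyyaml", "5.3", "6.0", "constructed advisory, not a real CVE")
    results: dict[str, Outcome] = {}
    plan = propose(SAMPLE_MANIFEST, safe)
    plan.approved = True
    results["safe"] = apply_with_validation(plan, simulated_test_suite)
    plan = propose(SAMPLE_MANIFEST, risky)
    plan.approved = True
    results["risky"] = apply_with_validation(plan, simulated_test_suite)
    results["unapproved"] = apply_with_validation(propose(SAMPLE_MANIFEST, safe), simulated_test_suite)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"[{name}] {outcome.status}")
        for entry in outcome.log:
            print("   ", entry)
```

The point of the structure is that every one of the properties the paragraph asks for maps to a return value a reviewer or an audit system can inspect: the `Plan` carries the proposed diff and its rationale before execution, the `approved` flag is the gate, `validate` is whatever test-driven rollout the platform can run, and a failed validation leaves the previous content in effect rather than a half-applied change.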
While agentic remediation platforms are not yet mature, the direction is clear. The focus is shifting from surfacing problems to resolving them—quietly and reliably. Companies working in this area include Cogent, Maze, Zafran, Staris, Asterisk, and Specular, each approaching the problem with a different set of assumptions, but aligned in the view that vulnerability management must evolve beyond detection.
Reach out to us if you are building in this space. We have some thoughts!
Kathryn Shih – kshih@forgepointcap.com
Jimmy Park – jpark@forgepointcap.com