# Speed Over Volume: Why Mid-Market Teams Should Rethink Vulnerability Management Priorities


## The Vulnerability Management Paradox


Mid-market security teams face a persistent challenge: they are drowning in vulnerability data while remaining woefully underprotected. With thousands of CVEs published annually—over 30,000 in recent years—organizations struggle to prioritize effectively. However, a new perspective is gaining traction in the security community: the number of vulnerabilities you track matters far less than how quickly you remediate the ones that actually threaten your organization.


According to Intruder's Chris Wallis, a thought leader in vulnerability management, mid-market organizations should fundamentally shift their strategy away from chasing comprehensive vulnerability counts toward optimizing remediation velocity and expanding their defensive scope beyond CVE-centric approaches. This shift addresses a critical gap in how many organizations currently approach security.


## The Vulnerability Count Trap


For years, vulnerability management has been measured in volume. Security teams prided themselves on "discovering" or "tracking" thousands of vulnerabilities across their infrastructure. This metric-focused approach created several problems:


The illusion of comprehensiveness: Organizations believed that tracking more vulnerabilities meant achieving better security posture. In reality, many tracked vulnerabilities were either:

  • Not applicable to the organization's environment
  • Requiring minimal or no remediation effort
  • Overshadowed by more critical issues

Resource drain without proportional protection: Security teams invested enormous effort in vulnerability assessment, classification, and remediation planning—only to spread their actual remediation resources across hundreds of non-critical issues. Meanwhile, the truly dangerous vulnerabilities in their attack surface remained unpatched for extended periods.


Alert fatigue and decision paralysis: With vulnerability counts spiraling into the thousands, teams struggled to distinguish signal from noise. Prioritization frameworks became complex theoretical exercises rather than practical guides for action.


## The Case for Speed-First Remediation


Wallis and others in the vulnerability management space argue for inverting this approach. Rather than asking "How many vulnerabilities can we identify?" organizations should ask: "How quickly can we patch the vulnerabilities that matter?"


Why remediation speed is the real security metric:


  • Attack windows narrow with visibility: Attackers research and exploit CVEs rapidly. The average time from CVE publication to exploit availability has shrunk to weeks or even days. Organizations that remediate within this window significantly reduce breach risk.

  • Time-to-fix directly correlates with breach impact: Studies from organizations like Mandiant and the Cybersecurity and Infrastructure Security Agency (CISA) show that breach severity increases dramatically as unpatched vulnerability windows extend beyond 30 days.

  • Speed enables focus on high-impact issues: By committing to faster remediation cycles for vulnerabilities that are actually exploited or relevant to your environment, teams can channel resources toward strategic improvements rather than busywork.

For mid-market teams with limited resources, this reframing is transformative. Rather than maintaining a backlog of thousands of potential future patches, organizations can operate on a sprint-based model: identify applicable vulnerabilities, prioritize ruthlessly, and execute remediation within defined windows.


## Beyond CVEs: The Attack Surface Management Imperative


However, Wallis's argument goes deeper. Focusing exclusively on CVEs is inherently limiting—and potentially dangerous. Many breaches involve vulnerabilities or weaknesses that never receive CVE designations:


Unmanaged attack surface issues include:

  • Exposed credentials and secrets in repositories, logs, and cloud storage
  • Insecure API endpoints and poorly configured cloud buckets
  • Legacy systems running unsupported software without available patches
  • Third-party integrations with weak authentication or encryption
  • Misconfigured access controls in cloud environments
  • Dormant accounts and overly permissive IAM policies

These issues represent the "known unknown" problem: security teams may be aware of them, but they fall outside traditional vulnerability management frameworks because they lack CVE designations.


## Attack Surface Management as a Complement


Rather than viewing attack surface management as separate from vulnerability management, modern organizations should treat them as complementary:


| Aspect | CVE-Focused VM | Attack Surface Management |
|--------|---|---|
| Scope | Published vulnerabilities | All exposures (configured, misconfigured, unknown) |
| Responsiveness | Reactive to disclosures | Continuous monitoring |
| Methodology | Patch and update | Inventory, classify, and remediate |
| Timeline | Often measured in months | Ideally continuous or weekly |


For mid-market organizations, this means implementing tools and processes that:


1. Continuously scan and inventory cloud infrastructure, APIs, and external assets
2. Classify exposures by business impact and remediation difficulty
3. Prioritize based on exploitability and exploited-in-the-wild status, not just CVSS scores
4. Establish SLAs for remediation by risk tier rather than treating all vulnerabilities equally


## Practical Implementation for Mid-Market Teams


Shifting from a volume-focused to a speed-focused vulnerability management strategy requires structural changes:


Establish remediation SLAs by severity:

  • Critical (exploited in the wild): 24-48 hours
  • High (applicable and easy to patch): 2-4 weeks
  • Medium/Low (limited applicability): Quarterly review cycles

Automate what you can:

  • Deploy configuration management tools that automatically patch non-critical systems
  • Use runtime application self-protection (RASP) or container scanning to catch issues before deployment
  • Integrate vulnerability data feeds directly into remediation workflows

Measure the right metrics:

  • Mean time to remediation (MTTR) for critical vulnerabilities
  • Percentage of applicable CVEs patched within SLA
  • Attack surface exposure count and trend (rather than total vulnerability count)

Expand monitoring beyond CVEs:

  • Implement cloud security posture management (CSPM) tools
  • Deploy external asset discovery (EAD) platforms
  • Conduct quarterly access reviews and permission audits
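
As an added illustration (not from the article or from Intruder), this Python example applies the SLA tiers and metrics listed above to constructed findings: it tiers on exploited-in-the-wild status and applicability rather than CVSS, then reports critical MTTR, SLA compliance, and open findings past their window. The field names, function names, the use of each range's upper bound, and 90 days for "quarterly" are assumptions.

```python
from datetime import datetime, timedelta

# Upper bound of each SLA range in the article; "quarterly" taken as 90 days (assumption).
SLA = {"critical": timedelta(hours=48), "high": timedelta(weeks=4),
       "medium_low": timedelta(days=90)}

def tier(f):
    """Tier on exploitation and applicability; the CVSS score is deliberately ignored."""
    if f["applicable"] and f["exploited"]:
        return "critical"
    if f["applicable"] and f["easy_patch"]:
        return "high"
    return "medium_low"  # assumption: everything else, incl. limited applicability

def sla_report(findings, now):
    """Critical MTTR in hours, % of due applicable findings fixed in SLA, open breaches."""
    crit_hours, met, due, overdue = [], 0, 0, []
    for f in findings:
        if not f["applicable"]:
            continue  # the SLA metric covers applicable findings only
        t, age = tier(f), (f["fixed"] or now) - f["found"]
        if f["fixed"]:
            due, met = due + 1, met + int(age <= SLA[t])
            if t == "critical":
                crit_hours.append(age.total_seconds() / 3600)
        elif age > SLA[t]:  # still open and already past its window
            due += 1
            overdue.append(f["id"])
    mttr = sum(crit_hours) / len(crit_hours) if crit_hours else None
    pct = round(100 * met / due, 1) if due else None
    return {"critical_mttr_h": mttr, "pct_within_sla": pct, "open_past_sla": overdue}

def finding(fid, cvss, applicable, exploited, easy_patch, found, fixed=None):
    p = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M") if s else None
    return {"id": fid, "cvss": cvss, "applicable": applicable, "exploited": exploited,
            "easy_patch": easy_patch, "found": p(found), "fixed": p(fixed)}

# Constructed sample data; the IDs are placeholders, not real CVEs.
FINDINGS = [
    finding("F-1", 7.5, True, True, True, "2024-03-01 09:00", "2024-03-02 15:00"),
    finding("F-2", 8.1, True, True, False, "2024-03-01 09:00", "2024-03-04 09:00"),
    finding("F-3", 9.8, True, False, True, "2024-03-01 09:00", "2024-03-15 09:00"),
    finding("F-4", 9.1, True, True, True, "2024-03-10 09:00"),   # still open
    finding("F-5", 6.5, False, False, True, "2024-03-05 09:00"),  # not applicable
]

if __name__ == "__main__":
    print(sla_report(FINDINGS, now=datetime(2024, 3, 20, 9, 0)))
```

MTTR only counts closed findings, so the open critical F-4 never worsens the average; that is why `open_past_sla` is reported alongside it.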

## Why This Matters for Organizations


The implications are significant. Organizations that adopt speed-first vulnerability management while expanding to attack surface management achieve:


  • Better actual security: Fewer breaches due to faster remediation of exploited vulnerabilities
  • More efficient operations: Less wasted effort on immaterial vulnerabilities
  • Improved incident response: Better visibility into what's actually exposed and dangerous
  • Competitive advantage: Ability to respond to threats faster than less mature competitors

For mid-market organizations particularly—which often lack the budget and headcount of enterprise security teams—this approach is not just preferable, it's essential. The organizations that will win in the increasingly hostile threat landscape are not those tracking the most vulnerabilities, but those patching the right ones fastest.


## Conclusion


Chris Wallis's argument represents a maturation in how the industry thinks about vulnerability management. The shift from counting vulnerabilities to optimizing remediation speed, combined with expanding beyond CVE-centric approaches to comprehensive attack surface management, offers a realistic path forward for mid-market security teams. By embracing these principles, organizations can transform their vulnerability management from a compliance checkbox into a genuine competitive advantage and breach-prevention mechanism.