RSAC Podcast: A Practical Guide—Vulnerability Management (January 6, 2026)
Episode Overview
In this episode, hosts Tatiana Sanchez and Casey Zirkis are joined by Steve Osepic, Managing Director for Threat Exposure Management at CRO, to dive deep into vulnerability management. The discussion centers on the alarming rise of exploit weaponization, practical approaches to dealing with vulnerability debt, and actionable tips for organizations of all sizes to strengthen their vulnerability management practices. The conversation maintains a tone of urgency, realism, and encouragement throughout.
Key Discussion Points & Insights
1. The Evolving Threat Landscape
- [00:30] Casey highlights that more than half of newly disclosed vulnerabilities had exploit code weaponized within 48 hours in 2025.
- Steve explains the underlying market for vulnerability weaponization, emphasizing how threat actors evaluate vulnerabilities based on prevalence, obscurity, and reliability.
- They prioritize widely-used and internet-exposed software, as well as overlooked, older vulnerabilities ("they might target something from five, 10 years ago that's also still prevalent" — Steve, 03:51).
- Threat actors exploit the gap before defenders can respond (the "48 hours" window).
2. Internal Challenges in Vulnerability Management
- [05:29] Steve notes the massive increase in vulnerabilities year-over-year (38% from 2023 to 2024), creating "panic" within organizations.
- The core challenge isn't just volume, but knowing what to focus on first amidst overwhelming vulnerability counts ("the biggest internal challenge is panic. And it's caused by large numbers, frankly" — Steve, 06:26).
- This volume has created a sometimes adversarial relationship between risk managers (who want everything fixed immediately) and IT teams (who must prioritize).
3. Understanding and Addressing Vulnerability Debt
- [08:46] Steve defines vulnerability debt as inheriting an unmanageable backlog of existing vulnerabilities ("you get hit with the first scan results. And there are 200,000 or 250,000 vulnerabilities and half of them are critical...that's that debt" — 09:03).
- Large vulnerability backlogs should be treated as intelligence, offering the opportunity to learn about the environment's weaknesses, rather than just viewing them as purely negative.
- Modern scanning technologies, such as authenticated scans, can dramatically increase vulnerability counts, requiring organizations to rethink how they view the data ("authenticated scanning can 10x your vulnerability count" — Steve, 11:33).
4. Effective Strategies and Continuous Management
- [12:06] The panel discusses the unpredictability of which vulnerability will be exploited—using the analogy of water finding its way through a roof crack.
- "It's almost like being a roofer...if there's a tiny little hair fracture and yet it goes straight into the house, that's where it's going to come in. And it's very difficult to predict" — Steve, 12:18.
- Steve emphasizes a continuous, hygiene-focused approach: treat vulnerability management like regular home maintenance.
- Vulnerability management should run parallel to the development life cycle rather than being seen as a separate, one-off task.
5. Actionable Steps for Organizations, Regardless of Size
- [14:17] Steve recommends integrating vulnerability management professionals into cyber fusion centers, where they are crucial during incidents by quickly answering "Do we have this [affected technology]? Do we have this vulnerability?"
- "Immediately... that's vulnerability management's gonna be able to tell you that" — Steve, 14:50.
- For smaller organizations or those with limited resources:
  - Treat vulnerability management like software development: create an infinite backlog, slice out manageable sprints, and use prioritization informed by threat intelligence ("You're not going to be able to fix them all. It's a marathon. Not a sprint, it's a marathon made up of a bunch of sprints" — Steve, 16:36).
  - Anyone can begin; tools and open-source resources are available.
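As an added example (not code from the episode, CRO, or RSAC), here is one way to turn the "infinite backlog, prioritized sprints" advice above and the fusion-center question "Do we have this technology? Do we have this vulnerability?" into code: findings are ranked on the criteria Steve says attackers use (reliable exploit code, internet exposure, prevalence) rather than on severity alone. The weights, field names, product names and CVE-style ids are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                  # constructed placeholder id, not a real CVE
    product: str
    severity: float           # CVSS-style base score, 0-10
    exploit_weaponized: bool  # public exploit code seen (threat-intel feed)
    internet_exposed: bool
    asset_count: int          # prevalence: assets in our inventory carrying it
    year: int                 # disclosure year; age alone never lowers priority

def risk_score(f: Finding) -> float:
    """Rank findings the way the episode says attackers pick targets:
    reliable exploit code, internet exposure and prevalence outrank raw severity."""
    score = f.severity
    if f.exploit_weaponized:   # weaponized within the "48 hours" window
        score *= 2.0
    if f.internet_exposed:
        score *= 1.5
    score += min(f.asset_count, 1000) / 100.0   # prevalence adds up to +10
    return round(score, 2)

def plan_sprint(backlog, capacity):
    """Slice the highest-risk items into this sprint; the rest stays in the backlog."""
    ranked = sorted(backlog, key=risk_score, reverse=True)
    return ranked[:capacity], ranked[capacity:]

def fusion_center_lookup(backlog, product=None, cve=None):
    """Answer 'Do we have this technology? Do we have this vulnerability?'
    by returning the number of affected assets (0 means we do not)."""
    hits = [f for f in backlog
            if (product is None or f.product == product)
            and (cve is None or f.cve == cve)]
    return sum(f.asset_count for f in hits)

# Constructed sample backlog (ids, products and counts are made up).
BACKLOG = [
    Finding("CVE-0000-0001", "vpn-gateway", 9.8, True, True, 12, 2025),
    Finding("CVE-0000-0002", "office-suite", 7.8, True, False, 900, 2017),
    Finding("CVE-0000-0003", "internal-db", 9.9, False, False, 3, 2025),
    Finding("CVE-0000-0004", "web-server", 6.5, False, True, 40, 2024),
    Finding("CVE-0000-0005", "legacy-app", 5.3, True, True, 2, 2015),
]

if __name__ == "__main__":
    sprint, remaining = plan_sprint(BACKLOG, capacity=2)
    for f in sprint:
        print(f"fix now: {f.cve} ({f.product}) score={risk_score(f)}")
    print("office-suite assets affected:", fusion_center_lookup(BACKLOG, product="office-suite"))
```

Note that the highest-severity finding (the internal database with no known exploit) lands at the bottom of the ranking, while the weaponized 2017 office-suite bug on 900 assets is in the first sprint, which is the point Steve makes about old but prevalent vulnerabilities.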
6. Entry Points and Upskilling for Vulnerability Management
- [17:50] Steve highlights Metasploitable 3, an open-source project by Rapid7, as a resource for hands-on vulnerability research.
- Suggests involving junior analysts in vulnerability management as an onramp to roles like penetration tester, noting it's a career gateway.
- Vulnerability management is an area anyone can grow into, making it valuable both for organizations and individual career progression.
Notable Quotes & Memorable Moments
- On market-driven threat actor behaviors:
  "Our job, one thing we don't care about as threat actors is art or style points, maybe a little. But truly what we're looking for is that place, that intersection of something that's very prevalent, hard to detect and easily targeted."
  — Steve Osepic, [03:13]
- On the psychological hurdle of vulnerability volume:
  "You have teams that are in the auditing capacity and those that are responsible for risk management. And it's really hard for somebody to back away from a statement saying we need to fix all external critical vulnerabilities within 24 hours. Great concept, great idea, right? But… the scanners producing 100, 200,000, I've seen 10 million. I've seen it."
  — Steve Osepic, [06:56]
- Vulnerability management as intelligence:
  "The huge backlog can be an opportunity. You can flip that on its head and you can start looking at it as intel... In the threat intel space we look at data as power, we look at data as enabling and empowering and allows us to get to the base of something."
  — Steve Osepic, [10:34]
- Waterproofing analogy for continuous management:
  "When we're standing on the roof… if we have the drone, right? And I could show you the cracks. I could show you where water might come in, but that's where I stop… if there's a tiny little hair fracture and yet it goes straight into the house, that's where it's going to come in. It's very difficult to predict that. So the best thing you can do is take a continuous… approach."
  — Steve Osepic, [12:17]
- On accessible, hands-on upskilling opportunities:
  "If you have an interest in vulnerability research and how something is exploited, there are tools like Metasploitable 3. If you look that up, that's a Rapid7 open source project. It has a very exploitable Windows system and Linux system on there. We utilize that here in Akron to work with the local STEM school."
  — Steve Osepic, [17:51]
Timestamps for Important Segments
- [00:30] – State of vulnerability weaponization and market drivers
- [05:29] – Internal organizational challenges and the "panic" of large numbers
- [08:46] – Defining vulnerability debt and strategies for overcoming it
- [12:06] – The unpredictability of exploitation; waterproofing analogy
- [14:17] – Actionable steps for organizations, integrating vulnerability management with broader strategies
- [17:51] – Practical upskilling: getting started with Metasploitable 3 and entry points for professionals
Key Takeaways
- Volume is inevitable; prioritization is essential.
- Vulnerability management is not a separate, periodic task—it's continuous, like regular home maintenance.
- Leverage backlogs as intelligence, not just as a problem.
- Even small organizations with limited resources can make meaningful progress by adopting agile-inspired, prioritized sprints in vulnerability management.
- Entry-level upskilling opportunities are abundant and should be embraced; this field can be a stepping stone for broader cybersecurity roles.
For more resources and continued discussion, visit the RSAC membership platform at onersac.com.
