A
You're listening to the RSA Conference podcast,
B
Where the world talks security.
A
Hello, listeners. Welcome to this edition of our RSAC podcast series. Thank you for tuning in. I'm Tatiana Sanchez. And I'm Casey Zirkis, and we are your RSAC podcast hosts. Casey, what are we going to discuss today?
C
Well, Tatiana, I don't know. Well, I do know that you pay very close attention to cybersecurity news, as do I. And according to many news articles and even industry reports that came out in 2025, we're seeing that more than half of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. So organizations clearly are struggling to get ahead of vulnerabilities and move past vulnerability debt. But even with the help of resources like CISA's known exploited vulnerabilities catalog, there are still challenges. And that's why we're excited to be joined today by Steve Osepic, who will share actionable strategies on how organizations can manage their vulnerability program and start driving significant risk reductions to truly get ahead.
A
And before we get started, we do want to remind our listeners that here at RSAC we host podcasts twice a month. And we encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now we would like to ask our guest to formally introduce himself before we dive in. Steve.
B
Hi. Great to talk to you today. I am Steve Osepic. I am the managing director at CRO leading our threat exposure management practice.
A
Thanks, Steve.
D
And thanks for taking the time to join us today. I want to first start off by asking, how are vulnerabilities weaponized and what are the true common exploit techniques being used by threat actors today?
B
Absolutely. And what's not commonly known is just how much of a market there is behind this weaponization. Probably a good way to approach it, and if you think about those techniques, is getting into the shoes of somebody that's trying to break into a system. Let's say that we're threat actors and we want to create an exploit kit and we want to make money off this. Right. We want to sell this and other folks will use this exploit kit in this fantasy world to actually perform our campaigns, and sell this to folks who want to break into systems. Right. And so what are the things we're going to think about in that world? We're talking about weaponization prevalence. If we're looking at different vulnerabilities that we could potentially, or different areas of study where we could create this exploit code, we're going to look at what's on the Internet, what is exposed, what are folks using, what types of software, what platforms. Another thing we might look at is the obscurity. Are we going to get caught? Is it something that maybe hasn't had attention in some time that we could focus on and get a lot of potential targets? Is there something that we can focus on and target that other folks aren't looking at? And another one is reliability. Is this exploit code going to work? Can we test it? Can we get it to run the same way every time? Right. So these are all things that we're going to think about. And from a techniques perspective, a lot of these vulnerabilities, the work is done for us from a threat actor perspective in the form of things like CVEs, vulnerabilities, things that are published. So our job, one thing we don't care about as threat actors is art or style points, maybe a little. But truly what we're looking for is that place, that intersection of something that's very prevalent, hard to detect and easily targeted. And what we're seeing, you mentioned that 48 hours number. There are a combination of these things we have access to as threat actors.
We could either target things that are just coming out for which they don't have detection yet, like you said, the 48 hour time, that's one way to do it. And you get that window of time as a threat actor before the defenses have caught it. We sometimes refer to those as zero days. Right. But the other side of this that I see as well is on the backlog, they might target something from five, 10 years ago that's also still prevalent, that's also still out there. So a lot of money changes hands during that period, you know, from the time when a threat actor targets a vulnerability to when they actually cash in on it. And that's what really decides what things get targeted in the market.
C
Someone was asking the other day about, can you talk more about new threats and daily breaches? Right. And you know, to your point, Steve, I don't think that there's always the new zero day that folks are chasing; sometimes it's older vulnerabilities. Right. But we do see that there is an increase in the number of vulnerabilities year over year. There was a 38% increase from '23 to '24, and that number keeps rising. So given this surge, what are some of the biggest internal challenges organizations face when they're dealing with vulnerabilities?
B
You know, I have a new answer to this, I think, after spending really close to a decade in this space. And I will say that vulnerability management, CTEM, you know, threat exposure management, these are things that are the same or share some space at least, depending on who you speak to. And what you see is this market moving to this CTEM, continuous threats and exposure management. This concept, and it's in relation to what you asked, the biggest challenge organizations are finding is what do I focus on? And it's a great concept, it's a great framework. It's just that it's a framework, right? We're aligning to this. This takes into account the fact that CISOs are really struggling to figure out day to day, what do I focus on in vuln management? To focus on the most important thing in my organization. That is the key, most difficult thing, you know. So I've taken more of an approach with my clients to take a step back. You know, the biggest internal challenge, you ask, actually the biggest internal challenge is panic. And it's caused by large numbers, frankly, if we really break it down, because you have teams that are in the auditing capacity and those that are responsible for risk management. And it's really hard for somebody to back away from a statement saying we need to fix all external critical vulnerabilities within 24 hours. Great concept, great idea, right? But we know if we shift over to even just our partners and our friends within the managed detection and response space, they handle millions of events a day. And they don't tell themselves they have to run every single one to ground within the spare time. What they do is they have a big funnel and they take in all these events and they crunch them down and they get value out of taking a million events and turning them into five. Right?
That's valuable in their world. In the vuln management space, I think we got off on the wrong foot because we used to have enough vulnerabilities that we could tackle them in a week or two. Now we're getting to the point where we have so many vulnerabilities, it's become just as large as detection and response. So the biggest internal challenges are the. I would say it's created an adversarial scenario between risk and IT. And I see it a lot because risk rightly doesn't want to see the critical vulnerabilities exposed. But the reality of the scanners producing 100, 200,000, I've seen 10 million. I've seen it. So it's good for everybody to hear that on the call, all your listeners need to hear. You're probably sitting there thinking, I have more vulnerabilities than you think. No, probably not. Believe it or not, everybody, and everybody I've worked with, has this problem. I think we need to talk about that, socialize that, and then get ourselves back to a mindset like we do in managed detection and response of, okay, we know all of this. What should we tackle first? Right. That's the key.
D
And Steve, you emphasize that sometimes, you know, the market is moving to threat exposure management, but oftentimes organizations don't know where to start on vulnerability management. And sometimes, you know, small to medium sized businesses have limited resources to respond to such vulnerabilities, which can often lead to vulnerability debt. Steve, can you clarify what this term means, and can you also explain what are the most effective strategies for organizations to move past it?
B
Absolutely. It's a great point too, to bring up vulnerability debt. And I apologize to anybody that heard that term and got a pit in their stomach, because those of us who do deal with it, right, we're very familiar with this term. For those who don't, it's a phenomenon. Imagine you're starting a job. A lot of times it happens as a CISO, even in a small organization, a credit union or a small, maybe even a local car dealership. And you start the job, the honeymoon period, and then you get hit with the first scan results. And there are 200,000 or 250,000 vulnerabilities and half of them are critical. That's that debt. Right. Somebody was here before, you're here now, somebody will maybe be here next. And you're looking at this large amount of debt, vulnerability backlog, and you're saying, where do I start? A lot of times the board also is very keen on driving down the number of vulnerabilities. The amount of vulnerabilities can get very large. So that is a space where we really bring in some wisdom. Right. It's not. The technology that exists in the market is very good nowadays. There are many good CTEM capabilities and technologies. We don't even need to, you know, it's an easily searched field. Right. A lot of folks are getting in on this and it's needed because there's a gap between when you get the results from the vulnerability scanners and the technologies, and when you go to figure out, like I said before, what do I work on this week, what do we start on, and then how do I take that process, make sanity within an insane system, right, too many vulnerabilities, and then show an auditor that it is working the way they want it to. And a lot of that, believe it or not, the huge backlog can be an opportunity. You can flip that on its head and you can start looking at it as intel. That's how we, you know, I've spent some time in the threat intel space. In the threat intel space we look at data as power, we look at data as enabling.
A
Right.
B
And empowering, and it allows us to get to the base of something. In this space we look at data as maybe sometimes malicious to us. Here's a great, real quick anecdote: a client who is getting ready to turn on agent-based or authenticated scanning, which means the scanner is going to have the ability to more completely ascertain the vulnerability status of the system because it's going to be able to log in. Imagine one world where we look at that as more data. And that's good, right? More data is always good in the intel world; that's going to give us more information about where the vulnerabilities are and what to focus on. But if we're in an SLA, service level agreement, driven environment, which all of us are, all of us are. So if we're in that environment, then if I move over to every critical and high has to be fixed within 24 hours or 15 days or 30, 30 by the way is the average, 30 days. Then I have just added maybe half a million more vulnerabilities depending on the size, or even doubled them, tripled them a lot of times. Authenticated scanning can 10x your vulnerability count. So it really, really has to do with how the organization looks at it and how we approach it from the perspective of threat management.
C
It's so interesting because I'm listening to you and I'm thinking, well geez, you can get that, you know, down to even five vulnerabilities. But really the only one that matters is the one that's being exploited. Right. And you don't know what that is.
B
Yes, that's a great point. It's almost like being a roofer. And you asked me to come over and say, where is the water going to get in?
C
Right.
B
I can tell you.
C
Tricky.
B
And then so are threat actors, and they are like water when they're really good, and they can be very good. So you know, when we're standing on the roof, or hopefully we're not standing on a roof, but if we have the drone, right? And I could show you the cracks.
A
Yeah.
B
I could show you where water might come in, but that's where I stop. Right, at the end of the day, if there's a tiny little hair fracture and yet it goes straight into the house, that's where it's going to come in. And it's very difficult to predict that. So the best thing you can do is take a continuous, there's that word again, continuous approach in this way, where it's sort of like basement waterproofing. If you have a basement or roof, everybody has a roof. Right. So it's that sort of, you don't care about it until something goes wrong, you know?
C
Right.
B
Then you really do care about it. And I think we all need to start. Obviously, some of us are already doing this, and we're making good progress, but it's almost a hygiene thing. We need to get to where we think about vulnerability management every day or exposure management every day. And it's almost like our development life cycle. It continues along parallel to our improvements to our products and our business.
C
I love that analogy because it just makes sense. Right? It gives you a visual that you can sort of relate to as a homeowner and a human being. And it makes total sense. And I'm thinking about, okay, we have the drone. We see all the potential places that that water could make its way into my home and create a problem. I have limited resources, Steve, and I can't possibly afford to fix all of those cracks. So for organizations that may not have a strong vulnerability management program or have limited resources, what are some actionable steps that they can take today to start? Who's involved, what tools, what teams should be brought into the equation?
B
And I'll take the last one first because, you know, that got me thinking that this is something. Frankly, I found I've gotten a lot of value from bringing vulnerability management and CTEM teams into cybersecurity or cyber fusion centers. If you think about it, one of the first things. If you get threat intel on a vulnerability that's making the rounds, what's the very first question that the threat intel person will ask? And it is.
C
I'm so glad you're answering it because I thought you wanted me to answer it. I was sweating over here, Steve.
B
I can stop you, I promise. No, but when I say it, you'll know. When I say it, you'll be like, oh, yeah, of course. The question they always ask is, do we have this? Do we have this? Oh, there's this big, very scary thing happening with this technology. Do we have that technology? Immediately. Right, that's what vulnerability management's gonna be able to tell you. CTEM's gonna be able to tell you that. Right. Because they're gonna be in the asset management database, they're gonna be in the ticketing system, system record. They're gonna be able to see, yeah, we do have that. Or no, actually we have this other version that doesn't apply to that, very fast. Right. The other thing that they can tell you very quickly is where somebody could have gotten in. Vulnerability management professionals, from their data, they know where the, I guess the skeletons are buried, if you will, skeletons in the closet. That's the metaphor. Shouldn't even use that probably. But they know where the secrets are, the secrets of the organization, and where somebody could have gotten in. So during an incident or during a threat hunt, they will have interesting things to tell you about parts of the environment that you would never think to look. So I would say that small orgs that don't have this. Maybe now we're talking, in this example I was talking about maybe three or four different people. What if you have one person, like you said, and you're small and you don't really have a lot to focus on this? Understandable. A lot of people don't think of it the same way you think about software development. It really fits because, just like software developers, we have an infinite backlog. You're not going to be able to fix them all. It's a marathon. Even though I use the word sprint, it really is a marathon. Not a sprint; it's a marathon made up of a bunch of sprints, just like software development. So what I've seen help, like, think of it this way.
We're used to getting software changes in via the normal software development life cycle. Developers are used to pulling tasks out of a system and working on those for a sprint. We can do the same thing for vulnerability management. We can rank and stack all the vulnerabilities according to threat intel, and then we can come up with that list to say, this week or this two week period, in addition to the work we're doing in the software development sprint, we're going to fix some of these vulnerabilities. I think that anybody can start. The good thing about vulnerability management is it's a bit of a jobs opportunity, and I know that's very near and dear to all of our hearts right now. What I mean by that is it doesn't take a lot to get started. If you have an interest in vulnerability research and how something is exploited, there are tools like Metasploitable 3. If you look that up, that's a Rapid7 open source project. It has a very exploitable Windows system and Linux system on there. We utilize that here in Akron to work with the local STEM school. And essentially it makes it very easy to start researching vulnerabilities. You could read about one, you could replicate it in your own little lab. I think these kinds of things, when you think about how training is at such a premium, and everybody says, every time RSA does a survey, it's always we want more training. Right. And this is a great opportunity to start baking that into your job and starting to get into some of the crunchy parts of it. You can have a junior analyst learning vulnerability management and becoming potentially a pen tester someday or something like this. Right. I think it's a gap. I think it's a missing piece in our space that you can utilize to get into it. And anybody at any level of capability or technology can start on this world because there's so much information out there.
C
I love that. So Metasploitable 3, a Rapid7 open source tool. That's fantastic. I'm gonna take your advice and go check it out. I might have to call you on the side to figure out what to do next, but please do.
B
It's a little crunchy and they've done a great job, but it's a little on the crunchy side. We'd be glad to give you the cheat sheet on that. Yeah, absolutely.
C
Fantastic. Fantastic. Steve, thank you so much for being here today. I also have learned about continuous threats and exposure management, CTEM, an acronym to add to our vernacular. So thank you so much. Listeners, thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.com/membership and be sure to check onersac.com for new content posted year round. Until next time.
RSAC Podcast: A Practical Guide—Vulnerability Management (January 6, 2026)
In this episode, hosts Tatiana Sanchez and Casey Zirkis are joined by Steve Osepic, Managing Director for Threat Exposure Management at CRO, to dive deep into vulnerability management. The discussion centers on the alarming rise of exploit weaponization, practical approaches to dealing with vulnerability debt, and actionable tips for organizations of all sizes to strengthen their vulnerability management practices. The conversation maintains a tone of urgency, realism, and encouragement throughout.
1. The Evolving Threat Landscape
2. Internal Challenges in Vulnerability Management
3. Understanding and Addressing Vulnerability Debt
4. Effective Strategies and Continuous Management
5. Actionable Steps for Organizations, Regardless of Size
6. Entry Points and Upskilling for Vulnerability Management
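One way to turn the episode's "rank and stack by threat intel, then pull a sprint's worth of work" approach and the MDR-style funnel into code. This is an added example, not code from the episode or from any vendor tool; the findings, the exploited-CVE list, the scoring weights and the SLA tiers are all constructed or assumed for illustration.

```python
"""Stack-rank a scanner backlog by threat intel and cut a sprint's worth of work.

Added example (not from the episode or any vendor product). Findings and the
exploited-CVE list below are constructed sample data; the scoring weights and
SLA tiers are assumptions chosen to illustrate the funnel, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool
    age_days: int  # days since the finding first appeared in scan results


# Constructed: CVE ids an intel feed (e.g. a KEV-style catalog) flags as exploited.
KNOWN_EXPLOITED = {"CVE-0000-1001", "CVE-0000-1004"}

# Constructed scanner output: a tiny stand-in for the 100k+ rows the episode describes.
FINDINGS = [
    Finding("web-01", "CVE-0000-1001", 9.8, True, 400),
    Finding("web-01", "CVE-0000-1002", 7.5, True, 12),
    Finding("db-02", "CVE-0000-1003", 9.1, False, 45),
    Finding("jump-03", "CVE-0000-1004", 8.8, False, 900),
    Finding("hr-04", "CVE-0000-1005", 5.3, False, 3),
    Finding("web-05", "CVE-0000-1006", 9.0, True, 60),
]


def priority(f: Finding) -> float:
    """Higher is more urgent. Exploited-in-the-wild outranks raw CVSS; exposure
    and a long-lived backlog entry add to it (assumed weights)."""
    score = f.cvss
    if f.cve in KNOWN_EXPLOITED:
        score += 10.0  # intel says it is being used, regardless of age
    if f.internet_exposed:
        score += 5.0  # reachable without a foothold
    score += min(f.age_days, 365) / 365.0  # old debt slowly floats up
    return score


def sla_days(f: Finding) -> int:
    """Assumed remediation tiers: exploited and exposed 1 day; exploited, or
    critical and exposed, 15 days; everything else 30 days (the 'average' in the talk)."""
    exploited = f.cve in KNOWN_EXPLOITED
    if exploited and f.internet_exposed:
        return 1
    if exploited or (f.cvss >= 9.0 and f.internet_exposed):
        return 15
    return 30


def sprint_backlog(findings, capacity: int):
    """The funnel: rank everything, hand the team only `capacity` items."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.asset, f.cve, sla_days(f), round(priority(f), 2)) for f in ranked[:capacity]]


if __name__ == "__main__":
    for row in sprint_backlog(FINDINGS, capacity=3):
        print(row)
```

Note that the ten-year-old exploited finding on jump-03 outranks the fresh CVSS 9.0 on an exposed web server, which is the backlog-targeting behaviour the episode warns about.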
On market-driven threat actor behaviors:
"Our job, one thing we don't care about as threat actors is art or style points, maybe a little. But truly what we're looking for is that place, that intersection of something that's very prevalent, hard to detect and easily targeted."
— Steve Osepic, [03:13]
On the psychological hurdle of vulnerability volume:
"You have teams that are in the auditing capacity and those that are responsible for risk management. And it's really hard for somebody to back away from a statement saying we need to fix all external critical vulnerabilities within 24 hours. Great concept, great idea, right? But… the scanners producing 100, 200,000, I've seen 10 million. I've seen it."
— Steve Osepic, [06:56]
Vulnerability management as intelligence:
"The huge backlog can be an opportunity. You can flip that on its head and you can start looking at it as intel... In the threat intel space we look at data as power, we look at data as enabling and empowering and allows us to get to the base of something."
— Steve Osepic, [10:34]
Waterproofing analogy for continuous management:
"When we're standing on the roof… if we have the drone, right? And I could show you the cracks. I could show you where water might come in, but that's where I stop… if there's a tiny little hair fracture and yet it goes straight into the house, that's where it's going to come in. It's very difficult to predict that. So the best thing you can do is take a continuous… approach."
— Steve Osepic, [12:17]
On accessible, hands-on upskilling opportunities:
"If you have an interest in vulnerability research and how something is exploited, there are tools like Metasploitable 3. If you look that up, that's a Rapid7 open source project. It has a very exploitable Windows system and Linux system on there. We utilize that here in Akron to work with the local STEM school."
— Steve Osepic, [17:51]
For more resources and continued discussion, visit the RSAC membership platform at onersac.com.