Perly Consulting │ Beck Eco

The State of Play

A living index of AI adoption across industries — where established practice meets the bleeding edge
UPDATED DAILY

The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.

The Daily Dispatch

A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.

AI Maturity by Domain

Each dot marks the weighted maturity of practices within a domain — hover for a brief summary, click for more detail

DOMAIN
BLEEDING EDGE | ESTABLISHED

Vulnerability & attack surface management

GOOD PRACTICE

TRAJECTORY

Stalled

AI that continuously scans for vulnerabilities, monitors the attack surface, and prioritises remediation based on exploitability and exposure. Includes risk-based vulnerability ranking and external attack surface discovery; distinct from penetration testing which actively attempts exploitation.

OVERVIEW

Vulnerability and attack surface management has matured into a proven operational discipline with GA tooling, analyst recognition, and documented ROI. The question facing most organisations is not whether to adopt it, but how to close the persistent gap between discovery and remediation. Platforms from Qualys, Rapid7, and Tenable can surface thousands of vulnerabilities daily across cloud, on-premises, and SaaS environments. Analyst frameworks from GigaOm, IDC, Forrester, and SANS have formalised evaluation criteria, and the CAASM market is projected to reach $12.6B by 2033.

The technology works; the practice built around it is failing, and the constraint is not discovery but remediation physics. Empirical research from May 2026 on 500K+ vulnerability reports (HackerOne) shows discovery velocity up 76% YoY while remediation throughput fell 46%, creating a widening exposure debt. More critically, Mandiant's incident response data (500K+ investigation hours) found the mean time-to-exploit is now -7 days: exploits are weaponised and active before patches are released, so patching cannot serve as the primary control. The asymmetry is structural: AI-driven discovery (10-40x faster), PoC generation (60x faster), and weaponisation (172,000x faster) now exceed enterprise patch deployment (45-90 days) by orders of magnitude. Remediation capacity has not merely stalled; it has degraded. Analysis shows remediation times increased 47% over five years (171 to 252 days), and organisations can remediate only 1 in every 10 CVEs monthly. Alert fatigue affects 90% of teams, and fewer than one in four use advanced prioritisation methods such as CISA KEV or EPSS. A CVSS-based strategy achieves only 3.96% efficiency despite 82% coverage (efficiency being the share of remediated vulnerabilities that were actually exploited, coverage the share of exploited vulnerabilities the strategy remediates): most of the effort lands on findings nobody attacks. For well-resourced enterprises with embedded automation, autonomous remediation, and continuous risk management loops, the practice delivers ROI. For everyone else, it has become compliance theatre, generating activity metrics disconnected from actual security outcomes.

CURRENT LANDSCAPE

Qualys leads the vendor field: VMDR is deployed across 54%+ of its customer base, 2025 revenue reached $669.1M, and 88% of surveyed users would recommend it. Its MITRE ATT&CK integration has reduced vulnerability scope by 85% for adopters, and comprehensive VMDR deployments report 403% three-year ROI. Tenable Nessus remains broadly deployed across 43,000+ organisations, while Rapid7 has expanded its platform through the Noetic acquisition for asset inventory and added AI-driven attack coverage targeting GenAI vulnerabilities. GigaOm's 2026 Radar evaluated 32 ASM vendors, recognising Bishop Fox as a Leader for its human-in-the-loop exploitation methodology, a sign that the market is consolidating around differentiated approaches rather than feature parity. Gartner's 2026 Magic Quadrant recognises Tenable as a Challenger in cyber-physical systems protection, with unified exposure visibility across IT, cloud, identity, and OT assets.

Regulatory pressure reinforces adoption. Federal FISMA M-24-04 zero-trust mandates have driven enterprise-scale ASM deployments, with Qualys CSAM discovering 100K+ domains and 3M+ subdomains for individual customers. SANS published formalised ASM evaluation frameworks in late 2025, cementing the practice's institutional standing.

May 2026 empirical research crystallised the nature of the remediation crisis. HackerOne analysis of 500K+ vulnerability reports showed discovery submissions up 76% YoY but resolution rate down 46%, the opposite of the trajectory needed. Unresolved critical vulnerabilities grew 25x, creating exponential exposure debt. Mandiant's incident response dataset (500K+ hours, 2025 investigations) found median time-to-exploit at -7 days: exploits are weaponised before patches are released. Meanwhile, Lyrie research quantified the velocity asymmetry: AI discovery 10-40x faster, PoC creation 60x faster, weaponisation 172,000x faster, while enterprise patch deployment stays flat at 45-90 days. Remediation time per organisation has degraded 47% over five years (171 to 252 days), and capacity is bottlenecked at 1-in-10 CVEs per month. Vendor innovation shifted toward autonomous remediation and data-aware prioritisation: Rapid7's Kenzo Security agentic AI agents report a 94% reduction in investigation time; Qualys integrates Data Security Posture Management to prioritise by breach impact; ServiceNow (which acquired Armis for $7.75B) orchestrates multi-rule workflows. Platform vendor commitment intensified: Microsoft Defender EASM and Security Exposure Management reached GA with native cloud integration; Qualys VMDR and CNAPP arrived on Oracle Cloud Marketplace. Yet practitioner critique from the JupiterOne Industrial Complex analysis documented the discipline's fundamental misalignment: CVSS strategies consume 57.4% of remediation effort for 3.96% efficiency, meaning fewer than one in twenty remediated findings was ever exploited. The constraint is not discovery but remediation and measurement discipline.
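The coverage and efficiency figures quoted in the overview and in the May 2026 research above are easy to misread, so here is a worked example of how a team would score its own prioritisation rules the same way. This is an added example for this page, not code from the State of Play index or from any vendor it names. Every finding in it is constructed sample data: the "EX-" identifiers are placeholders rather than real CVEs, the CVSS, EPSS and KEV values are invented, and the `exploited` flag is a made-up ground truth (in practice you would derive it from KEV additions, threat intelligence or your own incident data). The composite `risk_score` weighting is an assumption for illustration, not any product's algorithm.

```python
"""Coverage vs efficiency of vulnerability prioritisation strategies.

Added example for this page; not code from the State of Play index or from
any vendor it names. All findings below are CONSTRUCTED sample data: the
"EX-" identifiers, CVSS/EPSS values, KEV flags and the `exploited` ground
truth are invented so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier (constructed, not a real CVE)
    cvss: float            # CVSS base score as reported by a scanner
    epss: float            # EPSS probability of exploitation within 30 days
    in_kev: bool           # present in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool  # asset reachable from the internet (exposure)
    exploited: bool        # ground truth, used only to score the strategies


# Constructed sample inventory: a dozen open findings on a small estate.
SAMPLE = [
    Finding("EX-0001", 9.8, 0.920, True,  True,  True),
    Finding("EX-0002", 9.1, 0.010, False, False, False),
    Finding("EX-0003", 8.8, 0.150, False, True,  False),
    Finding("EX-0004", 7.5, 0.450, True,  False, True),
    Finding("EX-0005", 7.2, 0.005, False, False, False),
    Finding("EX-0006", 7.0, 0.004, False, True,  False),
    Finding("EX-0007", 6.5, 0.310, False, True,  True),
    Finding("EX-0008", 5.3, 0.050, True,  True,  True),
    Finding("EX-0009", 4.3, 0.001, False, False, False),
    Finding("EX-0010", 3.1, 0.002, False, False, False),
    Finding("EX-0011", 8.1, 0.003, False, False, False),
    Finding("EX-0012", 6.1, 0.002, False, True,  False),
]

Strategy = Callable[[Finding], bool]

# Each strategy answers one question: "do we spend remediation effort on this?"
STRATEGIES: dict[str, Strategy] = {
    "cvss>=7":          lambda f: f.cvss >= 7.0,
    "kev":              lambda f: f.in_kev,
    "epss>=0.1":        lambda f: f.epss >= 0.1,
    "kev or epss>=0.1": lambda f: f.in_kev or f.epss >= 0.1,
}


def evaluate(findings: list[Finding], select: Strategy) -> dict[str, float]:
    """Score a strategy the way the page's coverage/efficiency figures read:
    coverage   = exploited findings the strategy selects / all exploited findings
    efficiency = exploited findings the strategy selects / all findings it selects
    effort     = findings it selects / all findings (share of remediation work).
    """
    selected = [f for f in findings if select(f)]
    exploited = [f for f in findings if f.exploited]
    hits = [f for f in selected if f.exploited]
    return {
        "selected": len(selected),
        "coverage": len(hits) / len(exploited) if exploited else 0.0,
        "efficiency": len(hits) / len(selected) if selected else 0.0,
        "effort": len(selected) / len(findings) if findings else 0.0,
    }


def compare(findings: list[Finding]) -> dict[str, dict[str, float]]:
    """Evaluate every strategy in STRATEGIES against the same findings."""
    return {name: evaluate(findings, select) for name, select in STRATEGIES.items()}


def risk_score(f: Finding) -> float:
    """Composite ranking score (an assumed weighting for illustration, not any
    vendor's algorithm): confirmed exploitation (KEV) outranks predicted
    likelihood (EPSS); CVSS only nudges; internet exposure doubles the score."""
    likelihood = 1.0 if f.in_kev else f.epss
    score = likelihood * (1.0 + f.cvss / 10.0)
    if f.internet_facing:
        score *= 2.0
    return round(score, 4)


def remediation_order(findings: list[Finding]) -> list[str]:
    """Identifiers in the order a remediation queue should work them."""
    return [f.cve for f in sorted(findings, key=lambda f: (-risk_score(f), f.cve))]


if __name__ == "__main__":
    print(f"{'strategy':<18}{'selected':>9}{'coverage':>10}{'efficiency':>12}{'effort':>8}")
    for name, m in compare(SAMPLE).items():
        print(f"{name:<18}{m['selected']:>9}{m['coverage']:>10.2f}"
              f"{m['efficiency']:>12.2f}{m['effort']:>8.2f}")
    print("queue:", ", ".join(remediation_order(SAMPLE)))
```

On the constructed sample the CVSS>=7 rule selects seven of twelve findings but catches only two of the four that were exploited (coverage 0.50, efficiency 0.29), while the KEV rule selects three and catches three (coverage 0.75, efficiency 1.00); combining KEV with an EPSS threshold reaches full coverage at 0.80 efficiency for less than half the effort of the CVSS rule. Run the same comparison against real scanner output with KEV additions as ground truth and the two numbers tell you whether a prioritisation change moved effort toward attacked findings or merely reshuffled the backlog.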

The barriers remain structural. Edgescan data shows remediation cycles ranging from 63 days in software to 104 days in construction, and large enterprises leave 45.4% of vulnerabilities unaddressed. Unit 42's analysis of 750+ incidents found 87% of breaches spanning multiple attack surfaces with a 72-minute average exfiltration window, far faster than most teams can respond. Practitioner analysis reveals endemic false positive epidemics (277 false-HIGH findings in single projects), exposing context-blindness as a root cause of scanner output misaligned with actual production risk. Tool reliability remains a recurring irritant: both Rapid7 InsightVM (CVE-2026-1814) and Tenable Nessus Agent (CVE-2026-2026) required emergency patches in February 2026, a reminder that the scanner itself is part of the attack surface it inventories. Practitioners have begun questioning the metrics themselves, arguing that vulnerability counts are poor proxies for risk reduction and incentivise activity over outcomes.

TIER HISTORY

Research: Jan-2018 → Jan-2018
Bleeding Edge: Jan-2018 → Jan-2019
Leading Edge: Jan-2019 → Jan-2020
Good Practice: Jan-2020 → present

EVIDENCE (126)

— Comprehensive indictment: remediation time degraded 47% over five years (171→252 days); capacity 1-in-10 CVEs/month; CVSS strategy achieves 3.96% efficiency despite 82% coverage—fundamental structural failure.

— Only vendor with Customers' Choice award in two consecutive years; independent customer satisfaction signal reflecting market confidence in unified exposure management platform maturity.

— Tenable received highest possible scores across breadth, exposure assessment, reporting, and benchmarking; Forrester evaluation validates structured market category with defined criteria for unified VM platforms.

— 500K+ incident response hours show mean time-to-exploit at -7 days (exploits weaponized before patches released); patch management as primary control demonstrably failed; lateral movement collapse from 8+ hours to 22 seconds.

— Analysis of 500K+ vulnerability reports shows discovery velocity up 76% YoY but monthly remediation rate fell 46%; cumulative backlog of unresolved criticals grew 25x, quantifying structural remediation capacity collapse.

— AI-driven discovery (10-40x faster), PoC creation (60x faster), and weaponization (172,000x faster) now exceed enterprise patch deployment (45-90 days) by orders of magnitude; demonstrates asymmetry invalidating traditional VM cycles.

— Q1 revenue $175.6M (+10% YoY), 47% EBITDA margin, Agent Val GA, partnerships with OpenAI/Anthropic; reflects production-scale VMDR adoption with autonomous remediation capability advancement.

— UK government official guidance establishes six foundational VM principles including policy, active exploitation response, asset identification, triage/prioritization, senior risk ownership, and verification—authoritative baseline.

HISTORY

  • 2018: Research formalised attack surface metrics at network level (NIST) and cyber-physical systems (arXiv); vendor landscape solidified (Rapid7, Qualys, Tenable); Bow Valley College achieved sub-week remediation cycles with InsightVM; adoption reached 48% of organisations for strategic assessment but only 5% at high maturity; industry experts raised concerns about false positive burden, vendor incentive misalignment, and low exploitation rates of reported vulnerabilities.
  • 2019: Rapid7 achieved Forrester Wave leadership with highest VRM scores; Qualys launched integrated VMDR platform; attack surface discovery expanded with Project Sonar (232M+ assets) and new ASM category (Bugcrowd). Cloud deployments scaled: Guidewire and CognitiveScale ran InsightVM on 5,000+ AWS workloads. Forrester TEI study quantified 342% three-year ROI with 22% false positive reduction. Market matured but fundamental challenges persisted: vendor tools reported excessive findings with low real-world exploitability; even market-leading tools contained vulnerabilities; alternative approaches (instrumentation-based AppSec) offered critical assessment of broad scanning ROI.
  • 2020: Market consolidation continued with Tenable leading in customer scale (30,000+) and Fortune 500 penetration. Qualys VMDR reached general availability with early enterprise deployments (Toyota Financial Services, 10,000+ devices). Rapid7 customers (SAI Global, Trov) scaled to 4,000+ assets with measurable false positive reduction and operational speed gains. However, adoption maturity lagged capability: ESG survey showed 98% identify ASM as priority but 68% had been attacked from unknown assets; only 9% test their complete surface. IT leader perception gap widened: 84% rated programs mature despite gaps in automation (48%) and business alignment (31%). The market showed technology maturation but persistent organisational adoption friction.
  • 2021: Enterprise deployments accelerated: Palo Alto achieved 95% cost reduction with internal Cortex ASM rollout across 700,000+ cloud instances; SoftBank deployed InsightVM at hundreds of thousands of assets. Qualys VMDR penetration reached 32% of customer base ($70M Cloud Agent subscriptions, 40% YoY growth). Organizational demand for ASM governance rose sharply (61% of executives expected board ASM requests). However, tool reliability challenges emerged: French CERT documented Nessus Agent vulnerabilities (CVE-2021-20077 et al.); security researchers highlighted inherent accuracy trade-offs in vulnerability scanning. Log4Shell response (December 2021) demonstrated vendor capability for incident detection but also exposed the challenge of asset discovery: many organizations lacked visibility into their complete attack surface even with mature tools.
  • 2022-H1: Vendor innovation accelerated with Qualys VMDR 2.0 launch (June) featuring TruRisk risk quantification—beta customers achieved 28% reduction in critical vulnerabilities and 23-50% risk reduction. Rapid7 integrated CISA's Known Exploited Vulnerabilities catalog and Log4Shell detection. Forrester recognized ASM as emerging market (January). However, real-world program maturity remained low: 70% of security professionals rated their vulnerability management programs "somewhat effective or worse," with 58% lacking risk-based prioritization and 62% requiring 48+ hours for remediation. Only 9% of organizations tested their complete attack surface; 69% had been attacked from unknown assets; automation revealed 40% underestimation of actual attack surface.
  • 2022-H2: Market legitimacy solidified with IDC recognizing ASM/BAS as distinct software category. Qualys VMDR won SC Awards 2022 and led GigaOm Radar Q3, validating third-party recognition of product maturity. However, large-scale observational research (Cortex Xpanse: 50M IPs across 100+ enterprises) revealed persistent deployment maturity gaps: 90% of issues in cloud environments, 25% RDP exposure, 30% of organizations running end-of-life software with active exploits, and no industry showing attack surface reduction. Vendor platform maturity lagged behind capabilities: practitioners noted CVSS v3 support arriving 7 years after standard release, signaling evolution delays despite category advancement.
  • 2023-H1: Qualys VMDR adoption reached 54% customer penetration worldwide with F100 biotech scaling to 290K+ assets and Fortune 200 monitoring millions of containers, validating enterprise scale-out. Cisco TEI study demonstrated 125% ROI over 3 years with 6-month payback and quantified savings ($1.5M breach risk reduction, 7,800 annual IT ops hours). Forrester ASM landscape expanded to 36 vendors, signaling category maturation. However, critical operational gap persisted: Bitsight analysis of 100K+ orgs revealed only 5% monthly remediation rate, exposing the disparity between discovery capability and organizational remediation capacity. Tool reliability challenges continued with French CERT advisories on Nessus vulnerabilities including RCE.
  • 2023-H2: Qualys VMDR customers achieved 403% three-year ROI; Rapid7 InsightVM won SC Awards 2023 recognition. Palo Alto Unit 42 research found 80% of security exposures in cloud with 20% monthly service churn. However, implementation maturity remained the critical blocker: SecureOps survey of 421 professionals revealed 24% breached despite vulnerability awareness, only 11% patched same day, 47% took >1 week—demonstrating capability-maturity gap. Trend Micro analysis highlighted distributed environment challenges (inventory irregularity, alert overload). Vendor ecosystem grew with Bitsight named KuppingerCole EASM Leader, confirming market consolidation but persistent organizational remediation capacity constraints.
  • 2024-Q1: Qualys reported 19% YoY growth in large customers ($500K+), with major Fortune 1000 consolidation wins and March launch of MITRE ATT&CK integration reducing vulnerability scope by 85%. Federal FISMA M-24-04 requirements (zero-trust mandates) drove regulatory adoption signals: Qualys CSAM discovered 100K+ domains and 3M+ subdomains for enterprise customers. Remediation efficiency improved incrementally (30 to 17 days for critical vulnerabilities at leading vendors). However, SaaS sprawl research revealed 80-app average with 65% shadow IT usage, creating unmanaged attack surface blind spots. SME adoption barriers persisted: budget, resource, expertise, and patch management constraints limited DIY maturity despite vendor platform advancement.
  • 2024-Q2: Market research confirmed ecosystem expansion: Attack Surface Management category projected to grow from $0.9B (2024) to $3.3B by 2029 (29.3% CAGR), with SMEs as fastest-growing segment and cloud deployments dominant. Vendor platform innovation continued across Rapid7, Qualys, Tenable, and emerging players (Bitsight, CyCognito, SecurityScorecard). However, critical gaps persisted: practitioners documented tool fragmentation (disconnected network, application, pen-test scanners), alert overload, and complex remediation workflows as recurring implementation barriers. Scope limitations emerged: analysis suggested traditional broad vulnerability management approaches insufficient for modern application security due to lack of developer integration and application context. Discovery-remediation capability gap remained the constraining factor despite vendor maturity and market growth.
  • 2024-Q3: Vendor ecosystem consolidation accelerated: Rapid7 acquired Noetic (July) to enhance cyber asset inventory and attack surface visibility. Qualys maintained market leadership with 54%+ customer penetration, benefiting from FISMA M-24-04 federal zero-trust requirements (Qualys CSAM discovered 100K+ domains, 3M+ subdomains). Forrester Wave Q3 2024 ASM report validated Qualys as Strong Performer for enterprise attack surface monitoring. Attack surface management market momentum strengthened with MarketsandMarkets projecting 29.3% CAGR to $3.3B by 2029. Attack activity escalated (vulnerability attacks +1,200% YoY) pressuring organizations to operationalize vulnerability management. Named organization deployments (Exponent engineering firm) continued with InsightVM+MDR integration. Discovery-remediation gap persisted as category constraint: tool fragmentation, alert overload, and organizational remediation capacity remained limiting factors for broader SME adoption despite vendor innovation and market growth.
  • 2024-Q4: Tool maturity challenges intensified: 49% of ASM practitioners planned to replace their solution within 12 months due to dissatisfaction with value/performance (Team Cymru survey of 440), and 66% reported dissatisfaction with actionable insights from EASM tools (312 IT professionals). Foundational constraints emerged: Cloud Security Alliance identified systemic CVE program failures (data quality, interoperability, metadata gaps), while DefCamp benchmarking revealed tool capability variability (Nessus achieved 18.56% vs promised 55.09% detection accuracy). Practitioner analysis quantified fundamental efficiency gap: 99.59% false positive rate in vulnerability management (only 109 of 26,447 identified vulnerabilities exploited in 2023 per CISA KEV). Discovery-remediation capability gap persisted as defining constraint despite platform maturity: organizational readiness and tool dissatisfaction revealed significant gaps between vendor capability advancement and real-world adoption effectiveness.
  • 2025-Q1: Vulnerability management market expansion continued with Research and Markets projecting $4.09B by 2030 (24.98% CAGR from $1.06B in 2024). Vendor platform maturity advanced: Rapid7 integrating Noetic capabilities for asset inventory and cloud visibility. Qualys VMDR maintained strong adoption at 54%+ penetration with recent user surveys (151 reviews) showing 88% likelihood to recommend and 94% renewal intent, signaling strong customer satisfaction. However, significant operational challenges emerged: Rapid7 InsightVM users reported disruptive CVSS scoring changes from AI-powered vulnerability prioritization (February 2025), with practitioners highlighting negative workflow impact and quality concerns. This signaled real-world adoption friction despite vendor platform advancement. Concrete deployment: Energie Suedbayern (German utilities provider, 2,000 IP addresses) deployed InsightVM and InsightIDR for ITSG compliance, reporting 60% time savings and successful enterprise-wide rollout. Overall trend reflected market growth momentum alongside persistent tool maturity and organizational readiness gaps limiting broader adoption.
  • 2025-Q2: Vulnerability management market accelerated with External Attack Surface Management (EASM) projected to reach $930.7M by 2026 (17.5% CAGR), and broader ASM market on pace for 30.4% CAGR to $9.19B by 2032. Vendor platform maturity and market validation strengthened: Qualys VMDR won SC Awards Europe 2025 for third consecutive year with customer ROI estimates of 20-30%; Rapid7 InsightVM deployments reported 50% reduction in exploitable vulnerabilities; Tenable Nessus confirmed as market leader with ~43,000 organizations using the platform. Analyst recognition continued: KuppingerCole Leadership Compass 2025 benchmarked vendors including Bitsight as Overall Leader for second consecutive year. However, operational maturity gaps persisted despite platform advancement: 90% of organizations reported alert noise challenges, 41% struggled to make findings actionable, and adoption of advanced prioritization methods (CISA KEV, EPSS) remained low at 18-23%. Critical infrastructure vulnerabilities exposed: CERT-FR documented multiple critical flaws in Tenable Nessus (RCE, privilege escalation, data breach risks), highlighting security risks within core vulnerability management tooling. Overall trend reflected sustained market growth and vendor platform recognition alongside persistent organizational remediation capacity and tool reliability limitations.
  • 2025-Q3: Vulnerability and attack surface management market sustained strong growth with vendor platforms advancing and industry standardisation accelerating. Rapid7 extended exposure management with AI attack coverage for GenAI applications (OWASP Top 10 for LLM) and Remediation Hub improvements (Aug 2025), while Qualys VMDR maintained market leadership at 54%+ customer penetration with 403% three-year ROI for comprehensive feature adoption. Vendor competitive positioning refined: Info-Tech user comparisons (Aug 2025) showed Qualys VMDR outpacing Tenable in composite satisfaction (8.8 vs 7.9) and emotional footprint (+97 vs +88). Industry standardisation strengthened: SANS Institute published a formalised Attack Surface Management evaluation guide (Sept 2025), signalling maturation to institutionalised practice status. However, fundamental operational constraints remained unchanged: the discovery-remediation capability gap persisted as the defining blocker, with empirical evidence from Edgescan (July 2025) revealing industry variance in remediation efficiency (software 63 days, construction 104 days) and 45.4% of vulnerabilities left unaddressed by large enterprises. Alert noise remained endemic (90% reporting fatigue) with CISA KEV/EPSS adoption still low (18-23%). A critical meta-risk surfaced in July 2025: Tenable Nessus and Security Center were found to contain critical RCE vulnerabilities (CVE-2025-24855, CVE-2025-29087, CVE-2025-36630), exposing a circular dependency in which defenders' tooling introduces new attack surface. Practitioner analysis (Sept 2025) challenged ROI measurement fundamentals, arguing that traditional metrics (vulnerability count) are poor risk proxies and incentivise activity over actual security outcomes. Overall trend reflected sustained vendor platform advancement and strong ROI for well-resourced enterprises alongside persistent organisational capability gaps, tool reliability concerns, and measurement discipline problems blocking broader operational maturity.
  • 2025-Q4: Vulnerability and attack surface management market sustained strong growth momentum with CAASM category expanding to $1.8B in 2024, projected for 23.7% CAGR to $12.6B by 2033 (North America 38% share, Asia Pacific 27.1% CAGR). Qualys VMDR maintained market leadership at 54%+ customer penetration with 88% likelihood to recommend and 94% renewal intent (Nov 2025, 151+ user reviews). Tenable Nessus remained broadly deployed (43,000+ organizations), though platform vulnerability count increased: December 2025 CERT-FR advisory documented critical RCE flaws in Nessus <10.9.6 and <10.11.1, reinforcing meta-risk that vulnerability management tooling introduces new attack surface requiring continuous patching. Industry demand remained strong: CVE disclosure accelerated with 21,500+ CVEs in H1 2025 alone (38% High/Critical, 133 daily new flaws), with attackers weaponizing exploits within hours/days. Vendor platform innovation continued: Tenable November 2025 whitepaper advocated risk-based approaches with machine learning and threat intelligence integration for cloud/AI/OT asset visibility. Industry standardization solidified: SANS published formalized ASM evaluation frameworks, signaling practice maturation. However, fundamental operational constraints persisted unchanged: discovery-remediation capability gap remained defining blocker (software 63-day avg, construction 104-day avg, 45.4% vulnerabilities unaddressed by large enterprises), alert noise endemic (90% fatigue), advanced prioritization adoption low (18-23% CISA KEV/EPSS), and practitioners documented ROI measurement problems (traditional metrics poorly aligned with risk reduction). Overall trend reflected market expansion, vendor platform maturity, and strong ROI for well-resourced enterprises alongside persistent organizational capability gaps, tool reliability escalation, and measurement discipline problems blocking broader SME adoption.
  • 2026-Jan: Vendor platform validation continued with Tenable recognized as Leader by Gartner, Forrester, and IDC for exposure management platform. Named organization deployment: Wesley Mission Queensland deployed InsightVM and MDR for ISO 27001 compliance and remote workforce security, reporting incident reduction to near-zero. Critical practitioner analysis surfaced at month start, documenting endemic ROI measurement challenges in ASM—alert fatigue, unclear linkage between discovery and incident reduction, and disconnects between tool capability and outcome metrics—exposing persistent maturity gaps despite vendor platform advancement. Market remained robust with analyst validation and enterprise deployments demonstrating operational effectiveness, but fundamental measurement discipline and organizational readiness challenges persisted.
  • 2026-Feb: Vendor financial performance and ecosystem maturity continued to advance: Qualys reported 10% YoY revenue growth to $669.1M in 2025 with strong VMDR traction, receiving analyst recognition from GigaOm and IDC for ASM leadership. Rapid7's Splunk integration (v1.5.2) reached maturity with 7,300+ downloads, signaling normalized operational tooling for vulnerability data integration into SIEM platforms. Threat landscape analysis (Unit 42) documented 87% of 750+ analyzed incidents spanning multiple attack surfaces with 72-minute average exfiltration time, reinforcing organizational need for comprehensive ASM coverage. GigaOm Radar 2026 evaluated 32 ASM vendors, recognizing Bishop Fox as Leader for human-in-the-loop exploitation validation and false positive elimination. However, tool reliability constraints persisted: Rapid7 (CVE-2026-1814 in InsightVM/Nexpose <8.36.0) and Tenable (CVE-2026-2026 in Nessus Agent) both published vulnerability advisories in mid-month, continuing pattern of ASM tooling introducing new attack surface risks requiring emergency patching. Market remained strong with growing third-party analyst validation and vendor ecosystem maturity, but meta-risk of tool vulnerabilities and organizational measurement discipline remained defining adoption barriers.
  • 2026-Apr: Empirical research hardened the case that the practice's core problem is remediation physics, not discovery. Qualys analysis of 1 billion remediation records across 10,000 organisations found 88% of weaponised vulnerabilities fail manual processes and 50% are exploited before patches arrive; Rapid7's 2026 Global Threat Landscape Report documented a 105% YoY increase in confirmed CVSS 7-10 exploitation with median publication-to-KEV time of 5 days. A practitioner analysis of zero-day dominance (70% of exploited vulnerabilities are zero-days, with exploitation sometimes preceding public disclosure by a day) challenged the viability of CVE-based prioritisation models as the primary defence. On the vendor side, Qualys VMDR expanded to the Oracle Cloud Marketplace with native OCI integration, Tenable was named a Challenger in Gartner's 2026 Magic Quadrant for cyber-physical systems protection, and Rapid7's Kenzo Security agentic AI agents reached GA with 94% investigation time reduction and alert coverage scaling from 12% to 100%. Sector-specific evidence confirmed outcome potential (manufacturing: ransomware dwell time cut from 42 to 5 days with strong ASM visibility), yet practitioners continued documenting endemic false positive epidemics (277 false-HIGH findings in single projects) exposing context-blindness as a root cause of scanner misalignment with actual production risk.
  • 2026-May: The remediation physics crisis hardened into structural indictment. HackerOne analysis of 500K+ vulnerability reports showed discovery submissions up 76% YoY while resolution rate collapsed 46%, with unresolved critical vulnerabilities growing 25x. Mandiant's incident response dataset (500K+ hours) put mean time-to-exploit at -7 days — exploits weaponised before patches release — and Lyrie research quantified the asymmetry: AI-driven weaponisation is 172,000x faster than enterprise patch deployment cycles. JupiterOne's practitioner analysis confirmed remediation time has degraded 47% over five years (171→252 days), with CVSS-based strategies achieving only 3.96% efficiency despite 82% coverage. Against this, vendor consolidation and platform GA announcements continued: ServiceNow's $7.75B Armis acquisition integrated real-time IT/OT/IoT asset visibility into enterprise workflow orchestration; Microsoft Defender EASM reached GA with automated asset discovery and attack path analysis; Qualys posted Q1 revenue of $175.6M (+10% YoY) with Agent Val GA and Anthropic/OpenAI partnerships; Forrester named Tenable a Leader in unified VM; and the NCSC published authoritative six-principle VM guidance establishing baseline expectations. CrowdStrike earned Customers' Choice in EASM for the second consecutive year, signalling sustained enterprise confidence in consolidated exposure management — even as the structural gap between discovery speed and remediation capacity continued to widen.

TOOLS