We Must Go Beyond the Scan/Patch Hamster Wheel
Bob Tinker, CEO
Last week, SC Media published my byline, “Why Vulnerability Scanning and Patching Alone No Longer Work.” Here’s some context about why I wrote this article, why reliable cybersecurity matters deeply to me, and frankly, why my co-founder Ashar Aziz and I launched BlueRock Security in the first place.
If we’re being honest, cybersecurity is getting worse, not better. Attackers are winning—full stop. And the situation continues to deteriorate.
In many areas of cybersecurity, we've adopted a “deer in the headlights” stance, overly reliant on Detection and Response to fight fires after they ignite. Rather than proactively building preventative firewalls and guardrails, we’ve become addicted to watching and reacting—assuming we're lucky enough to even detect an attack in progress. I'll address this "deer in the headlights" problem further in an upcoming article.
In my recently published piece, however, I focus on a separate and even more foundational cybersecurity challenge: our obsession with the endless scan-and-patch hamster wheel. Of course, vulnerability scanning and patching are essential; no argument there. But they are insufficient. We scan, patch, scan, patch, and yet we are still losing ground to exploits.
Despite improvements in tooling designed to help us identify and prioritize known vulnerabilities, the modern cybersecurity battlefield is vastly different from two decades ago when vulnerability management practices first emerged.
The sheer volume of vulnerabilities—nearly 50,000 projected for 2025 alone—is overwhelming defenders. In conversations with customers, I hear growing frustration and concern about two key issues: (1) vulnerabilities in third-party libraries dramatically expanding the attack surface, and (2) the accelerating pace of exploit discovery and development driven by AI.
These realities compelled me to highlight our industry's predicament. There's an alarming gap between our current defensive strategies and the accelerating innovation of attackers. AI-driven exploit development, combined with persistent weaknesses in widely used software, is dangerously tipping the scales in favor of attackers.
Traditional tools and scoring systems simply aren't keeping pace. Even vulnerabilities previously classified as "moderate" risk are being exploited faster than most security teams can patch them. Equally troubling is the reappearance of vulnerabilities we've already patched, underscoring that a patch, on its own, is not a durable enough fix.
The message from cybersecurity leaders I speak with is clear: patching vulnerabilities after they're identified is increasingly insufficient. We must rethink our approach, prioritizing secure-by-design practices and embracing runtime security innovations that proactively reduce exploitability instead of chasing vulnerabilities after they're already exposed.
Thank you, SC Media, for helping spread this important message. Full article: “Why Vulnerability Scanning and Patching Alone No Longer Work”
Bob