Is Vulnerability Management Dead? A Security Architect's Take
Snir Ben Shimol
BSidesSF 2025 — Here Be Dragons · Day 2 · Main
Snir Ben Shimol, CEO and co-founder of Zest Security and a veteran of Varonis and Prisma Cloud, argued that traditional vulnerability management is broken — not because the tools are bad, but because visibility without a remediation path is not security. Drawing on research across hundreds of enterprises, he proposed a cloud-specific survival framework built around enrichment, infrastructure-as-code correlation, mitigating controls, and AI-assisted triage.

---
AI review
Ben Shimol came with data. The 62% of incidents tied to known-but-unpatched findings, five-day exploitation windows against weeks-long remediation timelines, and the IaC correlation gap — these are the numbers that should be on every CISO's desk. The cloud guardrail section is the most underappreciated thing in vulnerability management and he explains it well.