When it Comes to Managing Risk, Context is King
CVE/FIRST VulnCon 2025 · Main Stage
In the rapidly evolving landscape of cybersecurity, organizations face an overwhelming deluge of vulnerabilities, making traditional vulnerability management (VM) strategies increasingly untenable. Lucas Maidar, a veteran in vulnerability management from Tenable's research organization, presented a compelling case at VulnCon for a paradigm shift: moving beyond compliance-driven, CVSS-centric approaches to a **context-is-king** methodology. His talk, "When it Comes to Managing Risk, Context is King," highlighted the critical need for security teams to prioritize remediation efforts based on actual threat intelligence and environmental factors, rather than solely on severity scores.
AI review
Maidar is a practitioner who clearly knows this domain cold — 16 years writing Tenable plugins gives him legitimate credibility and the three case studies (CUPS, Ivanti, Apache Parquet) are the kind of real-world triage examples that resonate with working vulnerability managers. The core argument is sound: CVSS measures severity not risk, EPSS is a useful-but-flawed black box, and known-exploited-in-the-wild is the signal that actually matters. The EPSS critique specifically — 80% of CVEs scoring >0.9 have no known exploitation, and 50% of actually-exploited CVEs score below 0.1 — is the…
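To make the talk's argument concrete, here is an added triage example (written for this page, not Maidar's or Tenable's code) that ranks findings by observed exploitation and environmental context, with CVSS and EPSS demoted to tie-breakers; every finding, weight and scale below is a constructed assumption.

```python
"""Context-aware vulnerability triage (added example, not from the talk).

Known-exploited-in-the-wild status dominates, environmental context
(exposure, asset value, whether the flawed component is even enabled)
comes next, and CVSS/EPSS only break ties. All weights are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                 # constructed label, not a real CVE id
    cvss: float              # severity (0-10): measures impact, not risk
    epss: float              # predicted exploitation probability (0-1)
    in_kev: bool             # observed exploitation (e.g. a KEV-style list)
    internet_facing: bool    # environmental: reachable from the internet?
    asset_criticality: int   # assumed scale: 1 (low) .. 3 (crown jewel)
    component_enabled: bool  # environmental: is the flawed feature in use?


def triage_score(f: Finding) -> float:
    """Higher means remediate sooner. Weights are assumptions for this example."""
    if not f.component_enabled:
        return 0.0                      # flawed code path is not reachable here
    score = 100.0 if f.in_kev else 0.0  # observed exploitation outweighs all else
    score += 30.0 if f.internet_facing else 5.0
    score += 10.0 * f.asset_criticality
    score += 2.0 * f.cvss               # severity as tie-breaker only
    score += 20.0 * f.epss              # prediction as tie-breaker only
    return score


def prioritize(findings):
    """Return findings sorted most-urgent first."""
    return sorted(findings, key=triage_score, reverse=True)


# Constructed sample: a CVSS 9.8 with high EPSS but no observed exploitation on
# an internal low-value host, versus a CVSS 7.2 that is exploited in the wild
# on an internet-facing crown-jewel asset.
SAMPLE = [
    Finding("cvss98-not-exploited", 9.8, 0.95, False, False, 1, True),
    Finding("cvss72-kev-exposed",   7.2, 0.08, True,  True,  3, True),
    Finding("cvss91-kev-disabled",  9.1, 0.40, True,  False, 2, False),
    Finding("cvss53-exposed",       5.3, 0.02, False, True,  2, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage_score(f):6.1f}  {f.cve}")
```

With these weights the exploited, exposed CVSS 7.2 ranks first and the "critical" 9.8 falls below a medium-severity internet-facing finding, which is the ordering the talk argues a context-driven program should produce.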