Vulnerability Risks Grow As Average Patch Time Hits Four Weeks, Study Finds

New Hackuity research shows rising CVE volumes strained security teams and slowed response times.

Published on Nov 21, 2025

Security teams reported that it took an average of four weeks to remediate critical vulnerabilities, according to new research from risk-based vulnerability management provider Hackuity.

The study, published on Thursday and based on responses from 200 IT security decision-makers across the UK and APAC, found that escalating Common Vulnerabilities and Exposures (CVE) counts continued to overwhelm already stretched teams.

Nearly half of respondents said the rising volume of vulnerabilities placed additional strain on their resources. One in four reported that this pressure contributed to a data breach, while 36% said it resulted in a regulatory fine.

More than one third also reported delayed incident response, and 33% admitted that missed security alerts were linked to alert overload. The human impact was also significant, with 38% citing burnout within their teams.

Although most organizations said they had formal remediation processes, only 36% relied primarily on a risk-based vulnerability management approach. 60% of respondents said vulnerability management did not receive the same level of attention as other security projects, despite the growing operational risk.

Key Barriers Slowed Remediation Efforts

Hackuity’s report highlighted how operational, budget, and staffing constraints continued to hinder vulnerability management maturity. Respondents pointed to several persistent obstacles:

  • Operational limitations (43%).
  • Budget constraints (41%).
  • Skills gaps (29%).
  • High staff turnover (25%).

These challenges contributed to longer exposure windows. While the average mean time to remediation (MTTR) for critical vulnerabilities was four weeks, one in five organizations said remediation could take one to three months.

Sylvain Cortes, VP of Strategy at Hackuity, told Expert Insights that organizations struggled to keep pace with expanding attack surfaces and increasingly accessible exploit kits.

“Security teams [are] fighting a battle on several fronts,” Cortes said. “Against this backdrop there is an ever greater need for a more centralised, automated, and risk-based approach to managing vulnerabilities. Teams need continuous monitoring and coordinated responses, with contextual data to help them to prioritise threats.”