Steve Carter discusses the evolution of the vulnerability management market, as well as where vulnerability management has failed and why the next phase has to center around automation and scale.
The problem, as Carter sees it, is deceptively simple: Organizations are drowning in vulnerabilities but still can’t prioritize or fix them quickly. Scanners can identify thousands of issues, but the process of getting those vulnerabilities to the right people, assigning ownership, and remediating the risk is almost always manual and inconsistent. The real bottleneck isn’t in detection—it’s in what happens after.
Alan and Carter discuss how automation may be the missing piece. Not just automating patching, but automating the full lifecycle—from data collection across a range of tools (CSPMs, endpoint agents, bug bounty platforms, etc.) to enrichment with business context, to orchestration of workflows. In that sense, the challenge isn’t just a security problem. It’s a data problem. Modern orgs are pulling in vulnerability signals from 20 or more tools, and without a way to normalize, prioritize and act on them, teams fall behind fast.
Furthermore, the rise of cloud-native infrastructure only makes things harder. Containers, ephemeral assets, and serverless components don’t play nicely with legacy tooling built for static environments. Carter notes that any modern approach to vulnerability and exposure management has to handle this dynamic complexity or risk becoming irrelevant.
There’s no silver bullet—but there is progress. Automation, better data handling, and continuous visibility are turning a slow, error-prone process into something manageable. It’s taken more than 20 years, but the industry might finally be closing in on a real solution.
