IT Brief Asia - Technology news for CIOs & IT decision-makers
Asia
Vicarius finds 79% hit by known vulnerability incidents

Vicarius finds 79% hit by known vulnerability incidents

Fri, 17th Jul 2026 (Yesterday)
Sean Mitchell
SEAN MITCHELL Publisher

Vicarius has released a report on vulnerability remediation, finding that 79% of organisations suffered a security incident linked to a known vulnerability in the past year.

The study points to a gap between detecting software flaws and fixing them. In a survey of 300 IT and cybersecurity professionals in the United States and United Kingdom, many organisations said they still rely on manual steps and administrative workflows after identifying a vulnerability.

Among the headline findings, 75% of responses to critical vulnerabilities resulted in an administrative action, such as creating a Jira or ServiceNow ticket, rather than directly resolving the issue. Only 25% of organisations said they deploy automated remediation directly from their security platform.

The report also found that 58% of vulnerability remediation activities still require direct human intervention. This suggests many teams continue to rely on handoffs between security, IT and other functions, even as automated scanning tools have become widely used.

Closure gap

Another finding concerns how organisations define when a vulnerability has been addressed. Half of respondents said a vulnerability can be considered closed without a verified rescan or automated check to confirm the fix worked.

As a result, 50% of organisations treat administrative milestones, including ticket generation or formal risk acceptance, as enough to clear a vulnerability from their dashboards. The report argues this can create a mismatch between internal reporting and the actual state of technical risk.

The survey included Managers, Directors and Vice Presidents at organisations with 500 to 2,000 employees. Respondents came from sectors including financial services, manufacturing, healthcare, automotive, government and technology services.

The data points to operational problems in the remediation lifecycle rather than shortcomings in vulnerability discovery. Security teams may know about flaws in their systems, but ownership, verification and execution can still break down before a fix is applied.

Manual handoffs

The report also highlighted ambiguity over responsibility for fixing vulnerabilities. It found that 38% of organisations said remediation ownership depends on the situation, while 43% said they can only sometimes fix what they find without involving another team.

In practice, this can mean a vulnerability moves through several systems and approvals before technical action is taken. The average organisation uses three or more systems for each remediation process, increasing the chance that context is lost as work passes between teams and tools.

For many companies, that creates what the report describes as a "ticket trap", in which opening, routing or approving a task is mistaken for reducing risk. The findings suggest organisations may be measuring process completion rather than confirmed resolution.

"Treating a ticket creation as a security victory is a fundamental operational flaw," said Roi Cohen, Chief Executive Officer, Vicarius.

"Our latest report shows that while finding flaws has become automated, fixing them is still slowed by human intervention, organizational siloes, and tool sprawl. When three out of four critical vulnerability responses result in an administrative handoff rather than immediate mitigation, we shouldn't be surprised that attackers operating at machine speed win the race," said Cohen.

Operational focus

The results add to a wider industry debate over whether vulnerability management programmes are too heavily weighted towards discovery metrics and ticket volumes rather than verified remediation. In many organisations, scanners can identify weaknesses quickly, but patching and mitigation depend on separate teams, change controls and manual checks.

That can leave known flaws exposed for long periods, especially where accountability is split across infrastructure, security and application teams. The report suggests this operational fragmentation is one reason incidents continue to arise from vulnerabilities already listed in internal inventories.

Vicarius based the study on research carried out in partnership with an independent market research firm. The sample was evenly distributed among Managers, Directors and Vice Presidents, with respondents drawn from mid-sized organisations across the US and UK.

One of the clearest findings was the gap between activity and outcome in remediation programmes: only half of organisations require proof that a fix has worked before marking a vulnerability as closed.