Press Releases - 4 mins read - February 9, 2026

More than two thirds of security teams struggle to keep up with the growing number of vulnerabilities


Amsterdam, 9 February 2026 — Most organisations (70%) struggle to keep up with resolving the growing number of vulnerabilities. This is revealed by recent research from international cybersecurity company Hadrian. Despite significant investment in tools, data and coverage, many organisations are still unable to reduce real-world security risk. This is driven by a widening gap between the volume of data generated by security tools and organisations’ actual security posture. This so-called verification crisis shows that security teams are identifying an increasing number of vulnerabilities, but lack the means to determine which ones are truly exploitable and therefore urgent.

Almost every security leader (95%) is dissatisfied with their ability to prioritize remediation based on real-world risk. While visibility across attack surfaces has improved, with many companies having deployed tools to monitor their internet-facing systems within the last few years, confidence in security decision-making has declined.

Measuring the wrong thing

At the center of the problem is measurement. While Continuous Threat Exposure Management (CTEM) programs are becoming more common, only 33% of organizations measure whether exploitable risk is actually reduced over time. Instead, most programs continue to focus on discovery-oriented metrics such as coverage gaps, asset counts and alert volume, indicators that increase activity without improving outcomes or reducing exposure.

“Security programs keep adding tools and expanding scope, but outcomes aren’t improving,” said Rogier Fischer, CEO and Co-Founder of Hadrian. “Teams are measuring how much they find, not how much real risk they remove. Without exploitability verification, more data doesn’t lead to faster remediation; it leads to paralysis.”

Remediation speed hides a deeper problem

In Hadrian’s research across 300 organizations, just 0.47% of vulnerability scanner findings prove to be exploitable in real environments, leaving teams buried in noise. The remediation data highlights a growing inconsistency in how well security teams sustain focus over time. While the median remediation time is just four days for critical vulnerabilities and 22 days for high-severity issues, the mean remediation time stretches to 64 and 139 days respectively. This divergence indicates that although teams can respond quickly when urgency is clear, a subset of risks remains unresolved for months.

The long tail of unresolved risk

The long tail materially extends exposure windows. The slowest 10 percent of critical vulnerabilities remain open for more than four months, while high-severity issues can persist for over a year. These are not missed findings, but known exposures that continue to compete for attention as new alerts and tickets are generated across an expanding security toolset. 

“Security teams can move fast, but too many tools and unverified alerts make it difficult to maintain focus on what actually matters,” said Fischer.

Hadrian’s Offensive Security report concludes that reducing exposure in 2026 will require security programs to move beyond visibility alone and focus on maintaining clarity over time. This includes validating exploitability early, aligning remediation effort with proven risk, and measuring success based on how much real exposure is removed, not how many findings are generated.

Note to editors:

Methodology 

The 2026 Offensive Security Benchmark Report is based on a combination of verified risk data collected throughout the 2025 calendar year and quantitative survey research:

  • Verified risk data from 300+ organizations across the US, UK, Netherlands, Germany, France and Italy.
  • Continuous real-world exploitation by Hadrian’s ethical hackers.
  • Quantitative analysis of attack surfaces, exploitability and remediation timelines.
  • A focus group of 34 enterprise CISOs and senior SecOps leaders across multiple industries.
  • Cross-validation between platform telemetry, attacker behavior, and executive insights.

About Hadrian

Hadrian is a leading cybersecurity company specializing in offensive security solutions. With the mission to empower organizations from a hacker’s perspective, Hadrian uses advanced technologies to identify and mitigate vulnerabilities before they can be exploited. Through continuous monitoring and proactive threat analysis, Hadrian supports companies worldwide in building resilient digital infrastructures in an increasingly complex cyber landscape.
