
A recap of session 1 of Hadrian's Exposure Maturity Model webinar series, with Alex Wells and Stirling Fisher
Most security programs are not built around a clear picture of the attack surface. They are built around the assets someone thought to add to a list, tested on a schedule someone decided was reasonable, and measured against SLAs someone set without knowing how fast attackers actually move. The program looks structured. The risk is not.
That gap between the appearance of a mature program and the reality of one is exactly what the first session in Hadrian's Exposure Maturity Model webinar series confronted. The session laid out a structured approach for security teams to transition from reactive exposure management to a proactive, risk-based operational posture. The starting point is an honest look at where most programs actually are.
The landscape is worse than most programs acknowledge
Every organization has more internet-facing assets than its security team knows about. That is not a hypothesis. It is the baseline condition from which the session opened. In 2024, 38% of cyber breaches originated from unknown or unmanaged assets. The average time to exploitation for external-facing exposures is now negative one day, meaning that, on average, attackers are exploiting a vulnerability before a patch is even publicly available. And the volume problem is structural: roughly 131 CVEs were published per day in 2025, a number that makes manual research and triage less viable each year.
The consequence is that security teams are spending 60 to 70% of their capacity on triage and investigation rather than remediation. The program is busy. But busy is not the same as effective.
As Stirling Fisher put it: "You simply can't protect what you don't know you have."
The organizations that suffered the most from major vulnerabilities were not victims of chance. As the session framed it: "The organizations that got hit weren't unlucky. They were operating without a systematic picture of their attack surface." The distinction matters because it shifts the failure from circumstance to architecture.
Why most programs stay stuck
Alex Wells did not soften the industry baseline: "Most organizations are at stage one or in transition. And that's really our industry baseline."
Part of why programs stay stuck is how they are measured. As the session observed: "The subtext is that you're saying 'we're doing the right things' and nobody's asking whether the programs actually improve the security posture." Compliance metrics reward activity. They do not measure whether the attack surface is actually shrinking.
The structural blockers run deeper than metrics, though. The first is ownership. No one is explicitly accountable for the completeness of the asset inventory, only for the security of the assets already known. The gap between those two things is where breaches originate. The second is volume without validation: scanners generate thousands of findings with no automated method to confirm which represent real, exploitable exposures. Teams drown. The third is the compliance trap itself: programs designed to pass audits rather than understand actual risk. "It's very easy to sort of do tick boxes. But those aren't real tests of how exposed your organization is."
Maturity is only as strong as its weakest dimension
Maturity in this model is not a single score. It is measured independently across five dimensions: discovery, prioritization, validation, automation, and remediation routing. And as the session made clear: "Your weakest dimension will set the ceiling for everything else."
This framing is sharper than it first appears. A team with excellent discovery and no automated validation is not a mature program with a gap. It is still an early-stage program. Most programs invest unevenly: discovery tooling tends to be mature, validation tends to be manual, and remediation routing tends to be ad hoc. The result is a program that looks more advanced than it is.
Building a structured program is not a tool deployment
Moving from reactive to structured exposure management is primarily a program-level change. "It isn't really tool-based. It's about changing the way your security program is perceived within the organization." Five structural decisions define that shift.
The first and most foundational is ownership of the asset inventory. "Remediation starts from ownership, not investigation." Someone must be accountable for whether the inventory is complete, not only whether the known assets are secure. Stirling Fisher was direct: "The first fix is not a tool, it's a decision. Who's accountable for the completeness of the asset inventory?"
The second is shifting from inside-out to outside-in discovery. Inside-out scanning starts from what the organization already knows. Outside-in discovery "starts from your organization's identity and discovers assets the way an attacker would," finding everything reachable regardless of whether it was intended to be.
The third is risk-based prioritization. "Risk-based prioritization which incorporates business criticality and reachability closes critical exposures on average 60% faster than those using CVSS-based triage alone." CVSS scores measure theoretical severity. They do not measure whether the vulnerable asset is actually reachable or what business function it supports.
The fourth is validation before the queue. "The fix here is validation: confirming exploitability before findings reach the remediation queue." Without this, analysts spend their time on findings that will never matter.
The fifth is SLA enforcement: defining SLAs "not as an aspirational target, but as an operational commitment." Targets without consequences are not SLAs. They are hopes.
When these five decisions are in place, the conversation inside the security program changes. Instead of debating "is this real and whose team is it," the team starts saying "here's what we found, here's who owns it, here's the SLA." A structured program requires both security and engineering teams to have a shared language, shared SLAs, and shared accountability. That is the program of work.
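To make the five decisions concrete, here is a small triage pipeline that applies them to a handful of findings. It is an added example written for this recap, not Hadrian's model or tooling: the assets, findings, owners, scoring weights, tier thresholds and SLA days are all constructed assumptions for illustration. What it shows is the shape of the change: an inventory where a missing owner is visible rather than silent, a validation gate that keeps unconfirmed findings out of the queue, a risk score that scales CVSS by reachability and business criticality, and an SLA attached to every ticket so breaches can be listed.

```python
"""Toy exposure-triage pipeline. Added example, not Hadrian's model:
the weights, tiers and SLA days below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    fid: str
    asset: str
    cvss: float
    reachable: bool     # reachable from the internet, as outside-in discovery sees it
    criticality: int    # business criticality of the asset: 1 (low) .. 3 (crown jewel)
    validated: bool     # exploitability confirmed before the finding enters the queue
    found_at: datetime


# Constructed asset inventory. The value is the accountable owner; None marks
# an asset that discovery found but nobody has claimed (an inventory gap).
INVENTORY = {
    "www.example.test": "web-platform",
    "db01.internal.test": "data-platform",
    "legacy-api.example.test": None,
}

# Assumed SLA tiers, in days, treated as commitments rather than targets.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

# Constructed findings. F4 has a high CVSS but was never validated as exploitable.
T0 = datetime(2025, 1, 1)
FINDINGS = [
    Finding("F1", "legacy-api.example.test", 9.8, True, 1, True, T0),
    Finding("F2", "www.example.test", 7.5, True, 3, True, T0),
    Finding("F3", "db01.internal.test", 9.9, False, 3, True, T0),
    Finding("F4", "www.example.test", 9.0, True, 3, False, T0),
]


def owner_of(asset):
    """Owner from the inventory, or 'UNOWNED' so the gap is visible, not silent."""
    return INVENTORY.get(asset) or "UNOWNED"


def risk_score(f):
    """CVSS scaled by reachability and business criticality (assumed weights)."""
    reach = 1.0 if f.reachable else 0.25
    return f.cvss * reach * f.criticality


def tier_for(score):
    """Assumed thresholds mapping a risk score to an SLA tier."""
    if score >= 20:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def cvss_only_order(findings):
    """The queue under CVSS-based triage alone: no validation gate, no context."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def triage(findings):
    """Validation gate, then risk-based ordering with owner and SLA attached."""
    tickets = []
    for f in findings:
        if not f.validated:
            continue  # unconfirmed findings never reach the remediation queue
        score = risk_score(f)
        tier = tier_for(score)
        tickets.append({
            "id": f.fid, "asset": f.asset, "owner": owner_of(f.asset),
            "score": score, "tier": tier,
            "due": f.found_at + timedelta(days=SLA_DAYS[tier]),
        })
    return sorted(tickets, key=lambda t: t["score"], reverse=True)


def sla_breaches(tickets, now):
    """Tickets past their due date: the list that turns an SLA into a commitment."""
    return [t["id"] for t in tickets if now > t["due"]]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    for t in triage(FINDINGS):
        print(f"{t['id']} {t['asset']} owner={t['owner']} tier={t['tier']} due={t['due']:%Y-%m-%d}")
    print("breached after 10 days:", sla_breaches(triage(FINDINGS), T0 + timedelta(days=10)))
```

Run on the constructed findings, CVSS alone ranks F3 (9.9, internal, not reachable) first and F2 (7.5, internet-facing, crown-jewel asset) last, and keeps the unvalidated F4 in the queue. The triaged queue drops F4, puts F2 first as critical with a two-day SLA, and surfaces F1 on the legacy API as UNOWNED, which is the ownership decision the session put first: the ticket cannot be routed until someone is accountable for that asset.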
And the session closed with a framing worth holding onto: "Slower than ideal is still better than inconsistent and wrong."
Watch the full webinar to hear Alex Wells and Stirling Fisher walk through the full framework, or explore the Exposure Maturity Model at hadrian.io/maturity-model.