Threat trends - 3 mins read - June 23, 2026

Security teams know the scores are wrong.


Most security leaders are not under the illusion that a CVSS score reliably tells them what to fix first. They know a 9.8 on an unreachable internal system is not the same threat as a 6.4 sitting exposed on a customer-facing API. The problem is that without a reliable way to verify exploitability at scale, the score remains the only practical tool they have.

For lean security teams, this creates a capacity problem. When every finding that lands in the queue requires manual investigation to determine whether it poses a genuine threat, triage consumes the time that should go toward remediation. Breeze Airways, a digital-first US airline founded in 2018, encountered this directly. Their security function is deliberately small, built to operate efficiently across a cloud-native environment handling passenger booking, payment processing, and loyalty data. With scanning tools in place, the team had visibility into findings, but confirming whether those findings were genuinely exploitable still required manual investigation per item, a process that could consume the better part of an afternoon, multiplied across every item in the queue.

That is the verification crisis that security functions across the industry are quietly absorbing. According to Hadrian's 2026 Offensive Security Benchmark Report, just 0.47% of vulnerability scanner findings prove exploitable in real environments, based on data across more than 300 organisations. The remaining 99.5% of what teams are triaging, validating, and tracking represents exposure that exists on paper but not in practice. For a team with limited capacity, the cost of processing that volume is not an efficiency problem. It is what determines whether genuine, confirmed risks receive the attention they need.

When triage scales faster than the team

The 2026 Verizon Data Breach Investigations Report places exploitation of vulnerabilities at 31% of initial access vectors, making it the leading entry point for breaches. A larger function can distribute triage work across more people. A small one has to process the same volume with the same headcount, which means more time on validation and less on the work that actually reduces risk.

Hadrian's research shows that 95% of security leaders are dissatisfied with their ability to prioritise remediation based on real-world risk. The most commonly cited reason, raised by 60% of surveyed security leaders, is the volume of unverified vulnerabilities competing for attention. This is not a critique of the tools or the teams. It is evidence that the current operating model reaches its limits faster when headcount is small.

When a critical finding is well-defined and clearly understood, teams move fast: the median remediation time is four days. But the mean sits at 64 days. For high-severity findings it is worse, a median of 22 days against a mean of 139. The slowest 10% of critical findings stay open for more than four months. Those are not findings being ignored, they are findings sitting in a queue where triage work keeps accumulating and remediation keeps getting pushed back.

At Breeze Airways, this pressure was compounded by scale. As the airline grew, the demands on the security function grew with it. Alert volume increased alongside the expanding environment, and more time went toward manual triage before any remediation work could begin. Every hour spent determining whether a finding was worth acting on was an hour not spent acting on the findings that were.

The answer is not a better score. It is less to score.

Security leaders understand that CVSS scores measure theoretical severity, not real-world exploitability. The problem is not awareness of that limitation. It is the absence of a workable alternative. Manual validation at scale is not a workable alternative for a small team.

What changes the equation is removing the verification step from triage entirely. When exploitability is confirmed before a finding reaches the team, with reproduction steps attached, asset context included, and the question of whether this issue warrants attention already answered, the queue contains only actionable work. The overhead of determining what matters is absorbed by the platform, not the team.

This is what adversarial exposure validation makes possible in practice. Rather than surfacing everything a scanner finds and leaving the judgement call to the security function, the platform tests whether findings are reachable and exploitable in the specific environment before escalating them. The 99.5% of findings that cannot be exploited in practice are filtered out.

For Breeze, this replaced hours of manual validation per finding with a confirmed signal that arrived ready to act on. Verified Risks delivers each finding with reproduction steps unique to the specific asset, meaning the team does not need to replicate the investigation and can move directly to remediation. This also changed how Breeze thinks about risk ranking. CVSS scores had served as the primary proxy for severity, a blunt instrument that treats theoretical impact as a stand-in for confirmed exposure. Hadrian replaces that with prioritisation grounded in what an attacker could actually reach.

As Noah H., CISO at Breeze Airways, described it:

"With Hadrian my team finally has a grip on prioritisation, it saved us days of sifting through noise."

Blind spots compound the problem where it matters most

For Breeze, the areas with the weakest coverage included API security and Content Security Policy configuration, exactly the parts of the environment where customer financial data and personally identifiable information were most concentrated. Gaining reliable depth of coverage in those areas required tooling specifically built to reach them, rather than broad scanning solutions designed for general coverage.

This is a common pattern in cloud-native environments, where the attack surface is dynamic and the areas of highest sensitivity do not always align with the areas that commodity scanning tools cover best. Continuous attack surface management addresses this by maintaining persistent discovery and monitoring across the full external environment, covering domains, IPs, certificates, and APIs, rather than providing a periodic snapshot that reflects the environment at a single point in time. When something changes, when a new asset appears or a configuration shifts, the team knows. The alternative is finding out when an attacker does.

Extending what a lean team can actually do

Validated findings change what a small security function can accomplish, but the operational benefit goes further than reducing triage time. When the findings that reach the team arrive with full context and reproduction steps, decisions require less specialist knowledge to act on. Security staff at different technical levels can engage with the platform directly without relying on a senior team member to interpret and translate.

At Breeze, this mattered. In a small security function, cross-functional agility is a competitive advantage. The platform's agentic AI interface extended that capability across the team, removing the bottleneck that arises when only the most experienced staff can extract value from the tool. The work became less reactive, decisions were better informed, and the security function gained the confidence that comes from continuous coverage rather than point-in-time assessments. Team morale improved alongside operational effectiveness, an outcome that is difficult to attribute to tooling alone, but follows naturally when the work feels manageable rather than unending.

To see how Breeze Airways moved from unverified scanner output to confirmed, actionable exposure, the full case study is here.
