Skip to content
Field Notes
Field Notes

From prioritization to proof

Exposure management has to prove reduction, not just rank findings.

Most security teams are running a machine that nobody quite names.

It takes in thousands of findings a week. It sorts them, scores them, pushes the scary ones up and the boring ones down, and hands the team a ranked list of what to worry about. The team works the top of the list. Tickets open, tickets close, the queue fills back up overnight, and the whole thing starts again next week.

It feels like progress. There's activity, there are reports, there's a real sense that the worst things are being dealt with first. But run it for a year and ask the one question that matters, and it gets quiet.

Did the risk actually go down?

Not "did we work hard." Not "how many tickets did we close." Is the environment harder to attack than it was a year ago, and can you show it?

I call this the triage treadmill. A lot of effort, a lot of motion, and you end up about where you started. Last quarter's findings are back on the list, slightly reordered. The number of criticals is about the same. And many teams struggle to point to a specific risk that is actually gone.

The treadmill isn't a failure of effort. Security teams work incredibly hard. It's a failure of where we put the finish line. We put it at "prioritized," and we did it for an honest reason: prioritized is the last thing the tools can actually do. Everything after it, the fix, the follow-up, the proof it worked, became someone else's job.

Ranking is not reducing

Here's the plain version of the problem. Moving a finding from rank 400 to rank 3 doesn't change anything about your environment. The exposure is just as real at rank 3. The only thing that changed is where it sits on the screen.

We've gotten very good at the sorting and spent almost no time on the gap between "we triaged it" and "it's gone." That's not a mystery, and it's worth being honest about why. Triaging is easy to measure and fixing is hard. "We triaged 4,000 findings this quarter" is a number you can put in a board deck and get credit for. "We removed one exposure path" is harder to count and harder to claim. So we optimized the thing we could measure and take credit for, and the actual risk sat right where it was.

It's worth saying who this serves. Most of the tooling market is built to help you rank faster, because ranking is what's easy to sell. Very few products are built around proving the risk went down, because proof is the one thing that can come back and say it didn't. A better score always looks like progress. Verified reduction sometimes looks like "we thought we fixed that, and we hadn't." One of those is comfortable to sell. The other is the one that actually matters.

A ranked list is a to-do list. A to-do list isn't an outcome. Somewhere we started treating the list as the work.

The score you sort by has never seen your environment

And the thing doing the ranking can't see the part that matters.

CVE · score 7.5 edge-proxy-03 internet-facing svc-acct · prod role customer-db → reaches business-critical data lab-bench-11 isolated test box → reaches nothing

Take two findings. Same CVE, same score, say a 7.5. The first is on a host we'll call edge-proxy-03: internet-facing, running as a service account that can assume a role in your production cloud, and that role can reach a tagged customer database or business-critical system. The second, same CVE and same 7.5, is on lab-bench-11, an isolated test box that can't reach anything and holds nothing worth taking.

One is a straight path to business-critical data. The other doesn't matter. Your severity score rates them the same, because it was never looking at your environment.

It scored the vulnerability on its own, the same 7.5 it would give any company anywhere. So the two findings land next to each other in the queue, and someone has to guess which one actually matters.

The exposure that should stop you is usually the one the score can't see, because seeing it means knowing what the finding can reach. The score never looked.

And it's about to get much worse

Here's why this stops being a chronic annoyance and becomes the thing that breaks.

The treadmill was survivable when findings grew slowly. They're not going to grow slowly. Every force in security right now is a findings multiplier. AI is helping teams write more code, faster, which means more change, more surface area, and more to scan. Attackers are automating discovery and moving at machine speed, so the window between exposed and exploited keeps shrinking. Your footprint keeps sprawling across more cloud accounts, more identities, more services than any team can hold in their head. And the scanners get better every quarter at surfacing more.

Put those together and the gap between what you can find and what you can prove reduced isn't just wide. It's widening, fast. Ranking faster in that world is bailing faster on a boat that's taking on more water every month. You do not out-triage an exponential. The only way off the treadmill is to change what "done" means, before the volume makes the old definition of done completely meaningless.

A test you can run on your own program

You don't need a vendor, including us, to tell you if you're on the treadmill. Run this yourself. Five questions, answered honestly.

The five-question self-diagnostic
  1. Can you name one exposure you removed last quarter and show it's gone? Not a closed ticket. The exposure condition itself, checked again and confirmed.
  2. Do you know which of last quarter's fixes reduced risk, versus just cleared the queue? If every closed ticket counts the same, you don't.
  3. When a finding gets prioritized, does the ranking know what it can reach in your environment, or only what it scores in the abstract?
  4. If your board asked whether you're less exposed than a year ago, could you answer with anything besides throughput numbers?
  5. When a fix is marked done, does anyone confirm the risk is gone, or does "closed" end the story?

If those are uncomfortable, that's not a knock on your team. It's the treadmill. It's what happens when the finish line gets set at the last easy step.

And to be fair about it, we hold ourselves to the same five. Any tool in this space, ours included, should be able to answer these about the work it claims to drive. If it can't, it isn't reducing your risk. It's just keeping you busy.

Proof is the finish line

Here's the change I think exposure management has to make, and why we're building Unizo.

The finish line isn't "prioritized," and it isn't even "remediated." It's proven reduced. Understand the exposure in the context of your real environment. See whether it forms a path to something that matters. Get the fix to the person who owns it, with enough context that they act on it. Then go back and check that the exposure is actually gone. Not the ticket. The risk.

That last step, the checking, is the one almost everyone skips, and it's the one that turns exposure management from an activity into a result. It's the difference between telling your leadership "we closed 900 tickets" and telling them "here's the risk we removed, and here's how we know."

"Prioritize better" was never much of a mission. "Prove it went down" is.

If you've been running the treadmill and quietly wondering whether the numbers mean what they're supposed to, we're thinking about the same problem. It's the one we started Unizo to solve.

Praveen Kumar, Co-founder & CEO, Unizo

Frequently asked
What's the difference between prioritizing findings and reducing exposure?
Prioritizing ranks findings so a team knows what to look at first. Reducing exposure means the underlying risk condition is actually removed, and that removal is verified. A program can prioritize constantly and still reduce very little, because ranking changes the order of a list, not the state of the environment.
Why aren't severity scores enough to prioritize security work?
A severity score describes a vulnerability on its own. It doesn't account for your environment, whether the affected asset is reachable, what it can access, or what it sits next to. Two findings with the same score can carry very different real risk depending on the paths around them.
What does "verified closure" mean in exposure management?
It means checking the actual exposure condition after remediation, instead of treating a closed ticket as proof. Unizo re-checks supported exposure conditions and produces evidence of whether risk was reduced, so "done" reflects the environment, not just the ticket queue.
Isn't this just another name for vulnerability management?
Vulnerability management usually centers on finding and tracking vulnerabilities. Exposure reduction focuses on whether a finding forms a real path to something that matters, driving the fix to the right owner, and producing evidence that the exposure was reduced. The findings are an input. The verified reduction is the outcome.
How can a team start measuring reduction instead of activity?
Start by separating activity metrics (tickets closed, findings triaged) from reduction metrics (exposure conditions verified as removed). The five questions in this piece are a practical way to see which one your current reporting actually measures.
All Field Notes