Vulnerability management is hard. Every day, over 60 to 100 new CVEs are published in the National Vulnerability Database (NVD). That adds up to around 2,000 to 3,000 vulnerabilities per month, and more than 25,000 annually—a number that’s been steadily rising year over year.
Doing it in Operational Technology (OT) networks? Even harder. This relentless growth is overwhelming traditional CVE management processes, especially in industrial environments where patching isn’t always feasible. As the volume surges, organizations face a mounting backlog of unresolved vulnerabilities, making it increasingly difficult to separate signal from noise. Without a smarter, risk-based approach, the sheer scale of CVE discovery is turning vulnerability management into an unmanageable—and risky—problem.
For Managed Security Services Providers (MSSPs), risk-based vulnerability management is becoming the frontline of competitive differentiation.
Let’s unpack why, using real-world data from two industrial customers managed by the same MSSP.
The MSSP’s Role in OT Vulnerability Management
At the core, MSSPs help customers monitor, assess, and respond to cybersecurity threats. One of their most vital duties? Managing vulnerabilities—those known weaknesses in software and hardware tracked under Common Vulnerabilities and Exposures (CVEs).
But in OT networks, traditional vulnerability management breaks down. Why?
Because patching isn’t always an option. Because devices are old, diverse, and often can’t be updated. Because operational uptime takes priority over IT best practices. This makes risk-based CVE management, not volume-based triage, the only sane approach.
The Data: One MSSP, Two Industrial Customers, 2,972 Vulnerabilities
The MSSP's Customer 1 operates 6 production facilities; Customer 2 operates 5. Combined, they account for 2,972 unique vulnerabilities: 1,616 for Customer 1 and 1,356 for Customer 2.
Figure: Customer 1 – All CVEs
Figure: Customer 2 – All CVEs
There is overlap: 1,229 CVEs appear in both portfolios, but that is still far too many to manage efficiently. And not all vulnerabilities are the same.
The Power of Context: What Actually Drives Risk
To prioritize CVEs effectively, MSSPs need more than EPSS and CVSS scores. They need contextual intelligence:
- Business impact data (What would downtime cost?)
- Threat intelligence (Is this being actively exploited?)
- Network topology (Is the vulnerable device exposed?)
- Cybersecurity controls (Is the device isolated or protected?)
- Device function (Is it mission-critical?)
DeRISK™ QVM, a purpose-built OT Quantified Vulnerability Management engine, fuses all of this into a real-time risk score expressed in dollars, not abstract ratings. That is the difference. Using DeRISK™ QVM, we analyzed each CVE's potential financial impact. The result is a clear ranking of the vulnerabilities that actually drive risk: those that affect devices critical to the business, are not mitigated by compensating cybersecurity controls, and would cause serious financial loss if triggered. That cuts the 2,972 CVEs down to fewer than 30.
That is about 1% of the initial count! And only 7 CVEs overlap between the two customers' top 10 risk drivers, 0.24% of the original CVE count. Imagine the time and cost savings for the MSSP, and the efficiency brought to the vulnerability management program!
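As an added illustration (not DeRISK™ QVM's model or code; the post does not disclose its weighting), the following Python ranks a constructed CVE inventory by dollar-denominated expected loss using the five context signals listed above, and then counts the CVEs shared by two customers' top lists. The likelihood and impact multipliers, the 8-hour outage assumption, the asset names and the placeholder CVE-EXAMPLE-1 are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Finding:
    """One CVE on one asset, plus the five context signals the post lists."""
    cve: str
    asset: str              # "site/device", so device counts can span sites
    cost_per_hour: float    # business impact: what an hour of downtime costs
    exploited: bool         # threat intelligence: active exploitation known
    exposed: bool           # network topology: reachable from less trusted zones
    protected: bool         # cybersecurity controls: isolated or otherwise shielded
    critical: bool          # device function: mission-critical to production

OUTAGE_HOURS = 8.0  # assumed restoration time if the CVE is triggered

def expected_loss_usd(f: Finding) -> float:
    """Likelihood x impact in dollars; every multiplier is an illustrative assumption."""
    likelihood = 0.5 if f.exploited else 0.05       # threat intel
    likelihood *= 1.0 if f.exposed else 0.2         # topology: unexposed is rarely reached
    likelihood *= 0.1 if f.protected else 1.0       # compensating control in place
    impact = f.cost_per_hour * OUTAGE_HOURS * (1.0 if f.critical else 0.1)
    return likelihood * impact

def rank_cves(findings, top_n=10):
    """Sum dollar risk per CVE across assets; return (cve, usd, device_count) top drivers."""
    loss, assets = defaultdict(float), defaultdict(set)
    for f in findings:
        loss[f.cve] += expected_loss_usd(f)
        assets[f.cve].add(f.asset)
    ranked = sorted(loss, key=loss.get, reverse=True)[:top_n]
    return [(cve, round(loss[cve], 2), len(assets[cve])) for cve in ranked]

def shared_top_drivers(a, b, top_n=10):
    """CVEs in both customers' top-N lists, the overlap the post counts."""
    top_a = {cve for cve, _, _ in rank_cves(a, top_n)}
    top_b = {cve for cve, _, _ in rank_cves(b, top_n)}
    return sorted(top_a & top_b)

# Constructed sample inventories (not the two customers' real data).
CUSTOMER_1 = [
    Finding("CVE-2023-48795", "SiteA/PLC-1", 5000, True, True, False, True),
    Finding("CVE-2023-48795", "SiteB/PLC-2", 5000, True, True, False, True),
    Finding("CVE-2023-44487", "SiteA/HMI-1", 5000, True, False, True, True),
    Finding("CVE-EXAMPLE-1", "SiteC/Printer", 100, False, True, False, False),
]
CUSTOMER_2 = [
    Finding("CVE-2023-44487", "SiteX/SCADA-1", 8000, True, True, False, True),
    Finding("CVE-2021-21974", "SiteY/ESXi-1", 8000, True, True, False, True),
]
```

Note how the same CVE (CVE-2023-44487) lands near the top for one customer and near the bottom for the other purely because of exposure and compensating controls, which is the point the post makes about context.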
Figure: Customer 1 – Top 10 CVEs driving risk
Figure: Customer 2 – Top 10 CVEs driving risk
What the Data Showed
- Customer 1’s top CVE (CVE-2023-48795) impacted 26 devices across 4 sites, representing over $45,000 in risk reduction potential.
Figure: Customer 1 – Device make/model and facility names anonymized
- Customer 2 faced similar threats. Several of the same CVEs, such as CVE-2023-44487 and CVE-2021-21974, appeared again, but with different device counts, roles, and resulting financial risk.
Figure: Customer 2 – Device make/model and facility names anonymized
Each facility had a distinct “risk signature.” One size never fits all.
Why This Is a Competitive Edge for MSSPs
MSSPs that can tell customers which vulnerabilities actually matter—and why—aren’t just offering security. They’re offering insight, efficiency, and cost savings.
By focusing patching, segmentation, or compensating controls on the top 2% of CVEs driving 90% of the risk, MSSPs become strategic partners—not just service providers.
Conclusion
OT vulnerability management is uniquely challenging. Generic scores like CVSS or EPSS can’t tell the full story. Risk-based prioritization is not optional—it’s essential. And DeRISK™ QVM by DeNexus is the purpose-built engine to make it possible.
Call to Action
MSSPs: Want to deliver smarter, risk-aligned OT security? Explore DeRISK™ QVM today. It’s not just better vulnerability management—it’s better business.
If you want to learn more, get in touch with our team, or understand how the above is put to use to quantify and manage cyber risks at 250+ industrial sites monitored by DeNexus, you can contact us at https://www.denexus.io/contact.