The 1% Problem: Inside Qualys’s bet that most of cybersecurity has been chasing the wrong list
Less than 1%: that is the share of "critical" vulnerabilities sitting in the average enterprise environment that an attacker can actually exploit. The other 99% are real findings with real CVE numbers and real severity scores. They show up on dashboards, consume engineer hours, and get patched on schedule. And in most cases, an attacker would not be able to use them against the organisation, so there's no need to anxiously chase them down. That has always been true.
However, what has changed is the cost of getting it wrong. In an era where AI is compressing the window between vulnerability disclosure and active exploitation to hours — not weeks — spending finite security resources on the irrelevant 99% is no longer just inefficient. It is a structural liability. The question is no longer whether organisations can patch faster. It is whether they are even patching the right things at all.
That uncomfortable number is the premise underneath two of Qualys’s newer capabilities, TruLens and TruConfirm, along with Agent Val, the agentic AI layer being built on top of them. I spoke to two of the people responsible for building it.
A scanner that knows what it cannot see
“For 20 years, vulnerability management has been about producing a list,” Himanshu Kathpal, VP of Products at Qualys, told us. “The longer the list, the more thorough the program looked. But the list was never the goal.”
Traditional scanners are good at one thing: telling you what software exists in your environment and matching it against a database of known vulnerabilities. They are almost completely blind to a more important question: whether any of those vulnerabilities can actually be reached and exploited, given everything else you have done to defend yourself. A vulnerability flagged as critical might be sitting behind a web application firewall, a segmentation rule, or an EDR policy that takes the real risk to near zero. Or it might be wide open. The scanner cannot tell the difference.
TruConfirm is Qualys’s answer. The product runs what the company calls “safe exploit validation” in production, checking whether each vulnerability is actually reachable. “Instead of running attacker payloads,” Kathpal said, “we replicate the behaviour of an attacker using benign equivalents.”
If a vulnerability allows an attacker to create an out-of-band connection back to their server, TruConfirm sends a benign payload that asks the target to reach a Qualys-controlled endpoint. If it does, the path is proven open. Nothing malicious has been sent. The mechanism is the one an attacker would use. The warhead is gone.
That gap, between mechanism and warhead, is where most of the engineering work lives. “Public exploits are easy,” Kathpal said. “Safe exploit checks are not.” Qualys hired a team of world-class white-hat engineers to take public exploit code, reverse-engineer it, and strip out everything dangerous while preserving the signal that proves the vulnerability is real. The product took two years to build. It leaves no footprint on the target system, deploys no agents, and does not escalate privileges, even when the underlying vulnerability would allow it. “The point is to prove the attacker’s path is reachable,” Kathpal said, “not to walk down it.”
The 62 million number
Whether any of this matters depends on whether the funnel narrows the work in a way customers can feel. The number Qualys quotes is from a Fortune 50 deployment that came in carrying 62.5 million live findings. After running TruRisk, Qualys’s prioritisation engine, that came down to roughly 4%. After overlaying the critical asset context, 1%. After TruConfirm validation, the actionable list shrank again, this time to only the vulnerabilities genuinely exploitable in that customer’s specific environment.
The point, Kathpal was careful to note, is not the math. “Instead of arguing about which 600,000 findings to chase first,” he said, “the team ends up with a list small enough to act on, and confident enough to defend in a board meeting.”
There is a quieter point underneath. TruConfirm is included in the Enterprise TruRisk Management (ETM) subscription rather than priced as a separate add-on. Exploit validation, as Qualys’s pricing decision puts it, “should not be a luxury feature. It should be the baseline.”
That decision is doing competitive work. Breach and attack simulation tools have been on the market for years, and almost nobody runs them in production because the public exploits they rely on are not safe enough. Qualys is betting that production-safe validation, included in the price, kills that category as a separate purchase.
The other half of the picture
If TruConfirm answers the question “is this vulnerability exploitable here,” TruLens answers a different one: is anyone trying to use it against us?
“Once AI showed up in the threat-actor toolkit,” Kathpal said, “the rate at which new vulnerabilities surfaced roughly tripled. Whatever budget anyone had set aside for the year burned out in a quarter.”
CVSS, the industry’s standard prioritisation tool, is binary and static. It tells you a vulnerability exists and what could happen in the worst case. It does not tell you whether anyone is actually trying to do the worst-case scenario to you today in your industry. TruLens is the layer Qualys built to add that context. The product tracks more than 700 active threat actors, mapping which industries they target, what malware they prefer, what initial access techniques they use, and, crucially, when they are active.
The data comes from dark web chatter, deep web forums, third-party intelligence feeds, and Qualys’s own analysis of past campaigns. “When SolarWinds happened, we mapped the five steps that played out,” he said. “When the next Lazarus campaign hits, we will have the playbook before most teams know to look for it.”
Instead of asking whether a CVE is critical, the question becomes whether anyone with the means and motive to hit your industry is actively weaponising it right now. Most of the time, the answer is no, and the work goes lower on the list. Sometimes the answer is yes, and everything else stops.
TruLens also reports a metric that Qualys built to fix what it sees as a long-standing distortion in the industry’s reporting: average window of exposure. Mean Time to Remediate, the headline number for vulnerability programs for a decade, averages everything: all criticals, all internet-facing assets, all the noise alongside the signal. “It flatters the report,” he said, “but it does not reflect actual risk.”
The window of exposure measures how long a specific class of vulnerability remained exploitable before it was patched. If your public servers had Log4Shell exposed for six days, that is the number that matters, not the 60-day average across every finding in the system. The product also benchmarks teams against peer cohorts sliced by geography, industry, and organisation size. As Kathpal put it, “a 20-person fintech in Singapore is not a useful comparison for a 50,000-person manufacturer in Germany.”
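As an added example (not Qualys’s code and not part of the original article), the following Python models the distinction the two paragraphs above draw: a flat MTTR averaged over every closed finding beside a window of exposure computed for one class of vulnerability on one class of asset. The findings, asset names, dates and the “CVE-x-placeholder” labels are constructed; only “Log4Shell” is taken from the article.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Callable, Optional

@dataclass(frozen=True)
class Finding:
    vuln: str                 # vulnerability name or CVE id
    asset: str
    internet_facing: bool
    first_seen: date          # day the scanner first reported it
    patched: Optional[date]   # None means it is still open

def mean_time_to_remediate(findings):
    """Flat MTTR: average days-to-patch over every closed finding,
    whatever the asset's exposure or the vulnerability's class."""
    closed = [f for f in findings if f.patched is not None]
    return mean((f.patched - f.first_seen).days for f in closed)

def window_of_exposure(findings, in_class: Callable[[Finding], bool], as_of: date):
    """Days from the first sighting of a vulnerability class until the last
    affected asset was patched. If any member is still open the window runs
    to `as_of`, and the second return value flags that it is still growing."""
    members = [f for f in findings if in_class(f)]
    if not members:
        return 0, False
    start = min(f.first_seen for f in members)
    still_open = any(f.patched is None for f in members)
    end = as_of if still_open else max(f.patched for f in members)
    return (end - start).days, still_open

# Constructed sample scan results; assets, dates and placeholder CVE labels are invented.
SAMPLE = [
    Finding("Log4Shell", "web-1",   True,  date(2021, 12, 10), date(2021, 12, 13)),
    Finding("Log4Shell", "web-2",   True,  date(2021, 12, 10), date(2021, 12, 16)),
    Finding("Log4Shell", "build-7", False, date(2021, 12, 10), date(2022, 2, 8)),
    Finding("CVE-A-placeholder", "db-3",    False, date(2021, 11, 1), date(2022, 1, 30)),
    Finding("CVE-B-placeholder", "hr-app",  False, date(2021, 10, 1), date(2022, 2, 19)),
    Finding("CVE-C-placeholder", "kiosk-2", False, date(2022, 1, 1),  None),
]
AS_OF = date(2022, 3, 2)   # reporting date for the constructed sample

def public_log4shell(f: Finding) -> bool:
    return f.vuln == "Log4Shell" and f.internet_facing

if __name__ == "__main__":
    # The flat average reads 60 days; the public-server Log4Shell window reads 6.
    print("MTTR (all closed findings):", mean_time_to_remediate(SAMPLE))
    print("Window of exposure, Log4Shell on public servers:",
          window_of_exposure(SAMPLE, public_log4shell, AS_OF))
    print("Window of exposure, still-open kiosk finding:",
          window_of_exposure(SAMPLE, lambda f: f.vuln.startswith("CVE-C"), AS_OF))
```

The same five closed findings yield a 60-day MTTR, while the class a board actually asks about (Log4Shell on internet-facing hosts) was closed in six days; a still-open member keeps its class window growing until the reporting date.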
The bias they had to fix
The hardest engineering problem in TruLens was bias in the underlying data. Almost every commercial threat intelligence feed is calibrated to the United States, because that is where the honeypots have historically been deployed. For Qualys’s customers across the US, Europe, and Asia, that meant the threat picture they were getting was not really their threat picture. The fix was unglamorous: Qualys deployed honeypots in India and built geo-specific intelligence on top of them, with similar work underway in every region where it operates.
The other surprise was that threat actors are not stable entities. “Lazarus splinters into 15 sub-units with different names,” Kathpal said. Groups collaborate, sell access, share infrastructure. “Cybercrime is now an as-a-service model.” Tracking actors as fixed identities was producing a misleading picture, so the team shifted to tracing campaigns instead, working backwards through dark web chatter, leaked tooling, and SEC filings to rebuild the chain from reconnaissance through impact. The next iteration of the product will surface the dollar cost of an attack alongside its technical details.
“If a particular actor decides to come for your business next quarter, what does it cost when remediation, recovery, insurance, and downtime are added up?” That number, more than any CVSS score, is the one that gets a board’s attention.
What sits underneath all of this
Spend any amount of time talking to Qualys’s product team and a quieter argument starts to surface — that the entire industry has been measuring the wrong thing for a long time. “If less than 1% of critical vulnerabilities are exploitable,” Kathpal said, “then 99% of the work the industry has been doing has been chasing things that were never going to hurt anyone. That is the central operational problem of cybersecurity.”
It is a strong claim, and it is fair to push back on it. Compensating controls fail. Environments change. The 99% is not zero. The pitch is more careful: not to stop fixing those vulnerabilities, but to stop pretending the queue order does not matter.
The other open question is the agent layer. Agent Val, already shipping, with broader workflow integration coming this year, handles validation end to end. It decides which CVEs to validate first, launches the TruConfirm scan, updates the risk score, and connects to Qualys’s patching workflow. It runs in three modes: fully automatic, semi-automatic with human approval, and manual. The natural worry is that an agent with this much access becomes a new attack surface.
The architecture answers that. Agent Val does not run inside the customer environment. It runs on the FedRAMP-compliant Qualys platform and inherits the role-based access of the user running it. “It cannot do anything you could not do yourself,” Kathpal said.
The list of 600,000 critical findings was never the artefact that mattered. The list of 15 is. Whether the industry agrees and whether budgets shift are answers we will get over the next two or three reporting cycles. But the question Qualys is forcing onto the table is the one the rest of the industry has been quietly avoiding. If most of what your team is doing is not making you safer, what is the work you should be doing instead?
This article is part of an editorial series produced in partnership with Qualys, exploring how the Risk Operations Center is reshaping the way enterprises think about cyber risk. The reporting, interviews, and views are The Source Code’s own.