Organizations continue to face significant challenges in reducing vulnerability remediation times, with many struggling to prioritize exposures that pose the greatest operational risk. While existing scoring systems like CVSS and EPSS provide baseline metrics, they often lack the contextual information needed for effective decision-making. Tenable’s new Vulnerability Watch classification system, inspired by the WHO’s COVID-19 variant tracking approach, aims to address this gap by introducing clear, status-based terminology to communicate vulnerability risks.
The Challenge of Vulnerability Prioritization
Traditional vulnerability scoring systems have served as the foundation for risk assessment for years, but their limitations are becoming increasingly apparent. The Common Vulnerability Scoring System (CVSS), while widely adopted, often fails to convey the real-world risk of vulnerabilities. Analysis of the 186 CVEs added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in 2024 reveals that 40% were rated as critical, 46.2% as high severity, and 13.4% as medium severity. This distribution demonstrates that severity scores alone cannot reliably guide remediation efforts.
Tenable Research’s collaboration with Verizon on the 2025 Data Breach Investigations Report (DBIR) examined remediation rates for 17 CVEs in edge devices. The findings showed that over half (52.9%) were non-critical flaws (CVSS scores below 9.0), yet organizations still struggled with timely patching. Critical vulnerabilities like CVE-2024-21762 and CVE-2024-23113 in Fortinet products averaged between 172 and 260 days for remediation, while CVE-2024-3400 in Palo Alto Networks PAN-OS (CVSS 10.0) took most industries over 100 days to patch.
Introducing Vulnerability Watch
Tenable’s Vulnerability Watch classification system, launched in 2024, introduces three distinct categories for vulnerabilities: Vulnerability Being Monitored (VBM), Vulnerability of Interest (VOI), and Vulnerability of Concern (VOC). This system provides a semantic layer to vulnerability intelligence, translating technical risk assessments into terminology that’s more accessible to various stakeholders involved in remediation efforts.
| Classification | Definition | Example CVEs |
|---|---|---|
| Vulnerability Being Monitored (VBM) | Potential impact, under active tracking by Tenable Research | CVE-2024-48887 (FortiSwitch), CVE-2025-23120 (Veeam) |
| Vulnerability of Interest (VOI) | Proof-of-concept available or initial exploitation reports | CVE-2025-22457 (Ivanti), CVE-2025-32433 (Erlang/OTP) |
| Vulnerability of Concern (VOC) | Active, widespread exploitation occurring or imminent | CVE-2024-1709, CVE-2024-1708 (ConnectWise), CVE-2023-4966 (Citrix) |
Complementing Existing Tools
Vulnerability Watch is not designed to replace existing scoring systems but rather to complement them. Tenable’s research shows that while CVSS and EPSS remain important for technical teams, the new classification system helps bridge the communication gap between security teams and business stakeholders. The system is dynamic, allowing vulnerabilities to be reclassified as new information emerges – a VBM can become a VOI, a VOI can escalate to VOC, or a VOC can be downgraded as threats evolve.
This approach aligns with broader industry trends toward more contextual vulnerability management. PeerSpot’s 2025 comparison of Tenable Nessus and Tenable Vulnerability Management (TVM) highlights the growing importance of cloud-native, scalable solutions that incorporate AI-driven prioritization. While Nessus remains popular for its unlimited scanning capabilities (rated 8.2/10 by users), TVM’s cloud features and real-time monitoring (7.9/10) better support modern hybrid environments.
Implementation and Availability
Vulnerability Watch classifications are now available across Tenable’s product ecosystem. Security teams can access them through the Tenable CVE page, within individual CVE pages for classified vulnerabilities, and as part of Tenable’s Vulnerability Intelligence offering. The system integrates with Tenable One, the company’s exposure management platform, providing a unified view of organizational risk.
For organizations looking to improve remediation times, Tenable has partnered with Adaptiva to offer autonomous patch management solutions. This collaboration has demonstrated significant improvements, reducing average patching times from 32 days to under 5 days in some cases. These automated solutions work alongside Vulnerability Watch classifications to help organizations focus their efforts on the most critical exposures.
Looking Forward
As the cybersecurity landscape continues to evolve, tools like Vulnerability Watch represent an important step toward more effective risk communication. The system’s flexibility allows it to adapt to emerging threats, while its clear terminology helps organizations make better-informed decisions about remediation priorities.
With MITRE’s CVE Program undergoing renewal discussions in 2025, and potential shifts toward decentralized models like the proposed CVE Foundation or GCVE, classification systems that provide additional context beyond basic vulnerability scoring will likely become increasingly valuable. Tenable’s approach offers one potential model for how the industry might evolve to meet these challenges.
References
- “Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.” Tenable Blog, 2025.
- “Tenable Nessus vs. Tenable Vulnerability Management.” PeerSpot Comparison, 2025.
- “CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited in the Wild.” Tenable Blog, 2025.
- “Tenable Unveils Autonomous Solution for Patch Management.” SecurityBrief UK, 2024.
- “Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal.” Tenable Blog, 2025.
- “Verizon 2025 DBIR: Tenable Research Collaboration.” Tenable Blog, 2025.
