Picus Launches Exposure Validation to Safely Deprioritize CVEs

Real-time attack simulations and evidence-based scoring replace guesswork with proof specific to individual organizations, saving thousands of hours

SAN FRANCISCO, May 22, 2025 (GLOBE NEWSWIRE) -- Picus Security, the leading security validation company, today announced Picus Exposure Validation, allowing security teams to verify the exploitability of vulnerabilities based on their unique environments. The new capability continuously tests security controls against real-world attack techniques, identifying which vulnerabilities are truly exploitable and which can safely be deprioritized. Traditional vulnerability management products overlook internal factors like asset criticality and security controls, treating vulnerabilities as equally critical whether in a Fortune 100 company with sophisticated defenses or a regional business relying on basic protections. Picus closes this crucial gap with the Picus Exposure Score, an evidence-based, context-aware metric that accurately quantifies actual risk by accounting for how effectively current security controls mitigate real threats.

More than 40,000 new CVEs were disclosed in 2024 alone, 61% of which were labeled as high or critical. Conventional strategies rely heavily on vulnerability severity (CVSS) and exploitability indicators (EPSS), which ignore whether vulnerabilities are exploitable or already mitigated by existing defenses in a specific organization. This ineffective approach misdirects remediation efforts, leads to inaccurate risk assessments, and contributes significantly to security team burnout. Picus Exposure Validation solves these issues by accurately determining which vulnerabilities truly pose real-world risks, enabling organizations to focus their limited resources on genuinely exploitable threats.

“The challenge today isn’t finding vulnerabilities, it’s knowing which ones matter in your unique environment,” said Volkan Ertürk, co-founder and CTO of Picus Security. “CVSS, EPSS and KEV offer theoretical risk signals. Picus Exposure Validation delivers proof by testing threats against your production defenses in real time. It replaces assumptions with evidence so security teams can focus on vulnerabilities that are actually exploitable.”

Picus Exposure Validation allows security teams to:

• Prioritize accurately, de-prioritize safely: Teams can allocate resources effectively using an automated, transparent and customizable Exposure Score, leveraging best-in-class Security Validation technologies to highlight real threats and safely set aside theoretical risks.
  
  
• Make faster, confident decisions: Teams accelerate decision-making with transparent, real-time reports backed by continuous attack simulations, security control testing and comprehensive documentation supporting compliance efforts and executive communications.
  
  
• Save time and improve mitigation: Teams can significantly reduce manual workload through automated validation processes and receive actionable, tailored recommendations for quickly improving security control effectiveness and mitigating vulnerabilities, even when immediate patching isn’t possible.

Organizations using Picus Exposure Validation have already seen advantages for their teams and their businesses. A global industrial enterprise saved thousands of hours on patching low-impact vulnerabilities. Based on CVSS scores alone, 63% of the vulnerabilities in this organization’s environment were critical, but Picus determined that only 9% were truly high risk and must be prioritized.

For security teams, this is a new way of combining once-overlooked data with a customized view of exploitability to provide focus for team members. A clear view of risk and exploitability gives teams back the precious time and resources needed for mitigation and remediation efforts so they can close security gaps quickly.

Picus Exposure Validation is available now. Learn more on the company’s website, and register for the Adversarial Exposure Validation Summit, May 29 and June 3, 2025.

About Picus Security 
Picus Security, the leading security validation company, gives organizations a clear picture of their cyber risk based on business context. Picus transforms security practices by correlating, prioritizing and validating exposures across siloed findings so teams can focus on critical gaps and high-impact fixes. With Picus, security teams can quickly take action with one-click mitigations to stop more threats with less effort. Offering Adversarial Exposure Validation with Breach and Attack Simulation and Automated Penetration Testing, working together for greater outcomes, Picus delivers award-winning, threat-centric technology that allows teams to pinpoint fixes worth pursuing.

Follow Picus Security on X and LinkedIn.

Contact

Jennifer Tanner
Look Left Marketing
picus@lookleftmarketing.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/2020a071-b1c6-4efc-b12d-adbe1040d9f5