          Research & Articles
          Sharing what the data shows us.
        

Michael Roytman 1/26/26 Michael Roytman 1/26/26

Remediation Half‑Life

Michael Roytman 1/13/26 Michael Roytman 1/13/26

The KEV Paradox

Michael Roytman 1/5/26 Michael Roytman 1/5/26

Trojan RAT: Stopping Exploit Spoofing with Machine Learning

Ed Bellis 12/18/25 Ed Bellis 12/18/25

Say Goodbye to Kenna — Say Hello to Local Models at Scale

Last week, Cisco announced the End of Life of Cisco VM (Kenna Vulnerability Management), a company and product I spent the better part of 13 years building. Needless to say, this brought me through the whole range of emotions, but it also served as a great way to reflect on that time.

Joe Clay 12/16/25 Joe Clay 12/16/25

New Features: Critical Indicators & Known Exploitation Calendar Heatmap

We built critical indicators to explain the reasoning behind any CVE’s Empirical Score (0% - 100% real-world exploitation risk). Every CVE we analyze is modeled against over 2,000 data points. We took these model weight contributions and grouped them into the following categories: Chatter, Exploitation, Threat Intelligence, Vulnerability Attributes, Exploit Code, References, and Vendor.

Michael Roytman 12/4/25 Michael Roytman 12/4/25

Risk Model Slop

In cybersecurity risk scoring, “risk model slop” is the quiet but widening gap between what a probability means in a model and how vendors distort it once it leaves its original calibration.

Michael Roytman 10/8/25 Michael Roytman 10/8/25

Local Models vs Global Scores: Why Context Isn’t Enough

Context improves interpretation; local models improve decisions. If you want autonomous, defensible security actions, invest in a model that learns your environment and keeps learning as it changes.

Michael Roytman 9/4/25 Michael Roytman 9/4/25

How to Calculate a Shadow Price: Turning Model Thresholds into Operational Strategy

Michael Roytman 9/2/25 Michael Roytman 9/2/25

Shadow Pricing: the Business Case for Remediation Capacity

Michael Roytman 8/27/25 Michael Roytman 8/27/25

The Duality of Risk and Capacity in Vulnerability Management

Ed Bellis 8/25/25 Ed Bellis 8/25/25

AUC or GTFO

Michael Roytman 8/18/25 Michael Roytman 8/18/25

Blackhat Rat Pack Recap

Jay Jacobs 8/14/25 Jay Jacobs 8/14/25

Finding New Exploits with A Bespoke Model

“Why do we need another scoring system?” is not the best question to ask. Instead we need to get accustomed to asking about performance. This post walks through an example from our latest improvement to our exploit code classifier.

Jay Jacobs 8/14/25 Jay Jacobs 8/14/25

It’s Not About Making a Scoring System

Ed Bellis 7/17/25 Ed Bellis 7/17/25

Why I Decided to Join Empirical Security

Michael Roytman 7/15/25 Michael Roytman 7/15/25

Benchmarking LLMs on the Vulnerability Prioritization Task

LLMs underperform EPSS in estimating vulnerability exploitation in the next 30 days.

Jay Jacobs 7/8/25 Jay Jacobs 7/8/25

Known Exploited vs Recently Exploited

Past exploitation is not a guarantee of future exploitation. However, recent exploitation is in fact a powerful predictor of future exploitation!

Ben Schmeckpeper 7/2/25 Ben Schmeckpeper 7/2/25

Building with Intention: The Way We Work at Empirical

Jay Jacobs 6/30/25 Jay Jacobs 6/30/25

Known (Re-)Exploited Vulnerabilities

Conventional wisdom in cybersecurity tells us that if a vulnerability is known to be exploited that everyone should patch it immediately, but the reality is a lot more nuanced. Known exploited in the past does not guarantee future exploited.

Jay Jacobs 5/29/25 Jay Jacobs 5/29/25

Watch our co-founder speak at VulnCon 2025

Watch our co-founder Jay Jacobs present research and facilitate industry discussions at CVE Program & FIRST VulnCon 2025 in Raleigh, NC.