Capacity is King
Most exposure programs are managed like a throughput problem: “If we just fix more vulnerabilities, we’ll be safer.” The data say that’s an incomplete model. In practice, exposure is a constrained optimization problem: you have limited remediation capacity, and your outcome depends as much on what you pick as on how fast you patch.
Prioritization to Prediction Vol. 8 formalizes that in a simulation: start with each organization’s open vulnerabilities, impose a capacity constraint, and apply different prioritization strategies. The capacity levels are grounded in observed enterprise behavior: a low-capacity organization closes 6.6% of its open vulns per month, a median organization closes 15.2%, and a high-capacity organization closes 27.1%. The median is about 15%.
Exploitability reduction achieved by improving remediation strategy and capacity is the cleanest executive benchmark I know for answering the only question that matters in exposure management: “What do I get (risk reduction) for the remediation I can actually afford (capacity)?”
The median enterprise has 15% remediation capacity.
Here’s the benchmarking punchline: strategy dominates capacity.
Variability is high, but skews left.
First, simply comparing strategies at a fixed (median) capacity, P2P (Prioritization to Prediction) shows that CVSS-based prioritization performs about the same as random selection. This matters because it demonstrates something CISOs intuit but rarely quantify: severity isn’t a strategy.
Across low/median/high capacities, some strategies always outperform others regardless of capacity, and prioritizing known exploits beats “quadrupling capacity to patch what CVSS deems critical.” That is the core exposure-management governance insight: adding headcount and tooling won’t rescue a weak prioritization function. We’ll compare exact numbers in Part 4.
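To make the capacity-versus-strategy comparison concrete, here is a small capacity-constrained remediation simulation in the spirit of the P2P setup described above (the capacity constraint from the simulation description, and the random / CVSS / known-exploit strategies compared here). It is an added illustration, not Kenna’s or Cyentia’s model or data: the backlog is a constructed population in which exploitation is rare and only weakly tied to CVSS (the 3% and 8% rates are assumptions chosen to make the effect visible), and the only numbers taken from the text are the three monthly close rates. The metric is the share of initially exploited vulnerabilities still open after the simulated months, so lower is better.

```python
"""Capacity-constrained remediation simulation.

Added illustration of the capacity-vs-strategy idea; not the P2P model or its data.
Only the three capacity levels below are taken from the text.
"""
import random
from dataclasses import dataclass

# Share of open vulns closed per month at each capacity level (from the text).
CAPACITY = {"low": 0.066, "median": 0.152, "high": 0.271}


@dataclass(frozen=True)
class Vuln:
    vid: int
    cvss: float
    exploited: bool  # "known exploited in the wild" flag (constructed)


def generate_population(n: int, seed: int = 7) -> list:
    """Constructed backlog: CVSS uniform on [1, 10]; exploitation is rare and only
    weakly correlated with severity. The 8% / 3% rates are assumptions."""
    rng = random.Random(seed)
    vulns = []
    for i in range(n):
        cvss = round(rng.uniform(1.0, 10.0), 1)
        p_exploited = 0.08 if cvss >= 7.0 else 0.03
        vulns.append(Vuln(i, cvss, rng.random() < p_exploited))
    return vulns


# Each strategy ranks the open backlog; the top `budget` entries get remediated.
def order_random(open_vulns, rng):
    picks = list(open_vulns)
    rng.shuffle(picks)
    return picks


def order_cvss(open_vulns, rng):
    return sorted(open_vulns, key=lambda v: -v.cvss)


def order_exploited_first(open_vulns, rng):
    # Known-exploited first, CVSS only as a tie-breaker within each group.
    return sorted(open_vulns, key=lambda v: (not v.exploited, -v.cvss))


STRATEGIES = {
    "random": order_random,
    "cvss": order_cvss,
    "exploited_first": order_exploited_first,
}


def monthly_budget(open_count: int, capacity: float) -> int:
    """Remediation slots this month: capacity is a fraction of the open backlog."""
    return round(capacity * open_count)


def simulate(vulns, strategy: str, capacity: float, months: int = 1, seed: int = 11) -> float:
    """Fraction of initially exploited vulns still open after `months` of remediation."""
    rng = random.Random(seed)
    open_vulns = list(vulns)
    initial_exploited = sum(v.exploited for v in vulns)
    rank = STRATEGIES[strategy]
    for _ in range(months):
        budget = monthly_budget(len(open_vulns), capacity)
        closed = {v.vid for v in rank(open_vulns, rng)[:budget]}
        open_vulns = [v for v in open_vulns if v.vid not in closed]
    still_exploited = sum(v.exploited for v in open_vulns)
    return still_exploited / initial_exploited if initial_exploited else 0.0


def benchmark(vulns, months: int = 1) -> dict:
    """Residual exploitability for every (strategy, capacity) pair."""
    return {(s, c): simulate(vulns, s, CAPACITY[c], months)
            for s in STRATEGIES for c in CAPACITY}


if __name__ == "__main__":
    population = generate_population(2000)
    for (strategy, level), remaining in sorted(benchmark(population).items()):
        print(f"{strategy:16s} {level:7s} capacity -> "
              f"{remaining:6.1%} of exploited vulns still open")
```

Reading the grid row by row shows the governance point: the exploited-first row drives residual exploitability to zero even at low capacity, because the monthly budget exceeds the number of exploited items, while the CVSS row at high capacity still leaves a large share open. Swapping in a real backlog (CVSS plus a known-exploited flag such as a KEV or EPSS-derived label) and an organization’s own observed close rate turns this into the benchmark the text describes.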