Safeguard
Vulnerability Management

Vulnerability fatigue and the case for risk-based prioritization

48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.

Safeguard Research Team
Research
7 min read

The CVE program published 48,185 new vulnerability entries in 2025, a 20.6% jump from 39,962 in 2024, according to Jerry Gamblin's annual CVE Data Review — roughly 131 new CVEs every day of the year. The cumulative database crossed approximately 308,920 published entries by year's end, a milestone reached just over a quarter-century after CVE numbering began in 1999. Meanwhile, NVD's enrichment backlog — the gap between a CVE being published and receiving a full CVSS score and analysis — has remained a persistent problem since the agency's well-documented 2024 processing slowdown, meaning security teams often triage severity manually before official scoring ever arrives. Layered on top of that raw volume, CISA's Known Exploited Vulnerabilities catalog, the industry's standard reference for confirmed real-world exploitation, has grown past 1,250 entries as of mid-2026 and is still updated weekly — CISA added three more entries in a single alert dated July 7, 2026. For a security team staring at a dependency scan that returns hundreds of "critical" findings on a Monday morning, none of these numbers are abstract: they are the reason vulnerability management has quietly become a volume problem before it's ever a technical one. This piece looks at why alert volume causes fatigue, and how reachability and exploit-maturity signals fix it.

Why does CVE volume alone cause vulnerability fatigue?

CVE volume causes fatigue because the rate of new disclosures has outpaced any team's capacity to manually triage them, and severity scores alone don't tell you what to fix first. A typical enterprise codebase carries hundreds of direct and transitive dependencies, and a standard software composition analysis (SCA) scan matches every one of them against a CVE database without asking whether your application ever calls the vulnerable code. The result is a queue where a CVSS 9.8 finding in a library function your app never imports sits next to a CVSS 6.5 finding in a function that runs on every request handling customer payment data — with nothing in the raw finding list to distinguish them. When every finding looks equally urgent on paper, teams either burn hours re-litigating severity by hand or start ignoring the queue altogether, which is the definition of fatigue: not a lack of tooling, but a lack of a signal that separates real risk from theoretical risk.

What does CVSS severity leave out that causes teams to misprioritize?

CVSS severity leaves out two things that matter more in practice than the score itself: whether the vulnerable code path is ever executed, and whether anyone is actually exploiting it. CVSS base scores measure theoretical worst-case impact and exploitability assuming an attacker can already reach the vulnerable function — they say nothing about whether your specific build wires that function into a reachable call path. Industry data from multiple SCA and reachability vendors, and echoed in OWASP dependency-check discussions, consistently finds that a large majority of CVEs flagged in a typical dependency tree sit in code paths never invoked at runtime. A CVSS 9.8 deserialization flaw in an unused admin utility inside a transitive dependency is not equivalent operational risk to a CVSS 7.5 flaw in a request-handling path exposed to the internet, but a severity-only queue ranks them identically — which is exactly backward from where remediation effort should go first.

How do EPSS and KEV change what "high risk" means?

EPSS and KEV change "high risk" from a static score into a measure grounded in observed and predicted attacker behavior. The Exploit Prediction Scoring System, maintained by FIRST, is a probabilistic model that estimates the likelihood a given CVE will be exploited within the next 30 days, and it has become a widely adopted complement to CVSS precisely because CVSS was never designed to predict exploitation probability. CISA's KEV catalog goes a step further: a CVE on KEV isn't a probability estimate, it's confirmation of exploitation already happening in the wild, which is why federal binding operational directives and most mature vulnerability management programs treat KEV membership as an automatic priority escalation. Pairing EPSS and KEV with CVSS — now a standard three-signal combination across the industry rather than a single vendor's proprietary approach — lets a team distinguish "severe and being actively exploited today" from "severe but no known exploit exists," which is the distinction that actually drives sane patch-order decisions.

How does reachability analysis narrow the queue further?

Reachability analysis narrows the queue by adding proof, not probability, that your specific application can execute the vulnerable code — closing the gap that CVSS, EPSS, and KEV all leave open. Static reachability builds a call graph from your source, lockfile, and compiled artifacts to check whether any path from an entry point leads to the vulnerable sink; dynamic reachability observes production workloads directly and flags any vulnerable path that has never actually fired as cold. Safeguard's own reachability analysis, documented in its Vulnerability Prioritization capability, classifies every finding as reachable, conditionally reachable, unreachable, or unknown (with unknowns — cases involving reflection, eval, or dynamic dispatch — always treated conservatively rather than suppressed), and combines that classification with EPSS, KEV, and PoC-weaponization tracking into a single 0-100 priority score. Reported outcomes from that combined approach show reachability filtering alone typically removes 60-80% of findings from the "urgent" queue, with additional layers like low-EPSS filtering and dev/sandbox asset exclusion cutting further from there.

Does runtime and business context matter as much as the technical signals?

Runtime and business context matter just as much because two identical, equally reachable vulnerabilities are not the same operational risk if one sits in a production system holding regulated customer data and the other sits in an internal sandbox. A vulnerability reachable only inside a dev Docker Compose file used twice a year is a different priority than the same vulnerability reachable from an internet-facing API tagged as handling PCI data. That's why mature prioritization frameworks layer environment (production versus staging versus dev), exposure (internet-facing versus internal), data classification, and policy-declared business criticality — such as whether an asset is in scope for PCI, HIPAA, or FedRAMP — on top of the technical reachability and exploitability signals rather than treating a finding's risk as a fixed, asset-independent property. Skipping this layer is a common reason organizations still over- or under-prioritize findings even after adopting reachability and EPSS: the same CVE can legitimately warrant a same-day fix on one asset and a backlog ticket on another.

Can deduplication reduce fatigue without hiding real risk?

Deduplication reduces fatigue safely only when it collapses genuine duplicates without ever suppressing the categories of findings that must never go unseen. When multiple scanning engines — SAST, SCA, DAST, and others — flag the same underlying issue in the same component, showing that as three or four separate tickets multiplies noise without adding information; cross-scanner correlation that merges them into one finding is pure signal gain. Safeguard's AutoTriage capability does exactly this, reporting a measurable reduction percentage so the noise cut is auditable rather than opaque, while enforcing a hard guarantee that malware and secrets findings are never suppressed or merged away regardless of dedup logic. That distinction — reducing redundant noise while guaranteeing certain finding classes always surface in full — is the difference between prioritization that manages fatigue responsibly and a system that quietly trades visibility for a smaller number on a dashboard.

Vulnerability fatigue isn't solved by scanning less; it's solved by triaging with the same rigor an attacker uses to pick a target. With CVE disclosures now running past 48,000 a year and KEV entries updated weekly, severity alone can no longer be the sorting key. Reachability, exploit maturity, and business context together turn an unmanageable list into a backlog a team can actually work through.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.