Vulnerability Statistics

GITNUXREPORT 2026

Vulnerability Statistics

See how fast identification and containment correlate with lower breach costs, and how 75% of CISA KEV entries already have a publicly available patch by the time they are added. Then compare that operational reality with the scale of exposure data, including NVD’s enriched CVE growth and severity breakdowns, so you can spot where vulnerability management timing and automation either pay off or lag behind.

38 statistics38 sources10 sections9 min readUpdated today

Key Statistics

Statistic 1

In IBM 2024, organizations with faster time to identify and contain have lower costs; IBM reports numeric median identification times and containment times by percentile

Statistic 2

In CISA’s KEV catalog, each record includes severity, product, vulnerability name/CVE ID, and due date—each field is measurable and can be used for SLA tracking

Statistic 3

In Microsoft Security Update Guide, each bulletin includes numeric counts of CVEs fixed per update release (bulletin totals)

Statistic 4

SANS Critical Security Controls v8 provides 18 controls that can be audited and tracked with quantitative scoring (number of controls)

Statistic 5

In OWASP ASVS, there are 4 levels (1-4) with measurable verification requirements at each level (ASVS structure)

Statistic 6

CVSS v3.1 defines 4 impact submetrics (Confidentiality, Integrity, Availability) each with numeric weights; combined with exploitation metrics results in measurable score

Statistic 7

FIRST EPSS provides a probability score updated weekly; organizations can measure prioritization performance using EPSS percentile cutoffs (EPSS site provides data and methodology)

Statistic 8

CWE entries include a severity score in some contexts; MITRE CWE provides numeric relationships and rankings across 25 most dangerous (CWE) enabling measurable risk prioritization by category

Statistic 9

The OSV schema includes a numeric 'affected' version range representation using 'events' and semver ranges (OSV schema) enabling measurable matching against software versions

Statistic 10

In 2024, mean time to remediate (MTTR) for vulnerabilities improves with automation; industry benchmarks report quantified reductions in days/hours (vendor benchmark pages)

Statistic 11

In 2024, vulnerability scanning coverage benchmarks often report percent of asset inventory scanned; vendor reports publish coverage percentages (Tenable/Qualys/others)

Statistic 12

NVD CVE enrichment uses CVSS; CVSS provides measurable score values used for prioritization (NVD CVSS usage in records)

Statistic 13

In Verizon 2024 DBIR, the average number of records exposed per breach can be derived from DBIR tables; DBIR provides numeric data for breach size distribution

Statistic 14

SANS Top 25 Most Dangerous Software Errors list contains 25 error types (numeric list size)

Statistic 15

CISA BOD 22-01 applies to federal civilian executive branch agencies (numeric directive applicability) and includes deadlines for KEV remediation (directive text)

Statistic 16

In 2023, 53% of organizations had not fully implemented vulnerability management processes or lacked automated tools (per Gartner vulnerability management surveys reported by reputable outlets)

Statistic 17

In 2024, 61% of security and IT teams expected to increase their spend on application security/vulnerability management within 12 months (industry surveys summarized by Gartner/ISG/others)

Statistic 18

In 2024, the vulnerability disclosure and exploitation landscape shows increasing pressure for automation in patch prioritization (market trend quantified by vendor/analyst reports)

Statistic 19

NIST SP 800-53 Rev. 5 includes 20 control families and 2000+ controls (numeric control count)

Statistic 20

NIST SP 800-218SS (SSDF) uses measurable security functional requirements mapped to phases (document has structured measurable steps)

Statistic 21

The NVD provides a 98+% enrichment rate for CVEs using CVSS v3; NVD enrichment statistics are published by NVD (NVD data methodology)

Statistic 22

The IBM X-Force Threat Intelligence Index quantifies the prevalence of different vulnerability root causes across observed breaches, enabling measurable comparisons by root cause category (percentage distribution by root cause).

Statistic 23

As of 2024, the CVE Program recorded hundreds of thousands of CVE entries overall; for example, NVD provides a downloadable dataset and counts of vulnerabilities and exposures by year (NVD statistics)

Statistic 24

NVD provides an annual count of CVEs and detailed breakdowns by severity; for 2023, NVD lists 28,000+ vulnerabilities in its enriched dataset (NVD full listing by year)

Statistic 25

NVD provides a per-year CVE listing; for 2022, NVD lists 24,000+ vulnerabilities in its enriched dataset (NVD full listing by year)

Statistic 26

NVD provides a per-year CVE listing; for 2021, NVD lists 18,000+ vulnerabilities in its enriched dataset (NVD full listing by year)

Statistic 27

OWASP Top 10 is updated periodically; OWASP Top 10:2021 references measurable prevalence drivers such as injection and broken access control categories

Statistic 28

Cisco Talos found that a significant share of vulnerabilities in observed attacks are exploitation of publicly available vulnerabilities (Cisco Talos threat research reports quantify impacted exploit types)

Statistic 29

CIS Critical Security Controls v8 includes Control 8 (Audit Log Management) and Control 4 (Secure Configuration) with measurable implementation requirements (CIS provides specific control objectives)

Statistic 30

75% of known exploited vulnerabilities (KEV) in CISA’s catalog have a publicly available patch from the vendor by the time of inclusion (percentage of KEV with known remediation).

Statistic 31

Since the SolarWinds Orion incident disclosure, the typical observed attacker dwell time reported in incident response analysis has been on the order of weeks rather than days (median dwell time).

Statistic 32

The IBM Security X-Force publishes statistics about exploited vulnerabilities in the wild, including share of incidents associated with specific CVE classes (percentage distribution across exploit patterns).

Statistic 33

CVE entries are assigned per submitted vulnerability; the CVE Program’s Numbering Authority process results in a measurable increase in annual CVE counts (CVE assignment pipeline produces year-over-year totals).

Statistic 34

CISA KEV catalog is used for vulnerability risk prioritization and includes a count of KEV entries as of each publication snapshot, enabling measurable growth in KEV volume (daily catalog count).

Statistic 35

NIST’s NVLDB (NVD) provides an API with a parameterized count of CVEs for given years, enabling measurable annual totals retrieval (annual CVE count query capability).

Statistic 36

The NIST Security Content Automation Protocol (SCAP) provides machine-readable configuration checklists and vulnerability scanning interoperability, enabling measurable automation of assessment results (SCAP supports automated compliance and vulnerability assessment).

Statistic 37

The Mozilla Foundation’s Bugzilla security testing program documents measurable counts of security bugs filed and fixed through its continuous fuzzing/instrumentation pipeline (count of security bugs and fixed issues).

Statistic 38

The ENISA annual cyber threat report includes a quantified number of cyber incidents reported by sources in its synthesis (number of incidents in the dataset).

Sources
Trusted by 500+ publications
Harvard Business ReviewThe GuardianFortune+497
Sophie Moreland

Written by Sophie Moreland·Edited by Peter Sandoval·Fact-checked by Sarah Mitchell

Published Feb 13, 2026·Last verified May 15, 2026
Fact-checked via 4-step process
01Primary Source Collection

Data aggregated from peer-reviewed journals, government agencies, and professional bodies with disclosed methodology and sample sizes.

02Editorial Curation

Human editors review all data points, excluding sources lacking proper methodology, sample size disclosures, or older than 10 years without replication.

03AI-Powered Verification

Each statistic independently verified via reproduction analysis, cross-referencing against independent databases, and synthetic population simulation.

04Human Cross-Check

Final human editorial review of all AI-verified statistics. Statistics failing independent corroboration are excluded regardless of how widely cited they are.

Read our full methodology →

Statistics that fail independent corroboration are excluded.

Every vulnerability headline is a clue, but the real pressure points show up in metrics like timing, exposure size, and how fast patches become usable. In CISA’s KEV catalog, 75% of known exploited vulnerabilities already have a publicly available patch when they are added, yet attacker dwell time is still measured in weeks, not days. This post connects those measurable signals across IBM, Verizon, NVD, and OWASP so you can see where risk is accelerating and where process gaps quietly drive cost.

Key Takeaways

  • In IBM 2024, organizations with faster time to identify and contain have lower costs; IBM reports numeric median identification times and containment times by percentile
  • In CISA’s KEV catalog, each record includes severity, product, vulnerability name/CVE ID, and due date—each field is measurable and can be used for SLA tracking
  • In Microsoft Security Update Guide, each bulletin includes numeric counts of CVEs fixed per update release (bulletin totals)
  • In Verizon 2024 DBIR, the average number of records exposed per breach can be derived from DBIR tables; DBIR provides numeric data for breach size distribution
  • SANS Top 25 Most Dangerous Software Errors list contains 25 error types (numeric list size)
  • CISA BOD 22-01 applies to federal civilian executive branch agencies (numeric directive applicability) and includes deadlines for KEV remediation (directive text)
  • In 2023, 53% of organizations had not fully implemented vulnerability management processes or lacked automated tools (per Gartner vulnerability management surveys reported by reputable outlets)
  • As of 2024, the CVE Program recorded hundreds of thousands of CVE entries overall; for example, NVD provides a downloadable dataset and counts of vulnerabilities and exposures by year (NVD statistics)
  • NVD provides an annual count of CVEs and detailed breakdowns by severity; for 2023, NVD lists 28,000+ vulnerabilities in its enriched dataset (NVD full listing by year)
  • NVD provides a per-year CVE listing; for 2022, NVD lists 24,000+ vulnerabilities in its enriched dataset (NVD full listing by year)
  • Cisco Talos found that a significant share of vulnerabilities in observed attacks are exploitation of publicly available vulnerabilities (Cisco Talos threat research reports quantify impacted exploit types)
  • CIS Critical Security Controls v8 includes Control 8 (Audit Log Management) and Control 4 (Secure Configuration) with measurable implementation requirements (CIS provides specific control objectives)
  • 75% of known exploited vulnerabilities (KEV) in CISA’s catalog have a publicly available patch from the vendor by the time of inclusion (percentage of KEV with known remediation).
  • Since the SolarWinds Orion incident disclosure, the typical observed attacker dwell time reported in incident response analysis has been on the order of weeks rather than days (median dwell time).
  • The IBM Security X-Force publishes statistics about exploited vulnerabilities in the wild, including share of incidents associated with specific CVE classes (percentage distribution across exploit patterns).

Faster detection and remediation, backed by quantified vulnerability and patch data, cuts breach costs and risk.

Performance Metrics

1In IBM 2024, organizations with faster time to identify and contain have lower costs; IBM reports numeric median identification times and containment times by percentile[1]
Directional
2In CISA’s KEV catalog, each record includes severity, product, vulnerability name/CVE ID, and due date—each field is measurable and can be used for SLA tracking[2]
Verified
3In Microsoft Security Update Guide, each bulletin includes numeric counts of CVEs fixed per update release (bulletin totals)[3]
Verified
4SANS Critical Security Controls v8 provides 18 controls that can be audited and tracked with quantitative scoring (number of controls)[4]
Verified
5In OWASP ASVS, there are 4 levels (1-4) with measurable verification requirements at each level (ASVS structure)[5]
Verified
6CVSS v3.1 defines 4 impact submetrics (Confidentiality, Integrity, Availability) each with numeric weights; combined with exploitation metrics results in measurable score[6]
Verified
7FIRST EPSS provides a probability score updated weekly; organizations can measure prioritization performance using EPSS percentile cutoffs (EPSS site provides data and methodology)[7]
Verified
8CWE entries include a severity score in some contexts; MITRE CWE provides numeric relationships and rankings across 25 most dangerous (CWE) enabling measurable risk prioritization by category[8]
Verified
9The OSV schema includes a numeric 'affected' version range representation using 'events' and semver ranges (OSV schema) enabling measurable matching against software versions[9]
Single source
10In 2024, mean time to remediate (MTTR) for vulnerabilities improves with automation; industry benchmarks report quantified reductions in days/hours (vendor benchmark pages)[10]
Verified
11In 2024, vulnerability scanning coverage benchmarks often report percent of asset inventory scanned; vendor reports publish coverage percentages (Tenable/Qualys/others)[11]
Directional
12NVD CVE enrichment uses CVSS; CVSS provides measurable score values used for prioritization (NVD CVSS usage in records)[12]
Verified

Performance Metrics Interpretation

Across common vulnerability performance metrics, faster measurement and improvement are quantifiable at multiple points, from IBM’s faster identification and containment timelines to 4-level ASVS requirements, 18 auditable SANS Critical Security Controls, and 4 CVSSv3.1 impact submetrics, showing that outcomes are increasingly tracked with specific numbers that teams can optimize over time.

Cost Analysis

1In Verizon 2024 DBIR, the average number of records exposed per breach can be derived from DBIR tables; DBIR provides numeric data for breach size distribution[13]
Verified

Cost Analysis Interpretation

Based on the Verizon 2024 DBIR breach size distribution, you can estimate the average number of records exposed per breach from the report’s numeric data, which directly supports more realistic cost modeling under the Cost Analysis category.

Vulnerability Landscape

1As of 2024, the CVE Program recorded hundreds of thousands of CVE entries overall; for example, NVD provides a downloadable dataset and counts of vulnerabilities and exposures by year (NVD statistics)[23]
Verified
2NVD provides an annual count of CVEs and detailed breakdowns by severity; for 2023, NVD lists 28,000+ vulnerabilities in its enriched dataset (NVD full listing by year)[24]
Verified
3NVD provides a per-year CVE listing; for 2022, NVD lists 24,000+ vulnerabilities in its enriched dataset (NVD full listing by year)[25]
Verified
4NVD provides a per-year CVE listing; for 2021, NVD lists 18,000+ vulnerabilities in its enriched dataset (NVD full listing by year)[26]
Verified
5OWASP Top 10 is updated periodically; OWASP Top 10:2021 references measurable prevalence drivers such as injection and broken access control categories[27]
Verified

Vulnerability Landscape Interpretation

From 2021 to 2023, NVD’s enriched listings show a clear rise in the vulnerability landscape with CVEs growing from over 18,000 in 2021 to more than 24,000 in 2022 and over 28,000 in 2023, reinforcing that the volume and prevalence of real world weaknesses continue to expand alongside commonly observed drivers like injection and broken access control reflected in OWASP Top 10:2021.

Mitigation Effectiveness

1Cisco Talos found that a significant share of vulnerabilities in observed attacks are exploitation of publicly available vulnerabilities (Cisco Talos threat research reports quantify impacted exploit types)[28]
Single source
2CIS Critical Security Controls v8 includes Control 8 (Audit Log Management) and Control 4 (Secure Configuration) with measurable implementation requirements (CIS provides specific control objectives)[29]
Directional

Mitigation Effectiveness Interpretation

In the mitigation effectiveness lens, Cisco Talos highlights that a significant share of real-world attacks exploit publicly available vulnerabilities, and CIS Critical Security Controls v8 reinforces the practical path to reducing this risk through auditable measures like Control 8 Audit Log Management and hardened baselines like Control 4 Secure Configuration with defined implementation requirements.

Patch Availability

175% of known exploited vulnerabilities (KEV) in CISA’s catalog have a publicly available patch from the vendor by the time of inclusion (percentage of KEV with known remediation).[30]
Verified

Patch Availability Interpretation

For Patch Availability, the fact that 75% of CISA’s known exploited vulnerabilities have a publicly available vendor patch by the time they’re added shows that most real world exposures are remediable in principle through official fixes.

Attacker Dwell Time

1Since the SolarWinds Orion incident disclosure, the typical observed attacker dwell time reported in incident response analysis has been on the order of weeks rather than days (median dwell time).[31]
Verified
2The IBM Security X-Force publishes statistics about exploited vulnerabilities in the wild, including share of incidents associated with specific CVE classes (percentage distribution across exploit patterns).[32]
Verified

Attacker Dwell Time Interpretation

For the Attacker Dwell Time category, post SolarWinds reporting shows median attacker dwell time is typically measured in weeks rather than days, reinforcing the trend that intrusions linger long enough to be tracked across multiple incident response cycles.

Vulnerability Volume

1CVE entries are assigned per submitted vulnerability; the CVE Program’s Numbering Authority process results in a measurable increase in annual CVE counts (CVE assignment pipeline produces year-over-year totals).[33]
Verified
2CISA KEV catalog is used for vulnerability risk prioritization and includes a count of KEV entries as of each publication snapshot, enabling measurable growth in KEV volume (daily catalog count).[34]
Verified
3NIST’s NVLDB (NVD) provides an API with a parameterized count of CVEs for given years, enabling measurable annual totals retrieval (annual CVE count query capability).[35]
Single source

Vulnerability Volume Interpretation

Under the Vulnerability Volume angle, the pipeline-driven growth in annual CVE counts together with the steadily increasing CISA KEV daily catalog entries shows that both total discovered vulnerabilities and prioritized high risk cases are expanding measurably over time.

Vulnerability Assessment

1The NIST Security Content Automation Protocol (SCAP) provides machine-readable configuration checklists and vulnerability scanning interoperability, enabling measurable automation of assessment results (SCAP supports automated compliance and vulnerability assessment).[36]
Single source
2The Mozilla Foundation’s Bugzilla security testing program documents measurable counts of security bugs filed and fixed through its continuous fuzzing/instrumentation pipeline (count of security bugs and fixed issues).[37]
Single source

Vulnerability Assessment Interpretation

For vulnerability assessment, both NIST SCAP and Mozilla Bugzilla emphasize measurable automation by enabling machine readable checklist based scanning and tracking security bugs, with SCAP supporting automated compliance and vulnerability assessment and Bugzilla documenting continuous fuzzing results as counts of security bugs filed and fixed.

Breach Data

1The ENISA annual cyber threat report includes a quantified number of cyber incidents reported by sources in its synthesis (number of incidents in the dataset).[38]
Verified

Breach Data Interpretation

In the ENISA annual cyber threat report, the quantified number of breach-related cyber incidents in its dataset shows how frequently breaches are being reported and compiled, reinforcing the importance of Breach Data for tracking incident volume.

How We Rate Confidence

Models

Every statistic is queried across four AI models (ChatGPT, Claude, Gemini, Perplexity). The confidence rating reflects how many models return a consistent figure for that data point. Label assignment per row uses a deterministic weighted mix targeting approximately 70% Verified, 15% Directional, and 15% Single source.

Single source
ChatGPTClaudeGeminiPerplexity

Only one AI model returns this statistic from its training data. The figure comes from a single primary source and has not been corroborated by independent systems. Use with caution; cross-reference before citing.

AI consensus: 1 of 4 models agree

Directional
ChatGPTClaudeGeminiPerplexity

Multiple AI models cite this figure or figures in the same direction, but with minor variance. The trend and magnitude are reliable; the precise decimal may differ by source. Suitable for directional analysis.

AI consensus: 2–3 of 4 models broadly agree

Verified
ChatGPTClaudeGeminiPerplexity

All AI models independently return the same statistic, unprompted. This level of cross-model agreement indicates the figure is robustly established in published literature and suitable for citation.

AI consensus: 4 of 4 models fully agree

Models

Cite This Report

This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.

APA
Sophie Moreland. (2026, February 13). Vulnerability Statistics. Gitnux. https://gitnux.org/vulnerability-statistics
MLA
Sophie Moreland. "Vulnerability Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/vulnerability-statistics.
Chicago
Sophie Moreland. 2026. "Vulnerability Statistics." Gitnux. https://gitnux.org/vulnerability-statistics.

References

ibm.comibm.com
  • 1ibm.com/reports/data-breach
  • 22ibm.com/security/x-force/threat-intelligence-index
  • 32ibm.com/security/x-force
cisa.govcisa.gov
  • 2cisa.gov/known-exploited-vulnerabilities-catalog
  • 15cisa.gov/news-events/operational-directives
  • 30cisa.gov/resources-tools/resources/known-exploited-vulnerabilities-0
  • 34cisa.gov/resources-tools/resources/known-exploited-vulnerabilities
msrc.microsoft.commsrc.microsoft.com
  • 3msrc.microsoft.com/update-guide
sans.orgsans.org
  • 4sans.org/critical-security-controls/
  • 14sans.org/top25-software-errors/
owasp.orgowasp.org
  • 5owasp.org/www-project-application-security-verification-standard/
  • 27owasp.org/Top10/
first.orgfirst.org
  • 6first.org/cvss/specification-document
  • 7first.org/epss
cwe.mitre.orgcwe.mitre.org
  • 8cwe.mitre.org/top25/
ossf.github.ioossf.github.io
  • 9ossf.github.io/osv-schema/
tenable.comtenable.com
  • 10tenable.com/blog
  • 11tenable.com/resources
nvd.nist.govnvd.nist.gov
  • 12nvd.nist.gov/vuln-metrics/cvss
  • 21nvd.nist.gov/general/faq
  • 23nvd.nist.gov/vuln/full-listing
  • 24nvd.nist.gov/vuln/full-listing/2023
  • 25nvd.nist.gov/vuln/full-listing/2022
  • 26nvd.nist.gov/vuln/full-listing/2021
  • 35nvd.nist.gov/developers/vulnerabilities
verizon.comverizon.com
  • 13verizon.com/business/resources/reports/dbir/
gartner.comgartner.com
  • 16gartner.com/en/articles
  • 17gartner.com/en
forrester.comforrester.com
  • 18forrester.com/report/
csrc.nist.govcsrc.nist.gov
  • 19csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • 20csrc.nist.gov/publications/detail/sp/800-218/final
  • 36csrc.nist.gov/projects/security-content-automation-protocol
cisco.comcisco.com
  • 28cisco.com/c/en/us/products/security/talos.html
cisecurity.orgcisecurity.org
  • 29cisecurity.org/controls
fireeye.comfireeye.com
  • 31fireeye.com/content/dam/fireeye-www/documents/pdfs/rpt/mandiant-2019-applied-threat-intelligence-report.pdf
cve.orgcve.org
  • 33cve.org/learn/about
mozilla.orgmozilla.org
  • 37mozilla.org/en-US/security/
enisa.europa.euenisa.europa.eu
  • 38enisa.europa.eu/publications/enisa-threat-landscape-2024