For years, security teams have followed a familiar playbook: scan everything, patch everything, and prioritize vulnerabilities based on severity scores. Yet despite continued investment in vulnerability management tools and processes, breaches persist—and vulnerability backlogs continue to grow faster than most organizations can realistically manage.
That disconnect was the focus of a recent CYBR.SEC.Community webcast featuring Michael Farnum, CEO of CYBR.SEC.Community, in conversation with Jeremiah Grossman, CEO of Root Evidence. At the center of their discussion was Epoch Theory, Grossman’s framework for understanding how cybersecurity evolves in distinct phases driven by attacker behavior, not defensive intention.
Symptoms of What's to Come
Rather than treating today’s challenges as isolated failures of tooling or process, Epoch Theory reframes them as symptoms of a broader transition. According to Grossman, security doesn’t progress linearly. It moves in epochs: periods defined by what attackers find most economically and operationally viable at a given time.
In earlier epochs, attackers focused on networks, prompting the rise of firewalls. When those controls matured, attackers shifted up the stack to web applications, driving the adoption of web application security. Later epochs saw ransomware eclipse traditional malware, rendering signature-based antivirus ineffective and accelerating the move toward behavioral detection. More recently, the rise of unknown assets and external exposure fueled attack surface management.
Robert Hansen
The pattern is consistent: defenders build controls, attackers adapt, and a new epoch begins.
This historical lens matters because vulnerability management, as practiced today, is increasingly misaligned with the current epoch. Organizations are overwhelmed by sheer volume—hundreds of thousands of known CVEs, growing year over year—yet only a small fraction are ever exploited in the wild. Even fewer are responsible for material financial loss. Still, most security programs prioritize vulnerabilities using abstract scoring systems that struggle to reflect real-world risk.
Where Vulnerability Management Breaks Down
Grossman argues that this is where vulnerability management begins to break down. The industry treats prioritization as a mathematical exercise, when it should be an evidence-based risk decision grounded in attacker behavior and loss outcomes. Severity scores, exploit availability, and patch timelines all provide signals—but none, on their own, reliably predict impact.
Epoch Theory also introduces an economic reality many security leaders quietly recognize: security controls are not free. As environments grow more complex, the cost of scanning, patching, and validating remediation continues to rise. At some point, those costs approach—or exceed—the expected cost of loss. When that happens, traditional “scan-and-patch-everything” models become unsustainable.
Another key insight from the discussion is that loss is rarely driven by the initial exploit alone. In many breaches, the real damage occurs during prolonged dwell time. From an epoch perspective, this shifts the defensive emphasis from perfect prevention to faster detection and containment—accepting that compromise is inevitable, but catastrophic loss is not.
Rethinking the Game
Rather than offering a silver bullet, the webcast challenges security leaders to rethink vulnerability management through the lens of epochs: understand where attackers are concentrating effort today, recognize when legacy models no longer fit, and align security investment with real-world outcomes instead of theoretical risk.
, and CYBR.SEC.Media
The full session goes deeper into Grossman’s Epoch Theory, explores why traditional prioritization models struggle, and outlines how vulnerability management may evolve toward actuarial, loss-based decision-making.
If your vulnerability backlog feels unmanageable, or if explaining risk to the business feels increasingly disconnected from reality, this conversation offers a framework worth understanding.
Watch the complete session here.
