DeRISK Quantified Vulnerability Management evaluates cyber risks using business-level metrics

DeNexus announced an innovative enhancement to its flagship cyber risk management solution, DeRISK.

The new DeRISK Quantified Vulnerability Management leverages advanced AI techniques to automatically and continuously map common vulnerabilities and exposures, or CVEs, to potential financial impacts, providing insights for cybersecurity teams.

This new solution will revolutionize vulnerability management in OT environments by addressing the overwhelming challenge of prioritizing CVEs, reducing the task to only those that drive financial exposure, and transforming how organizations handle cybersecurity risks in industrial settings.

Unlike traditional scoring methods, DeRISK Quantified Vulnerability Management translates cybersecurity vulnerabilities and controls into clear financial risk metrics including dollars at risk, enabling executives to make informed business decisions in cybersecurity investments. By integrating with leading ICS/OT security solutions and leveraging advanced technologies like generative AI, it provides a comprehensive, business-oriented view of vulnerability management priorities.

“DeRISK Quantified Vulnerability Management is groundbreaking, bringing significant efficiency to security teams, MSSPs and MSPs,” said Jose Seara, CEO of DeNexus. “Instead of allocating precious time and resources to vulnerabilities that do not truly drive risk even if highly critical and exploitable, they can now focus only on the ones that might trigger the greatest operational and financial damage to the organization.”

“Evaluating cyber exposures and cyber risks using business-level metrics is transformational for cybersecurity teams in their need to justify investments,” says Paul Donnelly, OT Systems Engineer at EDF Renewables United Kingdom. “This starts with understanding the financial and operational damages potentially caused by vulnerabilities throughout the supply chain.”

Despite various scoring systems like CVSS, EPSS, and KEV, cybersecurity teams remain overwhelmed by the volume of vulnerabilities to address. Recent research shows organizations take about a year (361 days) to address 50% of the CVEs that impact their environment. DeNexus’ new offering tackles this challenge head-on by applying advanced cyber risk modeling and quantification techniques to compile Value at Risk and Expected Financial Loss for each identified vulnerability, given security controls in place. 

“Using a true risk-based approach to vulnerability management is no longer a nice-to-have—if we all keep just chasing CVSS metrics, we will all go broke and sleepless,” says John Franzino, CEO of GridSecurity Inc. “In addition to layering in exploit metrics like EPSS and KEV, we must understand the context and exposure of identified vulnerabilities—using DeRISK’s wealth of outside-in and inside-out data, we can now prioritize remediation at scale, while also having financial data to support risk-acceptance decisions.”

Key highlights of the new offering include:

  • AI-powered vulnerability mapping: Utilizing Large Language Models (LLMs), DeRISK automatically maps newly published Common Vulnerabilities and Exposures (CVEs) each day to the MITRE ATT&CK frameworks for Enterprise and ICS.
  • Financial risk quantification: DeNexus’ advanced risk modeling powered by inside data from OT systems processes this mapping to calculate the Value at Risk and Expected Financial Loss for each identified vulnerability in a given network, considering the network topology, role of the affected device, and implemented cybersecurity controls.
  • DeRISK Quantified Vulnerability Management (DQVM): Combining this new offering with DeNexus’ Risk Mitigation Simulation feature in DeRISK, enterprises with industrial networks now take a financial approach to vulnerability management.
  • Integrated vulnerability data: The solution incorporates inside-out vulnerability data from leading cybersecurity partners including Claroty, Forescout, Nozomi Networks, and Tenable.