Integrative research means our extensive company research informs every thesis and perspective. The result is deep industry knowledge, expertise, and trend insights that yield valuable results for our partners and clients.

About the Author:
Howard Smith
Managing Director
Howard Smith has nearly three decades of experience at First Analysis, working with entrepreneurs as an investor and as an advisor on growth transactions to help build leading technology businesses. He leads the firm’s work in the Internet of Things, cybersecurity, and internet infrastructure sectors. He also built the firm's historical franchises in call centers and computer telephony. His thought-leading research in these areas has been cited for excellence by the Wall Street Journal and other publications. He serves on the boards of AppDetex, Fortress Information Security, SmartWitness, VisiQuate and observIQ. Prior to joining First Analysis in 1994, he was a senior tax consultant with Arthur Andersen & Co. He earned an MBA with honors from the University of Chicago and a bachelor’s degree in accounting with highest honors from the University of Illinois at Urbana-Champaign. He is a certified public accountant.
First Analysis Cybersecurity Team
Howard Smith
Managing Director
Matthew Nicklin
Managing Director
First Analysis Quarterly Insights
RBVM - key to not getting crushed by the vulnerability boulder
June 28, 2021
  • Patching all of an enterprise's cybersecurity vulnerabilities is a Sisyphean task that's only made harder by a scarcity of qualified cybersecurity personnel.
  • Risk-based vulnerability management (RBVM) solution providers make it easier for enterprises to protect their business with vulnerability prioritization technology that optimally focuses their remediation efforts on the vulnerabilities that are most important in the context of each business. Several recent events highlight how the RBVM space remains as interesting and important as ever.
  • We examine the considerations related to each of the three elements of the RBVM framework (vulnerabilities, assets and threats), some of the main approaches to RBVM, and some of the companies focused on moving solutions forward.


Includes discussion of CSCO, QLYS, RPD, TENB and seven private companies

A Sisyphean task

The universe of vulnerabilities

Which vulnerabilities do I have?

Adding threat intelligence

Assessing damage potential

Choosing RBVM solutions

One size does not fit all

A sample of solution providers

Making an impossible task a little more possible

Cybersecurity index continues to outperform the Nasdaq and S&P

Q2 cybersecurity M&A activity continues to slow

Q2 cybersecurity private placements sustain recent pace

A Sisyphean task

It is no secret that today's IT organizations face a Sisyphean task in trying to patch all known vulnerabilities, a challenge that's only made harder by a scarcity of qualified personnel. To help manage the task, IT security departments often advise IT staff on which of the myriad vulnerabilities they should prioritize based on a variety of factors. At its highest level, this is called risk-based vulnerability management (RBVM), and the solutions used to aid in this task are usually referred to as either RBVM software or vulnerability prioritization technology (VPT), with the terms being generally synonymous.

The challenge of how best to prioritize vulnerabilities is decades old, and solutions have evolved continuously over that time. But several recent developments highlight how the space remains as interesting and important as ever. These include government-issued guidelines suggesting a risk-based approach to vulnerabilities to help combat ransomware, the May 14 announcement that Cisco will buy VPT specialist and leader Kenna Security, and the June 8 announcement that risk-based cybersecurity firm Brinqa received $110 million in its first institutional funding round.

©2024 by First Analysis Corporation.
One South Wacker Drive
Suite 3900
Chicago, IL 60606