Skip to content

runZero Named to Rising in Cyber 2025 List of Top Cybersecurity Startups

Selected by CISOs and leading investors, the list recognizes the 30 startups shaping the future of security.

Austin, Texas — June 4, 2025 — runZero, the leader in total attack surface management, today announced its inclusion in Rising in Cyber 2025, an independent list launched by Notable Capital to spotlight the 30 most promising cybersecurity startups shaping the future of security.

Unlike traditional rankings, Rising in Cyber 2025 honorees were selected through a multi-stage process grounded in real-world validation. Leading cybersecurity venture firms submitted nominations, and nearly 150 Chief Information Security Officers (CISOs) and senior security executives voted on the final list, highlighting the companies solving the most urgent challenges facing today’s security teams.

runZero was selected for its innovative approach to exposure management and attack surface discovery, helping security teams navigate today’s complex threat landscape. Unlike traditional vulnerability management solutions, runZero delivers complete and accurate visibility into every asset and exposure across internal, external, IT, OT, IoT, mobile, and cloud environments, including uncovering unknown and unmanageable devices and broad classes of exposures that evade other tools.

The company joins a cohort that has collectively raised over $7.8 billion, according to Pitchbook as of May 2025, and is defining the next era of cybersecurity across key areas like identity, application security, agentic AI, and security operations.

“The demand for cybersecurity innovation has never been greater. As the underlying technologies evolve and agentic AI reshapes everything from threat detection to team workflows, we’re witnessing a shift from reactive defense to proactive, intelligence-driven operations,” said Oren Yunger, Managing Partner at Notable Capital. “What makes this list special is that it reflects real-world validation — honorees were chosen by CISOs who face these challenges every day. Congratulations to this year’s Rising in Cyber companies for building the solutions that modern security leaders truly want and need.”

In celebration, honorees will be recognized today at the New York Stock Exchange (NYSE) alongside top security leaders and investors.

“We’re honored to be recognized as a Rising in Cyber 2025 company. runZero is challenging the status quo with a novel approach to exposure management that can finally provide defenders with the attack surface visibility and comprehensive risk detection required to protect complex, dynamic environments,” said Julie Albright, Chief Operating Officer for runZero. “As a disruptor in our space, it’s great to be acknowledged by CISOs who are in the trenches every day and who have struggled with outdated approaches to vulnerability management that are fundamentally broken. This recognition is a testament to the innovative approach we’ve taken and the meaningful impact we are making for teams responsible for securing their organizations against an increasingly challenging threat landscape.”

A new approach to exposure management

Leveraging innovative technology and proprietary discovery techniques, runZero provides organizations with the most complete and accurate visibility across their total attack surface, including unknown and unmanageable assets. On average, runZero enterprise customers report finding 25% more assets than they were previously aware of, with some environments yielding 10x more assets than security teams expected, radically expanding their view of their attack surfaces and the exposures within. These previously unknown assets are often those at the most risk.

Starting with a foundation of comprehensive visibility enables runZero to provide full-spectrum exposure detection across internal and external attack surfaces. Advanced fingerprinting methodologies build detailed, accurate profiles of each asset in the environment using a library of almost 1,000 attributes. This unmatched depth of data enables the platform to identify much broader classes of exposures going well beyond CVEs to identify risks that evade traditional vulnerability and external attack surface management solutions. runZero recently released new risk findings and dashboards, providing a novel paradigm for organizing, addressing, and tracking exposures over time.

To learn more about Rising in Cyber 2025, visit https://www.risingincyber.com/.

 

About Rising in Cyber

Rising in Cyber is an annual list recognizing the most innovative startups in cybersecurity as determined by nearly 150 leading CISOs and cybersecurity executives. Nomination criteria included private, venture-backed companies with a primary product focus on cybersecurity and the U.S. as a primary market. For more information about the honorees, participating investors, and methodology, visit www.risingincyber.com.

About Notable Capital

Notable Capital is a global venture capital firm based in the U.S. focused on early-to-growth-stage companies in cloud infrastructure and business and consumer applications. The firm invests primarily in the U.S., Israel, Europe, and Latin America. Notable Capital portfolio companies include Affirm, Airbnb, Anthropic, Brightwheel, Drata, Fal.ai, Handshake, HashiCorp, Ibotta, Monte Carlo, Neon, Orca Security, Quince, Slack, Stori, Vercel, and more.

Notable Capital is a longtime investor in the global cybersecurity sector. Its investments include Bitsight, Descope, Drata, Gem Security (Acquired by Wiz), HashiCorp ($HCP, Acquired by IBM), Nozomi Networks, Orca Security, Torq, Tonic.io, and Vdoo (Acq by JFrog), and more. More information can be found at www.notablecap.com and @notablecap.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Not Just the Score: Why EPSS Volatility Might Be the Signal You’re Missing

We’ve all been trained to fixate on the number. Whether it’s a CVSS score of 9.8 or an EPSS probability of 0.73429, security teams are under pressure to rank, triage, and patch based on single metrics. But in Episode 18 of runZero Hour, a conversation with EPSS co-creator Jay Jacobs revealed something that might change how you think about vulnerability risk entirely.

The number itself isn’t always the most important signal. Instead, it’s the change in that number — the volatility — that may hold more predictive power. As runZero’s Tod Beardsley explained in this episode, a sudden spike in an EPSS score might be your first sign of something bigger brewing. “I think the deltas are more interesting than the final number,” he said. “That tells me something just happened to make this much more likely to be exploited.”

This is more than a theoretical observation. EPSS is updated daily using machine learning models fed by real-world exploitation signals — things like IDS/IPS detections from live enterprise networks, newly published Metasploit modules, pull requests on exploit repositories, and dark web chatter. That means it doesn’t just reflect potential severity, like CVSS, it also reflects how “attacky,” as Tod put it, the Internet feels today.

Volatility can serve as a kind of early-warning system. If a vulnerability’s EPSS score jumps 50+ points overnight, it may be time to take a closer look — even if its CVSS score is a sleepy 7.2. And unlike CVSS, which has seen score inflation and subjective disagreement between vendors, EPSS is grounded in observed behavior, not guesswork.

Check out the on-demand recording of this special runZero hour to learn:

  • How to operationalize volatility as a signal in your vulnerability management program
  • Why CVSS scores aren’t the empirical truth they pretend to be
  • A candid breakdown of what EPSS and SSVC get right — and where they still fall short

And check out our latest report, Divining Risk: Deciphering Signals From Vulnerability Scores the strengths and weaknesses of all modern scoring systems.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Trimble Cityworks on your network

Latest Trimble Cityworks vulnerability #

vulnerability has been disclosed in Trimble Cityworks versions prior to 23.10. Cityworks is a popular GIS and asset management system for local governments. This vulnerability would allow a remote, authenticated attacker who could upload malicious files to execute arbitrary code on the vulnerable system.

This vulnerability has been designated CVE-2025-0994 and has a CVSS score of 8.6 (high).

Note that there is evidence that this vulnerability is being actively exploited in the wild.

What is the impact? #

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.

Are any updates or workarounds available? #

Trimble has released updates to mitigate this issue. Users are encouraged to update to version 23.10 or later as quickly as possible. Additionally, as this vulnerability appears to be under active exploitation, users are advised to examine their systems for any unexpected files or network services. 

How do I find Trimble Cityworks installations with runZero? #

From the Service Inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http and protocol:http and favicon.ico.image.md5:="b26ada00a06ee050e56160ea5308bc9f"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find AutomationDirect Modbus Gateways on your network

Latest AutomationDirect MB-GATEWAY vulnerability #

vulnerability has been disclosed in AutomationDirect MB-GATEWAY Modbus gateways. This vulnerability in the embedded web server allows unrestricted remote access to the device. This device is no longer supported by the vendor and will not receive updates, including security patches.

This vulnerability has been designated CVE-2025-36535 and has a CVSS score of 10.0 (critical).

What is the impact? #

Successful exploitation of this vulnerability could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.

Are any updates or workarounds available? #

This device is no longer supported by the vendor and users are encouraged to discontinue their use. If this is not possible, users are strongly recommended to implement network access controls to limit access to these devices to trusted networks.

How do I find AutomationDirect MB-GATEWAY Modbus gateways with runZero? #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Automation Direct Modbus Gateway"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Versa Networks Concerto installations on your network

Latest Versa Networks Concerto vulnerabilities #

Project Discovery has disclosed several vulnerabilities in Versa Concerto, a tool used to configure and monitor Versa devices in networks:

  • CVE-2025-34027 with a CVSS score of 10.0 (critical): an authentication bypass in the spack upload endpoint, which would allow an attacker to execute arbitrary code without authentication
  • CVE-2025-34026 with a CVSS score of 9.2 (critical): an authentication bypass in the Concerto API that would allow a remote, unauthenticated attacker to view log and debugging information, which may contain authentication tokens and other sensitive information.
  • CVE-2025-34025 with a CVSS score of 8.6 (high): a container-escape vulnerability that would allow an attacker with access to a container on the Concerto system to break out of that container and execute code and commands in the outer environment.

These vulnerabilities affect various components of Concerto and, when used together, would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.

Versions 12.1.2 through 12.2.0 are known to be affected, but other versions may also be vulnerable.

Note that, as of writing, this vulnerability has not been publicly addressed by the vendor.

What is the impact? #

Successfully exploiting this vulnerability would allow a remote attacker to execute arbitrary code on the vulnerable system and retrieve potentially sensitive logging and debugging information.

Are updates or workarounds available? #

As of this writing, this vulnerability has not been addressed by the vendor. Users are strongly encouraged to implement network access controls to limit access to these systems to trusted networks.

How to find potentially vulnerable systems with runZero #

From the Services Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND has:favicon.ico.image.md5 and favicon.ico.image.md5:="0e8efa5cf285db81f1389ef48fb0bec2"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find TP-Link Archer AX50 routers on your network

vulnerability has been disclosed in TP-Link Archer AX50 routers. This vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code with root privileges on vulnerable devices.

This vulnerability has been designated CVE-2025-40634 and has a CVSS score of 9.2 (critical).

What is the impact? #

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on vulnerable routers, allowing them to take complete control of affected devices.

Are any updates or workarounds available? #

Reports indicate that versions of the Archer AX50 firmware after 1.0.15 are no longer vulnerable, but this has not yet been confirmed by TP-Link.

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="TP-Link Archer AX50"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find DrayTek Vigor routers

Latest DrayTek Vigor router vulnerability #

previously disclosed vulnerability (CVE-2024-12987), has recently been confirmed to be under active exploitation in the wild.

This vulnerability, with a CVSS score of 7.5 (high), would allow a remote, unauthenticated attacker to inject arbitrary commands to be run on the underlying operating system of DrayTek Vigor2960 and Vigor300B routers.

This vulnerability has been designated CVE-2025-2567 and has been assigned a CVSS score of 9.8 (critical).

What is the impact? #

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands on vulnerable routers, allowing them to take complete control of affected devices.

Are any updates or workarounds available? #

DrayTek has released an updated version of the affected firmware, and advises all users to upgrade immediately.

How do I find vulnerable DrayTek Vigor routers with runZero? #

From the Asset Inventory, use the following query to locate vulnerable DrayTek Vigor assets:

(hw:"DrayTek Vigor2960" OR hw:"DrayTek Vigor300b" OR hw:"DrayTek Vigor 2960" OR hw:"DrayTek Vigor 300b") AND osversion:<"1.5.1.5"

Previous DrayTek Vigor router vulnerability (CVE-2022-32548) #

The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An unauthenticated attacker can easily gain control over vulnerable Vigor devices, doing so remotely if the management interface is exposed to the Internet.

What is the impact? #

Tracked as CVE-2022-32548 with a CVSS “critical” maximum score of 10, successful attackers can potentially leverage device control to execute code, establish a foothold on the network for further exploration, exfiltrate sensitive data, add the device to a botnet, and more. Trellix researchers found over 200k vulnerable Vigor devices with management interfaces exposed to the Internet, putting them at risk of remote exploitation. Even with external access to the management interface disabled, vulnerable devices are still susceptible to exploitation via the local network.

Are updates available? #

DrayTek has provided patched firmware for affected Vigor devices. Admins should ensure that affected models are updated to the latest firmware version. The Trellix research team also provided additional mitigation recommendations, including disabling public-facing access to the management interface (see Recommendations).

How do I find DrayTek Vigor routers with runZero? #

From the Asset Inventory, use the following pre-built query to locate DrayTek Vigor assets that may need remediation:

hw:"DrayTek Vigor"
Prebuilt query is available in the Queries Library

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Samsung MagicINFO Server installations on your network

Latest Samsung MagicINFO Server vulnerability #

Samsung has issued a security advisory for its MagicINFO Server product, used to control intelligent signage and displays. Versions of the server prior to 21.1052 contain a path-traversal vulnerability that would allow a remote attacker to upload potentially malicious executables to a vulnerable server to arbitrary paths. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with SYSTEM privileges. This would allow an attacker to gain complete control over the vulnerable system.

This vulnerability has been designated CVE-2025-4632 and has a CVSS score of 9.8 (critical).

Note that there is evidence that this vulnerability is being actively exploited in the wild.

What is the impact? #

Successfully exploiting this vulnerability would allow a remote attacker to execute arbitrary code on  the vulnerable system with SYSTEM (that is, administrative) privileges.

Are updates or workarounds available? #

Samsung has released updates that address these issues and urges all customers to update as quickly as possible.

How to find potentially vulnerable systems with runZero #

From the Services Inventory, use the following query to locate systems running vulnerable software:

_asset.protocol:http AND protocol:http
    AND (
        (has:tls.subject AND tls.subject:"MagicInfo")
    OR
        (has:http.head.server AND http.head.server:="MagicInfo Premium Server"))

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

CVSS, EPSS, and SSVC: How to Read Between the Vulnerability Scores

Vulnerability scores promise precision, clarity, and objectivity. But often, the results they deliver can just add noise to an already cacophonous symphony of security alerts.

Security teams today are drowning in high-severity findings, yet still miss critical exposures. Why? Because the three most commonly used systems — CVSS, EPSS, and SSVC — weren’t built to tell the same story. And relying on just one is like reading a fortune with only half the cards.

In our new report, Divining Risk: Deciphering Signals From Vulnerability Scores, we break down these scoring systems to help defenders understand not just what each tells us, but also what they don’t.

Here’s a preview of the strengths and limitations of each scoring system — and how to best leverage them to inform your triage strategy.

CVSS: The Foundational and Familiar #

The Common Vulnerability Scoring System (CVSS) is the foundation of most vulnerability management programs. Built to provide a consistent, objective description of a vulnerability’s severity, CVSS distills technical characteristics into a tidy number from 0.0 to 10.0. But what does a “critical” score really mean? It can be hard to find out.

Strengths

  • Universally adopted and widely understood

  • Easy to parse with vector strings (AV:N, AC:L, PR:N, etc.)

  • Useful for filtering: attack vectors like AV:P (physical) or PR:H (high privileges required) let you quickly down-prioritize low-likelihood threats

Limitations

  • Scores reflect theoretical severity, not real-world exploitability

  • The distribution is oddly consistent — collections of CVEs cluster around 7–8 regardless of when they were disclosed, creating an illusion of predictability

  • Nearly never accounts for context or environmental impact

CVSS gives information, not strategy. You can use it to narrow down the list, but not necessarily how to prioritize it.

EPSS: The Statistically-Driven Newcomer #

Where CVSS is static, EPSS (Exploit Prediction Scoring System) is dynamic. Updated daily, it uses machine learning to estimate the probability that a vulnerability will be exploited in the next 30 days. It’s a probability, classically expressed as a decimal from 0 to 1. But this score is not a crystal-clear prediction. It’s a probability model fed by thousands of data points.

Strengths

  • Captures real-world signals of exploitation: honeypots, IDS alerts, exploit chatter, and more

  • Helpful in identifying “movers”—CVEs with big score jumps that may indicate emerging threats

  • Offers additional triage value when used in time series

Limitations

  • Highly opaque—exact inputs and weights are not publicly understood

  • Can be misinterpreted as certainty when it’s actually probability

  • Predicts exploitation activity, not necessarily successful exploits

If CVSS describes the storm, EPSS tells you whether or not it’s headed your way. But rather than a guarantee, it’s a prompt to dig deeper.

SSVC: The Human-Centric Decision Framework #

SSVC (Stakeholder-Specific Vulnerability Categorization) is more of a decision framework, less of a “score.” Designed for situational awareness, it walks you through decision trees to determine whether you should Track, Monitor, Attend, or Act. Unlike CVSS or EPSS, SSVC leans heavily on local context: mission impact, asset exposure, and environmental risk.

Strengths

  • Forces organizations to bring context into the decision-making process

  • Supports meaningful prioritization aligned to business risk

  • Integrates nicely with structured sources like CISA’s Vulnrichment

Limitations

  • Requires deep asset visibility and environmental awareness

  • Demands time and expertise—hard to scale across large CVE volumes

  • Subjectivity can lead to inconsistent results across analysts or teams

SSVC works best when paired with mature asset inventory and clear business objectives. In the right hands, it’s a powerful prioritization tool rather than a replacement for broader coverage.

No Silver Bullets #

CVSS, EPSS, and SSVC each offer valuable clues, but none of these scores tell the whole story. The real power comes from learning how to combine them, filter the noise, and surface what matters most for your environment.

Our report, Divining Risk: Deciphering Signals From Vulnerability Scores, helps you do just that. In it, you’ll get:

  • A clear-eyed breakdown of CVSS, EPSS, and SSVC — how they work, where they mislead, and what signals are actually useful

  • Data-backed insights from analyzing 270,000+ CVEs, including the biggest EPSS score movers and what they reveal

  • Practical guidance on combining score systems with PoCs, asset context, and data to triage smarter

We’re unpacking this data in a lot of channels this week and next. I’ll be diving into these insights live at the NorthSec Conference in Montreal on Friday, May 16 at 11:30AM EST—come join me if you’re attending! In the meantime, you can dig into the full report here

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Ivanti EPMM (MobileIron Core)

How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero  

On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully exploiting this vulnerability would allow an unauthenticated remote attacker to access users’ personally identifiable information (PII) and make changes to the vulnerable server.

There is evidence that this vulnerability is being exploited in the wild.

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM) is a mobile management software product that helps organizations set policies for mobile devices, applications, and content. It was formerly known as MobileIron Core.
What is the impact?
An unauthenticated remote attacker who successfully exploited this vulnerability would be able to retrieve users’ personally identifiable information (PII) and make changes to the vulnerable server. This is due to an authentication bypass vulnerability, meaning that in some cases an attacker can bypass authentication controls.

With a CVSS score of 10.0, this vulnerability is considered critical. There is evidence that this vulnerability is being exploited in the wild and this vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog.

Are updates available?

Ivanti has released a patch for this vulnerability and issued guidance for customers on how to upgrade.

How do I find potentially vulnerable Ivanti Endpoint Management Mobile services with runZero?

EPMM can be found by navigating to the Services Inventory and using the following pre-built query to locate EPMM services on your network:

	_asset.protocol:http AND protocol:http AND html.title:"Ivanti User Portal: Sign In"

Starting with runZero 3.10.10, from the Asset Inventory use the following pre-built query to locate EPMM services on your network:

	product:”Ivanti Endpoint Manager Mobile”

Results from the above query should be triaged to determine if they require patching.
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.