Vicarius’ “Exposed and Unfixed: The 2026 State of Vulnerability Remediation” Finds Siloed Workflows and Manual Processes Leave 79% of Organizations Vulnerable to Known Exploits

58% of all vulnerability remediation activities still require direct human intervention
75% of critical vulnerability responses simply initiate an administrative workflow rather than resolving the threat

NEW YORK, July 15, 2026 (GLOBE NEWSWIRE) -- Vicarius, a vulnerability remediation company, today released its Exposed and Unfixed: The 2026 State of Vulnerability Remediation report, a comprehensive study analyzing operational metrics from IT and security leaders across the U.S. and U.K. to reveal how organizations manage and struggle to resolve security flaws after they are detected.

Despite industry emphasis on automated scanning, the actual process of fixing vulnerabilities remains trapped behind manual workflows and fragmented toolsets. Drawing from real-world insights from enterprise IT and security executives, the report breaks down why critical flaws sit exposed for months, where organizational handoffs break down, and why traditional ticketing systems are creating a false sense of security.

Key findings:

  1. Remediation is stubbornly manual
    Despite the adoption of automated detection, 58% of all remediation activities still require human intervention. The majority of respondents surveyed reported that their remediation lifecycle remains heavily dependent on manual, repetitive operational tasks, forcing teams to waste valuable time.
  2. Workflows overrun resolution
    When a critical vulnerability is identified, immediate mitigation is rarely the default outcome. Only 25% of organizations deploy an automated remediation action directly from their security platform. The remaining 75% of responses simply pass the buck, defaulting instead to administrative tasks like creating a ticket or routing to security teams for manual review rather than fixing the underlying flaw.
  3. It’s the known flaws that lead to incidents
    Administrative handoffs drain operational momentum, and vulnerabilities sit unaddressed for dangerous stretches of time. 79% of organizations experienced a security incident in the past 12 months involving a vulnerability that was already known and sitting in their inventory.
  4. Success is misdefined as activity, not outcomes
    The industry is misaligned on what "remediated" actually means. Only half (50%) of organizations require a verified rescan or automated check to officially close a vulnerability. The rest clear their dashboards based on purely administrative milestones, such as ticket generation or formal risk acceptance.

"Treating a ticket creation as a security victory is a fundamental operational flaw," said Roi Cohen, CEO of Vicarius. "Our latest report shows that while finding flaws has become automated, fixing them is still held back by human intervention, organizational silos, and tool sprawl. When three out of four critical vulnerability responses result in an administrative handoff rather than immediate mitigation, we shouldn't be surprised that attackers operating at machine speed win the race."

How to Protect Your Organization
The gaps uncovered in this report show that traditional vulnerability management is broken. To stop the endless cycle of manual handoffs and unaddressed risks, organizations must shift from passive scanning to active, automated resolution.

Redefine "remediated" before you report another metric.

  • Only 50% of organizations require a verified fix before closing a vulnerability. The rest close tickets on deployment alone, or even on risk acceptance. If your system allows closure without a rescan, your dashboard is measuring activity, not outcomes. Fix the closure criteria first.

Name an owner before you add another approval step.

  • 38% of organizations say remediation ownership depends on the situation, and 43% can only sometimes fix what they find without pulling in another team. More handoffs won't solve this. Pick your three most critical asset groups and assign one accountable owner to each this quarter.

Count your tools before buying another one.

  • The average organization touches three or more systems per remediation. Every added tool is another point where context gets lost. Map the full path from discovery to verified fix, including the spreadsheets and email approvals nobody counts, before adding anything new.

Methodology

The 2026 State of Vulnerability Remediation report was conducted in April 2026 in partnership with Global Surveyz, an independent market research firm. The study gathered insights from 300 IT and cybersecurity professionals across the United States and the United Kingdom. The respondent pool was evenly distributed among managers, directors, and vice presidents. All participants represent organizations with between 500 and 2,000 employees spanning key industry sectors, including financial services, manufacturing, healthcare, automotive, government, and technology services.

Download Vicarius’ Exposed and Unfixed: The 2026 State of Vulnerability Remediation report, or learn more about vRx for native remediation at scale and vIntelligence for continuous orchestration.

About Vicarius
Vicarius’ mission is to revolutionize vulnerability management by closing the loop between problem detection and proactive resolution. The company’s portfolio is built on two flagship pillars: vRx for advanced, native remediation at scale, and vIntelligence, an agentic validation engine that delivers continuous AI-driven security insight and orchestration.

Now with vRx and vIntelligence, Vicarius offers a full remediation cycle. With 1,000+ customers in 80 countries, vRx by Vicarius streamlines and automates risk mitigation for security teams, SMBs, and Fortune 500 enterprises.

Media contact
Deb Montner
dmontner@montner.com


Primary Logo

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.

Share this page:

Advanced Search Options

Search for:

Search scope:

Type:

Search in:

Date range:

The last

Sort by:

Sign up for:

The UK Jobs Center

The daily local news briefing you can trust. Every day. Subscribe now.

By signing up, you agree to our Terms & Conditions.