In 2022, the Qualys Threat Research Unit (TRU) detected more than 2.3 billion anonymized vulnerabilities around the globe to bring you industry-bending insights collected and curated within the 2023 Qualys TruRisk Threat Research Report.
In this report, Qualys explores the most common ways adversaries exploit vulnerabilities and carry out attacks. With analysis performed by TRU throughout 2022, this report provides security teams with data-backed insights that help them gain victory without battle now and into the future.
Download The 2023 TruRisk Threat Research Report to better understand your organization's cybersecurity needs and how to better communicate threat data to executives and leaders who might need help understanding cybersecurity within a cyber risk context.
Key findings and risk facts within the report are:
On average, weaponized vulnerabilities are patched within 30.6 days, yet they are patched only 57.7% of the time. These same vulnerabilities are weaponized by attackers in 19.5 days on average. This means that attackers have 11.1 days of exploitation opportunities before organizations begin patching.
The mean time to remediation of weaponized vulnerabilities related to Chrome or Windows is 17.4 days, with an effective patch rate of 82.9%. Windows and Chrome are patched twice as fast and twice as often as other applications.
IAB vulnerabilities have a mean time to remediation of 45.5 days, compared to 17.4 days for Windows and Chrome. Their patch rate is also lower: 68.3%, compared to 82.9% for Windows and Chrome.
This report includes anonymous detections in 2022 from the Qualys Web Application Scanner, which globally scanned 370,000 web applications and correlated data against the OWASP Top 10. The scans revealed more than 25 million vulnerabilities, 33% of which were classified as OWASP Category A05: Misconfiguration.
Misconfigurations - errors that are unintended actions by an internal party - make up a large part of weaknesses in web applications and are one of the top reasons for data breaches.