Edgescan 2023 Vulnerability Statistics Report

The 2023 report is our 8th edition and provides a statistical model of the most common weaknesses
faced by organizations across the globe to enable data-driven decisions
for managing risks and exposures more effectively. 


This year's report delves into Risk Density, Mean Time to Remediate (MTTR) critical vulnerabilities, and the convergence of vulnerability management and penetration testing output. The report outlines the importance of visibility in controlling risks, as well as the need for patching and maintenance in protecting against known exploitables. 

Additionally, the report emphasizes the importance of Risk Based Vulnerability Management, taking into account asset criticality to prioritize risks, and the difference between compliance and security. Finally, the report provides insight into the most common vulnerabilities in the web application, API, and Device/Host layers and how to prioritize them for remediation.


Interesting Findings Include:

  • Non-internet facing systems have a significant risk density 
  • Mean Time To Remediation (MTTR) for Critical Severity vulnerabilities is 65 day
  • 1/3 of all vulnerabilities across the full stack discovered in 2022 were either High or Critical Severity
  • The most common application layer and API vulnerabilities are still Injection related
  • 13.5% of vulnerabilities in an enterprise’s backlog are either high or critical severity
  • 12% of all Risk accepted vulnerabilities in 2022 were considered (in isolation) Critical Risks


Mean Time to Remediate by Industry



Get Your Copy

Edgescan requires the data you provide in order to share product information. By submitting this form, you agree to our collection and use of your information in accordance with our Privacy Policy. You may opt out at any time.



About the Vulnerability Statistic Report
Since 2015 Edgescan has annually produced the Vulnerability Statistics Report to provide a global snapshot of the overall state of cybersecurity using intelligence obtained from the Edgescan data lake. This yearly report has become a reliable source for approximating the global state of vulnerability management and enterprises security postures.
This is exemplified by our unique dataset being part of the Verizon Data Breach Report (DBIR), which is the de facto standard for insights into the common drivers for incidents and breaches today.
The vulnerability data analyzed for this report was collected from thousands of security assessments and penetration tests performed on millions of assets utilizing the Edgescan Platform. Vulnerability data was sourced from over 250 companies of various sizes, Fortune 500 to medium and small businesses, across 30 industry verticals.


Copyright © 2023 Edgescan  All Rights Reserved  |  Privacy Policy
Dublin: Unit 701 Northwest Business Park, Dublin 15, D15  CH256   |   New York: 33 West 60th Street, New York, NY 10023