patched · 1,184
still open · 33
01 / 11
a story · in numbers
sekura
A true story about
1217 critical vulnerabilities, one that sat open for 7 years, and the moment somebody owned it.
scroll · or press → to begin
A CISO ran a vulnerability scan
across the organisation's estate.
20,000
total findings
1,217
critical
20,000 findings
1,217 critical · 6.09%
The oldest critical vulnerability had been open for
7
years
1
month
ticket raised
still open
deferred ×3
deferred ×3
deferred ×3
deferred ×3
deferred ×2
14 deferrals. 6 different business owners. Zero escalations to the CISO.
CISO
We have 1,217 critical vulnerabilities. How?
IT Director
Every time we try to patch something, a business owner says we can't take their system down.
CISO
All 1,217 of them?
IT Director
Welcome to enterprise patching.
The CISO pulled the trail.
- T+0Ticket raised85 months ago · 7y 1m
- ×14Deferred14 separate occasions
- ×6Business owners objected6 different owners
- ×2Escalated to IT directorboth times: deadline extended
- —Escalated to the CISOnever
- —Presented to the board as accepted risknever
FINDING · OLDEST
CVE · INTERNAL-2024-0001
system
Customer-facing payment processing
vulnerability
Remote code execution
exposure
Public internet
CVSS
9.8
critical
sitting open · customer-facing · exploitable · for 7 years.
Nobody had made it anyone's problem to solve.
"
CVSS 9.8 on our payment processing system.
Open 7 years.
I found out today.
two demands
i.
A maintenance window this weekend.
Regardless of business objection.
ii.
A new policy.
Critical vulnerabilities cannot be deferred beyond 30 days without board-level risk acceptance — in writing.
vulnerability SLAs — by severity
critical
30days
high
60days
medium
90days
deferral past SLA
→
requires CISO sign-off
deferral past 2× SLA
→
requires board risk acceptance · in writing
business owner objections
→
do not stop the clock
18
days
now
accepted
risk
01
Q2 · '26
accepted
risk
02
Q3 · '26
documented · countersigned · on file
six months · same team, same tools, new accountability.
Unpatched vulnerabilities aren't
a technical problem.
They're a prioritisation problem
dressed as one.
- → Every deferral is a decision.
- → Every decision has an owner.
- → Until someone is accountable for the age of a vulnerability — nobody is.
What's the oldest critical finding open
in your environment right now?
Does your board know it exists?
sekura · autonomous pentesting
We find them.
We rank them.
We tell you which one to fix first.
Continuous, evidence-graded scans of your real estate — every finding aged, owned, and SLA-tracked. No more 27-month surprises.
see the managed scan →sekura.ai/#scan
end · 11 / 11