Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

“What percentage of CVEs do you cover?” 

It’s a question we hear a lot at Black Kite. It’s reasonable on the surface, but ultimately misleading.

It’s like asking a meteorologist how many weather events they track. The number might be high, but it tells you nothing about whether a severe storm is headed for your house. The same logic applies here. The total count of vulnerabilities a platform covers—or claims to cover—doesn’t actually tell you how well it assesses risk to your business.

At Black Kite, we don’t optimize for volume. We optimize for relevance, discoverability, and actionability. Because when it comes to third-party risk, more data is not necessarily better data. It’s just more noise.

CVE ‘Coverage’ Doesn’t Tell the Whole Story

More than 40,000 CVEs were published in 2024. Narrow it down to those with a CVSS score above 9.0, and you’re still looking at more than 4,400 critical issues.

Understandably, many security teams start with scale: How much of that are we tracking? However, “coverage” is a flawed metric. Here’s why:

1. It depends entirely on the scope.
What’s being covered? Every CVE ever published? Just critical ones? Only those with active exploitation? The definition of “coverage” varies so widely that it becomes almost meaningless.

2. Visibility is variable.
We identify vulnerable software versions only when they’re visible via OSINT—through headers, banners, exposed services, and so on. Not every version leaves enough of a fingerprint to be seen externally (i.e., discoverable by bad actors). As detection techniques evolve, our coverage evolves. This isn’t a static number.

3. More CVEs don’t mean better insight.
If a system is severely outdated, it’s already high-risk. Tagging it with 500 additional CVEs doesn’t make it more actionable. In fact, it often dilutes the signal. What matters is knowing the right vulnerabilities, not all of them.

The takeaway? CVE count is a distraction. What’s important is whether the vulnerabilities you can see are the ones that matter—and whether they’re likely to be exploited in the wild.

What Actually Matters in Vulnerability Intelligence

At Black Kite, our job isn’t to show you every CVE (although we do offer quite a robust CVE database with TPRM insights to the public). For our customers, our job is to surface the few dozen vulnerabilities that truly matter for your vendor ecosystem—so you can act quickly and decisively.

We get there in two ways.

1. Auto-Scanning for Patch Management Risk

Our platform continuously scans exposed infrastructure using passive OSINT techniques like banner grabbing, protocol response analysis, and header inspection. From that, we extract product and version data (when available), match it to known Common Platform Enumerations (CPEs), and map it to vulnerabilities from NIST’s National Vulnerability Database.

We apply strict filters to keep the output meaningful:

  • Focus on CVEs from the past two years unless they’re especially high-impact.
  • Exclude low-severity vulnerabilities.
  • Prioritize CVEs likely to be discoverable via OSINT.
  • Limit the number of CVEs associated with a given asset.

For example, if we find a server running Windows Server 2008 R2, we flag the 10 most relevant CVEs. We don’t tag all 500-plus known vulnerabilities for that product. The additional volume wouldn’t change the risk signal. It’s already high.
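The four filters described above, as an added illustration that is not Black Kite's own code: a small Python prioritizer run over constructed CVE records for one outdated host, capping the result at the 10 CVEs mentioned in the example. The CVSS thresholds, the discoverability flag and the fictional CVE ids are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    published: date
    cvss: float
    osint_discoverable: bool  # True if a banner/header fingerprint can reveal it externally

# Thresholds are assumptions for this example, not Black Kite's published values.
HIGH_IMPACT_CVSS = 9.0   # an old CVE stays in scope only if it is this severe
LOW_SEVERITY_CVSS = 4.0  # CVSS v3 "Low" band (0.1-3.9) is dropped
MAX_PER_ASSET = 10       # the page's example: 10 CVEs for a Windows Server 2008 R2 host

def prioritize_cves(records, today, recent_years=2, max_per_asset=MAX_PER_ASSET):
    """Apply the four filters from the text and return the CVEs to flag for one asset."""
    cutoff = today - timedelta(days=365 * recent_years)
    kept = []
    for r in records:
        if r.cvss < LOW_SEVERITY_CVSS:
            continue  # filter 2: exclude low-severity vulnerabilities
        if r.published < cutoff and r.cvss < HIGH_IMPACT_CVSS:
            continue  # filter 1: older than two years and not especially high-impact
        kept.append(r)
    # filter 3: OSINT-discoverable first, then highest CVSS, then most recent
    kept.sort(key=lambda r: (not r.osint_discoverable, -r.cvss, -r.published.toordinal()))
    return kept[:max_per_asset]  # filter 4: cap the CVEs tied to a single asset

DEMO_TODAY = date(2025, 6, 1)

def sample_records(today=DEMO_TODAY):
    """Constructed sample, not NVD data: fictional CVE ids for a single outdated host."""
    recent = today - timedelta(days=200)
    old = today - timedelta(days=365 * 6)
    recs = [CveRecord(f"CVE-0000-{i:04d}", recent, round(5.0 + i * 0.4, 1), i % 2 == 0)
            for i in range(1, 13)]                       # 12 recent, CVSS 5.4 to 9.8
    recs.append(CveRecord("CVE-0000-0101", recent, 3.1, True))  # low severity: dropped
    recs.append(CveRecord("CVE-0000-0102", old, 7.5, True))     # old, not critical: dropped
    recs.append(CveRecord("CVE-0000-0103", old, 9.8, True))     # old but critical: kept
    return recs

def flagged_ids(today=DEMO_TODAY):
    """Return the CVE ids that would be attached to the asset, in priority order."""
    return [r.cve_id for r in prioritize_cves(sample_records(today), today)]

if __name__ == "__main__":
    for cve_id in flagged_ids():
        print(cve_id)
```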

2. FocusTags™ for High-Priority Threats

Some vulnerabilities warrant immediate action. For these, we created FocusTags™—a curated set of CVEs selected for their real-world risk based on exploitability, exposure, and threat actor interest.

For example, in 2024, more than 40,000 CVEs were published.

  • Around 1,000 passed our initial risk filters.
  • Of those, 780 were designated high-priority.
  • 295 received FocusTags based on their visibility in OSINT and likely impact.

These tags often overlap with known exploited vulnerabilities—many of which we flagged before public exploitation was confirmed. In certain cases, we used advanced techniques like TLS certificate analysis or favicon hash matching to surface assets that don’t respond to traditional scanning methods.

A note: Black Kite is not a vulnerability scanner. We do not perform authenticated internal scans. Instead, we use OSINT to identify whether systems appear susceptible to known vulnerabilities. Our goal is to measure risk exposure—not confirm exploit paths or patch status.

Rethink Third-Party Vulnerability Management with Black Kite

Yes, the threat landscape is growing more complex. But so are the tools we have to manage it.

We no longer need to chase every vulnerability across every vendor. With the right intelligence, we can take a more targeted, more effective approach. That means better prioritization, smarter remediation, and stronger overall cyber resilience.

Want to see what that looks like in practice? Read our full 2025 Supply Chain Vulnerability Report.


Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.



Read our full 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties – accessible instantly, no download required.