{“lastseen”:”2025-12-17T02:05:15″,”description”:”**Key Takeaways**\\n\\n\\u003e * Cisco is ending support for it vuln management product (formerly Kenna Security) by June 2028\\n\\u003e * Risk-based vulnerability management (RBVM) used to be adequate, but is no longer sufficient\\n\\u003e * Exposure assessment platforms allow you to assess risks from all organizational risk surfaces \\n\\u003e * SOC centralizes post\u2011attack response, the ROC centralizes pre\u2011attack exposure management\\n\\u003e * Build your ROC with Qualys ETM\\n\\u003e \\n\\n\\n* * *\\n\\nCisco recently announced the end-of-sale for its Vulnerability Management solution (formerly Kenna Security). For security teams that have relied on Kenna as the vulnerability aggregation engine powering their risk-based prioritization, this moment is less about replacing a tool and more about rethinking how vulnerability programs should work in 2026.\\n\\nThe truth is, Cisco had begun phasing out investment in Kenna well before this announcement. While Kenna’s real innovation was pioneering EPSS for risk scoring, the platform remained fundamentally a vulnerability aggregation engine\u2014ingesting data from vulnerability scanners but lacking native coverage for cloud environments or application security. As organizations’ attack surfaces expanded into multi-cloud, containers, identity, and modern application stacks, Cisco\/Kenna’s siloed add-ons felt like afterthoughts rather than integrated solutions. Many customers recognized this gap and were already exploring alternatives, held back only by inertia and hope. This official end-of-sale removes that inertia.\\n\\nThe reality is clear: **a solution that doesn ‘t account for the holistic attack surface cannot be an effective tool for preventive cyber risk management in 2026**. Aggregating vulnerability scanner data was valuable in 2018, but today’s threat landscape demands unified visibility across infrastructure, cloud, application security, IoT, and identity\u2014not disconnected programs that are managed separately.\\n\\n## The RBVM Foundation Was Important\u2014But the World Has Changed\\n\\nRisk-based vulnerability management (RBVM) was an incremental enhancement to an existing vulnerability management program in 2018. By layering exploit intelligence, asset criticality, and threat context onto raw CVE lists, it helped security teams prioritize vulnerabilities. But it is nearly 2026, and the world has evolved where:\\n\\n * **Attack surfaces have expanded.** Cloud workloads are short-lived and constantly shifting. Containers and microservices reshape infrastructure by the minute. SaaS applications introduce third-party risk that traditional scanners can’t see. The perimeter isn’t just porous, it’s constantly morphing.\\n * **Threats outpace patch cycles.** Adversaries weaponize vulnerabilities within hours of disclosure. AI-driven attack chains probe thousands of targets simultaneously. By the time traditional scan-score-ticket-patch workflows complete, the exploitation window has closed.\\n * **Risk extends beyond CVEs.** Misconfigurations cause breaches. End-of-life software creates unmanageable exposure. Overprivileged identities enable lateral movement. Comprehensive risk visibility requires looking beyond the CVE database.\\n * **Remediation must be orchestrated, not just ticketed**. Exposure management demands tightly coupled integrations for patch management and deploying compensating controls\u2014not manual workflows with weeks of lag. When adversaries move at AI speed, orchestrated risk response is the difference between having a kill switch and watching the breach unfold while tickets queue.\\n\\n\\n\\n## The Opportunity for Exposure-First Risk Management\\n\\nExposure assessment platforms aren’t just a rebranding of vulnerability management. It\u2019s a fundamental shift in how we think about cyber risk. Traditional vulnerability management catalogs vulnerabilities. Assessing exposures and managing them involves identifying exploitable conditions and the fastest path to eliminating them. This difference matters because it changes everything about how security teams operate:\\n\\n * **Comprehensive visibility** \u2014 Discover and track every asset across cloud, containers, APIs, SaaS, identity (human and non-human), and traditional infrastructure (IP-based and non-IP-based) in a unified view. You can’t manage exposure on assets you don’t know exist.\\n * **Contextual prioritization \u2014** Step away from the black-box risk scoring to a flexible and customizable approach that allows you to surface the right risk signals and suppress the noise.\\n * **Validation and verification \u2014** Confirm exposures are exploitable in your configuration and that remediation indeed closed the gap. Trust, but verify\u2014at scale.\\n * **Operational integration \u2014** Connect exposure insights directly to natively integrated remediation workflows, patch management, and configuration tools. Insight without action is just expensive reporting.\\n * **Business-focused reporting** – Quantify risk in business terms executives understand, financial exposure, operational impact, and resilience metrics \u2014 not CVE counts and severity scores.\\n\\n\\n\\n## The Risk Operations Center (ROC) – A Framework for Modern Security\\n\\nOrganizations navigating the Cisco Kenna transition can use this moment to adopt a proactive cyber risk management program\u2014**theRisk Operations Center (ROC)**. A ROC unifies security, IT, and risk management teams around a shared language of verified risk reduction, linking continuous exposure visibility, validated remediation, and business-aligned reporting in a single operational workflow. Just like how a SOC streamlines the post-attack, threat detection, and incident response strategy across siloed solutions, the ROC unifies the risk telemetry (across an ever-growing list of tools deployed to assess the security posture of diverse asset types) to provide a similar centralized approach for proactive, risk reduction programs to operate at scale. It operates on the following principles:\\n\\n * **Continuous exposure visibility** \u2014 Real-time discovery and assessment across your entire attack surface, not point-in-time snapshots.\\n * **Risk-driven prioritization** \u2014 Combining threat intelligence, business context, and environmental factors to focus remediation efforts where it matters most.\\n * **Measurable outcomes** \u2014 Tracking risk reduction over time in terms executives demand – reduced exposure, faster remediation, and improved resilience.\\n\\n\\n\\n## Operationalizing the ROC with Qualys ETM\\n\\nThe Qualys **Enterprise TruRisk TM Platform** is purpose-built to enable this evolution, delivering comprehensive visibility across IT, cloud, and application environments enriched with real-time threat intelligence and contextual risk scoring.\\n\\n**Qualys Enterprise TruRisk Management (ETM)** powers the Risk Operations Center and gives organizations a clear pathway from concept to operational reality. As a centralized risk management engine, ETM ingests data from Qualys modules (VMDR, CSPM, EASM, WAS\/SCA) and third-party sources to build a holistic view of enterprise risk. It goes beyond traditional vulnerability lists by:\\n\\n * **Unifying asset inventory and risk telemetry** across hybrid environments\\n * **Normalizing and enriching risk data** with threat intelligence, exploitability indicators, and business context\\n * **Prioritizing risk using TruRisk scoring** that factors exploitability, business impact, and asset criticality\u2014aligning security actions to business objectives\\n * **Orchestrating remediation and tracking outcomes** through automated workflows integrated with ticketing and patch management systems\\n * **Take action based on a unified language of risk** using cyber risk quantification that evaluates every exposure in terms of dollars\\n\\n\\n\\n## Next Steps for Cisco\/Kenna Customers\\n\\nFor customers now evaluating alternatives to Cisco\u2019s Kenna stack, the transition is more than a \u201cfeature replacement\u201d project \u2014 it\u2019s a chance to rethink how vulnerability and exposure insights translate into business outcomes. Qualys ETM and the ROC offer a path that allows organizations to:\\n\\n * Make **real-time, business-aligned** risk decisions across security, compliance, and operations\\n * Break down silos by aligning teams around **a unified \\”risk language\\”** of financial impact\\n * **Scale reporting** from tactical remediation dashboards to board-level risk KPIs\\n * **Accelerate remediation cycles** with AI-driven automation that reduces manual workload\\n\\n\\n\\n* * *\\n\\n**Ready to see it in action?** Start a trial and discover how a Risk Operations Center can transform your security program.\\n\\nTry Qualys ETM Today\\n\\n* * *”,”published”:”2025-12-17T00:15:46″,”modified”:”2025-12-17T00:15:46″,”type”:”qualysblog”,”title”:”Navigating Change: Evolving Your Exposure Management Strategy in a Post-Kenna World with Qualys”,”source”:””,”references”:””,”id”:”QUALYSBLOG:4ED63D6E8A7709CE43981EE048F5C6DC”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.qualys.com\/category\/product-tech”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-17T02:05:15″,”description”:”**Key Takeaways**\\n\\n\\u003e * Cisco is ending support for it vuln management product (formerly Kenna Security) by June 2028\\n\\u003e * Risk-based vulnerability management (RBVM) used to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,120,7,11,5],"class_list":["post-31487","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n