Teams should prioritise vulnerabilities that are reachable in the current runtime state, not just those that score highest in abstract. That means correlating scanning results with live process behaviour, network paths, and application function usage. If an issue cannot be reached, it may still matter, but it should not outrank an exposure that can be exploited immediately.
Why This Matters for Security Teams
Cloud vulnerability queues are noisy because scan severity is not the same as live exploitability. A critical issue in an image, package, or service account is often lower priority than a medium issue that is actually reachable from an exposed workload path. That gap is especially dangerous in environments where identities, permissions, and network routes change faster than remediation cycles. NHI Management Group has repeatedly shown how credential and access misuse can turn a seemingly ordinary weakness into a real incident, including in The 52 NHI breaches Report and the Guide to the Secret Sprawl Challenge.
The practical problem is that cloud teams often triage by CVSS alone, then discover later that the highest-severity issue was unreachable from the runtime path that mattered. A better model weighs whether the vulnerable component is actually loaded, invoked, or exposed in the current deployment state. This is consistent with current guidance from runtime-focused security work and with the direction of least-privilege cloud governance. In practice, many security teams encounter the real blast radius only after a workload is already probed through an unintended path, rather than through intentional prioritisation.
How It Works in Practice
Prioritisation starts by correlating vulnerability data with runtime context: active containers, running processes, open ports, exposed endpoints, attached identities, and observed application function usage. Static scan results still matter, but they should be enriched with evidence of whether an issue is reachable from the network, callable through the app, or chained through a credentialed action. Security teams commonly use cloud posture tooling, eBPF or process telemetry, service mesh observations, and workload identity mappings to answer a simple question: can an attacker touch this flaw from where they are likely to stand?
That runtime view is also where identity becomes decisive. A vulnerable service that is not exposed may still become high priority if its NHI has broad access, if its token can reach sensitive APIs, or if it sits on a path to secrets. The same logic is reflected in NHI research from 230M AWS environment compromise and Codefinger AWS S3 ransomware attack, where exploitability depended on real access paths, not abstract severity alone. For benchmark thinking, the CISA Known Exploited Vulnerabilities Catalog is useful because it pushes teams toward evidence of active abuse, while CVSS remains only one input, not the decision.
- Prioritise vulnerabilities that are reachable from internet-facing or lateral paths before isolated issues.
- Raise urgency when a weakness sits behind privileged NHI credentials, API keys, or service tokens.
- Downgrade issues that are not loaded, not invoked, or blocked by current policy and network controls.
- Re-evaluate after deployment changes, because runtime exposure can change faster than scan cadence.
These controls tend to break down in autoscaling microservice estates with weak telemetry, because the runtime path can change between scans and the exposure evidence becomes stale.
Common Variations and Edge Cases
Tighter exposure-based triage often increases tooling overhead, requiring organisations to balance better prioritisation against telemetry cost and operational complexity. The tradeoff is worth it, but current guidance suggests using confidence levels rather than pretending every asset has the same quality of runtime data. A vulnerability with uncertain exposure should not be ignored, but it should usually fall below a confirmed reachable issue unless compensating factors exist, such as known exploit activity or sensitive identity adjacency.
One edge case is a dormant flaw in a library that is not currently loaded but is part of a feature flag path or blue-green rollout. Another is a low-severity issue in a service that owns a highly privileged NHI, where compromise could still enable secret theft or privilege escalation. Best practice is evolving here, especially for ephemeral workloads and serverless functions, because there is no universal standard for deciding how much runtime evidence is “enough.” Teams should treat exposure as a scoring modifier, not a replacement for vulnerability management.
For broader cloud identity context, the The State of Non-Human Identity Security report highlights how limited visibility and weak monitoring can obscure real risk. The same is true in AI-driven operations, where the Anthropic report on AI-orchestrated cyber espionage shows how quickly automated workflows can exploit what is actually reachable at runtime.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.RA-01 | Runtime exposure is a risk analysis problem, not a scan-only problem. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Exploitability depends on NHI exposure, privilege, and credential path. |
| NIST AI RMF | Risk-based prioritisation needs context-aware governance and continuous monitoring. |
Correlate runtime reachability with vulnerability data before assigning remediation priority.
Related resources from NHI Mgmt Group
- How should security teams decide which vulnerabilities matter when runtime data is available?
- How should security teams decide which vulnerabilities need runtime blocking first?
- How should security teams prioritise vulnerabilities when identity access is part of the exposure path?
- How should security teams prioritise patching when Microsoft vulnerabilities affect identity and cloud controls?