TL;DR: Accuracy, not tool count, is now the governance bottleneck, according to Netwrix research from a survey of 720 IT professionals. It found that 70% of organisations already use a vulnerability assessment tool, while 70% bought one primarily for proactive security and 52% would switch if false positives dropped.
NHIMG editorial — based on content published by Netwrix: 2022 Vulnerability Assessment Analytical Note
By the numbers:
- 70% of organizations have a vulnerability assessment tool, either deployed internally or provided as a third-party service
- 70% said the primary reason for purchasing the tool was the need for proactive security measures
- 52% of respondents said they would consider changing to a new solution if it would reduce the volume of false positive alerts
Questions worth separating out
Q: What breaks when vulnerability assessment tools generate too many false positives?
A: False positives break the operational value of vulnerability assessment because teams spend time validating noise instead of fixing exposure.
Q: Why do organisations invest in vulnerability assessment if compliance is not the main driver?
A: Many organisations invest in vulnerability assessment to reduce exposure before incidents happen, not just to satisfy audit requirements.
Q: How do security teams know whether vulnerability assessment is actually working?
A: Teams should look for short triage cycles, high-confidence findings, and a clear link between scan results and remediation action.
Practitioner guidance
- Measure alert precision before expanding coverage Track false-positive rate, analyst rework time, and the percentage of findings that reach remediation rather than being suppressed.
- Attach assessment findings to ownership and closure paths Route high-confidence findings into the same remediation workflow used for patching, exception review, and compensating controls.
- Use assessment output to inform privilege review When vulnerabilities affect management interfaces, service accounts, or privileged systems, require an explicit review of access scope and temporary restriction options.
What's in the full report
Netwrix's full analytical note covers the survey detail this post intentionally leaves for the source:
- The underlying survey methodology and respondent breakdown across 720 IT professionals.
- The full set of diagrams showing why organisations adopted vulnerability assessment and what would prompt a tool change.
- The survey's supporting analysis on budget priorities and accuracy expectations.
- The original wording of the questions and answer categories used in the research.
👉 Read Netwrix's 2022 vulnerability assessment analytical note →
False-positive heavy vulnerability assessment: what teams should fix?
Explore further
False-positive overload is a governance failure, not just a tooling annoyance. When half the value of a scanner is spent separating signal from noise, security teams are no longer operating a control. They are operating a review workload. The practical implication is that vulnerability assessment must be judged by decision quality, not by issue volume.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: Should organisations replace a vulnerability assessment tool if it creates too much noise?
A: Replacement is justified when false positives consistently consume more effort than the tool saves. The decision should be based on analyst workload, remediation throughput, and whether the findings support risk-based action. If the product cannot be tuned into a trusted decision input, switching may be the most efficient option.
👉 Read our full editorial: Vulnerability assessment still fails where false positives dominate