Subscribe to the Non-Human & AI Identity Journal
Home FAQ Threats, Abuse & Incident Response How should security teams decide which vulnerabilities matter…
Threats, Abuse & Incident Response

How should security teams decide which vulnerabilities matter when runtime data is available?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 6, 2026 Domain: Threats, Abuse & Incident Response

Teams should prioritise vulnerabilities that are both present and executed, because runtime evidence separates theoretical exposure from active risk. A package in a dependency tree is not enough on its own. Use function calls, load state, and anomalous behaviour to decide whether a finding belongs in urgent remediation, monitored acceptance, or closure.

Why This Matters for Security Teams

Runtime data changes vulnerability management from a static exposure review into a risk decision. A package can look dangerous on paper but never load, never execute the vulnerable function, and never touch sensitive paths. Security teams that ignore execution evidence usually waste effort on dormant findings while active abuse is missed. This is especially true in software supply chains and credential-driven systems, where attacker speed can be measured in minutes, as seen in the LLMjacking research from NHI Management Group. Guidance from the NIST Cybersecurity Framework 2.0 supports this shift by tying prioritisation to impact and risk context, not just inventory presence. The practical question is no longer “is it vulnerable?” but “is it reachable, executed, and observable in production?” In practice, many security teams encounter the real risk only after an exploit path has already been exercised in production, rather than through intentional review.

How It Works in Practice

The most effective workflow combines vulnerability intelligence with runtime telemetry so teams can separate theoretical exposure from active exploitability. That means correlating package and image scans with signals such as process execution, library load state, network reachability, file access, function calls, and abnormal control flow. If a vulnerable component exists only in a dependency tree and never loads, it may justify monitored acceptance. If the same component is loaded inside a live service path, it moves into urgent remediation. A practical triage model usually looks like this:
  • Confirm whether the vulnerable code path is actually loaded at runtime.
  • Check whether the affected function or endpoint is reachable from an external or internal trust boundary.
  • Look for execution evidence, such as stack traces, unexpected child processes, or anomalous API sequences.
  • Weight the finding by asset criticality, privilege level, and blast radius.
  • Use runtime context to suppress noise from dormant libraries, test code, and unused transitive dependencies.
This approach aligns with the NHI Management Group’s broader research on real-world abuse patterns, including the DeepSeek breach, where exposed data and credentials created concrete attack paths rather than abstract risk. It also fits current guidance from NIST Cybersecurity Framework 2.0, which encourages outcome-based prioritisation. Runtime evidence is most valuable when paired with ownership rules, remediation SLAs, and exception handling so that “low priority” does not become “never fix.” These controls tend to break down in short-lived container fleets and serverless environments because workloads can start, stop, and redeploy faster than manual triage can keep up.

Common Variations and Edge Cases

Tighter runtime-based triage often increases instrumentation overhead, requiring organisations to balance better precision against collection cost and operational complexity. That tradeoff becomes sharper in environments with heavy autoscaling, ephemeral containers, or mixed managed and self-hosted services, where telemetry may be incomplete or delayed. Current guidance suggests treating missing runtime data as an uncertainty signal, not proof of safety. There is also no universal standard for how much runtime evidence is “enough” to downgrade a vulnerability. Some teams require direct function execution, while others accept load-state plus network reachability for low-complexity flaws. The right threshold depends on exploitability, privilege level, and whether the vulnerable component can be invoked through indirect chains such as plugins, schedulers, or message queues. This is where the Ultimate Guide to NHIs — Key Research and Survey Results is useful for understanding how runtime identity and access patterns shape exposure in modern systems. For teams handling secrets-heavy workloads, the State of Secrets in AppSec findings reinforce that remediation should focus on what is both present and actively used, not merely stored. In practice, the hardest edge case is a dormant vulnerability inside a component that becomes reachable only during rare failure handling, because that is where exploit paths often hide.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0ID.RA-5Runtime evidence improves risk assessment beyond static vulnerability presence.
OWASP Non-Human Identity Top 10NHI-04Execution context helps distinguish active NHI abuse from dormant exposure.
NIST AI RMFAI risk decisions should account for observed behaviour and operational context.

Use live telemetry to rank findings by actual exposure and exploitability before assigning remediation priority.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org