Navigating Change: Evolving Your Exposure Management Strategy in a Post-Kenna World with Qualys

Kaustubh Jagtap

Key Takeaways

  • Cisco is ending support for its Vulnerability Management product (formerly Kenna Security) by June 2028
  • Risk-based vulnerability management (RBVM) used to be adequate, but is no longer sufficient on its own
  • Exposure assessment platforms let you assess risk across all of the organization's attack surfaces, not just scanner output
  • The SOC centralizes post-attack response; the ROC centralizes pre-attack exposure management
  • Build your ROC with Qualys ETM

Cisco recently announced the end-of-sale for its Vulnerability Management solution (formerly Kenna Security). For security teams that have relied on Kenna as the vulnerability aggregation engine powering their risk-based prioritization, this moment is less about replacing a tool and more about rethinking how vulnerability programs should work in 2026.

The truth is, Cisco had begun phasing out investment in Kenna well before this announcement. While Kenna’s real innovation was pioneering EPSS for risk scoring, the platform remained fundamentally a vulnerability aggregation engine—ingesting data from vulnerability scanners but lacking native coverage for cloud environments or application security. As organizations’ attack surfaces expanded into multi-cloud, containers, identity, and modern application stacks, Cisco/Kenna’s siloed add-ons felt like afterthoughts rather than integrated solutions. Many customers recognized this gap and were already exploring alternatives, held back only by inertia and hope. This official end-of-sale removes that inertia.

The reality is clear: a solution that doesn’t account for the holistic attack surface cannot be an effective tool for preventive cyber risk management in 2026. Aggregating vulnerability scanner data was valuable in 2018, but today’s threat landscape demands unified visibility across infrastructure, cloud, application security, IoT, and identity—not disconnected programs that are managed separately.

The RBVM Foundation Was Important—But the World Has Changed

Risk-based vulnerability management (RBVM) was an incremental enhancement to an existing vulnerability management program in 2018. By layering exploit intelligence, asset criticality, and threat context onto raw CVE lists, it helped security teams prioritize vulnerabilities. But it is nearly 2026, and the world has changed:

  • Attack surfaces have expanded. Cloud workloads are short-lived and constantly shifting. Containers and microservices reshape infrastructure by the minute. SaaS applications introduce third-party risk that traditional scanners can’t see. The perimeter isn’t just porous, it’s constantly morphing.
  • Threats outpace patch cycles. Adversaries weaponize vulnerabilities within hours of disclosure. AI-driven attack chains probe thousands of targets simultaneously. By the time traditional scan-score-ticket-patch workflows complete, the exploitation window has closed.
  • Risk extends beyond CVEs. Misconfigurations cause breaches. End-of-life software creates unmanageable exposure. Overprivileged identities enable lateral movement. Comprehensive risk visibility requires looking beyond the CVE database.
  • Remediation must be orchestrated, not just ticketed. Exposure management demands tightly coupled integrations for patch management and deploying compensating controls—not manual workflows with weeks of lag. When adversaries move at AI speed, orchestrated risk response is the difference between having a kill switch and watching the breach unfold while tickets queue.
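The two lists above describe prioritization in the abstract: exploit intelligence, asset criticality and threat context layered onto CVEs, and then exposures that are not CVEs at all (misconfigurations, end-of-life software, overprivileged identities) put on the same scale. The following Python sketch is an added illustration of that layering; it is not code from the original post, not Kenna's EPSS model and not Qualys TruRisk scoring. Every weight, asset name, criticality value, EPSS probability and KEV flag in it is a constructed assumption, and the finding labels are placeholders rather than real CVE identifiers.

```python
"""Toy exposure prioritization: put CVEs and non-CVE exposures on one 0-100 scale.

All weights, sample assets, EPSS/KEV values and finding labels below are
constructed for illustration. They are not Kenna's or Qualys TruRisk's formulas.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Business context: asset criticality on a 1-5 scale (assumed values).
ASSET_CRITICALITY = {
    "payments-api": 5,
    "hr-portal": 4,
    "dev-jumpbox": 2,
    "print-server": 1,
}

# Assumed fixed severity for exposure types that have no CVSS score.
NON_CVE_SEVERITY = {"misconfig": 0.7, "eol": 0.8, "identity": 0.9}


@dataclass
class Exposure:
    asset: str
    finding: str                 # placeholder label, not a real CVE ID
    kind: str                    # "cve", "misconfig", "eol" or "identity"
    cvss: float = 0.0            # CVSS base score, CVE only
    epss: float = 0.0            # EPSS probability of exploitation (0-1), CVE only
    kev: bool = False            # listed in CISA KEV (exploitation observed)
    internet_facing: bool = False
    likelihood_override: Optional[float] = None  # assumed likelihood for non-CVE kinds


def likelihood(e: Exposure) -> float:
    """Exploit likelihood in [0, 1]: EPSS (or override) raised by KEV and reachability."""
    base = e.likelihood_override if e.likelihood_override is not None else e.epss
    if e.kev:
        base = max(base, 0.9)        # known exploited: treat as near-certain
    if e.internet_facing:
        base = min(1.0, base * 1.5)  # reachable from the internet: raise likelihood
    return round(min(max(base, 0.0), 1.0), 4)


def impact(e: Exposure) -> float:
    """Business impact in [0, 1] from asset criticality and finding severity."""
    crit = ASSET_CRITICALITY.get(e.asset, 3) / 5.0
    sev = e.cvss / 10.0 if e.kind == "cve" else NON_CVE_SEVERITY[e.kind]
    return round(crit * sev, 4)


def risk_score(e: Exposure) -> float:
    """0-100 score = likelihood x impact, so a 9.8 CVSS on a trivial host can rank low."""
    return round(100 * likelihood(e) * impact(e), 1)


def prioritize(exposures: List[Exposure]) -> List[Tuple[str, str, float]]:
    """Return (asset, finding, score) triples, highest risk first."""
    ranked = sorted(exposures, key=risk_score, reverse=True)
    return [(e.asset, e.finding, risk_score(e)) for e in ranked]


# Constructed sample: mixes CVEs with misconfiguration, EOL and identity exposures.
SAMPLE = [
    Exposure("print-server", "cve-sample-1", "cve", cvss=9.8, epss=0.02),
    Exposure("payments-api", "cve-sample-2", "cve", cvss=7.5, epss=0.60,
             kev=True, internet_facing=True),
    Exposure("hr-portal", "object store bucket public-read", "misconfig",
             internet_facing=True, likelihood_override=0.5),
    Exposure("dev-jumpbox", "cve-sample-3", "cve", cvss=9.1, epss=0.95),
    Exposure("payments-api", "service account with admin role", "identity",
             likelihood_override=0.3),
    Exposure("hr-portal", "OS past end-of-life", "eol", likelihood_override=0.4),
]

if __name__ == "__main__":
    for asset, finding, score in prioritize(SAMPLE):
        print(f"{score:5.1f}  {asset:<14} {finding}")
```

The point the ranking makes is the one the text argues: the CVSS 9.8 finding on the print server lands at the bottom (2% EPSS, criticality 1), while a public bucket on the HR portal outranks a 95%-EPSS CVE on a jump box, and an overprivileged identity on the payments API sits next to the CVEs rather than in a separate backlog nobody compares against them.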

The Opportunity for Exposure-First Risk Management

Exposure assessment platforms aren’t just a rebranding of vulnerability management. They represent a fundamental shift in how we think about cyber risk. Traditional vulnerability management catalogs vulnerabilities. Exposure assessment and management identifies exploitable conditions and the fastest path to eliminating them. This difference matters because it changes how security teams operate:

  • Comprehensive visibility — Discover and track every asset across cloud, containers, APIs, SaaS, identity (human and non-human), and traditional infrastructure (IP-based and non-IP-based) in a unified view. You can’t manage exposure on assets you don’t know exist.
  • Contextual prioritization — Step away from black-box risk scoring to a flexible, customizable approach that surfaces the right risk signals and suppresses the noise.
  • Validation and verification — Confirm exposures are exploitable in your configuration and that remediation indeed closed the gap. Trust, but verify—at scale.
  • Operational integration — Connect exposure insights directly to natively integrated remediation workflows, patch management, and configuration tools. Insight without action is just expensive reporting.
  • Business-focused reporting — Quantify risk in terms executives understand: financial exposure, operational impact, and resilience metrics, not CVE counts and severity scores.

The Risk Operations Center (ROC) – A Framework for Modern Security

Organizations navigating the Cisco Kenna transition can use this moment to adopt a proactive cyber risk management program: the Risk Operations Center (ROC). A ROC unifies security, IT, and risk management teams around a shared language of verified risk reduction, linking continuous exposure visibility, validated remediation, and business-aligned reporting in a single operational workflow. Just as a SOC streamlines post-attack threat detection and incident response across siloed tools, the ROC unifies risk telemetry from the ever-growing list of tools that assess the security posture of diverse asset types, giving proactive risk reduction programs the same centralized approach so they can operate at scale. It operates on the following principles:

  • Continuous exposure visibility — Real-time discovery and assessment across your entire attack surface, not point-in-time snapshots.
  • Risk-driven prioritization — Combining threat intelligence, business context, and environmental factors to focus remediation efforts where it matters most.
  • Measurable outcomes — Tracking risk reduction over time in terms executives demand – reduced exposure, faster remediation, and improved resilience.

Read More

To learn more about how organizations can build business resilience to achieve strategic risk reduction and quantifiable ROI, download our ROC eBook.

Operationalizing the ROC with Qualys ETM

The Qualys Enterprise TruRisk™ Platform is purpose-built to enable this evolution, delivering comprehensive visibility across IT, cloud, and application environments enriched with real-time threat intelligence and contextual risk scoring.

Qualys Enterprise TruRisk Management (ETM) powers the Risk Operations Center and gives organizations a clear pathway from concept to operational reality. As a centralized risk management engine, ETM ingests data from Qualys modules (VMDR, CSPM, EASM, WAS/SCA) and third-party sources to build a holistic view of enterprise risk. It goes beyond traditional vulnerability lists by:

  • Unifying asset inventory and risk telemetry across hybrid environments
  • Normalizing and enriching risk data with threat intelligence, exploitability indicators, and business context
  • Prioritizing risk using TruRisk™ scoring that factors exploitability, business impact, and asset criticality—aligning security actions to business objectives
  • Orchestrating remediation and tracking outcomes through automated workflows integrated with ticketing and patch management systems
  • Acting on a unified language of risk through cyber risk quantification that expresses every exposure in dollar terms

Next Steps for Cisco/Kenna Customers

For customers now evaluating alternatives to Cisco’s Kenna stack, the transition is more than a “feature replacement” project — it’s a chance to rethink how vulnerability and exposure insights translate into business outcomes. Qualys ETM and the ROC offer a path that allows organizations to:

  • Make real-time, business-aligned risk decisions across security, compliance, and operations
  • Break down silos by aligning teams around a unified “risk language” of financial impact
  • Scale reporting from tactical remediation dashboards to board-level risk KPIs
  • Accelerate remediation cycles with AI-driven automation that reduces manual workload

Ready to see it in action? Start a trial and discover how a Risk Operations Center can transform your security program.
