Report uncovers direct link between remediation toil and rise in cyber incidents
NEW YORK, Feb. 04, 2025 (GLOBE NEWSWIRE) — ZEST Security, provider of an Agentic-AI Cloud Risk Resolution platform, today released its “Cloud Risk Exposure Impact Report” an industry-first, examining the relationship between remediation delays and incidents.
The report found that over 62% of incidents are directly related to risks known to the organization. This means security teams were previously aware of the issue and had an open ticket for remediation when the incident occurred, but the fix had not been implemented.
Based on insights from a comprehensive survey of over 150 security decision-makers working in large U.S. enterprises, the report highlights how the increase of risk backlogs and slow remediation processes magnify the volume and impact of cyber incidents.
Key findings include:
- Most incidents are tied to risks known to the organization. Over 62% of incidents originate from risks that the security team had previously identified, researched fixes for, and had open tickets for remediation in the backlog
- Remediation takes months, attackers only need days. Organizations reported that it takes 10X longer to remediate vulnerabilities than it takes for attackers to exploit them, highlighting a significant attacker advantage
- The true cost of remediation is staggering. The annual cost of remediation, based on the time, resources and effort reported by respondents, amounts to over $2 million. This excludes additional indirect costs as a result of incidents, insurance and regulatory requirements
“There is a direct correlation between delays in remediation and the rise in security incidents,” says Snir Ben Shimol, CEO and co-founder of ZEST Security. “Before this research, there was very little data quantifying just how much backlogged vulnerabilities and misconfigurations contribute to cloud incidents. The findings from this survey make it clear that visibility alone is not enough. Organizations require a more effective approach to remediation and mitigation to reduce cloud incidents.”
Top factors contributing to the high number of incidents tied to risks known to the organization:
- 87% of survey respondents reported a typical backlog of over 100 critical and under SLA security tickets
- 6+ weeks is the average time it takes to remediate an application vulnerability in production
- 56% of risks cannot be remediated (no patch available, legacy system cannot support an upgrade, etc.)
Organizations are shifting focus to reduce cloud incidents. The survey found that respondents are adopting specific strategies to increase remediation efficiency, reduce risk acceptance and minimize exposure. Effort-based prioritization was a top approach with 53% reporting that more effective outcomes were a result of prioritizing remediation based on the number of issues resolved with a single fix. Automation was another with a third or more of respondents reported wanting to adopt automation for triage and root cause analysis, identifying the owner of open tickets and prioritization efforts. Additionally, 84% reported researching mitigating controls, such as cloud-native services or tools like web application firewalls (WAFs), to reduce the risk or severity of vulnerabilities when remediation is not immediately feasible.
“The findings of this report emphasize how important it is for organizations to develop risk remediation plans, similar to incident response plans, with stricter SLAs for addressing critical and high-risk vulnerabilities to reduce incidents,” says Shimol. “This shift will also be influenced by regulations, which are likely to shorten recommended timelines due to the rapid decrease in the time it takes for attackers to exploit vulnerabilities, now in just days.”
ZEST’s complete research and additional findings on cloud risk exposure can be found here: https://zestsecurity.io/the-impact-cloud-risk-exposure-2025/
To schedule a demo, please visit: https://zestsecurity.io/schedule-demo/
About ZEST Security
ZEST Security offers an Agentic-AI risk resolution platform that redefines cloud risk remediation for security and DevOps teams. ZEST resolution paths provide both remediation and mitigation using code and existing controls to eliminate cloud vulnerabilities and misconfigurations. With ZEST, it’s not about opening tickets; it’s about closing them. Backed by leading VCs, ZEST is introducing Agentic AI into security architecture and engineering. ZEST was founded in November 2023 and has offices in New York City and Tel Aviv. For more information visit www.zestsecurity.io
Research Methodology
This survey was conducted by a global third-party research firm and surveyed 150 security decision-makers working in enterprise organizations based in the United States. To qualify for this survey, respondents had to be manager level or above, with decision-making authority in one of the following areas: security engineering, vulnerability management, product security, application security, or DevOps. Further, surveyed organizations had to have a cloud production environment and in-house development teams.
