9 Realms Cybersecurity

You Can't Protect What You Can't See: The Vulnerability Gap in Mid-Market Security

Chuck Flynn

Most security incidents don't start with a zero-day exploit or a nation-state attacker. They start with something embarrassingly simple - a server that IT forgot was still running, a VPN appliance that missed two years of firmware updates, a file share that was supposed to be internal but had been misconfigured to allow anonymous access.

I've reviewed hundreds of security environments over my 20+ working years. The pattern is consistent: organizations that get hit aren't necessarily the ones with the smallest budgets or the least sophisticated tools. They're often the ones that stopped looking at their own environment the way an attacker looks at it.

That's the visibility gap. And it's more common than most mid-market organizations realize.

The asset inventory problem

Before you can protect something, you have to know it exists. That sounds obvious. In practice, it's one of the hardest problems in security.

Networks grow organically. A server gets spun up for a project and never decommissioned. A cloud instance gets provisioned by a developer and never makes it into the CMDB. A contractor connects a device during an engagement and it stays on the network long after the engagement ends. Shadow IT, cloud applications, personal devices, unsanctioned SaaS tools all add assets that IT has no visibility into by definition.

Attackers don't limit themselves to the assets you know about. They scan everything. And they have time: attacker dwell time before detection is still commonly measured in weeks or months, not days. That's weeks or months of an attacker mapping your environment, finding the forgotten server, the misconfigured share, the credential that was never rotated.

If you don't know what's in your environment, you cannot know what's exposed.
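The practical version of "know what's in your environment" is a reconciliation: join what IT believes it owns (the CMDB) against what is actually observed on the wire and in the cloud console, and report the differences. The following is an added example, not code from the original post. Every record in it is constructed for illustration: the CMDB entries, the DHCP leases, the scan results and the cloud instance list stand in for the exports you would pull from your own systems.

```python
"""Reconcile a CMDB against observed assets (added example, constructed data)."""
import ipaddress

# Constructed CMDB export: what IT thinks exists and whether it is supposed to be live.
CMDB = [
    {"hostname": "FS01.corp.example", "ip": "10.10.1.5", "status": "active"},
    {"hostname": "proj-web02", "ip": "10.10.2.20", "status": "decommissioned"},
    {"hostname": "vpn-gw", "ip": "203.0.113.10", "status": "active"},
]

# Constructed observations from three independent sources. Each entry is (ip, label).
OBSERVED = {
    "dhcp": [("10.10.1.5", "FS01"), ("10.10.3.77", "DESKTOP-7Q2K")],
    "scan": [("10.10.1.5", "445/tcp"), ("10.10.2.20", "22/tcp,80/tcp"), ("10.10.3.77", "22/tcp")],
    "cloud": [("198.51.100.23", "i-0abc dev-sandbox")],
}


def normalize_ip(raw: str) -> str:
    """Canonical string form so '10.10.1.5 ' and '10.10.1.5' join correctly."""
    return str(ipaddress.ip_address(raw.strip()))


def reconcile(cmdb, observed):
    """Return three buckets keyed by IP:
    unknown                -> seen by some source, absent from the CMDB (shadow assets)
    decommissioned_but_live-> CMDB says retired, yet something answers on that address
    active_but_unseen      -> CMDB says live, but no source observed it (scope gap or stale record)
    """
    seen: dict = {}
    for source, entries in observed.items():
        for raw_ip, label in entries:
            info = seen.setdefault(normalize_ip(raw_ip), {"sources": set(), "labels": set()})
            info["sources"].add(source)
            info["labels"].add(label)

    known = {normalize_ip(rec["ip"]): rec for rec in cmdb}
    report = {"unknown": {}, "decommissioned_but_live": {}, "active_but_unseen": {}}

    for ip, info in seen.items():
        rec = known.get(ip)
        if rec is None:
            report["unknown"][ip] = info
        elif rec["status"] == "decommissioned":
            report["decommissioned_but_live"][ip] = info

    for ip, rec in known.items():
        if rec["status"] == "active" and ip not in seen:
            report["active_but_unseen"][ip] = rec
    return report


if __name__ == "__main__":
    for bucket, entries in reconcile(CMDB, OBSERVED).items():
        print(f"== {bucket} ({len(entries)})")
        for ip, info in entries.items():
            print(f"  {ip}: {info}")
```

The join key is the IP address, which is the one attribute every source shares; in a real environment you would add MAC addresses and cloud instance IDs as secondary keys, because DHCP churn makes IP-only matching noisy. The "active but unseen" bucket is as important as the "unknown" one: it tells you either that the CMDB is stale or that your observation sources do not cover that network.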

Why vulnerability scanning and penetration testing answer different questions

Once you have visibility into your assets, you need to understand their exposure. This is where organizations most commonly confuse two tools that serve different purposes.

A vulnerability scan is a systematic check against known CVEs and misconfigurations. It tells you: this version of this software has this known vulnerability, rated at this severity. It's fast, it's repeatable, and it gives you a prioritized list of things to fix. Every organization with an external presence should be running them at minimum quarterly.

A penetration test is adversarial. A qualified and certified tester, operating under a signed Rules of Engagement document, actively attempts to compromise your environment. They chain vulnerabilities together. They find the path from an external foothold to your domain controller. They identify the combination of a misconfiguration, an over-permissioned service account, and a weak network segment that no automated scanner would flag as critical because no single element looks severe in isolation.

Scans tell you what's broken. Pen tests tell you what's exploitable. You need to know both.
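What "chaining" means in practice is that findings are edges in a graph, and the dangerous thing is a path, not any one edge. The block below is an added example, not code or findings from the original post: the findings list is constructed so that no single item rates above medium, yet a breadth-first search over them walks from the internet to a domain controller. The scanner view and the path view are computed from the same data to make the contrast concrete.

```python
"""Scanner view vs. attack-path view over constructed findings (added example)."""
from collections import deque

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings, each meaning "a foothold at SRC lets you reach DST".
# Severity is what a scanner would assign to that single item in isolation.
FINDINGS = [
    ("internet", "web01", "outdated web framework exposes local file read", "medium"),
    ("web01", "svc_web", "database connection string in world-readable config", "low"),
    ("svc_web", "sql01", "service account is local admin on SQL01 (over-permissioned)", "low"),
    ("sql01", "dc01", "SQL01 shares a flat segment with DC01, no filtering", "low"),
    ("internet", "vpn01", "TLS certificate expired", "low"),
    ("fs01", "svc_backup", "anonymous SMB share exposes backup script with credentials", "medium"),
]


def scanner_view(findings):
    """What a vulnerability report shows: a flat list, most severe first, no relationships."""
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f[3]])


def build_graph(findings):
    graph = {}
    for src, dst, desc, sev in findings:
        graph.setdefault(src, []).append((dst, desc, sev))
    return graph


def find_path(findings, start, goal):
    """Breadth-first search: the shortest chain of findings from start to goal, or None."""
    graph = build_graph(findings)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for dst, desc, sev in graph.get(node, []):
            if dst not in parent:
                parent[dst] = (node, desc, sev)
                queue.append(dst)
    if goal not in parent:
        return None
    chain, node = [], goal
    while parent[node] is not None:
        prev, desc, sev = parent[node]
        chain.append((prev, node, desc, sev))
        node = prev
    return list(reversed(chain))


def worst_single_severity(chain):
    """Highest severity any one link in the chain would get on its own."""
    return max((link[3] for link in chain), key=SEVERITY_RANK.get)


if __name__ == "__main__":
    print("Scanner view:")
    for src, dst, desc, sev in scanner_view(FINDINGS):
        print(f"  [{sev:6}] {desc}")
    chain = find_path(FINDINGS, "internet", "dc01")
    print(f"\nAttack path to dc01 (worst single link: {worst_single_severity(chain)}):")
    for src, dst, desc, sev in chain:
        print(f"  {src} -> {dst}: {desc} [{sev}]")
```

The path's impact is domain compromise; its worst individual link is medium. That gap between per-item severity and end-to-end impact is exactly what a tester is paid to find and a scanner cannot.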

The 90-day benchmark

A vulnerability that exists in your environment today will be probed by automated scanning tools within days of a public CVE disclosure. Threat actors maintain their own scanners. They index the internet continuously. When a new CVE drops for a widely deployed product (a firewall, a VPN concentrator, a mail server), they identify vulnerable targets faster than most patch cycles can respond.

The 90-day scan cadence exists because quarterly gives you a reasonable window to catch new exposures before they become incidents. It's not a magic number, but it's the practical minimum for an environment that changes regularly. If your last scan was more than 90 days ago, you have blind spots you don't know about.

What attackers see when they look at your perimeter

From outside your network, a threat actor using freely available tools can identify your external IP ranges, enumerate open ports and services, identify software versions from banner responses, check those versions against public vulnerability databases, and flag systems running end-of-life software with no available patches.

This takes minutes. It is not sophisticated. It requires no credentials, no inside knowledge, and no special skill beyond the ability to run a tool.

If you haven't done this yourself, or hired someone to do it for you, you don't know what that picture looks like. And someone else does.
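The middle steps of that picture, grabbing a banner and checking the version it reveals, fit in a few dozen lines. The block below is an added example, not code from the original post. To run offline it starts its own throwaway listeners on 127.0.0.1 that emit constructed banners; the BASELINE table is also constructed and stands in for a lookup against a real vulnerability or end-of-life database, so treat its thresholds as illustrative, not as advisories. Against real targets you would point grab_banner at your own external ranges, with authorization.

```python
"""Banner grab and version check against a constructed baseline (added example)."""
import re
import socket
import threading

# Constructed baseline: product -> oldest version this hypothetical org accepts.
# Illustrative only; a real check consults a vulnerability/EOL database.
BASELINE = {"OpenSSH": (8, 0), "Apache": (2, 4, 50), "Exim": (4, 94)}

# Banner patterns for three common perimeter services. Group 1 = product, group 2 = version.
PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(OpenSSH)[_-](\S+)"),
    re.compile(r"^Server:\s*(Apache)/([\d.]+)", re.M),
    re.compile(r"^220 .*?\b(Exim) ([\d.]+)"),
]


def parse_banner(text: str):
    for pat in PATTERNS:
        m = pat.search(text)
        if m:
            return m.group(1), m.group(2)
    return None


def version_tuple(version: str) -> tuple:
    """'7.4p1' -> (7, 4, 1): numeric components only, so tuples compare sanely."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def assess(banner: str) -> dict:
    parsed = parse_banner(banner)
    if parsed is None:
        return {"product": None, "version": None, "status": "unrecognized"}
    product, version = parsed
    minimum = BASELINE.get(product)
    if minimum is None:
        status = "no_baseline"
    elif version_tuple(version) < minimum:
        status = "outdated"
    else:
        status = "ok"
    return {"product": product, "version": version, "status": status}


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe (HTTP needs one), read until EOF or 2 KiB."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < 2048:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("utf-8", "replace")


def serve_banner(banner: bytes) -> int:
    """Fake service for the demo: accept one client, emit a canned banner, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.settimeout(0.5)
            try:
                conn.recv(1024)  # drain any probe the client sends
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def run_demo():
    # Constructed banners: (service name, bytes the fake service emits, probe to send)
    services = [
        ("SSH", b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n", b""),
        ("HTTP", b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
         b"HEAD / HTTP/1.0\r\n\r\n"),
        ("SMTP", b"220 mail.example.test ESMTP Exim 4.96\r\n", b""),
    ]
    results = []
    for name, banner, probe in services:
        port = serve_banner(banner)
        results.append({"service": name, "port": port, **assess(grab_banner("127.0.0.1", port, probe))})
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['service']:5} :{r['port']:<5} {r['product']} {r['version']} -> {r['status']}")
```

Two caveats a practitioner would add: banners can be altered or suppressed, so "unrecognized" is not "safe", and a version string only tells you what the vendor shipped, not what a backported patch fixed. Both are reasons the scan is a starting point and the penetration test is the confirmation.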

Closing the gap

The entry point for most mid-market organizations is a combined external and internal vulnerability assessment. A systematic look at what's exposed, what's misconfigured, and what the remediation priority order should be. From there, a penetration test validates whether the exposures that look theoretical are actually exploitable in your specific environment.

Neither of these requires a seven-figure security budget. They require a decision to look.

The organizations that get hit aren't always the ones that looked and found too much. They're often the ones that never looked at all.

Tags: vulnerability management, penetration testing, asset inventory, mid-market security, MSSP, vulnerability scanning, cybersecurity basics