Why it needs to be easier for security teams to fix vulnerabilities [Q&A]


Agentic AI and rising attack speed are putting new pressure on security teams that already struggle with growing backlogs of vulnerabilities. Many organizations have improved detection but fixes still move slowly because workflows remain manual and teams operate in silos.

To explore why remediation lags and how automation can help, we spoke with Dom Richter, co-founder of Mondoo and a long-time practitioner at the intersection of security and platform engineering.

BN: Cybersecurity teams say they are drowning in vulnerabilities but still struggle to fix the issues that matter. Why do you think remediation remains so difficult?

DR: Security teams put in a ton of effort to find weaknesses, but things trickle to a halt once the fixes need another team to step in. Security and platform teams usually operate on different tracks with different pressures. That separation creates long handoffs and delays, even when the issue itself is simple. Early in my career, I saw how often preventable weaknesses remained open because the teams responsible for remediation were already stretched thin.

Tooling creates delays as well. It’s common for organizations to rely on scanners. But the problem with scanners is that they produce long lists of security vulnerabilities without the context and remediation guidance needed for quick action. In our 2025 State of Vulnerability Remediation Report, 42 percent of respondents listed ‘Lack of access to remediation steps and code’ as the major pain point when remediating vulnerabilities. Without this information, remediation is slowed and exposure is increased.

BN: You’ve spoken about the cultural divide between security and operations. How can organizations make collaboration easier?

DR: The easiest way to improve collaboration is to treat vulnerability management as a shared effort. Security teams often concentrate on exposures, while platform teams focus on keeping services stable. Leaders can help by fostering open conversations about what each side needs. When teams understand where the other is coming from, communication becomes less antagonistic and more constructive.

Some organizations build cross-functional roles that blend experience from both domains. Others co-locate teams or establish shared goals and success metrics. Good tooling also helps because teams act more quickly when they receive clear context and well-prepared fixes. When communication moves smoothly in both directions, remediation becomes more predictable.

BN: CVSS scores are widely used but often fail to guide action. How should teams think about prioritization?

DR: CVSS scores are great for giving you a baseline that you can measure progress or regression against, but they’re a poor tool for prioritization because they don’t give you business and technical context.

Teams need to know which assets support critical services and which ones play a smaller role. A production database carries more weight than a test server, even if the CVSS score is identical. Teams also need detail about configurations, access paths, and system relationships. This context determines which issues merit immediate attention.

Threat activity is part of the picture as well. A vulnerability that is actively scanned for in the wild requires faster action. When teams combine business impact, technical detail, and threat intelligence, they take action based on true risk. This reduces alert fatigue and directs time toward the fixes that matter most.
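To make the prioritization argument concrete, here is an added example (not code from the interview or from Mondoo) that ranks the same findings two ways: by raw CVSS, and by CVSS combined with asset criticality, access path and threat activity. The weights, hostnames and CVE placeholders are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed weights for this example (not Mondoo's scoring model):
# how much an asset's business tier and access path amplify a CVSS baseline.
CRITICALITY = {"production": 3.0, "staging": 1.5, "test": 0.5}
EXPOSURE = {"internet": 2.0, "internal": 1.0, "isolated": 0.5}

@dataclass
class Finding:
    asset: str       # hostname, constructed
    cve: str         # placeholder identifier, not a real CVE number
    cvss: float      # baseline severity 0-10, the number used to measure progress
    tier: str        # business criticality of the asset
    exposure: str    # access path: who can reach the asset
    exploited: bool  # threat intel: actively scanned for or exploited in the wild

def risk_score(f: Finding) -> float:
    """CVSS baseline multiplied by business, technical and threat context."""
    score = f.cvss * CRITICALITY[f.tier] * EXPOSURE[f.exposure]
    if f.exploited:
        score *= 2.0  # active exploitation doubles urgency
    return score

def remediation_queue(findings):
    """Asset names ordered by contextual risk, highest first."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]

def cvss_only_queue(findings):
    """The same findings ordered by raw CVSS, for contrast."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample findings: the two highest CVSS scores sit on low-value or
# unreachable hosts; the production database scores lower but is being exploited.
FINDINGS = [
    Finding("test-db-01", "CVE-PLACEHOLDER-1", 9.8, "test", "isolated", False),
    Finding("stage-api-01", "CVE-PLACEHOLDER-2", 9.8, "staging", "internal", False),
    Finding("prod-db-01", "CVE-PLACEHOLDER-3", 7.5, "production", "internal", True),
    Finding("prod-web-01", "CVE-PLACEHOLDER-4", 6.5, "production", "internet", False),
]

if __name__ == "__main__":
    print("by CVSS only :", cvss_only_queue(FINDINGS))
    print("by true risk :", remediation_queue(FINDINGS))
```

With these weights the production database moves from third place to the top of the queue while the 9.8 on the isolated test host drops to the bottom.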

BN: Many organizations are curious about autonomous remediation but worry about unintended consequences. What safeguards are most important?

DR: Safeguards ensure that automation improves security without creating new risks. It needs to start with teams defining which actions can be automated and which require human approval. A lot of the organizations we work with start with low-impact changes so they can evaluate how the system behaves. This helps teams learn how remediation steps are generated, how validation works, and how exceptions are handled. As teams get more comfortable, confidence grows and the scope expands.

Accountability is essential, though. Automated actions need clear logs so teams can review them later and adjust if needed. Rollback options help when changes need to be reversed. Secure design is also important because an agent with wide permissions becomes a target. Careful scoping of privileges and regular review of agent behavior keeps the system predictable.
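The safeguards described above (an allow-list of automatable actions, human approval for the rest, an audit log of every decision, and rollback) can be sketched as a small gate in front of any remediation agent. This is an added example, not Mondoo's implementation; the policy, action names and the host state it mutates are constructed.

```python
# Constructed policy for this example (not Mondoo's policy format): which
# remediation actions an agent may apply on its own and which wait for a human.
POLICY = {
    "auto": {"package_update", "config_tighten"},    # low-impact, pre-approved
    "manual": {"service_restart", "kernel_upgrade"},  # needs a named approver
}

class RemediationGate:
    """Applies only policy-approved actions, logs every decision, keeps rollbacks."""
    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []  # every decision, including refusals
        self.rollbacks = []  # (action, target, undo_fn), newest last

    def _record(self, action, target, decision, reason):
        self.audit_log.append({"seq": len(self.audit_log) + 1, "action": action,
                               "target": target, "decision": decision, "reason": reason})
        return decision

    def submit(self, action, target, apply_fn, undo_fn, approved_by=None):
        """Apply a proposed fix if policy allows; otherwise log why not."""
        if action in self.policy["auto"]:
            reason = "low-impact action on the auto allow-list"
        elif action in self.policy["manual"] and approved_by:
            reason = f"approved by {approved_by}"
        elif action in self.policy["manual"]:
            return self._record(action, target, "pending", "requires human approval")
        else:
            return self._record(action, target, "denied", "action not in policy")
        apply_fn()
        self.rollbacks.append((action, target, undo_fn))
        return self._record(action, target, "applied", reason)

    def rollback_last(self):
        if not self.rollbacks:
            return None  # nothing applied yet, nothing to undo
        action, target, undo_fn = self.rollbacks.pop()
        undo_fn()
        return self._record(action, target, "rolled_back", "operator request")

def demo():
    host = {"PermitRootLogin": "yes"}  # constructed stand-in for one sshd_config setting
    gate = RemediationGate(POLICY)
    results = (
        gate.submit("config_tighten", "web-01", lambda: host.update(PermitRootLogin="no"),
                    lambda: host.update(PermitRootLogin="yes")),
        gate.submit("kernel_upgrade", "web-01", lambda: None, lambda: None),
        gate.submit("unknown_script", "web-01", lambda: None, lambda: None),
        gate.rollback_last())
    return host, gate.audit_log, results
```

Every refusal lands in the audit log alongside the applied changes, so a later review sees what the agent tried to do, not only what it did.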

BN: You’ve spent years working at the intersection of security and automation. How do you see the balance between human and machine evolving in the next few years?

DR: I’d expect teams to use AI more often for the repetitive parts of the job: things like scanning and early triage. These are tasks that follow clear patterns, making them a good fit for automation. People will still guide the decisions that carry real weight. They will continue to review changes to important systems and decide how those changes affect risk. But the role of automation will grow as teams gain experience. Teams will start small, learn from results, and adjust and expand their approach. Over time, automation will become a part of normal operations.

Towards the end of the decade vulnerability management will move toward a shared data model that gives teams the full context needed for effective remediation. Continuous monitoring will get better, highlighting exposures sooner, while richer insights will help teams be more confident in their decisions.

I think it’s inevitable that AI will be involved, handling a lot of the day-to-day tasks while people can guide the areas that shape long-term security (architecture, governance, etc.). This will create a more stable process and reduce the firefighting that gets in the way of productivity. The goal is to resolve key issues quickly and give people room to focus on improvements that build resilience.
