In 2025, AI is making it easier for attackers to exploit weaknesses, while businesses are contending with expanding attack surfaces due to a multitude of factors including shadow IT, supply chain risk, and sprawling cloud infrastructure.
Faced with these challenges, how well are defenders keeping up? The data highlights progress in some areas, but also pressures in the wider threat environment that are stretching lean security teams to their limits.
Intruder’s Exposure Management Index analyzes data from 3,000 small and midsize businesses (1 to 2,000 employees) to understand how the threat environment is changing and how vulnerability response differs across company sizes, industries, and geographies.
Read on for three key trends shaping exposure management in 2025, and download the full report for more insights, expert commentary and advice for staying secure amidst an intensifying threat landscape.
High-Severity Vulnerabilities Up 20%
The average number of identified critical vulnerabilities per organization has stayed steady compared with last year, so organizations aren’t necessarily facing more “all hands on deck” crises.
But the number of high-severity issues has jumped by almost 20% year-on-year. That means security and engineering teams are contending with a greater volume of serious issues.
In most cases, however, there hasn’t been a corresponding increase in staff or budget. The knock-on effect has been increased pressure on already-stretched security and engineering teams.
Generative AI has played a role in this increase by making it easier for attackers to write new exploits. Attackers are also seeing an opportunity to exploit old vulnerabilities that remain unpatched.
Andy Hornegold, VP of product at Intruder, comments that “we are seeing the back catalog of CVEs and vulnerabilities being weaponized with increased frequency”.
89% of Critical Vulnerabilities Fixed Within 30 Days
The good news is that teams are fixing critical issues faster. In 2025, 89% of resolved critical vulnerabilities were remediated within 30 days, up from 75% in 2024.
The push is likely linked to the high-profile incidents that hit headlines this year in healthcare, retail, and automotive. Those incidents made the cost of delay visible far beyond the IT department, driving executives and boards to demand faster action.
The improvement suggests that security processes are maturing, and that better tooling and clearer ownership are making a difference.
Smaller Companies Still Fix Faster, But the Gap Is Closing
Company size also plays a role in how quickly vulnerabilities are fixed. In 2024, small businesses (under 50 employees) resolved critical issues in an average of approximately 20 days – nearly twice as fast as mid-sized organizations, which averaged 38. In 2025, both groups have improved significantly, cutting critical vulnerability remediation times to 14 and 17 days respectively, narrowing the gap even further.
The difference comes down to complexity.
Larger, older estates often run a mix of legacy systems, bespoke integrations, and more heterogeneous environments. Patches require extra testing and coordination, while approvals and ticketing processes can add further delays.
Security teams might detect vulnerabilities quickly, but patching usually depends on infrastructure, DevOps, or product engineering teams, and every handoff introduces friction that slows things down.
Smaller organizations, with fewer systems and less bureaucracy, can act with more agility. As companies grow, the challenge is to put processes and tools in place that reduce bottlenecks and help remediation keep pace.
Where Defenders Stand in 2025
This year’s data shows defenders are adapting, but are also under strain.
Beyond the trends discussed here, the Index explores the impact of regulation in Europe, how sectors differ when it comes to remediation times and how attackers are weaponizing older vulnerabilities using AI. It also looks back at the most notable vulnerabilities that shaped the threat environment in 2025.
Download the full report to get the complete analysis and see how your organization stacks up.
Sponsored and written by Intruder.




