How to cut your vulnerability backlog without ignoring real risk

Open any mature scanning program and you’ll find the same thing: a backlog in the thousands, a team that closes a few dozen a week, and a gap between those two numbers that only ever widens. Sorting by severity feels like progress, but it’s the reason the backlog exists. A CVSS 9 on an internal test server outranks a CVSS 6 on your payment gateway, even though one could end your quarter and the other can’t reach anything.

The backlog isn’t a volume problem you can grind down. It’s a prioritization problem wearing a volume costume.

Rank by what it could cost

A vulnerability matters in proportion to the damage it could do if someone used it — the exploitability, whether the asset is actually reachable, and what’s behind that asset in dollars. Price the backlog that way and it reorganizes itself. The thousands collapse into a few dozen findings that carry almost all the real exposure, and a long tail that can wait.

That’s the move FAIR makes possible: translating a wall of CVSS scores into annualized loss exposure your board recognizes. Suddenly “we have 4,000 open findings” becomes “$3.1M of that sits in eleven of them,” and the queue has an obvious top.

Open criticalsAverage MTTR (days)Headcount

Modeled annual exposure from your open criticals

P50$648KtoP95$3.2M

modeled / illustrative — an estimate, never a measured figureBring this to the demo →

How we estimate this

A simple FAIR-flavored model, kept transparent on purpose. Each open critical carries a modeled annual loss-exposure. We scale it by how long findings stay open and by org size:

P50 = criticals × $9K × (MTTR ÷ 30d) × (headcount ÷ 1,000)P95 = P50 × 5 (tail spread)

The MTTR and size factors are bounded so the number stays sane at the edges. These are illustrative inputs. A demo replaces them with your own findings and your own FAIR parameters.

Run a few numbers above and watch how quickly a backlog’s risk concentrates. The point isn’t the exact figure; it’s that exposure is wildly uneven, and treating every finding as equally urgent guarantees you spend your week on the wrong ones.

Then prove the top of the queue is gone

Cutting a backlog only counts if the findings you close stay closed. Every fix at the top gets an independent re-test — a re-scan, a second scanner, an API probe — before it leaves the queue, so the number that drops reflects risk that’s actually retired. The long tail gets scheduled or excepted with a time box and an owner, which keeps it visible without letting it crowd out the work that matters.

A backlog you’ve prioritized by dollars and verified on closure is a different object than a backlog you’ve sorted by severity. One shrinks because the risk is gone. The other just gets re-sorted.