The MITRE Funding Fiasco: A Call for Future-Ready Cyber Defense 

The cybersecurity industry has long relied on the MITRE Common Vulnerabilities and Exposures (CVE) program as the backbone of vulnerability management. However, the recent funding crisis has revealed a critical flaw in this dependency. While CVE program funding has been renewed for the next 11 months, the incident serves as yet another warning shot to the cybersecurity industry of the fragility of our current approach to identifying, tracking, and mitigating vulnerabilities.   

To use a simple analogy to share the full gravity of the problem consider this example: 

If the CVE program were to stop enriching vulnerabilities, the impact would be catastrophic—akin to ChatGPT no longer receiving training updates. Imagine a world where ChatGPT relies solely on outdated information without incorporating new knowledge: 

The CVE program would fail to adapt to recent developments, making it less useful and relevant. Users would receive incomplete or incorrect guidance, leading to frustration and inefficiencies. And over time, trust in the system would erode, and users would be forced to look for alternative, fragmented solutions, making the task of tracking and mitigating vulnerability risk even more frustrating for security practitioners. 

The reality is that CVEs continue to play an important role in modern cybersecurity. Just as ChatGPT continuously learns to stay relevant, CVEs provide the ever-evolving foundation for identifying and addressing vulnerabilities. Without them, defenders would be left in the dark, attackers would thrive, and the entire cybersecurity ecosystem would falter. 

What Happens If MITRE Stops Enriching CVEs? 

CVEs are the cornerstone of global vulnerability management. They provide standardized language and a framework for identifying and addressing risks. If MITRE were to stop enriching CVEs, the ripple effects would undermine the cybersecurity industry’s ability to function effectively. 

Key Impacts of a CVE Disruption 

1. Deterioration of National Vulnerability Databases — Databases like the National Vulnerability Database (NVD) rely on CVEs for accurate and standardized vulnerability data. Without CVEs, these databases would become outdated and inconsistent, eroding their reliability. 
2. Disruption to Security Tools — EDR, XDR, Vulnerability scanners, SIEMs, and patch management systems depend on CVE data to detect and respond to threats. A CVE disruption would render these tools less effective, leaving organizations exposed to untracked vulnerabilities. 
3. Impact on Incident Response — Incident response teams use CVEs to assess risk and prioritize mitigations during attacks. Without them, response times would slow, and attacks could cause greater damage. 
4. Critical Infrastructure Risks — Sectors like energy, healthcare, and water rely on CVEs to secure their systems. A lapse in CVE data would increase the risk of successful attacks on these essential services. 
5. Global Supply Chain Vulnerabilities — CVEs provide a common language for supply chain security. Without them, supply chains would become fragmented, increasing the risk of attacks on vendors and suppliers. 
6. Loss of Standardization — CVEs create a shared framework for discussing vulnerabilities. Without them, the industry would face fragmentation, inefficiency, and reduced collaboration. 
7. Erosion of Trust in Cybersecurity — CVEs are a key pillar of the cybersecurity ecosystem. Losing them would erode trust in tools, processes, and vulnerability management practices. 
8. Increased Fragmentation — In the absence of MITRE’s oversight, multiple organizations might attempt to create their own vulnerability tracking systems, leading to inefficiencies and confusion. 

Are There Alternatives to CVE ? 

Globally, CVE alternatives exist — but are they enough? The European Union Agency for Cybersecurity (ENISA) has a vulnerability database along with a coordinated vulnerability team and multi-year funding already in place.  

However, the European Union Vulnerability Database (EUVD) and CVE serve different purposes. CVE provides a global standard and naming convention for vulnerabilities, while EUVD provides a platform that integrates additional data sources for a uniquely EU perspective. EUVD leverages CVE data and naming conventions. 

The National Vulnerability Database (NVD) is hosted by NIST, and is a US-based alternative. The NVD enriches CVEs with detailed metadata. However, like the EUVD, NVD is reliant on CVE data for newly reported vulnerabilities. If CVE went down, NVD can serve as a historical reference point for security practitioners for existing vulnerabilities with highly valuable context like exploitability metrics and severity scores. 

Commercially, VulDB is an independent option that uses a unique ID scheme. It provides its users with detailed timelines, exploit information and patch details, with more robust context for practitioners looking for a backup. 

Open Source Vulnerabilities (OSV) is a database maintained for open source ecosystems. It focuses on version ranges and is ideal for dev teams looking to track supply chain risk or open source vulnerabilities. 

My take: while several public and private databases exist globally, referencing each adds an additional layer of work and consolidation for over-taxed security practitioners. At the end of the day, vulnerability management must become simpler, not more complicated. 

The Flaws in Traditional Vulnerability Management 

The potential disruption to the CVE program has put a spotlight on the deeper flaws in how organizations approach vulnerability management today. While vulnerability management is a critical component of cybersecurity, its traditional approach is inherently reactive, resource-intensive, and insufficient for dealing with modern threats.  

Below, let’s explore the three key flaws in detail: 

1. Over-Reliance on Patching 

Patching has long been the cornerstone of vulnerability management. It involves applying vendor-provided fixes to address security flaws in software or systems. While patching is necessary, the over-reliance on this reactive measure introduces serious challenges: 

Patching Is Reactive 

• Waiting on Vendors: Organizations are forced to wait for vendors to identify vulnerabilities, develop fixes, and release patches. This creates a delay between the discovery of a vulnerability and its resolution. During this period, attackers can exploit the flaw. 
• Reactive Posture: By the time a patch is released, attackers may have already weaponized the vulnerability, leaving organizations in a race against time to deploy it. 

The Mean Time to Patch (MTTP) 

• Lengthy Patch Cycles: Industry studies show that the Mean Time to Patch (MTTP) for most organizations is over 60 days, with some taking as long as 120 days. Every day a vulnerability remains unpatched, it creates an open window for attackers to exploit. 
• Operational Bottlenecks: Even when patches are available, applying them across large, complex environments can be time-consuming and error-prone. Testing, scheduling, and deployment often result in further delays. 

Challenges with Legacy Systems and Critical Infrastructure 

• Unpatchable Systems: Many organizations rely on legacy systems that are no longer supported by vendors, meaning no patches are available for known vulnerabilities. These systems are common in industries like healthcare, manufacturing, and energy, where upgrading infrastructure is costly or impractical. 
• Operational Constraints: Critical infrastructure systems often cannot afford downtime, making it infeasible to apply patches. For example, a patch for an industrial control system may require halting production, which could result in significant financial losses. 

The Consequences of Patching Delays 

• Attackers exploit vulnerabilities faster than organizations can patch them. For example, ransomware groups often capitalize on the patching delay by targeting organizations that haven’t yet applied fixes for known vulnerabilities. 
• Organizations are left exposed to Known Exploited Vulnerabilities (KEVs)—vulnerabilities that are actively being used in attacks. 

2. Slow Response to Zero-Days 

Zero-day vulnerabilities are flaws that are unknown to the public, vendors, or security teams, but they are known to attackers and actively exploited. Traditional vulnerability management struggles to address these threats effectively. 

Attackers Have the Advantage 

• Speed of Exploitation: Attackers move quickly to weaponize zero-day vulnerabilities, often within hours of discovering them. In contrast, defenders require time to identify the vulnerability, develop a mitigation plan, and deploy fixes. 
• Sophistication of Attacks: Modern attackers use advanced techniques, including AI-driven threat discovery, to identify and exploit vulnerabilities that haven’t been disclosed. 

Challenges Without CVEs 

• Difficulty in Identification: Without CVEs, security teams would lack a centralized source of information to identify zero-day vulnerabilities. This would force organizations to rely on fragmented or incomplete data, delaying their ability to respond. 
• Prioritization Issues: CVEs help organizations prioritize vulnerabilities based on severity and exploitability. Without this guidance, teams may struggle to determine which risks require immediate attention. 

The Consequences of Slow Responses 

• Zero-days remain undetected and unpatched, allowing attackers to exploit them for longer periods. 
• Fileless malware and advanced persistent threats (APTs) often leverage zero-days, bypassing traditional defenses and causing significant damage before they are detected. 

3. Lack of Proactive Risk Reduction 

Traditional vulnerability management focuses heavily on detection and patching, often neglecting proactive measures that reduce the overall attack surface. This reactive approach leaves significant gaps in security: 

Misconfigurations 

• A Common Attack Vector: Misconfigured systems, such as open RDP ports or improperly secured cloud services, are among the leading causes of breaches. 
• Overlooked Risks: Vulnerability management programs often focus on software flaws, neglecting misconfigurations that attackers can exploit to gain unauthorized access. 

Privilege Escalation Risks 

• Weak Permissions: Attackers frequently target improperly configured privileges to escalate their access within a system. For example, a compromised user account with administrative rights can give attackers control over an entire network. 
• Insufficient Monitoring: Traditional vulnerability management programs rarely address privilege misuse, leaving organizations vulnerable to insider threats and lateral movement. 

Unpatched Systems 

• Legacy Systems: As mentioned earlier, legacy and unsupported systems often cannot be patched. Without alternative measures, these systems remain easy targets for attackers. 
• Critical Infrastructure: Systems in industries like healthcare and energy often run outdated software that cannot be upgraded or patched without disrupting operations. 

Failure to Adapt to Emerging Threats 

Traditional approaches rely heavily on known vulnerabilities, which means they fail to account for new and emerging threats. Attackers are constantly evolving their tactics, and static, detection-based methods cannot keep up. 

What Does Being “Future-Ready” Mean in Cybersecurity? 

“Future-ready” in cybersecurity refers to the ability of organizations, strategies, and technologies to anticipate, adapt to, and overcome current and emerging threats in an ever-evolving digital landscape. It emphasizes proactive preparedness, resilience, and flexibility to address both known and unknown challenges effectively. 

Key Characteristics of Being Future-Ready in Cybersecurity 

1. Proactive Threat Neutralization 

Anticipating and addressing vulnerabilities and risks before they can be exploited, rather than relying solely on reactive measures like patching or post-breach response. 

2. Adaptability to New Threats 

Leveraging technologies and strategies that evolve dynamically to defend against emerging threats like ransomware, zero-day vulnerabilities, and advanced persistent threats (APTs). 

3. Reducing Dependencies 

Minimizing reliance on external systems, such as traditional vulnerability databases (e.g., CVEs), and instead focusing on self-sufficient, autonomous defense mechanisms. 

4. Holistic Risk Management 

Going beyond traditional vulnerability management by addressing misconfigurations, privilege escalation risks, and weaknesses in processes or infrastructure. 

5. Resilience Under Disruption 

Ensuring continuity of operations even when critical systems or services are compromised, disrupted, or unavailable. 

6. Scalability and Efficiency 

Implementing solutions that can scale with organizational growth while maintaining efficiency in detecting and neutralizing threats across increasing attack surfaces. 

Why Future-Readiness Matters 

In an environment where attackers are constantly innovating, traditional, static defenses are no longer sufficient. A future-ready cybersecurity strategy ensures organizations can: 

• Stay ahead of attackers by neutralizing risks before they materialize. 
• Protect critical systems and data from advanced threats like ransomware. 
• Maintain operational stability even in the face of unexpected disruptions, such as vulnerabilities being untracked or new attack methods emerging. 

In essence, being future-ready is about building a cybersecurity framework that is not just reactive to today’s threats, but resilient and adaptive enough to handle the threats of tomorrow. 

Future-Ready Cybersecurity: A Preemptive Approach 

To mitigate the risks of CVE disruptions, organizations must move beyond traditional vulnerability management and adopt future-ready cybersecurity strategies. These strategies emphasize prevention-first security to reduce reliance on CVE data and patching. 

Morphisec delivers future-ready solutions through: 

• Virtual Patching 
• Patchless Protection 
• Ring-Fencing 
• Adaptive Exposure Management (AEM) 
• Automated Moving Target Defense (AMTD) 

Key Technologies for a Future-Ready Defense 

1. Anti-Ransomware Prevention: The Most Critical Defense 

Ransomware is one of the most devastating cyber threats today, exploiting unpatched vulnerabilities to encrypt systems and demand payment. A future-ready defense must prioritize anti-ransomware strategies that prevent attacks from succeeding. 

Benefits: 

• Stops ransomware payloads before they can execute. 
• Prevents attackers from exploiting vulnerabilities or moving laterally across networks. 
• Protects critical systems and ensures operational continuity, even in the face of advanced ransomware campaigns. 
• Reduces reliance on reactive patching or CVE updates by neutralizing threats proactively. 

2. Preemptive Cyber Defense: Proactively Reducing Risk 

Preemptive cyber defense focuses on reducing the attack surface and neutralizing threats before they can cause harm. This proactive approach includes: 

• Adaptive Exposure Management (AEM): Proactive Risk Reduction 

 AEM identifies and mitigates risks across the attack surface, including misconfigurations, privilege escalation threats, and weak credentials. 

 Benefits of AEM: 

• Detects and addresses vulnerabilities before attackers can exploit them. 
• Dynamically adapts to changes in the environment to maintain a secure posture. 
• Reduces reliance on traditional CVE data by addressing security gaps holistically. 
• Automated Moving Target Defense (AMTD): Stopping Threats Cold 

AMTD dynamically morphs system environments, making vulnerabilities unexploitable and stopping advanced threats, including ransomware and zero-days, in real time. 

 Benefits of AMTD: 

• Neutralizes ransomware and fileless malware attacks by creating unpredictable environments. 
• Prevents exploitation of both known and unknown vulnerabilities. 
• Operates seamlessly with existing security tools to enhance overall resilience. 

3. Virtual Patching: Filling the Gap 

Virtual patching provides temporary protection by blocking exploitation attempts without modifying the underlying software. 

Benefits of Virtual Patching: 

• Shields systems while waiting for vendor patches or CVE data. 
• Requires no downtime, ensuring business continuity and maintaining productivity. 
• Protects legacy systems and critical infrastructure that cannot be updated through traditional patching. 

4. Patchless Protection: Eliminating the Need for Patches 

Patchless protection neutralizes vulnerabilities dynamically, rendering them unexploitable without requiring traditional vendor fixes. 

Benefits of Patchless Protection: 

• Protects against zero-day vulnerabilities and unknown threats. 
• Reduces dependency on CVEs and patch cycles. 
• Provides continuous protection for systems that cannot be easily patched, like legacy infrastructure. 

5. Ring-Fencing: Containing Threats 

Ring-fencing isolates applications and processes to restrict unauthorized access and prevent lateral movement within networks. 

Benefits of Ring-Fencing: 

• Prevents privilege escalation and unauthorized actions by tightly controlling access. 
• Contains threats within isolated processes, ensuring that attacks cannot spread. 
• Secures critical assets during active attacks, minimizing damage and disruption. 

By prioritizing anti-ransomware prevention and adopting preemptive cyber defense strategies like AEM and AMTD, alongside technologies such as virtual patching, patchless protection, and ring-fencing, organizations can build a resilient and proactive defense posture. These technologies ensure protection against both traditional and advanced threats, even in the face of disruptions to vulnerability management systems like CVEs. 

Capabilities Comparison 

Anti-Ransomware Prevention and Preemptive Cyber Defense are foundational and should be the first line of defense to stop attacks like ransomware and reduce organizational risk. 

AEM and AMTD work together to proactively identify risks and neutralize threats dynamically. 

Virtual Patching, Patchless Protection, and Ring-Fencing complement these strategies by addressing specific vulnerabilities, protecting legacy systems, and containing threats in real-time. 

A Call to Evolve Cybersecurity 

The MITRE funding crisis should not be seen as a one-off incident but as a critical warning about the fragility of the current cybersecurity ecosystem. Our reliance on traditional vulnerability management systems, such as CVEs, has left organizations exposed to inefficiencies, delays, and an overdependence on reactive measures. As threats like ransomware grow more sophisticated and attack surfaces expand, it is clear that the old ways of managing vulnerabilities are no longer sufficient. 

To safeguard against future disruptions and advanced threats, the cybersecurity industry must embrace a future-ready approach that prioritizes preemptive defense over reactive patching. This means reducing reliance on external systems like CVEs, proactively identifying and mitigating risks, and implementing advanced technologies such as Adaptive Exposure Management (AEM) and Automated Moving Target Defense (AMTD) to neutralize threats before they can cause harm. 

The stakes are too high to ignore. A failure to adapt will leave organizations vulnerable to ransomware attacks, operational chaos, and escalating cyber risks. Now is the time for the industry to rethink, innovate, and evolve toward a more resilient, adaptive, and proactive security posture—one that ensures continuous protection in an ever-changing threat landscape. 

This is not just a call to action; it is a call to transformation. The future of cybersecurity depends on it. Download the Achieving Cyber Resiliency white paper for more adaptive and proactive cybersecurity strategies to counter an unpredictable threat landscape. 

About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of its time.