Tidal Cyber Blog

CVE Myopia: Breaking Free with Threat-Led Defense

Written by Ann Chesbrough | Sep 4, 2025 12:39:47 PM

When it comes to securing the enterprise, many organizations still suffer from what we call "CVE Myopia." It's the over-reliance on Common Vulnerabilities and Exposures (CVEs) as the primary lens for measuring and improving security. Vulnerabilities are important, yes, but reducing risk by chasing CVE scores alone is like patching every crack in the pavement while ignoring the sinkhole forming underneath.

The Problem with CVE Myopia

CVE Myopia manifests in security programs that organize around patch lists, scorecards, and raw exposure inventories. Teams are tasked with closing every vulnerability with a high CVSS score, regardless of whether adversaries are actually exploiting it in the wild. The result is a whack-a-mole game: high effort, low impact, and a continuous backlog of "critical" issues that may never be weaponized against you.

This mindset creates three critical blind spots:

Irrelevance of Many CVEs

Studies consistently show that only a fraction of published vulnerabilities is ever weaponized by attackers [1]. Yet CVE-driven security programs demand remediation cycles for all of them, diverting resources away from the threats that matter most.

Disconnection from Adversary Behavior

CVE scoring is static and context-agnostic. It tells you nothing about how adversaries chain together tactics and techniques to achieve their objectives. In real attacks, exploits are just one step in a multi-tactic kill chain.

Operational Drag

CVE Myopia slows teams down. By treating every exposure equally, defenders lose the ability to prioritize. Mean time to detection (MTTD) and mean time to prioritize (MTTP) stretch out as analysts grind through endless queues of alerts tied to raw CVEs.

In short, CVE Myopia traps organizations in a cycle of reactive defense, rather than proactive, threat-led risk reduction.

Looking Beyond CVEs: The Power of ATT&CK

To move past CVE Myopia, we need to zoom out. Instead of looking at vulnerabilities in isolation, defenders should examine the chains of tactics and techniques adversaries actually use, and the behavior behind them.

The MITRE ATT&CK framework provides a powerful model for this. It catalogues adversary behavior, techniques, and sub-techniques used at every stage of an intrusion, from initial access to exfiltration. Importantly, ATT&CK reveals that:

  • Most adversary behaviors have nothing to do with exploiting CVEs.
  • Credential theft, lateral movement, privilege escalation, and data exfiltration often bypass patch-focused defenses.
  • Attackers string together tactics in creative, evolving ways, meaning defenders must understand and disrupt the chain, not just individual links.

By aligning defenses to ATT&CK techniques and the specific procedures adversaries employ, organizations can prevent real-world attack paths, even if some CVEs remain unpatched.

The Tidal Cyber Approach: Threat-Led Defense

This is where Tidal Cyber's Threat-Led Defense platform breaks the cycle of CVE Myopia. Instead of treating every CVE equally, Tidal helps security teams align defenses to adversary behavior and the threats that matter most to a particular organization or industry.

The Results Speak for Themselves

Using a threat-led approach, organizations see measurable improvements [2a-2c].

These are not hypothetical gains. They reflect a blend of industry benchmarks, MITRE ATT&CK-based evaluations, and real enterprise outcomes. Together, they demonstrate the power of putting adversary behavior, not CVE scores, at the center of defense.

How It Works

Tidal Cyber applies threat-led defense in three critical ways:

Coverage Maps

Mapping your defensive stack to ATT&CK techniques and adversary procedures shows where you are covered and where gaps exist. This moves the conversation from "how many CVEs are unpatched?" to "how exposed are we to the behaviors adversaries actually use?"

Threat Profiles

By building curated collections of adversary behaviors relevant to your industry, geography, and technology stack, Tidal helps you prioritize the threats most likely to target your organization.

Actionable Alignment

Instead of generic "patch everything" guidance, Tidal ties defenses directly to adversary behavior and the (Sub-)Techniques they use, enabling more efficient tuning of detections, rationalization of overlapping tools, and alignment with control frameworks like NIST CSF and CIS-18.

The result is a shift from reactive patch chasing to proactive, behavior-aligned threat-led defense.
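To make the three pieces concrete, here is an added example (not Tidal Cyber's code or platform logic) that scores a coverage map against a constructed threat profile and picks the gap to close next. The technique IDs are real ATT&CK identifiers; the relevance weights, control names and candidate list are constructed for illustration.

```python
"""Constructed ATT&CK coverage-gap analysis (example code, not Tidal Cyber's)."""
# Constructed threat profile: ATT&CK technique ID -> relevance weight for this hypothetical org
THREAT_PROFILE = {
    "T1566": 5,  # Phishing
    "T1078": 4,  # Valid Accounts (credential abuse)
    "T1003": 4,  # OS Credential Dumping
    "T1021": 3,  # Remote Services (lateral movement)
    "T1190": 2,  # Exploit Public-Facing Application
    "T1048": 2,  # Exfiltration Over Alternative Protocol
    "T1068": 1,  # Exploitation for Privilege Escalation
}

# Constructed coverage map: deployed control -> techniques it detects or prevents.
COVERAGE_MAP = {
    "email-gateway": {"T1566"},
    "edr-credential-dumping-rule": {"T1003"},
    "patch-management": {"T1190", "T1068"},  # the only CVE-driven control here
}

# Constructed candidate controls the team could add next.
CANDIDATE_CONTROLS = {
    "mfa-conditional-access": {"T1078"},
    "lateral-movement-analytics": {"T1021"},
    "dns-egress-monitoring": {"T1048"},
}

def covered_techniques(coverage_map):
    return set().union(*coverage_map.values()) if coverage_map else set()

def coverage_gaps(profile, coverage_map):
    """Profile techniques no control covers, highest weight first."""
    covered = covered_techniques(coverage_map)
    gaps = [(t, w) for t, w in profile.items() if t not in covered]
    return sorted(gaps, key=lambda tw: (-tw[1], tw[0]))

def coverage_score(profile, coverage_map):
    """Share of threat-profile weight that is covered, 0.0 to 1.0 (not a CVE count)."""
    covered = covered_techniques(coverage_map)
    total = sum(profile.values())
    return sum(w for t, w in profile.items() if t in covered) / total if total else 0.0

def next_control(profile, coverage_map, candidates):
    """Candidate whose addition raises the coverage score the most."""
    base = coverage_score(profile, coverage_map)
    gain = {n: coverage_score(profile, {**coverage_map, n: ts}) - base for n, ts in candidates.items()}
    return max(gain, key=gain.get)

if __name__ == "__main__":
    print("gaps:", coverage_gaps(THREAT_PROFILE, COVERAGE_MAP))
    print(f"coverage: {coverage_score(THREAT_PROFILE, COVERAGE_MAP):.0%}")
    print("add next:", next_control(THREAT_PROFILE, COVERAGE_MAP, CANDIDATE_CONTROLS))
```

Note that the patch-driven control covers only 3 of 21 weight points here; the highest-weight gaps are credential abuse and lateral movement, which no CVE scorecard would surface.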

Why Threat-Led Defense Matters Now

Attackers aren't waiting for you to patch every CVE. They're exploiting weak configurations, phishing users, abusing credentials, and chaining techniques that bypass signature-based defenses. CVE Myopia keeps defenders busy, but not necessarily safer.

Threat-Led Defense, by contrast, gives organizations the clarity to:

  • Focus on adversary behaviors that truly increase risk.
  • Shorten detection and response cycles by 60% or more [2a].
  • Improve alignment across security, operations, and governance teams.
  • Demonstrate measurable improvements in resilience and ROI.

In an era of expanding attack surfaces and finite resources, this clarity isn't optional; it's a necessity. Threat-led defense isn't a "nice to have," it is a must-have.

Conclusion: Escaping CVE Myopia

CVE Myopia is a trap. It lures organizations into endless vulnerability chases while adversaries quietly maneuver through the ATT&CK chain. To break free, defenders must shift their perspective from static vulnerabilities to dynamic adversary behaviors and how they execute techniques.

Tidal Cyber's Threat-Led Defense platform makes this shift possible. By aligning defenses to adversary behavior and the tactics, techniques, and procedures adversaries actually use, organizations can reduce time to detection by 60%, cut false positives nearly in half, and optimize their defensive stack for real-world threats.

In the end, the question is simple: "Do you want to secure your defenses against CVE scores or against real-world adversary behavior?"

Threat-Led Defense ensures you're always fighting the right fight: defending against the adversary and the real behaviors they use.

References:

1. Mell, Peter, and Jonathan Spring. Likely Exploited Vulnerability. NIST Cybersecurity White Paper, May 19, 2025. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.41.pdf; VulnCheck. State of Exploitation: A Peek into the Last Decade of Vulnerability Exploitation. 2024. https://www.vulncheck.com/blog/state-of-exploitation-a-decade.

2a. Gartner. How to Manage Cybersecurity Threats, Not Episodes. August 2023. https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes.

2b. Forrester. Go Beyond the MITRE ATT&CK Evaluation to the True Cost of Alert Volumes. February 2025. https://www.forrester.com/blogs/go-beyond-the-mitre-attck-evaluation-to-the-true-cost-of-alert-volumes.

2c. Forrester. Total Economic Impact™ (TEI) Studies. 2023–2025. Series of commissioned analyses measuring ROI and business benefits of security solutions.