Cybersecurity Interview with PlexTrac, Founder Dan DeCloss

PlexTrac, an offensive security management and reporting automation platform, helps teams track the signal through the noise and break down communication silos. Combining “plexus” and “track,” PlexTrac exists to network and coordinate all the people and parts of a security program and to better track progress toward maturity.

Dan DeCloss is the founder of PlexTrac, an Exposure Management Platform company. Dan started his career in the Department of Defense and then moved on to the private sector, where he worked for various companies, including Telos, Veracode, Mayo Clinic, and Anthem. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. Prior to founding PlexTrac, Dan was the director of cybersecurity for Scentsy.

Digital IT News: NIST announced in April that the National Vulnerability Database (NVD) will prioritize enrichment for a narrower set of CVEs going forward, citing a 263% surge in submissions between 2020 and 2025. What does that break for enterprise security teams whose triage logic depends on fast, comprehensive enrichment arriving for every record?

Dan: A couple of things break. One, security researchers who’ve relied on NVD as a venue for their work now have to get into the prioritized set to have the same impact, and that changes the incentive structure to even report CVEs.

But more broadly for enterprise teams, the immediate operational problem is that you can no longer count on tailored enrichment arriving for every record. You have to rely more deeply on tailored risk ratings and internal enrichment and validation. AI can be a helpful resource in triaging CVEs and understanding how they may impact the organization based on the AI’s knowledge of the environment. But that’s what work teams are going to have to own rather than waiting around for NVD to provide it.

Digital IT News: Many vulnerability management programs were quietly built on the assumption that every CVE would arrive with standardized enrichment from NVD. But when that assumption no longer holds across the long tail of disclosures, what falls apart first inside a typical enterprise SOC?

Dan: Much more internal analysis has to be done to determine the impact that a CVE would have on the enterprise. I think it’ll essentially function as a (needed) wakeup call for many organizations. Cybersecurity researchers can claim anything they want related to severity and impact in a CVE submission, so this must now be treated as unreliable without the NVD enrichment. The vulnerability prioritization problem becomes that much more important due to the lack of any enriched context.

Digital IT News: What context actually predicts business risk better than CVSS, and why has the industry been so slow to move past severity-only triage even before NIST’s announcement forced the issue?

Dan: The context that predicts more accurate business risk could be a variety of elements that may be unique to that business. Obvious ones include asset criticality, where the asset sits in the environment, or the sensitivity of data on specific assets. But the reason adoption has been slow is pretty straightforward…the issue lies in the sheer volume of vulnerabilities and not having an easy mechanism for applying unique context into a customized risk scoring capability that is then applied uniformly across the enterprise. This allows for a more subjective approach that can be applied in a fairly objective manner.

That’s a harder problem to solve than simply sorting by CVSS score, and not many teams have had a good mechanism for it. It’s essentially the problem we built PlexTrac’s risk scoring engine around.
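As an added illustration of the uniform, context-driven scoring Dan describes (asset criticality, where the asset sits, data sensitivity, and whether the submitted severity has been validated internally), here is example code written for this page. It is not PlexTrac’s risk scoring engine; the weights, asset names and CVE placeholders are constructed.

```python
from dataclasses import dataclass

# Constructed, hypothetical context weights; a real program would tune these
# to its own environment and apply them identically to every finding.
CRITICALITY = {"low": 0.6, "medium": 0.8, "high": 1.0, "crown-jewel": 1.3}
EXPOSURE = {"internal": 0.7, "dmz": 1.0, "internet": 1.25}
DATA_SENSITIVITY = {"public": 0.7, "internal": 0.9, "confidential": 1.1, "regulated": 1.3}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str   # key into CRITICALITY
    exposure: str      # key into EXPOSURE
    data: str          # key into DATA_SENSITIVITY


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # severity as submitted, treated as an unverified claim
    asset: Asset
    validated: bool = False  # has the team reproduced/confirmed the impact internally?


def context_score(f: Finding) -> float:
    """Context-adjusted score on a 0-10 scale, computed the same way for every finding."""
    score = f.cvss
    score *= CRITICALITY[f.asset.criticality]
    score *= EXPOSURE[f.asset.exposure]
    score *= DATA_SENSITIVITY[f.asset.data]
    if not f.validated:
        score *= 0.85  # unvalidated severity claims are discounted, not ignored
    return round(min(score, 10.0), 1)


def prioritize(findings):
    """Order findings by business context rather than by raw CVSS."""
    return sorted(findings, key=context_score, reverse=True)


def sample_findings():
    # Constructed sample: a 9.8 on a throwaway dev box versus a 6.5 on an
    # internet-facing system holding regulated data, with the latter confirmed.
    dev_box = Asset("dev-sandbox-01", "low", "internal", "public")
    payments = Asset("payments-api", "crown-jewel", "internet", "regulated")
    web_tier = Asset("web-frontend", "medium", "dmz", "confidential")
    return [
        Finding("CVE-EXAMPLE-A", 9.8, dev_box),
        Finding("CVE-EXAMPLE-B", 6.5, payments, validated=True),
        Finding("CVE-EXAMPLE-C", 7.5, web_tier),
    ]
```

Sorting the sample by CVSS alone would put the dev-box finding first; the context score puts the validated, internet-facing, regulated-data finding at the top instead.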

Digital IT News: Attackers increasingly log in rather than break in, which puts identity at the center of modern exposure alongside software flaws. How should that change the way teams think about what to prioritize?

Dan: This really shouldn’t change much, because these are fundamental principles. Routine access reviews reduce scope creep, and the principle of least privilege is more important than ever, given how attackers are operating. Prioritizing how an attacker may take advantage of lateral movement via account abuse should always be a focus. That’s not new. What has changed is that credential abuse has become the dominant initial access vector because it works and it’s quiet, so if your program hasn’t elevated identity hygiene to the same level as patch management, that’s the gap worth closing.

Digital IT News: AI-driven prioritization is one of the loudest pitches in cybersecurity right now. Where does automation actually deliver in vulnerability triage, and where does it run into limits that more tooling can’t solve?

Dan: I think automation can deliver through most of the lifecycle up until the point of true remediation. This is where a human needs to step in because most organizations will not trust automated remediation, and rightfully so. We’re still a long way from trusting automation to patch systems. (I heard this come up constantly in conversations at RSA this year, where AI actually helps versus where it just adds noise.) From there, automation can pick back up in terms of validation testing and either closing out the finding or re-opening it if the validation phase identifies a problem.

That validation loop is something we’ve invested heavily in at PlexTrac, because closing a ticket and confirming a fix are very much not the same thing. The limits that more tooling can’t solve are mostly organizational; if a team doesn’t have the internal context to weigh business risk properly, more automation just means a broken process moves faster.

Digital IT News: What does a mature exposure management program look like in 2027, once teams have stopped treating vulnerability lists as the primary unit of work?

Dan: I think it looks like exposures broken down into categories with context-driven risk prioritization and a proactive understanding of what an attacker can actually do in the environment. The unit of work stops being the CVE list. It becomes about the items and factors (not just CVEs) that will actually get you breached. That’s the focus. Most programs just aren’t there yet, honestly.


About Author

A former IT administrator, Olivia is a passionate student of technology innovation with a particular enthusiasm for pioneering IoT, AI and security products and strategies. Olivia is also an avid cyclist and a closet artist.