Find what matters, fix what's exploitable.
Continuous discovery and risk-based prioritization across endpoints, servers, cloud workloads, and SaaS with remediation tracked to closure.
A complete service, run by people.
Authenticated and external scans across every asset, every day.
Prioritize CVEs with known exploits in the wild, not just high CVSS.
Tie findings to owners, business criticality, and exposure.
Tickets land in Jira, Linear, or ServiceNow with clear instructions.
Auto-rescan on close no more 'fixed' tickets that aren't.
Audit-ready reports for PCI, ISO 27001, SOC 2, and HIPAA.
Why CVSS scores are a poor guide to what to patch first
The Common Vulnerability Scoring System (CVSS) was designed to provide a standardized measure of a vulnerability's intrinsic severity — how serious would this flaw be under worst-case conditions, in a generic environment, assuming an attacker is present and motivated to exploit it? A CVSS base score reflects technical characteristics: attack vector (network vs. local), attack complexity (low vs. high), privileges required, user interaction required, and the potential impact on confidentiality, integrity, and availability. What CVSS explicitly does not measure is whether anyone is actually exploiting this vulnerability, whether exploit code is publicly available, or whether this specific vulnerability has been used in attacks against organizations similar to yours. These are the factors that determine actual risk.
The practical problem with CVSS-driven patching is prioritization inversion. A vulnerability with a CVSS score of 9.8 — rated "Critical" — may have been disclosed years ago with no public exploit, no evidence of in-the-wild use, and no known threat actors targeting it in your industry. A vulnerability with a CVSS score of 6.5 — rated "Medium" — may have a working public exploit published on GitHub the week it was disclosed, active use in ransomware campaigns documented by CISA, and specific evidence of exploitation against SMBs in your sector. Under CVSS-driven prioritization, the organization patches the 9.8 first and the 6.5 sixth. Under exploit-aware prioritization, the order reverses. For an SMB IT team with limited patching bandwidth, this difference is material: patching the wrong vulnerability first under time pressure means the exploited vulnerability remains open while lower-risk items are closed.
Two data sources significantly improve on raw CVSS scores for SMB patch prioritization. CISA's Known Exploited Vulnerabilities (KEV) catalog is a maintained list of vulnerabilities that CISA has confirmed are being actively exploited in the wild. As of mid-2024, the KEV catalog contains over 1,100 entries. A vulnerability on the KEV list should be treated as Priority 1 regardless of its CVSS score, because active exploitation is confirmed. EPSS (Exploit Prediction Scoring System), maintained by FIRST.org, is a probabilistic model trained on millions of vulnerabilities and historical exploitation data that estimates the likelihood that a given CVE will be exploited within the next 30 days. EPSS scores above 0.4 (40% probability of exploitation) represent a much smaller, more actionable set of vulnerabilities than CVSS "High" and "Critical" classifications, which typically cover 15–20% of all CVEs in a given scan.
Quantm builds the weekly remediation priority list using a combination of these signals: KEV presence (immediate priority regardless of score), EPSS score above threshold (elevated priority), CVSS score as a tiebreaker when no exploit data is available, and asset criticality (a vulnerability on a publicly accessible server or a domain controller is more urgent than the same vulnerability on an isolated internal workstation). This approach typically reduces the "must patch this week" list from hundreds of findings to a single-digit or low double-digit set of specific CVEs on specific assets — a volume that a small IT team can actually close within the SLA window rather than accumulating indefinitely as technical debt.
Patching SLA requirements across major compliance frameworks
Most compliance frameworks that touch cybersecurity include explicit or implied patching requirements. The requirements below reflect the current published standards as of 2024. Organizations subject to multiple frameworks should apply the strictest applicable SLA. Note that these are minimum requirements; a risk-based approach — informed by exploit data as described above — will routinely demand faster remediation than any framework minimum.
- PCI DSS 4.0 (Requirement 6.3) — All system components must be protected from known vulnerabilities by installing applicable security patches and updates. Critical patches (as defined by the entity's risk ranking) must be installed within one month of release. High-severity patches must be installed within three months. PCI DSS 4.0, effective as of March 2024, also requires organizations to maintain an inventory of all bespoke and custom software and to have a documented process for addressing vulnerabilities in it — not just vendor-issued patches.
- HIPAA / PHIPA (Technical Safeguard § 164.312(a)(2)(ii)) — HIPAA does not specify a numeric patching SLA, but the HHS has issued guidance indicating that "reasonable and appropriate" technical safeguards include patching known vulnerabilities in a timely manner. In enforcement actions and HIPAA breach investigations, OCR has consistently cited unpatched systems as evidence of failure to implement required technical safeguards. Ontario's PHIPA, which governs health information custodians in Ontario, follows a similar reasonableness standard. In practice, thirty days for critical and high, ninety days for medium is the benchmark used by HIPAA-compliant organizations in breach post-mortems.
- ISO/IEC 27001:2022 (Control 8.8) — The 2022 revision of ISO 27001 introduced explicit vulnerability management requirements in Control 8.8 (Management of technical vulnerabilities). Organizations must obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate action. The standard does not prescribe specific SLAs but requires that the organization define its own patching timelines in documented procedures and then follow them consistently. Audit evidence of deviation from documented SLAs — regardless of what those SLAs are — constitutes a nonconformity.
- SOC 2 Type II (CC7.1 – System Monitoring) — SOC 2's Common Criteria 7.1 requires that the organization uses detection and monitoring procedures to identify changes to configurations that could create vulnerabilities. SOC 2 auditors evaluate whether vulnerability scanning is continuous, whether findings are tracked to remediation, and whether unresolved findings are risk-accepted with documented rationale. Auditors increasingly request evidence of SLA compliance metrics — the percentage of critical findings closed within the defined SLA over the audit period — as a primary control artifact.
- NIST CSF 2.0 (Respond / RS.MI) — The NIST Cybersecurity Framework's Respond function includes mitigation subcategory RS.MI-3: "Newly identified vulnerabilities are mitigated or documented as accepted risks." For organizations using NIST CSF as their primary security framework — common in Canadian public sector and federal contractor contexts — this subcategory requires a documented process for moving vulnerabilities from discovery to remediation or risk acceptance, with defined timelines and approval authority for risk acceptance decisions.
- Cyber insurance (standard Canadian carrier requirements) — Most Canadian cyber insurance carriers, including Intact Cyber, Aviva, and Northbridge, now include patching questions in renewal applications. Carriers typically ask whether critical patches are applied within thirty days of release, whether the organization has a documented vulnerability management program, and whether internet-facing systems are scanned at least monthly. Organizations unable to demonstrate thirty-day critical patching cadence face premium loading or coverage limitations on first-party ransomware claims — specifically because unpatched vulnerabilities are the most common initial access vector for ransomware operators targeting Canadian SMBs.
External attack surface management for Canadian SMBs
External Attack Surface Management (EASM) is the discipline of continuously discovering and assessing all internet-facing assets associated with an organization — whether or not those assets are known to the IT team. The phrase "whether or not known" is the critical qualifier. Most SMBs have a mental model of their internet exposure that consists of their primary website, their email server, and their VPN gateway. The actual exposure typically includes: forgotten subdomains hosting old marketing microsites or development environments, expired TLS certificates on secondary domains, SaaS applications provisioned by individual employees with no IT involvement, third-party integrations exposing internal APIs, and cloud storage accounts created outside the formal IT process. EASM tooling discovers these assets by querying DNS records, certificate transparency logs, passive DNS databases, and internet-wide scanning infrastructure — the same sources that attackers use to map your exposure before launching an attack.
The gap between self-reported attack surface and actual attack surface in Canadian SMBs is consistently larger than organizations expect. Certificate transparency logs alone — publicly available logs maintained by Google, Digicert, and other Certificate Authorities — record every TLS certificate ever issued for a domain, including certificates for subdomains that an organization may not even remember registering. A threat actor who queries these logs against your primary domain may discover a development environment subdomain running an unpatched CMS, a staging environment with default credentials, or a portal used by a former SaaS vendor that was never decommissioned. Subdomain takeover — where an attacker registers a cloud resource to claim a dangling DNS record pointing to a deleted asset — is a specific and frequently underestimated risk that EASM discovers by identifying DNS records pointing to unclaimed resources.
The operational difference between continuous EASM and annual penetration testing matters significantly for risk management. A penetration test produces a point-in-time snapshot of the attack surface as it existed on the date of the test. Between tests, new assets are provisioned, new vulnerabilities are disclosed for existing assets, certificates expire, and the threat landscape evolves. Continuous EASM scanning detects changes to the attack surface as they occur: a new subdomain created by a developer, a newly disclosed CVE affecting a product version you run on an internet-facing server, a TLS certificate approaching expiry that will generate browser warnings and create an impersonation opportunity. For Canadian SMBs that cannot afford monthly penetration tests, continuous EASM provides ongoing attack surface awareness at a cost point comparable to a single annual test, with the advantage that findings are current rather than twelve months stale.
EASM also captures a category of risk that internal vulnerability scanning misses entirely: exposed credentials and data appearing in third-party breach dumps and paste sites. When an employee's credentials from a breached external service appear in a public data dump, that credential is available to any threat actor who monitors breach data — and if the employee reuses that password on any corporate system, the organization is compromised before the employee or IT team is even aware of the breach. EASM platforms that include breach monitoring surface these exposures in near-real-time, allowing Quantm to issue credential reset notifications before attackers can weaponize the exposure. In environments where password reuse is common — which is the case in the majority of SMBs without a mature password management program — this capability alone justifies the cost of continuous external attack surface monitoring.
What changes after week one.
You'll feel the difference fast fewer alerts, faster response, and a clearer picture of where your real risk lives.
- Cut your real exploitable vulnerability count by 70% in 90 days
- Stop chasing 10,000 CVEs focus on the 50 that matter this week
- Hit patch SLAs your insurer and auditors actually require
- Give engineers tickets they can ship, not vendor PDFs
- Prove remediation with verified rescans, not screenshots
From kickoff to coverage in days.
Inventory every endpoint, server, cloud workload, and SaaS app.
Rank findings by exploitability, exposure, and business impact.
Route fixes to the right team with clear, actionable guidance.
Automatic rescans confirm the fix landed and stayed.
Common questions, answered.
The things buyers ask us most about scope, onboarding, and what you'll see in your monthly report.
Ask us anythingStop drowning in vulnerability noise.
Get a sample 30-day risk-ranked vulnerability report on your real environment. No agents, no commitment.