Report by mondoo

State of Vulnerability Remediation

66 findings · Published Oct 21, 2025

Key Findings

Companies that experience tool sprawl report 51% lower remediation confidence compared to those who did not experience tool sprawl in 2025.

mondoo · State of Vulnerability Remediation · Oct 21, 2025
Vulnerability Remediation

22% of respondent organizations are using their CI/CD pipelines to deliver fixes and remediations.


35% of respondent organizations are not currently using their CI/CD pipelines for remediation but want to in 2025.


4% of organizations took more than 15 days to remediate critical vulnerabilities in 2025.


60% of respondents reported that fewer than 5% of vulnerabilities and misconfigurations recurred within a month of remediation in 2025.


35% of respondents cited rollbacks of patches as a cause of vulnerability recurrence.


91% of respondents agreed or strongly agreed that their organization is improving in its ability to remediate vulnerabilities in 2025.


1% of respondents reported being 'not at all confident' in their organization's ability to remediate known vulnerabilities in a timely manner.


Tool sprawl reduces confidence in remediation by 51% in 2025.


28% of organizations report that IT operations is primarily responsible for remediating vulnerabilities and misconfigurations reported by security.


42% of IT and security professionals reported working in both IT operations and security in 2025, according to a survey of 125 respondents.


52% report on their remediation efforts ‘quarterly’, ‘rarely’, or ‘never’ in 2025, while only 18% run weekly reports.


26% of respondents stated that the recurrence of vulnerabilities and misconfigurations was between 6% and 10% within a month of remediation in 2025.


44% of security and IT operators indicated that auto-creating tickets with all relevant information would improve remediation in 2025.


18% of organizations surveyed reported tracking and reporting their remediation efforts on a weekly basis while 30% reported doing so monthly.


39% of respondents reported not using a vulnerability remediation tracking tool in 2025, relying instead on manual tracking using spreadsheets.


48% of respondents reported being 'fairly confident' in their organization's ability to remediate known vulnerabilities in a timely manner.


18% of respondents identified lack of scanning in CI/CD as a main reason for the recurrence of vulnerabilities in 2025.


71% of organizations reported that they remediate critical vulnerabilities within 24–72 hours in 2025.


33% of organizations reported remediating critical vulnerabilities within one to three days in 2025, compared to 32% for high-importance vulnerabilities.


Only 9% of security and IT operators reported being 'very confident' in their remediation capabilities in 2025.


38% of organizations reported remediating critical vulnerabilities within 24 hours in 2025, compared to 35% for high-importance vulnerabilities.


Almost 50% of organizations reported using more than five security tools in 2025.


60% of IT and security operators do not have any remediation SLAs in 2025, and among those that track SLAs, 65% have to analyze data manually.


53% of security and IT teams experiencing tool sprawl reported low confidence in remediation in 2025, compared to 35% who do not experience tool sprawl.


33% of respondents stated that more remediation guidance and code snippets would help them remediate significantly faster in 2025.


33% of respondents reported using manual processes, such as spreadsheets, for tracking vulnerability remediation, marking a significant reliance on non-automated methods.


27% of respondents reported using the Atlassian Suite/JIRA for tracking vulnerability remediation.


14% reported using Azure DevOps for tracking vulnerability remediation.


Seventy-eight percent of organizations reported finding fewer than five vulnerabilities per machine per month, according to a survey of IT and security teams.


Ten percent of organizations report finding between six and ten vulnerabilities per machine per month.


37% of respondents expressed concern about lack of traceability or rollback options as a pain point for automation.


Only 11% of organizations reported finding more than ten vulnerabilities per machine per month in 2025.


Ten percent of organizations reported that the DevOps/Product engineering team is primarily responsible for remediating vulnerabilities and misconfigurations reported by security.


Fourteen percent of organizations indicated that the security team is primarily responsible for remediating vulnerabilities and misconfigurations reported by security.


At 46% of companies, vulnerability remediation is a shared responsibility between security and IT operations teams.


40% of respondents reported 'too many siloed tools' as a significant pain point in vulnerability remediation.


40% of respondents indicated 'not enough visibility' as a significant pain point in vulnerability remediation.


52% of organizations surveyed reported their remediation efforts either quarterly, rarely, or never.


9% of respondents indicated that their organizations experienced a security incident due to a delay in vulnerability remediation.


11% of respondents reported that the recurrence of vulnerabilities and misconfigurations was between 11% and 30% within a month of remediation in 2025.


44% of respondents reported that the manual effort needed to find the owner of an artifact and fix it is one of the biggest pain points for remediating vulnerabilities and misconfigurations.


42% of respondents indicated that tickets don’t include enough remediation information.


44% of respondents indicated that vulnerabilities are reintroduced during the redeployment of software.


34% of respondents stated that vulnerabilities are being fixed in runtime, but not in the source code.


Between 6% and 10% of vulnerabilities recur according to 26% of respondents.


42% of respondents reported being 'slightly confident' in their organization's ability to remediate known vulnerabilities in a timely manner.


Fewer than 10% of respondents reported being 'very confident' in their ability to remediate known vulnerabilities in a timely manner in 2025, while 43% reported being either 'slightly confident' or 'not confident at all'.


54% of organizations with SLAs define their target MTTR as less than 24 hours.


Only 20% of organizations with SLAs consistently meet their MTTR SLA.


40% of respondent organizations have set Mean Time to Remediation (MTTR) SLAs.


26% of organizations have a one-to-three day SLA for MTTR.


Only 2% of organizations reported that their remediation processes are fully automated.


44% of respondents reported that lack of visibility made it hard to know what was remediated, when, and why.


40% of organizations stated that their remediation processes are manual and ad-hoc in 2025.


31% of respondents believe that instantly seeing the owner of an artifact would help them remediate significantly faster.


40% of respondents stated that better prioritization would help them remediate significantly faster.


44% of respondents indicated that auto-creating tickets with all relevant info included would help them remediate significantly faster in 2025.


24% of respondents believe that more ownership from DevOps/platform engineers would help them remediate significantly faster in 2025.


22% of respondents cited basic organizational resistance as a pain point for automation.


Two-thirds of respondent organizations lack an automated method for reporting on SLAs.


29% of respondents indicated that lack of clean integration with existing CI/CD and ITSM tools was a concern in 2025.


36% of organizations indicated that their remediation processes are mostly automated with some manual steps.


34% of respondents believe that automated remediation integrated into a CI pipeline would speed up remediations.


50% of respondents identified the risk of breaking applications or dependencies as a pain point for automation.


28% of respondents indicated that automated ticket tracking instead of just 'fire and forget' would help them remediate significantly faster.
