Threat Intelligence Drives Effective Vulnerability Management

Organizations value cyber threat intelligence (CTI) because it helps their security teams stay focused on, and ahead of, the most impactful threats. CTI plays a critical strategic and tactical role in tracking, analyzing, and prioritizing software vulnerabilities that could potentially put an organization’s data, employees and customers at risk.


A Different Approach

To help ensure our customers can effectively prioritize vulnerabilities, Mandiant Threat Intelligence takes a different approach to vulnerability classification. Our experienced, insightful analysts consider qualitative factors to focus more on what matters to security operations instead of applying a purely algorithmic solution. Our vulnerability analysts consider a variety of intensifying and mitigating factors when rating a vulnerability, such as actor interest, availability of exploit or proof of concept (PoC) code, exploitation in the wild, ease and reliability of exploitation, and software ubiquity.

2019: “Year of the Zero Day”

Zero-day vulnerabilities are especially dangerous due to the lack of available patches or workarounds. In recent research, Mandiant Threat Intelligence found that more zero-day vulnerabilities were exploited in 2019 than in any year since peaking in 2016 with 20 exploits. While not every instance of exploitation can be attributed to a tracked group, a wider range of actors appeared to have gained access to these capabilities. Mandiant analysts also saw a significant increase in the number of zero-day exploits from groups suspected to be customers of companies that provide offensive cyber capabilities. Finally, we saw a marked increase in zero-day exploits being used against targets in the Middle East by groups with suspected ties to this region.


Stealth Falcon (aka FruityArmor) is an espionage group suspected to be linked to the Middle East. In 2016, this group targeted a human rights activist using malware sold by NSO Group, which leveraged three iOS zero-day vulnerabilities. From 2016 to 2019, this group targeted more zero-day vulnerabilities than any other group.

Vulnerabilities Exploited with Increasing Speed

The speed with which malicious actors exploit vulnerabilities emphasizes the importance of patching as quickly as possible. However, the number of vulnerabilities disclosed each year can make it difficult for organizations with limited resources and business constraints to implement an effective strategy for prioritizing the most dangerous vulnerabilities. Mandiant Threat Intelligence analyzed 60 vulnerabilities that were exploited in 2018 or 2019, or assigned a CVE number during the same period. On average, the vulnerabilities were exploited three days before a patch was available.

For more information on how Mandiant Threat Intelligence can help your organization minimize vulnerability exploits and related threats, visit