Every CISO has a story about that cool penetration test finding or the one vulnerability—the one that’s embarrassing, technically unfixable, buried under bureaucracy, or whose true risk is dangerously misunderstood. This is a story about navigating that abyss and questioning the value of our most prized security practices, including penetration tests. Join me for a short journey through the real-world challenges of vulnerability management, from the boardroom to the command line. We’ll explore the chaos of coordinating multiple costly vendor solutions and internal teams, the political minefields that kill remediation, and the emerging challenge of leveraging SBOMs for true visibility. This session is a survival guide for security leaders and a wake-up call for testers looking to advance their careers, both of whom are tasked with protecting their organizations from a threat landscape that never sleeps.