
Cisco Kenna EOL: The end of the RBVM era and the move toward exposure management

Frederico Hakamine

Technology Evangelist, Axonius

Cisco’s decision to sunset its risk-based vulnerability management (RBVM) platform (Cisco Vulnerability Management, also known as Kenna Security) is more than an EOL notice. It’s the end of the RBVM era.

If you’ve been in the security game for a while, you know Kenna helped evolve how we work. It pulled us out of the "CVSS 10" panic by using threat signals (like active exploitation, weaponization in exploit kits, and associations with known malware) to prioritize CVEs and reduce the volume of work we shipped for remediation.

But as we look toward the June 2028 sunset, we have to acknowledge a hard truth: the problem has grown beyond what RBVM was designed to handle. We need to apply risk-based prioritization and context not just to vulnerabilities, but to infrastructure misconfigurations, identities, and SaaS, creating a unified exposure management strategy.

In this post, we cover why moving beyond RBVM is the logical evolution, and how Axonius can help migrate from Kenna toward a continuous and scalable exposure management program.

The "math of burnout"

Before we talk about strategy, let's look at the numbers. Most security teams are dealing with a scalability crisis. That's because security resources grow linearly, while security work grows exponentially:

  • 224: The projected number of new CVEs published every single day in 2026.

  • 16,000: The ratio of assets (devices, identities, serverless functions, etc.) to safeguard per security professional, based on Axonius proprietary research.

  • 8-12%: The projected growth in security budgets for 2026.

Why is this happening? Organizations are adopting new technologies (systems, cloud services, SaaS tools, AI solutions) faster than security teams can safeguard them.

The organization gets to pick the stack; security gets to own the risk with grace. Responsibility without control over the scope creates a scalability crisis.

The compounding effect goes beyond CVEs

The real danger isn't only the vulnerabilities we know about; it's the compounding effect of the "shadow" environment. RBVM was built for a world of scanned servers, and even known assets frequently lack context in traditional RBVM tools. Today’s attack surface is dominated by:

  • The SaaS explosion: The average enterprise now manages 275 SaaS applications. But that’s just what’s in the books.

  • The shadow IT surge: Research shows organizations often utilize up to 8x more apps than those officially sanctioned by IT. In fact, 55% of employees admit to adopting SaaS tools without security's involvement.

  • The identity crisis: Non-human identities (tokens, API keys, service accounts) now outnumber humans by a ratio of 144 to 1.

The items above are just a few of the places risk is expanding to, and that shift requires organizations using RBVM to evolve their strategy. The Kenna EOL is the kickoff of that migration.

Standard vulnerability scanning and RBVM assume 100% coverage and treat risk as something that exists only on devices and CVEs. That’s why the Kenna EOL is more than a migration. It’s the trigger for a complete strategy evolution.

The playbook for scale

Kenna’s great contribution was reducing CVE noise using threat intelligence and driving tickets. But the problem has compounded beyond vulnerabilities alone. To close the exposure loop, you need a Continuous Threat Exposure Management process that handles discovery, prioritization, and remediation as a single lifecycle.

1. Discovery beyond the scan

Scanners/RBVMs only look at what they are told to look for. To manage exposure, you must first discover every asset interfacing with your data (including the ones scanners miss). Identifying the “blind spots” gives you situational awareness and lets you deploy proactive defenses, like making sure your SSO, MFA, endpoint protection, and scanners are in place for all users, apps, and devices.

2. Prioritization based on business reality

Prioritization isn’t just a threat intelligence score. A "critical" vulnerability on a honeypot box is a distraction; a "medium" vulnerability on a system in your PCI DSS environment, a crown jewel, or your data scientist's laptop processing PII is a fire. That awareness only comes when you have business, asset, and security context in the same place.

3. Automated remediation (with a human in the loop)

Remediation at scale requires going beyond tickets in Jira or ServiceNow. Security teams must leverage automation to fix the no-brainers, like deploying missing EDR agents and ensuring employees are using phishing-proof MFA.

4. Continuous assessment and improvement

This cycle (asset discovery, security prioritization, and automated remediation) should run continuously and quickly across your technology environment, because environments change every day. Repetition drives continuous improvement and scale, creating a flywheel to combat the scalability crisis.
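The discovery and prioritization steps above can be sketched in a few lines. This is an added example, not Axonius code or part of the original post: it finds assets that some tool knows about but the scanner or EDR does not, then ranks findings by severity, exploitation signal, and business context. All hostnames, tags, weights, and the 1.5 exploitation multiplier are constructed assumptions.

```python
# Constructed sample data: hostnames reported by each tool (not a real inventory).
SOURCES = {
    "cmdb":    {"web-01", "db-pci-01", "honeypot-01"},
    "idp":     {"web-01", "db-pci-01", "ds-laptop-07"},
    "edr":     {"web-01", "db-pci-01"},
    "scanner": {"web-01", "db-pci-01", "honeypot-01"},
}
# Constructed business context per asset; the weights are illustrative assumptions.
CONTEXT = {"db-pci-01": {"pci"}, "ds-laptop-07": {"pii"},
           "honeypot-01": {"honeypot"}, "web-01": set()}
WEIGHTS = {"pci": 3.0, "pii": 3.0, "crown_jewel": 3.0, "honeypot": 0.1}
# Constructed findings: severity is a 0-10 base score, exploited is a threat-intel flag.
FINDINGS = [
    {"id": "F1", "asset": "honeypot-01", "severity": 9.8, "exploited": True},
    {"id": "F2", "asset": "db-pci-01",   "severity": 5.5, "exploited": True},
    {"id": "F3", "asset": "web-01",      "severity": 7.5, "exploited": False},
]

def coverage_gaps(sources, required=("edr", "scanner")):
    """Map every asset seen by any source to the required controls it lacks."""
    all_assets = set().union(*sources.values())
    gaps = {}
    for asset in sorted(all_assets):
        missing = [c for c in required if asset not in sources[c]]
        if missing:
            gaps[asset] = missing
    return gaps

def score(finding, context=CONTEXT, weights=WEIGHTS):
    """Severity scaled by threat signal and by the asset's business context."""
    business = 1.0
    for tag in context.get(finding["asset"], set()):
        business *= weights.get(tag, 1.0)
    threat = 1.5 if finding["exploited"] else 1.0  # assumed multiplier
    return round(finding["severity"] * threat * business, 2)

def prioritize(findings):
    """Highest contextual score first."""
    return sorted(findings, key=score, reverse=True)

if __name__ == "__main__":
    print("Blind spots:", coverage_gaps(SOURCES))
    for f in prioritize(FINDINGS):
        print(f["id"], f["asset"], score(f))
```

With this data, the medium-severity finding on the PCI database outranks the critical one on the honeypot, and the laptop that only the identity provider knows about surfaces as a blind spot for both EDR and scanning.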

How Axonius can help

Axonius is the Asset Intelligence Platform that powers the evolution to Continuous Threat Exposure Management. Through our platform, you can continuously discover all the assets interfacing with your data and processes, aggregate and prioritize security findings (CVEs and non-CVEs) by what truly matters (your business, asset, and security context), and drive effective actions beyond tickets.

Our platform gets customers in production in 14 days on average, providing a quick go-forward path for Cisco Vulnerability Management/Kenna customers. 

And to make it even better, our solution integrates with over 1,200 systems to bring these signals across 40+ asset types, integrating with anything you have, from ground to cloud.

Ready to see how Axonius can help your Kenna migration? Get a demo and strategic session with us.
