Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect

Tenable Research built a directed graph linking 600+ threat groups to CVEs, techniques, and exposures across 7,800 U.S./Canadian organizations, finding that 68% of organizations have at least one CVE previously exploited by a named adversary and identifying 242 ‘Elite Arsenal’ CVEs (critical VPR ≥9, CISA KEV-listed, and threat-group exploited) that are nearly universally present; non‑CVE issues (misconfigurations, weak credentials, EOL software) are also ubiquitous and often map to adversary techniques, prompting a recommendation to prioritize remediation using adversary-technique reachability rather than per-CVE scores.