Meet vRx live on June 24th! Register now!

Vulnerability Management

Introducing vRx 2.0: the platform that scans, scores, and fixes

June 22, 2026
vRx 2.0 is here. The first platform to close the loop between detection and remediation. Discover, score, validate, and fix in one workflow. Book a demo.

For two decades, the vulnerability management industry has been selling enterprises a half-finished product.

Scanners find problems. Dashboards rank them. Tickets get filed. Someone, somewhere, has to fix the thing.

That someone is almost always you.

vRx has been closing that gap for years. Today we're shipping vRx 2.0, the most significant evolution of the platform since Vicarius started. It's the first platform built from day one to close the loop between detection and remediation, and 2.0 is where that thesis gets sharper, faster, and broader than it has ever been.

No handoffs. No queue. No quarterly patch window where critical CVEs sit exposed because the scanner vendor's job ended at the report.

Here's what's in 2.0, what changed from the platform 1,000+ customers already run in production, and why a remediation-first Exposure Assessment Platform is the only honest way to build security software in 2026.

TL;DR

For the skimmers, here's what matters in 90 seconds:

  • vRx 2.0 is shipping across the full Vicarius platform
  • The thesis: True Remediation means closing the loop, not just finding the problem
  • The architecture: Six stages, one platform, one accountable workflow
  • New in 2.0: AI red-team validation (vIntelligence), the Remediation Policy engine, Open API, SBOM, AI Grouping, AI Search
  • Expanded in 2.0: vPatch coverage spans 20,000+ apps and OS versions, Multi-Tenancy and site management are deeper
  • Who it's for: Security leaders, vulnerability analysts, patch engineers, MSP and MSSP operators, and compliance leads
  • The CTA: Book a demo and see it run against your environment

Now for the long read.

The category has been moving toward us for years

The market has been renaming itself, and each rename has been a step closer to admitting that detection alone isn't enough:

  1. Vulnerability Management (VM). Formalized in the early 2000s as CVE disclosures climbed past 100 per month and compliance regimes like PCI DSS (2004) made scanning a requirement.
  2. Risk-Based Vulnerability Management (RBVM). Emerged as a Gartner-tracked category around 2018, formalized in Gartner's 2019 Forecast Analysis: RBVM, Worldwide.
  3. Exposure Management. Popularized starting around 2017 and gradually adopted across the industry.
  4. Continuous Threat Exposure Management (CTEM). Coined by Gartner in 2022 as a five-stage program framework.
  5. Exposure Assessment Platforms (EAP). Formalized as a Gartner product category in 2024, replacing the long-running Market Guide for Vulnerability Assessment with the new Magic Quadrant for EAP in late 2025.
  6. Preemptive Cybersecurity. Named a Gartner Vanguard trend for 2026.

Each rename promised the same thing: less noise, sharper prioritization, real risk reduction.

The promises were honest. The architectures weren't.

Most of the category grew out of scanning. Scanner-heritage vendors evolved into "exposure assessment" platforms by adding scoring models on top of their scan engines without ever shipping the remediation layer underneath. They report what's broken. They benchmark you against peers. They produce dashboards your board likes.

What they don't do is fix anything.

Where CTEM exposes the gap

Gartner's CTEM framework defines five program stages:

Mobilization is the work of moving from "we know what's wrong" to "the risk is closed." It's where the security team has to convince IT, open tickets, wait on change windows, and re-scan to confirm. CTEM puts a name on the chasm that legacy tooling created and asks vendors to cross it.

Vicarius has been crossing it natively since the company was founded. vRx 2.0 widens the crossing.

Why this matters in numbers

The average enterprise critical CVE remediation time still sits well over 120 days, even at organizations spending seven figures on RBVM, CTEM, and exposure tooling. The scan-and-report model creates work, it doesn't finish it.

  • Security teams inherit findings
  • IT teams inherit tickets
  • The vendor inherits the renewal check

Vicarius was built on a different premise, that a vulnerability platform's job is not finished until the vulnerability is gone. Every product decision we've made over the company's history flows from that one conviction.

What True Remediation means

Remediation-first sounds like a tagline. In practice it's a sequence of six things, and a platform either does all six or it doesn't get to use the word.

1. Discover

You can't fix what you can't see. vRx 2.0 sees everything, two ways that complement each other:

Agent-based discovery runs locally on Windows, Linux, and macOS endpoints. The agent generates the vulnerability data at the source, produces the SBOM, and reports back continuously. This is how vRx achieves deep, accurate visibility on managed endpoints without waiting for a scan window.

Agentless discovery covers everything an agent can't reach: routers, IP cameras, printers, network appliances, OT and IoT devices, unmanaged endpoints, and any host where an agent isn't deployed or supported. The platform runs asset discovery, network scans, vulnerability scans, and compliance scans against these targets remotely.

The combined coverage means you don't have to choose between depth on the managed estate and visibility into everything else. Both feed the same inventory, the same scoring engine, the same remediation workflow.

What ships in vRx 2.0:

  • Asset discovery across managed and unmanaged environments
  • Network, vulnerability, and compliance scans (agent-based and agentless)
  • Well known compliance framworks such as, PCI-DSS, HIPAA, Cyber-Essentials and more
  • 100+ CIS benchmarks out of the box
  • AI assisted dynamic or static grouping by software, asset class, Patches
  • SBOM generation from the agent on every supported endpoint
  • MITRE &TTACK frameworks 

2. Score

Raw CVE counts are noise.

  • vScore combines CVSS, EPSS, KEV and env context signals
  • Prioritizes what's exploitable in your environment, not someone else's
  • This is RBVM done the way the analyst frameworks always described it

3. Validate

This is where most platforms stop pretending.

  • vIntelligence runs AI powered exploit simulation as validation, chaining MITRE ATT&CK techniques the way real adversaries do
  • Confirms which vulnerabilities are genuinely exploitable given your configuration
  • Theoretical risk becomes confirmed risk, the only kind worth your team's attention

This is also where the category moves from reactive exposure assessment into preemptive security, you're acting on validated exploitability before an attacker proves it for you.

4. Prioritize

Confirmed exploitable vulnerabilities ranked by what attackers do, not just what scanners can find.

  • Ranked by business impact and asset criticality
  • Mapped to attack groups and threat actors via the enrichment layer
  • Aligned to the MITRE ATT&CK framework, with technique-level mapping showing which TTPs each confirmed exposure enables
  • Connected to active campaigns, so prioritization reflects the threat landscape today, not last quarter

The result is a list your team can defend in front of the board. Every entry comes with a confirmed exploit path, a named adversary that uses it, and the ATT&CK techniques it enables.

5. Remediate

This is the CTEM Mobilization stage, native to the platform.

  • vPatch deploys patches across Windows, Linux, and macOS
  • vScript handles custom remediation logic
  • vShield - Patchless Protection covers the cases where you can't patch yet, intercepting exploit attempts at the DBI layer

6. Verify

The loop closes when the risk is confirmed closed.

  • Not when a ticket is marked resolved
  • Not when a scan picks up the patch on its next cycle
  • When vRx confirms the exposure no longer exists

The pipeline in one line: Discover, Score, Validate, Prioritize, Remediate, Verify. Anything less is scan-and-report wearing a remediation costume.

What ships in vRx 2.0

vRx 2.0 is a major release, not a point update. Every capability area has been expanded, deepened, or rebuilt. Several modules are net-new.

New in 2.0

Expanded and deepened

Platform foundation

The rest of the capability set, available across the platform:

  • vScript: custom remediation logic for the edge cases every environment has
  • Inventory: assets, software, and SBOM with AI-driven query, vTags for organization
  • Reports: CSV, PDF, and XLSX exports, scheduled or on demand
  • Enrichment layer: attack groups, threat actors, and attack vectors mapped to your confirmed vulnerabilities

A platform with a track record, sharpened

vRx 2.0 doesn't arrive in a vacuum. The platform has been running in production for years across 1,000+ organizations in 60+ countries, from mid-market security teams to global MSPs managing thousands of endpoints. The remediation engine, vPatch, vShield, and vScript have been closing risk at scale for that entire time.

What 2.0 changes is the connective tissue, and adds the layers the platform was missing:

  • vRadar brings agentless native discovery and scanning, into the platform for the first time
  • vIntelligence adds AI exploit simulation and validation, closing the gap between "this looks exploitable" and "this is exploitable here"
  • AI throughout the workflow with natural-language search across assets, software, and patches, plus AI-assisted static and dynamic groups so operators stop building rule logic by hand
  • Remediation Policy engine unifies vPatch, vScript, and vShield into a single orchestrated workflow
  • Open API opens the platform to every adjacent tool in the security stack
  • Multi-tenancy and multi-site harden the platform for MSP and MSSP delivery at scale, across customer deployments and geographies

For existing customers, 2.0 is an upgrade to a platform you already trust. For new buyers, it's the first time the full architecture, discovery through verified closure, is available in a single release.

Why the loop matters

A confirmed-and-closed vulnerability is the only output that reduces risk. Everything else is process theater.

Look at what scanner-heritage platforms produce:

  1. A list of CVEs
  2. Severity scores
  3. Asset mappings
  4. Recommended actions

That output then goes to a ticketing system. Gets parsed by IT. Gets prioritized against business-as-usual work. Gets scheduled into a patch window. Gets deployed (sometimes). Gets re-scanned in the next cycle to confirm.

Each handoff is a place where work goes to die.

vRx 2.0 collapses that chain into a single platform, on a single timeline, with one accountable workflow. The same system that found the vulnerability deploys the fix and confirms it's gone.

The MTTR drop isn't marginal. It's structural.

Analyst validation

The category Gartner formalized in 2024 is the one Vicarius has been building for since day one. Both major analyst houses now recognize that position:

Both rankings reflect what 1,000+ customers across 60+ countries already know, the loop matters, the loop is closeable, and Vicarius has been closing it longer than most of the category has been talking about it.

Built for the operators, not the dashboards

Security leadership gets the executive deliverables:

  • Cleaner reporting
  • Real MTTR numbers for the board
  • Analyst-validated positioning for auditors and regulators

That's table stakes. The bigger shift is for the operators who run the platform:

  • The vulnerability analyst who used to spend Tuesday mornings re-prioritizing a spreadsheet because EPSS scores moved
  • The patch engineer who maintained three separate tools for Windows, Linux, and macOS
  • The MSP technician who needed multi-tenant separation that didn't require six clicks per customer
  • The compliance lead who exported CSVs into a separate platform just to generate an audit-ready report

vRx 2.0 was built by talking to those people. Every feature in the release answers a complaint that came back to us in writing, in a Slack channel, in a customer call.

  • The Open API exists because customers asked for it
  • vScript exists because no policy engine covers every environment
  • vShield Patchless Protection exists because patching is sometimes impossible, and pretending otherwise is dishonest

What this means for the category

Exposure assessment is fragmenting along a simple line.

On one side: vendors who scan, score, and report, then hand the rest off, leaving the CTEM Mobilization stage as an exercise for the customer.

On the other: platforms that own the outcome from discovery through verified closure, and use AI exploit simulation and validation to act on threats before attackers do.

The second model wins.

Not because remediation is harder to build (though it is). Not because the marketing is more interesting (though it is). Because the math doesn't work the other way.

You cannot reduce risk by reporting on it. You reduce risk by closing it.

Any platform that doesn't close it is, structurally, a research tool dressed as a security product.

Vicarius has held this position since day one. vRx 2.0 is that position, sharpened.

Get hands-on

The fastest way to evaluate whether True Remediation delivers on what we've described is to see it run against your environment.

Not a sandbox. Not a slide. Your network, your assets, your CVEs, your remediation backlog.

Book a vRx 2.0 demo

A solutions engineer will walk you through:

  • The full pipeline running on your data
  • AI exploit simulation and validation against vulnerabilities currently sitting in your queue
  • What confirmed-and-closed looks like end to end

Book your vRx 2.0 demo

The loop is real. Come watch it close.

Sagy Kratu

Sr. Product Marketing Manager

Subscribe for more

Get more infosec news and insights.

Related Posts

Vulnerability Management

10 consolidated vulnerability platforms for SaaS in 2026

A side-by-side look at the vulnerability management platforms mid-market SaaS teams actually shortlist this year, scored against the same five-criteria framework.
June 10, 2026
Vulnerability Management

10 Consolidated vulnerability management platforms for mid-market security and IT teams

Compare 10 leading vulnerability management platforms for mid-market security teams. See which solutions combine scanning, exploit-aware prioritization, automated patching, and patchless protection to truly reduce risk, not just report it.
May 13, 2026
Vulnerability Management

Software supply chain attacks have gone viral: preparing for the era of self-propagating worms

Software supply chain attacks are evolving into self-propagating worms that spread across dependencies in hours. Learn how these threats work and why fast, automated remediation is critical to stop them.
May 11, 2026
1000+ members

Turn security converstains into remediation actions

Request a demo
Vicarius Logo
GDPR badge SOC for service organizations
Copyright © Vicarius. All rights reserved 2024.
Linkedin
X
Youtube
Instagram
Privacy Policyterms of use

Request a demo!