<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Exposure Management on FIR Risk Advisory | Risk Intelligence. Engineered.</title><link>https://firrisk.ai/tags/exposure-management/</link><description>Recent content in Exposure Management on FIR Risk Advisory | Risk Intelligence. Engineered.</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 17 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://firrisk.ai/tags/exposure-management/index.xml" rel="self" type="application/rss+xml"/><item><title>INTEL-32: When the Sellers Agree</title><link>https://firrisk.ai/intel/intel-32-when-the-sellers-agree/</link><pubDate>Fri, 17 Jul 2026 00:00:00 +0000</pubDate><guid>https://firrisk.ai/intel/intel-32-when-the-sellers-agree/</guid><description>&lt;h2 id="the-intel" class="heading "&gt;The INTEL&lt;a href="#the-intel" aria-labelledby="the-intel"&gt;








&lt;!-- &lt;i class="fas fa-link anchor"&gt;&lt;/i&gt; --&gt;
 &lt;svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 576 512"&gt;&lt;use href="#fas-link"&gt;&lt;/use&gt;&lt;/svg&gt;&amp;nbsp;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Three 2026 threat reports, from three unrelated corners of the security industry, independently reached the same conclusion: the window between when a threat appears and when it hurts you has collapsed. Every one of those companies sells the cure for the disease it diagnoses — so we tested the thesis against the one dataset with nothing to sell. The neutral breach data agrees. That is what turns three sales pitches into a pattern you can take to the board.&lt;/strong&gt;&lt;/p&gt;</description></item><item><title>INTEL-30: The Pre-Disclosure Window</title><link>https://firrisk.ai/intel/intel-30-the-pre-disclosure-window/</link><pubDate>Wed, 15 Jul 2026 00:00:00 +0000</pubDate><guid>https://firrisk.ai/intel/intel-30-the-pre-disclosure-window/</guid><description>&lt;h2 id="the-intel" class="heading "&gt;The INTEL&lt;a href="#the-intel" aria-labelledby="the-intel"&gt;








&lt;!-- &lt;i class="fas fa-link anchor"&gt;&lt;/i&gt; --&gt;
 &lt;svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 576 512"&gt;&lt;use href="#fas-link"&gt;&lt;/use&gt;&lt;/svg&gt;&amp;nbsp;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Nearly three in ten actively-exploited vulnerabilities in 2025 were being weaponized on or before the day they were disclosed. For those, &amp;ldquo;patch faster&amp;rdquo; was never an option — exploitation arrived before the fix existed. Stop planning your vulnerability program around a reaction window that, for the vulnerabilities that matter most, no longer exists.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;VulnCheck&amp;rsquo;s 2026 Exploit Intelligence Report puts a hard number on the fear defenders couldn&amp;rsquo;t previously quantify: &lt;strong&gt;28.96% of the vulnerabilities added to CISA&amp;rsquo;s Known Exploited Vulnerabilities (KEV) catalog in 2025 were exploited on or before the day their CVE was published&lt;/strong&gt; — up from 23.6% the year before. The 2026 Verizon DBIR, working from a completely separate dataset, put the same figure at &lt;strong&gt;29%&lt;/strong&gt;. Two independent sources, the same fraction — which is exactly the kind of agreement worth trusting.&lt;/p&gt;</description></item><item><title>E91 - The Window Closed</title><link>https://firrisk.ai/tuesday/e91-the-window-closed/</link><pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate><guid>https://firrisk.ai/tuesday/e91-the-window-closed/</guid><description>&lt;h2 id="one-report-is-a-claim-three-is-a-pattern" class="heading "&gt;One report is a claim. Three is a pattern.&lt;a href="#one-report-is-a-claim-three-is-a-pattern" aria-labelledby="one-report-is-a-claim-three-is-a-pattern"&gt;








&lt;!-- &lt;i class="fas fa-link anchor"&gt;&lt;/i&gt; --&gt;
 &lt;svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 576 512"&gt;&lt;use href="#fas-link"&gt;&lt;/use&gt;&lt;/svg&gt;&amp;nbsp;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;Any single vendor threat report is easy to discount. The company publishing it sells the cure for the disease it diagnoses, and it has every reason to make the disease sound terminal. We read them anyway — carefully, and against each other — because when reports that share nothing but a publication quarter start telling the same story from opposite ends of the industry, the story stops being marketing and starts being signal.&lt;/p&gt;</description></item></channel></rss>