Vulnerability scanning has a place in every security program. But the data is clear: most breaches do not start with an unpatched CVE. They start with stolen credentials, misconfigured cloud environments, exposed sensitive data, and compromised supply chains. Organizations that focus their exposure management on vulnerability scanning alone are measuring the wrong thing – and leaving the most common entry points unmonitored.
How Breaches Actually Start
The Verizon 2025 Data Breach Investigations Report found that credential abuse was the leading initial access vector in non-error, non-misuse breaches at 22%, ahead of vulnerability exploitation at 20% and phishing at 16%. Sophos data tells a similar story: compromised credentials accounted for 41% of the initial access techniques observed, followed by vulnerability exploitation at 22% and brute force attacks at 21%. The pattern is consistent. Attackers are not waiting for a CVE. They are using credentials harvested from infostealer logs and prior data breaches, probing cloud environments for misconfigurations, identifying exposed sensitive data, and working through third-party and supply chain relationships to find a way in. A vulnerability scanner sees none of that. This is not an argument against patching. It is an argument against assuming that patching is enough.

The Gap Between Vulnerability Scanning and Reality
A vulnerability scanner answers one question: do we have known, unpatched software vulnerabilities? That is a useful question, but it is not the only question that matters. Attackers operate across the full MITRE ATT&CK Initial Access tactic. They abuse valid accounts obtained through credential stuffing and infostealer logs. They exploit misconfigured cloud infrastructure. They find sensitive data that has been inadvertently exposed. They abuse DNS, third-party relationships, and the software supply chain. An organization that only scans for vulnerabilities has visibility into one slice of how attackers actually operate. The rest of the attack surface remains untested.

Testing the Full Attack Surface
Understanding exposure means testing it the way an attacker would: across every realistic initial access path, not just the ones that have a CVE assigned to them. watchTowr’s Automated Red Teaming engine was built to do exactly that. It covers the full spectrum of MITRE ATT&CK Initial Access techniques – every vector an attacker would realistically use to gain a foothold, tested continuously and automatically against your environment. That includes:

- Credential stuffing and reuse, including credentials harvested from infostealers and third-party data breaches
- Cloud vulnerabilities across AWS, Azure, Alibaba Cloud, and other providers
- Sensitive data and PII exposure, including inadvertently exposed internal documentation and credentials
- Exploitable applications and infrastructure beyond what a CVE scanner covers
- Known Exploited Vulnerabilities (KEVs), mapped to what attackers are actively using
- DNS analysis and abuse
- Third-party and supply chain risk
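The credential-stuffing vector that heads this list (and that the DBIR and Sophos figures above put first) leaves a footprint that no vulnerability scanner reports but that authentication logs do record: one source address cycling through many distinct accounts with a low success rate, and any success inside that burst marking a credential pair the attacker already held. The detector below is an added example written for this page, not watchTowr code or output; the four-field log format, the IP addresses, usernames and thresholds are all assumed for illustration, and the log excerpt is constructed.

```python
"""Minimal credential-stuffing detector over authentication logs.

Added example, not watchTowr code. Assumed log format (one event per line):
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 replays breach-corpus credential pairs
# against six accounts and lands one valid pair (erin). 192.0.2.44 hammers
# a single account (brute force, a different pattern). The rest is normal.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 alice FAIL
2025-06-01T10:00:03Z 203.0.113.7 bob FAIL
2025-06-01T10:00:05Z 203.0.113.7 carol FAIL
2025-06-01T10:00:07Z 203.0.113.7 dave FAIL
2025-06-01T10:00:09Z 203.0.113.7 erin FAIL
2025-06-01T10:00:11Z 203.0.113.7 frank FAIL
2025-06-01T10:00:13Z 203.0.113.7 erin OK
2025-06-01T10:00:04Z 198.51.100.5 alice OK
2025-06-01T10:00:06Z 198.51.100.9 bob FAIL
2025-06-01T10:00:20Z 198.51.100.9 bob OK
2025-06-01T10:01:00Z 192.0.2.44 grace FAIL
2025-06-01T10:01:02Z 192.0.2.44 grace FAIL
2025-06-01T10:01:04Z 192.0.2.44 grace FAIL
2025-06-01T10:01:06Z 192.0.2.44 grace FAIL
2025-06-01T10:01:08Z 192.0.2.44 grace FAIL
2025-06-01T10:01:10Z 192.0.2.44 grace FAIL
"""


def parse_log(text):
    """Parse the assumed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # datetime.fromisoformat accepts '+00:00' on every supported version.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that, within any `window`, attempt >= `min_users` distinct
    accounts with a success ratio <= `max_success_ratio`.

    Distinct-account fan-out is what separates stuffing (many users, few
    passwords each) from brute force (one user, many passwords). Returns a dict
    ip -> {attempts, distinct_users, valid_accounts} for the largest burst seen.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {u for _, u, _ in burst}
            successes = sorted({u for _, u, r in burst if r == "OK"})
            ratio = len(successes) / len(burst)
            if len(users) >= min_users and ratio <= max_success_ratio:
                # A success inside a stuffing burst means the attacker held a
                # valid credential pair for that account: treat as compromised.
                if ip not in findings or len(burst) > findings[ip]["attempts"]:
                    findings[ip] = {
                        "attempts": len(burst),
                        "distinct_users": len(users),
                        "valid_accounts": successes,
                    }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Tuning note: the thresholds are deliberately simple. Real deployments need to handle shared egress (a corporate NAT or a VPN concentrator legitimately presents many users from one address, but with a high success ratio), and distributed stuffing that spreads a campaign across a proxy pool so no single IP crosses `min_users`; the latter is better caught by counting distinct source addresses per account, or distinct accounts per user-agent or TLS fingerprint, over the same window.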