A common practice that most organisations adopt as part of their security hygiene is identifying vulnerabilities on their machines and patch them as soon as one is made available. What we discovered was that the most critical vulnerabilities often get patched first before the other severities are looked at.

Without fully understanding the exposure of these exploits and its connectivity to other systems, severity levels may offer a false sense of security since an attacker could leverage multiple low and medium exploits and eventually find their way to the crown jewels.

Therefore, it is important to have a complete view of the connectivity to these vulnerabilities so that patching of systems that are highly connected despite having a lower severity vulnerability, could potentially be prioritised.