On April 5, 1995, two security researchers named Dan Farmer and Wietse Venema released a tool they called the Security Administrator Tool for Analyzing Networks. The acronym, SATAN, was deliberately provocative. The tool itself was unprecedented. For the first time, anyone with a Sun workstation and a network connection could run a single command and receive a report listing every known security weakness on a target server: vulnerable services, weak file permissions, out-of-date daemons, anonymous FTP misconfigurations, sendmail flaws.
The reaction was extraordinary. Major newspapers ran front-page stories warning that crackers now had a weapon of mass destruction. Some Internet Service Providers blocked all SATAN downloads. The US Department of Energy briefly suspended Farmer from his job at Silicon Graphics for releasing it. Almost nothing of what the panic predicted actually happened. What did happen is that the entire field of vulnerability management was born.
Thirty-one years later, the discipline that started with one Perl script has grown into a continuous, risk-prioritised, attack-surface-aware capability that scans tens of millions of assets per day, ranks weaknesses against active exploitation telemetry, and feeds remediation directly into IT operations. The path from then to now unfolded in five distinct phases. Each one solved a problem the previous era could not.
Phase 1 (1995-1998): Open-Source Scanners and the SATAN Era
SATAN's release in 1995 established the basic shape of every vulnerability scanner since. A scanner connected to a target, fingerprinted the operating system and services, looked up known issues for that service version in a local database, and produced a report. Within months, ISS Internet Scanner from Internet Security Systems (founded 1994 in Atlanta by Christopher Klaus) launched as the first commercial scanner. Cisco followed with NetSonar. The category was suddenly real and growing fast.
The defining open-source release came in April 1998. A 22-year-old French security researcher named Renaud Deraison released Nessus, a free, open-source vulnerability scanner with a plugin architecture that allowed any researcher to publish a new check as a self-contained NASL script. The plugin model was the breakthrough. SATAN's checks had been baked into the binary. Nessus's plugin format meant that the day a new vulnerability was disclosed, a community-contributed plugin could be live in Nessus within hours. The vulnerability database stopped being a vendor's release schedule and became a living, distributed effort.
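The scanner shape described above (grab a service banner, fingerprint product and version, look the version up in a local check database, report) can be shown end to end in a few dozen lines. The following is an added illustration, not code from SATAN, Nessus or any vendor; every banner, product, version boundary and finding identifier in it is constructed, and the numeric version comparison is the one detail a practitioner most often gets wrong (comparing "7.10" and "7.4" as strings puts them in the wrong order).

```python
"""Toy scanner core: fingerprint a banner, look the version up in a local
check database, emit findings. Added example, not SATAN or Nessus code.
All banners, products, version ranges and finding IDs are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str      # constructed identifier, deliberately not a real CVE
    product: str
    fixed_in: tuple    # first version that is NOT affected
    title: str


# Constructed local check database. In the plugin model this table is what
# became community-maintained instead of baked into the scanner binary.
CHECK_DB = [
    Check("DEMO-0001", "OpenSSH", (7, 5), "pre-7.5 demo weakness"),
    Check("DEMO-0002", "vsFTPd", (3, 0, 3), "pre-3.0.3 demo weakness"),
    Check("DEMO-0003", "Apache", (2, 4, 50), "pre-2.4.50 demo weakness"),
]

# Banner -> product fingerprint patterns, also constructed.
BANNER_PATTERNS = [
    (re.compile(r"SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)"), "OpenSSH"),
    (re.compile(r"220 \(vsFTPd (\d+(?:\.\d+)*)\)"), "vsFTPd"),
    (re.compile(r"Server: Apache/(\d+(?:\.\d+)*)"), "Apache"),
]


def parse_version(text):
    """'7.4' -> (7, 4). Integer tuples compare numerically; strings would
    rank '7.10' below '7.4' and silently miss findings."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner):
    """Return (product, version_tuple) or None when the banner is unknown."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def lookup(product, version):
    """Every check for this product whose fixed_in version is newer than
    the version observed on the wire."""
    return [c for c in CHECK_DB if c.product == product and version < c.fixed_in]


def scan(host_banners):
    """host_banners: {host: [banner, ...]} as a scanner would have collected.
    Returns {host: [(check_id, title), ...]}, sorted for stable reporting."""
    report = {}
    for host, banners in host_banners.items():
        findings = []
        for banner in banners:
            fp = fingerprint(banner)
            if fp is None:
                continue  # unrecognised service: report nothing rather than guess
            findings.extend((c.check_id, c.title) for c in lookup(*fp))
        report[host] = sorted(findings)
    return report


# Constructed banners standing in for what a 1990s scanner read off the wire.
SAMPLE_BANNERS = {
    "10.0.0.5": ["SSH-2.0-OpenSSH_7.4", "Server: Apache/2.4.41"],
    "10.0.0.6": ["220 (vsFTPd 3.0.3)", "SSH-2.0-OpenSSH_8.9"],
    "10.0.0.7": ["220 some-unknown-daemon ready"],
}

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_BANNERS).items():
        print(host, findings or "no known issues")
```

Unauthenticated banner matching is exactly why the enterprise deployments of the next decade moved to authenticated scans: a backported fix leaves the banner version unchanged, so version-only lookup over-reports, and a patched binary behind an old banner string is the classic false positive.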
By 2000, Nessus was the dominant vulnerability scanner on the planet. It was free, it was extensible, it was widely trusted, and it was running in nearly every security operations team that knew it existed. The scene was set for commercialisation.
Phase 2 (1999-2008): The Commercial VM Pioneers
Three companies founded between 1999 and 2002 would go on to define enterprise vulnerability management for the next two decades. Qualys was founded in 1999 by Philippe Courtot and built around a then-radical idea: deliver vulnerability scanning as a cloud-hosted service. No on-premises scanner appliance, no maintenance, no engine updates to manage. Qualys's QualysGuard platform launched in 2000 and pioneered the SaaS VM delivery model that the rest of the market eventually adopted.
Rapid7 was founded in 2000 in Boston by Alan Matthews and Tas Giakouminakis and grew through the 2000s into a full vulnerability and incident-response platform. Its 2009 acquisition of the Metasploit Framework (created by HD Moore in 2003) gave Rapid7 a unique position: the only major VM vendor that owned the most popular open-source penetration-testing toolkit, blurring the line between scanning for vulnerabilities and proving they were exploitable.
Tenable was founded in 2002 in Maryland by Ron Gula, Jack Huffard and Renaud Deraison himself, the original Nessus author. Initially Tenable continued to ship Nessus as open source. In 2005, Tenable shifted Nessus to a closed-source commercial licence (open-source forks like OpenVAS, now Greenbone, branched off at that point). Tenable.io launched in 2017 as the cloud-native successor to the original Nessus product, and Tenable became one of the dominant enterprise VM platforms.
By 2008, the enterprise VM market had stabilised around these three commercial pioneers, supplemented by IBM (which acquired ISS in 2006), McAfee, and a long tail of niche vendors. The standard enterprise deployment was an authenticated scan of every internal asset on a quarterly cadence, plus more frequent perimeter scans, plus PCI-DSS-mandated quarterly external scans by an Approved Scanning Vendor. Reports were measured in thousands of pages. Remediation was measured in months.
Phase 3 (2010-2018): The Prioritisation Crisis
By 2010, vulnerability management had a new, structural problem. Scanners were generating findings faster than organisations could remediate them. A medium-sized enterprise scanned weekly was producing tens of thousands of open findings at any given time. Patching velocity could not keep up. CVSS, the industry-standard vulnerability scoring system, was treated by most teams as a literal patch priority list, but CVSS scored severity in a vacuum and ignored whether the vulnerability was actually being exploited in the wild. The result was that teams patched everything that was rated High or Critical, ignored everything else, and missed many of the vulnerabilities that mattered most.
The breakthrough came from outside the traditional VM vendors. In 2014, Kenna Security (founded as Risk I/O in 2010) launched the first commercial risk-based vulnerability management platform, combining traditional scan data with real-world exploit telemetry to predict which vulnerabilities were most likely to be exploited against the customer's specific environment. The Exploit Prediction Scoring System (EPSS), launched as a public effort in 2019, formalised the same idea: predict the probability of exploitation in the next 30 days for every CVE.
Cisco acquired Kenna in 2021. By 2022, every major VM vendor had added risk-based scoring (Tenable VPR, Qualys TruRisk, Rapid7 Real Risk Score) and most had integrated CISA's Known Exploited Vulnerabilities (KEV) catalogue, launched in November 2021, as a hard prioritisation signal. Patching everything had been replaced with patching what would actually be exploited.
Phase 4 (2018-2022): External Attack Surface Management
The next gap was discovery. Internal scans found weaknesses on assets you knew existed. They found nothing on the assets you did not know existed. Shadow IT, forgotten cloud workloads, exposed staging environments, abandoned subdomains, S3 buckets, public APIs and SaaS tenants accumulated outside the scope of every VM programme.
External Attack Surface Management (EASM) was the answer. EASM platforms continuously discovered every internet-facing asset associated with an organisation by querying DNS, certificate transparency logs, IP ranges, BGP, public code repositories and search engines, then assessed those assets for exposure. The pioneers were Expanse (founded 2012, acquired by Palo Alto Networks in 2020 for USD 800M), Randori (acquired by IBM in 2022), CyCognito and Censys.
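The discovery step described above, reduced to its core, is a diff between what public sources say exists under your domains and what your VM platform actually scans. The code below is an added example, not any EASM product's code: it parses a constructed certificate-transparency export (shaped like the JSON crt.sh returns, with newline-separated SANs in a name_value field), normalises the names, discards wildcards and look-alike domains outside the owned apexes, and classifies each hostname against a constructed inventory and a constructed DNS table. The organisation domain corp.example and everything in CT_EXPORT, DNS_TABLE and KNOWN_ASSETS are assumptions made for the example.

```python
"""Attack-surface discovery from certificate transparency data, then a diff
against the asset inventory the VM programme already scans. Added example,
not any EASM vendor's code. All domains, CT entries, DNS answers and the
inventory below are constructed."""
import json

# Assumption: the apex domains the organisation owns (constructed).
ORG_DOMAINS = {"corp.example"}

# Constructed CT log export; name_value carries newline-separated SANs.
CT_EXPORT = json.dumps([
    {"issuer_name": "O=Demo CA", "name_value": "www.corp.example\ncorp.example"},
    {"issuer_name": "O=Demo CA", "name_value": "*.corp.example"},
    {"issuer_name": "O=Demo CA", "name_value": "staging-old.corp.example"},
    {"issuer_name": "O=Demo CA", "name_value": "API.Corp.Example\napi.corp.example."},
    {"issuer_name": "O=Demo CA", "name_value": "old-cdn.corp.example"},
    {"issuer_name": "O=Demo CA", "name_value": "portal.corp.example.lookalike.test"},
    {"issuer_name": "O=Demo CA", "name_value": "vpn.partner.example"},
])

# Constructed resolver answers standing in for live DNS lookups.
DNS_TABLE = {
    "www.corp.example": "203.0.113.10",
    "corp.example": "203.0.113.10",
    "api.corp.example": "203.0.113.20",
    "staging-old.corp.example": "198.51.100.7",
}

# What the VM platform currently scans (constructed inventory).
KNOWN_ASSETS = {"www.corp.example", "corp.example", "api.corp.example"}


def in_scope(hostname):
    """True only for an owned apex or a real subdomain of one. The suffix
    check with a leading dot is what keeps corp.example.lookalike.test out."""
    return any(hostname == d or hostname.endswith("." + d) for d in ORG_DOMAINS)


def hostnames_from_ct(ct_json):
    """Parse SANs, normalise case and trailing dots, drop wildcards (no
    concrete host to assess) and anything outside the owned domains."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if in_scope(name):
                names.add(name)
    return names


def classify(discovered, known, resolve):
    """Split discovered names into: already scanned, unknown but resolving
    (live exposure nobody scans), and unknown with no DNS answer (a
    certificate outlived its host; clean it up or reclaim the name)."""
    result = {"known": set(), "unknown_live": set(), "unknown_dangling": set()}
    for name in sorted(discovered):
        if name in known:
            result["known"].add(name)
        elif resolve(name):
            result["unknown_live"].add(name)
        else:
            result["unknown_dangling"].add(name)
    return result


def discover(ct_json=CT_EXPORT, known=KNOWN_ASSETS, dns=DNS_TABLE):
    """Run the full discovery diff over the constructed inputs."""
    return classify(hostnames_from_ct(ct_json), known, dns.get)


if __name__ == "__main__":
    for bucket, names in discover().items():
        print(f"{bucket}: {sorted(names)}")
```

In a real programme the CT export, the resolver and the inventory are replaced by live feeds, and the unknown_live bucket is what gets enrolled into scanning; the unknown_dangling bucket is the cleanup list.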
By 2022, EASM had been absorbed into most enterprise VM platforms. Tenable acquired Bit Discovery to launch Tenable Attack Surface Management. Microsoft launched Defender External Attack Surface Management on the back of its 2021 RiskIQ acquisition. Qualys, Rapid7 and CrowdStrike all added EASM modules. Discovery, scanning and risk-prioritised remediation became one workflow.
Phase 5 (2022 onwards): CTEM and the Continuous Exposure Era
In July 2022, Gartner introduced a new framework called Continuous Threat Exposure Management (CTEM). CTEM is not a product. It is an operating model that collapses scanning, EASM, attack-path modelling, breach-and-attack simulation, identity-exposure analysis and remediation orchestration into a single, continuously running programme with a five-stage cycle: scoping, discovery, prioritisation, validation and mobilisation.
The reason CTEM matters is that the modern attack surface is no longer just "unpatched CVEs on managed servers". It is misconfigured cloud IAM policies, exposed Kubernetes APIs, over-privileged service accounts, vulnerable SaaS tenants, third-party software supply chains and the human attack surface of phishable employees. Traditional VM products were never designed to see most of those, and CTEM forces the programme to span all of them.
Practical CTEM in 2026 is built from a stack: a modern VM platform (Tenable One, Qualys VMDR, Rapid7 InsightVM) for the asset and CVE layer, a CSPM/CNAPP platform for the cloud-misconfiguration layer (Wiz, Prisma Cloud, Defender for Cloud), an identity-exposure platform (Microsoft Defender for Identity, Semperis), a BAS platform (AttackIQ, SafeBreach, Picus) to validate that detections actually fire, and a remediation orchestration layer (often the SOAR or ITSM ticketing engine) to close the loop. Most enterprises run a hybrid of three or four of those.
What This History Tells UAE Businesses Today
If you are running, replacing or scaling a vulnerability management programme in 2026, the five-phase arc above is not academic. Three things follow directly.
The first is that quarterly scanning is no longer a programme. NESA and NCA ECC compliance still references periodic scanning, but real exploitation timelines now run in days, not quarters. CISA KEV-listed vulnerabilities are typically exploited at scale within weeks of disclosure. Continuous internal and external scanning, combined with KEV-aware prioritisation, is the floor, not the ceiling, of a defensible programme.
The second is that CVSS-only patch lists waste capacity. Roughly 25,000 CVEs are published per year. Around 4-6% are ever observed being exploited in the wild. Treating all High/Critical CVSS findings as equal patch priorities means committing scarce remediation capacity to vulnerabilities no attacker is actually using, while real attack paths sit open. EPSS plus KEV plus environment-specific risk scoring is how a 100-person IT team can keep up with a 100,000-finding scan backlog.
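The prioritisation shift described in Phase 3 and again in the point above (CVSS severity alone versus KEV, EPSS and environment-specific exposure) is easiest to see on a small set of findings. The example below is added here and is not Kenna's, Tenable's, Qualys's or Rapid7's scoring logic; the CVE identifiers are placeholders, the EPSS values and KEV flags are constructed, and the weighting in risk_score and the 0.10 EPSS cut-off are assumptions chosen only to make the contrast visible. It builds both queues from the same findings and measures how much of the CVSS-only queue is spent on findings that are neither in KEV nor likely to be exploited.

```python
"""CVSS-only patch queue beside a KEV + EPSS + exposure queue over the same
findings. Added example, not any vendor's algorithm; every identifier,
score and weight below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder identifier, not a real CVE
    asset: str
    cvss: float           # 0-10 base severity, scored "in a vacuum"
    epss: float           # 0-1 probability of exploitation in the next 30 days
    in_kev: bool          # listed in CISA KEV (constructed flag)
    internet_facing: bool # environment-specific exposure


CVSS_PATCH_THRESHOLD = 7.0   # "patch everything High/Critical"
EPSS_ATTENTION = 0.10        # assumed cut-off; tune to remediation capacity


def risk_score(f):
    """Constructed scoring: KEV dominates, then exploit likelihood, then
    exposure doubles the score, and CVSS only breaks ties."""
    score = f.epss * 100             # 0-100 from exploit probability
    if f.in_kev:
        score += 1000                # actively exploited: always first
    if f.internet_facing:
        score *= 2                   # reachable by an attacker
    return score + f.cvss / 10       # tie-breaker only


def cvss_only_queue(findings):
    """The Phase 3 anti-pattern: severity order, exploitation ignored."""
    ordered = sorted(findings, key=lambda f: -f.cvss)
    return [f.cve for f in ordered if f.cvss >= CVSS_PATCH_THRESHOLD]


def risk_based_queue(findings):
    """Risk order. A finding enters the queue if it is in KEV, is likely to
    be exploited, or is High/Critical on an internet-facing asset."""
    def in_scope(f):
        return (f.in_kev or f.epss >= EPSS_ATTENTION
                or (f.internet_facing and f.cvss >= CVSS_PATCH_THRESHOLD))
    ordered = sorted(findings, key=risk_score, reverse=True)
    return [f.cve for f in ordered if in_scope(f)]


def wasted_capacity(findings):
    """Share of the CVSS-only queue that is neither in KEV nor likely to be
    exploited: remediation effort spent where no attacker is active."""
    queue = [f for f in findings if f.cvss >= CVSS_PATCH_THRESHOLD]
    if not queue:
        return 0.0
    idle = sum(1 for f in queue if not f.in_kev and f.epss < EPSS_ATTENTION)
    return idle / len(queue)


# Constructed findings: the 9.8 on an internal database nobody is exploiting
# versus the 7.5 on the VPN that is in KEV with a 93% exploit probability.
SAMPLE_FINDINGS = [
    Finding("CVE-DEMO-0001", "db01", 9.8, 0.004, False, False),
    Finding("CVE-DEMO-0002", "vpn01", 7.5, 0.930, True, True),
    Finding("CVE-DEMO-0003", "web01", 8.1, 0.020, False, True),
    Finding("CVE-DEMO-0004", "hr-app", 6.5, 0.450, False, True),
    Finding("CVE-DEMO-0005", "build01", 9.1, 0.001, False, False),
]

if __name__ == "__main__":
    print("CVSS-only :", cvss_only_queue(SAMPLE_FINDINGS))
    print("risk-based:", risk_based_queue(SAMPLE_FINDINGS))
    print(f"CVSS-only capacity on idle findings: {wasted_capacity(SAMPLE_FINDINGS):.0%}")
```

The CVSS-only queue starts with the two internal 9.x findings and puts the KEV-listed VPN flaw last, while the risk-based queue starts with it and also admits the 6.5 finding that CVSS would have ignored; three quarters of the CVSS-only queue is spent on findings with no exploitation signal at all.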
The third is that the scanner is not the programme. The biggest determinant of programme outcomes is integration with patching, change management and ITSM. A best-of-breed VM platform whose findings never make it into the IT remediation queue is an expensive scanner with no operating model. The hard part of VM in 2026 is not detection. It is closing the loop with the people who actually fix the vulnerabilities.
Where Artiflex IT Comes In
Artiflex IT designs, deploys and operates vulnerability and exposure management programmes across the UAE, Oman and Saudi Arabia. We deliver Tenable One, Qualys VMDR and Rapid7 InsightVM as the primary VM platforms, integrated with Microsoft Defender for Cloud or Wiz for cloud-misconfiguration coverage, and connected through ServiceNow, Jira or in-house ITSM for remediation orchestration. We start with discovery (because no scan finds an asset you have not enumerated) and only then deploy scanning at the cadence and depth your environment justifies.
If your VM is generating findings nobody patches, your KEV list is not part of your patch cadence, or your external attack surface has not been enumerated since the last network refresh, we will tell you exactly where you are exposed and what an honest re-design looks like. No upselling, no theatre.
Talk to our Consultant
30-minute review of your current vulnerability scanning, prioritisation, EASM coverage and remediation workflow against modern CTEM benchmarks. We will surface the three highest-impact gaps to fix first, with no commitment.