
Proofpoint targets exploited vulnerabilities with new active exploits protection

Vulnerability scanners can find thousands of problems. Many are marked “critical” or “high.” But that does not mean attackers are using all of them. Some serious vulnerabilities may never be used in real attacks. At the same time, some exploited flaws may not show up quickly in public risk lists. For MSSPs and enterprise security teams, this creates a daily challenge: knowing what to fix first.

Proofpoint has launched Active Exploits Protection, a new cybersecurity product that helps organizations focus on the vulnerabilities attackers are already using. The product is designed to help security teams decide what to fix first. Instead of relying only on severity scores, it looks at real attacker activity. That matters because attackers are moving faster. Vulnerabilities can be found, turned into attacks, and used before many organizations have time to patch their systems.

Proofpoint shifts the focus to active exploitation

Active Exploits Protection uses Proofpoint’s threat data to spot vulnerabilities that attackers are already targeting. Proofpoint says that data comes from hundreds of millions of daily email interactions and more than 5,000 sensors worldwide. The company says these sources have produced more than 3 million exploit-related alerts in 2026. The product uses all that information to help security teams decide what to fix first.

Most organizations cannot patch everything at once. Patch management is still important, but teams need to know which vulnerabilities create the biggest immediate risk and which ones can wait for the normal patching process. Many customers still depend on scheduled patch cycles, maintenance windows, and internal approval processes. Those controls exist for good reasons, but they can leave organizations exposed when attackers move faster than IT operations can respond.

Sara Pan, director of product marketing at Proofpoint, said the pressure on security teams is increasing because AI is shrinking the time defenders have to respond.

“AI is compressing the time between vulnerability disclosure and active targeting in a way we haven’t seen before,” Pan said. “What used to take weeks or months can now happen in hours. For organizations still operating on traditional patching windows, this creates a widening exposure gap. It’s not that patching is unimportant, but the cadence of patch cycles was built for a different threat era.”

Why severity scores are not enough

Security teams often use severity ratings to decide what to patch first. Those ratings help, but they do not show everything. A vulnerability can be marked as serious because it could cause major damage. But that does not always mean attackers are using it. Another vulnerability may look less urgent at first, but it can become a bigger risk if attackers start using it.

Proofpoint says this is where exploit intelligence can help. The company says fewer than 6% of disclosed vulnerabilities are seen being used in real attacks. That means security teams do not just need more vulnerability data. They need a clearer view of what attackers are actually doing.

Pan said the main issue is not only the speed of attacks, but the lack of clarity around what deserves immediate attention.

“The biggest operational gap today isn’t simply speed, it’s prioritization clarity,” Pan said. “Security teams are overwhelmed by high- and critical-rated vulnerabilities, yet only a small percentage are ever actively targeted in the wild. When organizations rely primarily on severity scores or public frameworks that lag behind real attacker behavior, they risk allocating resources toward theoretical risk while active threats move elsewhere.”

That challenge is familiar to managed security providers. Many customers expect help translating vulnerability reports into action. A service provider that can say, “Patch this first because it is being actively exploited,” offers more value than one that simply forwards scanner output.

“The real challenge is knowing which vulnerabilities are actually being used so teams can focus on reducing exposure where it materially matters,” Pan said.

Protection before patching is complete

Proofpoint says Active Exploits Protection can turn exploit intelligence into protection in about 35 seconds. The company says that protection can spread across the network in under 18 minutes. That matters because patching is not instant. Many organizations need time to test patches, schedule updates, and avoid breaking important systems. Some older or business-critical systems cannot be patched quickly. Temporary protection does not replace patching. But it can reduce risk while teams work on the fix.

For MSSPs, this could help speed up response. They could use the intelligence to update detections, start response workflows, alert customers, and prioritize tickets. The value to MSSPs will depend on how well the product connects with the tools they already use.

Pan said the speed of protection creates an opening for MSSPs to move beyond advisory services.

“For MSSPs, the opportunity is both operational and commercial,” Pan said. “The ability to translate real-world targeting intelligence into protective controls within minutes allows service providers to reduce customer exposure during the patch window rather than simply advising on remediation timelines. That shift from monitoring to measurable exposure reduction can be a meaningful differentiator.”

MSSPs could package exploit prioritization as a service

Active Exploits Protection could fit into several service areas, including vulnerability prioritization, threat-informed remediation, incident response, SOC automation, and exposure management. Proofpoint says the solution integrates with existing SOC tools, vulnerability management platforms, and automation pipelines through APIs. That integration will matter for partners because MSSPs typically operate across complex customer environments with multiple security stacks.

Pan said MSSPs can use the capability to reshape how they deliver vulnerability management services.

“MSSPs can absolutely think about packaging this capability into managed vulnerability prioritization or exposure reduction services,” Pan said. “Instead of delivering long lists of vulnerabilities ranked by severity, they can anchor remediation guidance in observed attacker activity. That strengthens conversations with customers because it ties action directly to real-world attack behavior.”

That would mark a shift from traditional vulnerability reporting toward a more active managed defense model. Rather than sending customers a backlog of critical findings, an MSSP could prioritize vulnerabilities based on active exploitation, customer exposure, and available protective controls.

“Speed also becomes tangible value, demonstrating that protections can be deployed rapidly across multiple customer environments while patching catches up,” Pan said.

Automation needs context and explainability

The automation angle is also important. Proofpoint says Active Exploits Protection is designed to support AI-driven workflows and operationalize exposure reduction at scale. For MSSPs, automation can help reduce manual triage, but it also introduces questions about trust.

MSSPs need to know why a vulnerability is being prioritized before they make recommendations across customer environments. Customers also need clear explanations. A provider cannot simply say a system was prioritized because an algorithm said so. It needs to explain the attacker activity, the affected assets, the protection applied, and the remediation steps that remain.

Pan said the workflow can begin by feeding exploit targeting signals into the tools MSSPs already use.

“In practice, MSSPs can use Active Exploit Protection’s API access and integrations to bring real-world exploit targeting signals into centralized SOC workflows, vulnerability management platforms, asset inventories, and automation pipelines,” Pan said. “That helps providers correlate actively exploited vulnerabilities with the customer-specific exposure data they already manage, then prioritize remediation and protection based on attacker behavior rather than severity scores alone.”

That workflow could help providers triage across multiple customers without treating every high-severity vulnerability the same way. It also gives MSSPs a way to connect threat intelligence to customer-specific exposure, which is often where vulnerability management programs struggle.
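The correlation described above can be sketched in a few lines. This is an added example, not Proofpoint's code or API: the CVE ids are placeholders, the asset names and feed contents are constructed, and the ranking order (active exploitation, then exposure, then missing protection, then severity) is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder CVE ids and hypothetical asset names.
# EXPLOITED stands in for any exploit-intelligence feed (CVE -> observed activity).
EXPLOITED = {
    "CVE-0000-0002": "exploit attempts seen by network sensors in the last 24h",
    "CVE-0000-0003": "targeting seen in email-borne campaigns",
}
# Scanner findings: (customer, asset, cve, severity, internet_facing, shielded)
FINDINGS = [
    ("acme", "vpn-gw-1", "CVE-0000-0001", 9.8, True, False),
    ("acme", "web-2", "CVE-0000-0002", 7.5, True, False),
    ("acme", "hr-db", "CVE-0000-0003", 6.5, False, True),
    ("globex", "mail-1", "CVE-0000-0002", 7.5, False, False),
    ("globex", "build-7", "CVE-0000-0004", 9.1, False, False),
]

@dataclass
class Ticket:
    customer: str
    asset: str
    cve: str
    key: tuple
    why: str  # explanation a provider can hand to the customer

def triage(findings, exploited):
    """Rank findings by observed exploitation first and severity last."""
    tickets = []
    for customer, asset, cve, sev, exposed, shielded in findings:
        active = cve in exploited
        # Tuple sorts as: exploited > internet-facing > unprotected > severity.
        key = (active, exposed, not shielded, sev)
        if not active:
            remaining = "patch in the normal cycle"
        elif shielded:
            remaining = "patch out of cycle"
        else:
            remaining = "apply temporary protection, then patch out of cycle"
        why = "; ".join([
            f"attacker activity: {exploited.get(cve, 'none observed')}",
            f"asset: {asset} ({'internet-facing' if exposed else 'internal'})",
            f"protection applied: {'temporary control' if shielded else 'none'}",
            f"remaining: {remaining}",
        ])
        tickets.append(Ticket(customer, asset, cve, key, why))
    return sorted(tickets, key=lambda t: t.key, reverse=True)

if __name__ == "__main__":
    for t in triage(FINDINGS, EXPLOITED):
        print(f"{t.customer:7} {t.asset:9} {t.cve}  {t.why}")
```

On this sample the 9.8-rated finding drops to fourth place because nothing in the feed shows it being exploited, while the 7.5-rated internet-facing finding moves to the top.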

Pan said much of the process can be automated, provided the intelligence is high confidence and explainable.

“A significant portion of signal ingestion, prioritization, workflow routing, and protection deployment can be automated, particularly for high-confidence intelligence grounded in Proofpoint telemetry,” Pan said. “Active Exploit Protection is designed to translate exploit intelligence into protection quickly and operationalize exposure reduction at scale.”

Still, automation should not remove human accountability from managed security services. MSSPs need defensible workflows, especially when their decisions affect patching priorities, customer communications, and risk acceptance.

“That said, trust and explainability remain essential in managed service environments,” Pan said. “MSSPs need clear context on why a vulnerability is being prioritized, what attacker activity supports that determination, what protection has been applied, and what remediation guidance should be communicated to each customer.”

AI increases pressure on vulnerability teams

Proofpoint is also connecting the launch to the rise of AI-driven threats. The company says AI can help attackers find and use vulnerabilities faster.

But AI is not the only issue. Security teams were already dealing with too many vulnerabilities, too many alerts, and not enough staff. AI could make that problem worse by helping attackers move faster. Data on active exploitation can help because it shows what attackers are doing right now.

Proofpoint says its 2026 research found 12 actively exploited CVEs, compared with eight listed in CISA’s Known Exploited Vulnerabilities catalog at the time of the announcement. That does not mean teams should ignore CISA KEV. It means some organizations may want more sources of exploit intelligence to spot risk earlier.

Proofpoint’s Active Exploits Protection addresses a real problem: security teams are overloaded, and attackers often move faster than patch cycles. For MSSPs, this is important. Instead of treating every critical vulnerability the same way, they can help customers focus on the flaws attackers are actually using and reduce risk while patching catches up.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
