• Platform
    Platform
    Nucleus Platform
    Scale and automate your vulnerability and exposure management program
    Vulnerability Intelligence Platform
    Access centralized and enriched vulnerability intelligence
    Nucleus Insights Intelligence Feed
    AI-powered, expert-validated threat and vulnerability intelligence
    Integrations
    Discover our ecosystem of 160+ connectors
    Capabilities
    Vulnerability Aggregation
    Unify and operationalize your vulnerability data in one platform
    Risk Prioritization
    Prioritize with asset context and threat intelligence
    Vulnerability Remediation
    Automate workflows to prioritize and mitigate critical exposures
    Vulnerability Intelligence
    Enrich vulnerability findings with real-world threat intelligence
    Asset Management
    Unify asset data to automate your vulnerability and exposure management
    Plan of Action and Milestones (POAM)
    Automate POA&M compliance at scale
    Compliance Frameworks
    Align with compliance framework controls and requirements.
    MCP Server
    Interact with your data using natural language and AI tools
  • Solutions
    Public Sector
    Federal Government
    Vulnerability and exposure management for government agencies
    State, Local, and Education (SLED)
    Centralize security and simplify compliance for state and local government
    Use Cases
    Exposure Management
    Scale and automate your exposure management program
    Risk-Based Vulnerability Management
    Address vulnerabilities with risk-based context and prioritization
    Application Security
    Shift left application security with production risk context
    Cloud Vulnerability and Exposure Management
    Conquer critical exposures across hybrid clouds
    Featured Report
    Gartner EAP MQ
    Nucleus Security Recognized as a Challenger in 2025 Gartner® Magic Quadrant™ Report

    We have been recognized for our Completeness of Vision and Ability to Execute.

    GET THE REPORT
  • Partners
    Partner Program
    Program Overview
    Learn more about our growing partner program
    MSSPs
    Explore opportunities for MSSP partnerships
    Marketplaces
    Find Nucleus on leading industry marketplaces
    Partner Resources
    Partner Directory
    Explore our ecosystem of partners
    Become a Partner
    Submit your request to join our partner program
    Deal Registration
    Easily register deals with Nucleus
    Partner Portal
    Log in to our dedicated Partner Portal
    Partner Case Study
    Orange Cyberdefense
    Case Study: Orange Cyberdefense

    Orange Cyberdefense leverages Nucleus to streamline vulnerability management, reduce costs, and drive impactful security insights for its customers.

    LEARN MORE
  • Resources
    Resources
    Resource Library
    Discover customer stories, reports, research, and more
    Blog
    Stay informed with the Nucleus Node blog
    Webinars
    Learn from industry experts and Nucleus leaders
    Events
    Meet with us virtually and in-person
    CISA KEV Enrichment Dashboard
    Quickly analyze vulnerabilities identified by CISA
    Featured Resources

    Gartner Exposure Assessment Platform Magic Quadrant

    LEARN MORE

    Omdia Technical Validation

    LEARN MORE
    Featured Articles

    Kenna Lit the Spark on the Exposure Management Fire and It’s Time for the Next Generation

    READ MORE

    Elevating the Channel: Recognition, Relationships, and Continuous Improvement

    READ MORE
    Featured Webinars

    What’s Next in Cyber Economics

    OPEN WEBINAR

    CMMC Readiness in Action

    OPEN WEBINAR
    Featured Events

    Cycode Product Security Summit

    LEARN MORE
    Featured Content

    Kenna Lit the Spark on the Exposure Management Fire and It’s Time for the Next Generation

    LEARN MORE

    Elevating the Channel: Recognition, Relationships, and Continuous Improvement

    LEARN MORE
  • Company
    About
    About Nucleus
    Learn more about who we are as a company
    Careers
    Explore our current openings and join the team
    News
    Read the latest news and articles
    Contact
    Contact Us
    Reach out to the Nucleus team
    Watch a Demo on Demand
    Watch our on-demand video demo
    Schedule Custom Demo
    Request a customized demo suited to your business' needs
    Pricing
    Get a quote based on your unique requirements
    Featured Content
    Omdia Tech Validation Report
    Omdia Technical Validation

    Omdia’s Technical Validation, commissioned by Nucleus, details how Nucleus helps organizations build successful vulnerability and exposure management programs.

    LEARN MORE
Watch A Demo

Kenna Lit the Spark on the Exposure Management Fire and It’s Time for the Next Generation

Steve Carter
December 15, 2025
Industry Perspectives
Kenna Lit the Spark

When Kenna launched more than a decade ago, it reshaped an industry that had grown numb to vulnerability overload. Back then, vulnerability management meant looking at mountains of CSV files, scanner reports, and a never-ending backlog of unprioritized issues. Kenna introduced the idea that risk instead of raw counts should determine what gets fixed first.  

For many security teams, it was the first time they realized they didn’t have a vulnerability problem. What they really had was a prioritization problem. 

The recent announcement that Cisco will retire the Kenna product line over the next several years is more than an operational update. It marks the end of the first era of risk-based vulnerability management and the beginning of what comes next: Exposure Management. 

Kenna Started a Movement 

Kenna’s core insight was profound for its time: not all vulnerabilities matter equally, and machine learning can help predict which ones are truly dangerous. It was a major conceptual leap forward; one the market responded to. Every major vendor today uses the language Kenna helped popularize. Words like “risk-based,” “predictive,” “likelihood of exploit,” and “contextual prioritization” are now the norm. 

Kenna changed the conversation. 

As is very often the case, technology pioneers eventually face the limits of the era they helped define. Kenna was built at a time when: 

  • Infrastructure was largely on-premises.
  • Applications were monolithic, not ephemeral.
  • Exposure meant “vulnerabilities” and little else.
  • Scale meant thousands of assets, not millions. 

It was never designed to unify modern attack surfaces, orchestrate remediation end-to-end, or operate as real-time exposure fabric for the enterprise. That was no fault of the team at Kenna. It merely reflected the reality of building a decade too early. 

The Market Moved and Exposure Expanded 

Fast-forward to today. The attack surface is no longer a list of vulnerabilities. It’s much more complex, consisting of: 

  • Cloud misconfigurations
  • AppSec and container vulnerabilities
  • Identity exposures
  • Outdated dependencies
  • Third-party and vendor exposures 

The definition of “exposure” has grown faster than the tools built to understand and reduce it. The market now needs a platform that does more than score vulnerabilities. It needs one that continuously discovers, correlates, evaluates, and orchestrates remediation across any exposure vector. In essence, it needs to bridge security, IT, DevOps, cloud, and product engineering. 

This is the core reason exposure management has replaced vulnerability management as the strategic program CISOs are now building. 

Where Kenna Inspired Us and Where We Chose a Different Path 

Kenna proved that unification and prioritization are essential. It validated the idea that vulnerability management could be analytics-driven instead of spreadsheet-driven. But from day one at Nucleus, we recognized that effective exposure reduction requires much more. 

It demands automation that not only scores risk but drives actual remediation; performance and multitenancy built for enterprise-scale, globally distributed environments; and context that connects vulnerabilities with threats, identities, and configurations in a way that reflects how organizations really operate.  

It also depends on real-time exposure intelligence rather than next-day reports, along with a closed-loop remediation engine that keeps security, IT, and DevOps aligned on what needs to be fixed and when. Above all, achieving meaningful outcomes requires a true platform approach, not another isolated point solution. 

In other words, to truly reduce exposure, you must operationalize it. Simply measuring the problem does nothing to help solve it. 

The Legacy Lives on While the Mission Has Evolved 

Cisco sunsetting Kenna is not a story about a product ending. It is the story of an era ending. The modern enterprise requires a system of record for exposures, just as CRM became the system of record for revenue and SIEM became the system of record for logs. Risk-based vulnerability management will always be part of the playbook, but Exposure Management is the new operating system for security. 

We owe a debt to Kenna for sparking a movement. Their work inspired a generation of security practitioners to think differently about vulnerability risk. And that spark is what helped shape the foundation for what Nucleus is building today. 

The next chapter of exposure management is here. And we are building the platform designed to lead it.

Steve Carter
Steve is the CEO and Co-founder of Nucleus Security, helping organizations to automate, accelerate, and optimize vulnerability management workflows. This includes working with vulnerability management and DevSecOps teams at enterprises of all sizes, application security teams, MSSPs, and solution providers.

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.

Schedule a Demo

© 2025 Nucleus Security. All rights reserved

Introducing Nucleus 3.0 | Faster, Smarter AI-Driven Exposure Management