Authored by: Dan DeCloss

Posted on: December 16, 2025

Cisco Vulnerability Management (formerly known as Kenna) Is Going Away: PlexTrac Can Help Teams Move Forward

If you’ve been around vulnerability management for a while, you probably saw the news: Cisco is sunsetting Cisco Vulnerability Management (fka Kenna Security).

Key Dates:

  • March 10, 2026 – End of Sale: Final date to purchase the product through Cisco.
  • June 11, 2026 – End of Service: Last date to renew or extend service contracts.
  • June 30, 2028 – End of Support: Final date for all subscription entitlements, service, and support; the product becomes obsolete after this date.

This may come as a surprise to some, but it reflects a broader shift already underway. Risk-based vulnerability management is no longer just about scoring vulnerabilities—it’s about understanding exposure, orchestrating remediation, validating fixes, and continuously aligning teams around what actually matters. This evolution has led us to focus on threats and prioritized remediation strategies. The loss of Kenna may present some challenges for existing customers, but PlexTrac can offer a solution.

Kenna became popular because it solved a real problem: drowning in scanner data with no direction. Its risk-based approach helped teams move from thousands of findings to what actually matters. But when a platform like that goes away, the gap isn’t just technical, it’s also operational.

Teams lose:

  • Prioritization logic they’ve fine-tuned over years
  • Workflow habits built around the product
  • A shared mental model of “how we decide what to fix first”

If you don’t replace those things deliberately, you fall right back into alert fatigue and spreadsheet chaos.

Why Risk-Based Vulnerability Management Isn’t Enough Anymore 

Risk-based vulnerability management (RBVM) was an important step forward, but it has a ceiling. At its best, RBVM aggregates findings and assigns relative severity scores. At its worst, it leaves teams staring at dashboards full of disconnected data points, still asking the same question, “What actually matters?”

Security teams don’t suffer from a lack of data. They suffer from a lack of clarity.

While RBVM may centralize findings, it rarely normalizes or deduplicates them across sources. Vulnerabilities, misconfigurations, and control gaps remain fragmented by tools, methodologies, and scoring systems. The result is visibility without understanding, and noise without prioritization. You can see everything, but you still can’t compare it consistently or act with confidence.

True exposure management requires more than aggregation. It requires context, correlation, and validation.

From findings to insight

PlexTrac approaches exposure management from the attacker’s point of view. We connect and normalize findings across vulnerability scanners, cloud posture tools, red team activity, and—critically—human-led pentest results. This creates a unified, deduplicated view of exposure that reflects how real attacks happen, not how individual tools score risk in isolation.

The shift is subtle but powerful. It’s the difference between tracking disconnected weaknesses and understanding how those weaknesses combine into real, exploitable attack paths.

Too often, teams burn cycles debating patch priority and negotiating remediation across dozens of systems. When exposure is validated and contextualized, the answer becomes obvious because the risk is real, provable, and actionable.

That’s what PlexTrac delivers: clarity on the toxic combinations that actually put the business at risk.

Cutting through noise to stop real attack paths

Most breaches don’t happen because of a single “critical” vulnerability. They happen because multiple small weaknesses are chained together over time. Aggregation-based tools struggle to surface these paths because they weren’t designed to think offensively.

By mapping how vulnerabilities, misconfigurations, identities, and access paths intersect—validated through offensive testing—PlexTrac enables teams to move from reactive firefighting to proactive risk reduction. Instead of chasing endless alerts, teams focus on breaking the few attack paths that truly matter.

This is how exposure management becomes operational, not theoretical.

An exposure management maturity model that meets you where you are

Effective exposure management shouldn’t be reserved for the most mature or well-funded organizations. PlexTrac is designed to scale from early-stage security programs to advanced CTEM initiatives without forcing a rip-and-replace of existing tools or locking you into the big scanners.

Whether you’re:

  • Reactively responding to pentest reports and scan results
  • Managing multiple tools that don’t align or speak the same language
  • Or trying to operationalize CTEM across offensive and defensive teams

PlexTrac provides a common fabric that ties it all together.

By standardizing, normalizing, and enriching security data with real-world offensive context, organizations can progress from ad-hoc reporting to continuous, insight-driven exposure management, at their own pace.

Exposure management isn’t about seeing more. It’s about understanding better and acting faster.

Where PlexTrac Can Help

PlexTrac isn’t a scanner and we don’t do penetration testing. What we are is the platform that helps teams make sense of everything they’re already finding, including the most critical exposures identified through penetration tests.

That means:

  • Pulling in results from scanners, pentests, BAS, cloud checks, etc.  
  • Giving you a place to actually work the findings, instead of just drowning in them
  • Helping you prioritize based on your context, not a generic score
  • Keeping the remediation loop tight: assign → fix → retest → close the loop

This is the part that often gets missed when people talk about “exposure management.” You can have all the data in the world, but without a process to take action, you’re still exposed. And truly, once everything has been identified and prioritized, you still have to do the important work of remediation. PlexTrac ensures you have visibility across the entire lifecycle of every exposure, including its real-time status, who’s doing what, and estimated time to completion. This leads to a real-time view of your security posture and risk.

That’s the problem PlexTrac was built to solve, long before CTEM became a buzzword. We also believe that it’s one of the reasons Gartner® recently recognized PlexTrac in its first Magic Quadrant™ for Exposure Assessment Platforms.

A Practical Way to Move Forward

If you’re a Kenna customer wondering what’s next, here’s my honest take:

You don’t need a like-for-like replacement. You need a platform that actually helps you run your vulnerability and exposure program, highlighting your most critical risks to be prioritized first.

PlexTrac can be that solution and help you through transitioning off of Kenna. We’ll help you:

  • Ingest your findings
  • Rebuild your prioritization workflows
  • Map out your remediation process
  • Get your engineers, SOC, and pentesters aligned in one place

Losing a tool like Kenna is always disruptive, but it’s also a chance to rethink how your program runs. If you want to talk through what this means for your environment—even if you don’t choose PlexTrac—my door’s always open.

We built PlexTrac to help teams move faster, stay aligned, and actually close the loop on remediation. If that’s a direction you want to go, we’re here to help.
Contact us today.

Dan DeCloss, PlexTrac Founder/CTO. Dan has over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications.
