What's the difference between vulnerabilities, exploits, and exposures?
Clarifying some popular terms.
In the cybersecurity field, it's common to hear some terms used interchangeably: vulnerability, exploit, and exposure. Although these concepts are related to one another, they're not actually the same. I'd like to clarify a little.
- A vulnerability is a weakness or flaw in a system.
  - Vulnerabilities can arise for a wide variety of reasons (e.g. user error, software development flaws, etc.).
  - A target with a vulnerability can be any number of things, including (but not limited to): systems, applications, networks, devices, and even people.
- An exploit is a technique or tool a threat actor uses to take advantage of a vulnerability.
  - Think of it as the actual method of carrying out the attack.
  - Examples: malicious code, a phishing email that convinces users to reveal credentials, a SQL injection attack, etc.
- An exposure is something (e.g. a condition, a situation, etc.) that could lead to a vulnerability being exploited.
  - Think of this as basically the state of being susceptible to an attack.
  - An exposure often arises from a vulnerability, but it can also include other risky situations.
  - Examples: having insecure protocols or services reachable from the public internet.
Security is ultimately a discussion about risk. The cyber industry and various frameworks use these data points as inputs to risk formulas. Here are a couple of popular ones:
RISK = LIKELIHOOD x IMPACT
RISK = THREAT x VULNERABILITY x ASSET VALUE
I'll save deep-diving into those formulas for another day. 😄 In the meantime, if you're curious about this topic, check out these articles below: