Kenna is Sunsetting. But the Sun Will Rise Again.

Sharon Isaaci, Co-founder and CEO
December 22, 2025

On December 9, 2025, Cisco announced the end of sale and end of life for Cisco Vulnerability Management, formerly Kenna Security. This marks the close of one of the most influential Risk-Based Vulnerability Management (RBVM) platforms in the industry. 
 
Kenna helped security teams move beyond raw CVE counts and introduced a more disciplined way to prioritize risk. It played a defining role in shaping the RBVM category and laid important groundwork for today’s exposure-centric approaches. 
 
But the threat landscape has evolved faster than traditional RBVM models. 

How Vulnerability Management Became Exposure Management

Vulnerability management didn’t evolve slowly. It evolved under pressure.

  1. Vulnerability Assessment (Scanning): Early programs focused on discovery: scan the environment, list vulnerabilities, rank them by generic technical severity. As environments scaled, this model collapsed under its own weight, producing noise faster than teams could respond.
  2. Risk-Based Vulnerability Management (RBVM): RBVM was the first major breakthrough, and Kenna was a key driver. By factoring in exploitability and asset importance, RBVM helped teams focus on what mattered most. But vulnerabilities remained the core unit of risk, and much of the process relied on manual interpretation with limited context and automation.
  3. UVM and CAASM: As tools multiplied and infrastructure sprawled across cloud, SaaS, and hybrid environments, teams needed consolidation and asset clarity. Unified Vulnerability Management (UVM) brought vulnerabilities together. Cyber Asset Attack Surface Management (CAASM) answered a more fundamental question: what do we actually have? Visibility improved, but it was still largely technical and disconnected from real business impact and adversarial context.
  4. CTEM: Continuous Threat Exposure Management reframed the goal. The objective was no longer patching vulnerabilities, but reducing exposure tied to critical business services and attack paths. Risk became dynamic, contextual, and business-driven.
  5. Agentic Exposure Management: Today, exposure management is entering its next phase. Agentic systems go beyond prioritization. They reason across assets, vulnerabilities, identities, configurations, threats, and business context, then take action. This is the shift from managing findings to managing outcomes.

Why This Matters Now

The retirement of Kenna is not just a product sunset. It reflects a generational shift in how organizations think about and act on risk.


Traditional vulnerability-centric approaches have reached their natural limits. The future belongs to exposure management that is continuous, contextual, and increasingly autonomous.

This shift reflects a broader change from managing findings to managing outcomes. Security teams now need solutions like Tonic that: 
• Continuously discover and inventory assets across hybrid environments 
• Assess exposure in full context, including misconfigurations and controls 
• Prioritize based on business impact, not just CVSS 
• Orchestrate and validate remediation, not just report it

For organizations evaluating their next move, this moment is not just about replacing a tool. It is an opportunity to level up. 

What You Get After Migrating

While RBVM tools, like Kenna, helped the industry mature, today teams are being asked bigger questions:

  • What is the fastest way to reduce exposure?
  • Who should do the work?
  • What is blocking remediation?
  • What can be automated?
  • How do we prove risk reduction?

Tonic was built for this new era of agentic exposure management, providing:

  • A Security Data Fabric that continuously connects any source and ingests any data - cloud, on-prem, hybrid, structured or unstructured. Tonic harmonizes data from business applications, IT systems, security controls, and homegrown tools into a single, connected model. 
  • Deep automated contextualization that accelerates triage and investigation. Tonic reveals hidden context buried in “tribal knowledge”, helping teams quickly understand ownership, dependencies, likelihood of exploitation, and potential business impact through its security graph. 
  • Smart, context-driven prioritization that surfaces the risks that truly matter. Tonic’s Contextualized Risk indicator goes beyond generic scoring to align remediation with real business outcomes, exploitation likelihood, and mitigation feasibility. 
  • Agentic remediation that turns insight into action. Tonic’s agents identify fixers, open tickets, enforce policies, manage exceptions, track progress, and deploy targeted mitigating controls automatically. 

Migration Risks, and How to Avoid Them

When a platform like Kenna sunsets, teams often experience:

  • Historical trends getting reset
  • Exceptions and compensating controls being lost
  • SLA drift
  • Noisy remediation queues
  • Temporary spreadsheets becoming permanent workflows

A successful migration preserves continuity, prevents context drift, minimizes disruption, and leaves the program stronger than before.

What "Seamless Migration" Looks Like

  • No loss of institutional knowledge: Exceptions, tags, ownership, and prioritization logic carry forward
  • No operational downtime: Remediation continues while Tonic runs in parallel
  • No regression to severity-only prioritization: Fix lists stay actionable from day one
  • A clear upgrade path: From RBVM to agentic, business-aligned exposure management

The Tonic Playbook for Migrating from Kenna

Tonic's role in a Kenna migration is to capture that context, preserve what matters, and use it to drive faster remediation.

Step 1: Preserve what matters, not just what’s easy to export. We focus on preserving program stability by carrying over:

  • Asset identity and normalization
  • Ownership mapping aligned to real remediation behavior
  • Exceptions and risk acceptance, including rationale and expiration
  • Tags, groupings, and policy logic

This is the difference between migrating data and migrating the program.

Step 2: Run in parallel to de-risk the cutover. Tonic runs alongside Kenna to validate:

  • Coverage parity
  • Queue parity
  • Workflow parity across ServiceNow, Jira, and other systems

We provide clear delta views explaining differences in deduplication, asset matching, ownership, and policy logic, so teams gain clarity instead of surprises.

Step 3: Cut over without losing reporting and trends. We help you avoid resetting the scoreboard by preserving:

  • KPIs such as MTTR, SLA compliance, backlog aging, and recurrence
  • Views of critical applications and crown jewels
  • Audit trails for accepted risk and exceptions

So when leadership asks, “Are we improving?” you can answer with confidence.

A Simple Checklist for a Successful Kenna Migration

Before you move, make sure the answer is yes to all of the following:

  • Can we avoid resetting historical trends and reporting?
  • Can we run in parallel to validate queue parity?
  • Can we keep ServiceNow and Jira workflows stable?
  • Can we improve prioritization using real business context?
  • Can we turn prioritization into execution and automation?

If yes, you are not just replacing Kenna. You are upgrading to agentic exposure management.

Whether you are nearing end of sale or planning ahead for 2026, now is the time to modernize your exposure strategy.

Ready to move forward without disruption?

👉 Speak with a Tonic Security specialist and experience the next generation of exposure risk management.
