53% of CNAPP detections are still open, and the number is growing.
Most organizations follow the same playbook after deploying a new security tool or CNAPP. Roll it out, expand coverage, and get visibility across cloud environments, pushing remediation to Phase 2.
The logic feels reasonable. See the full picture first, then start fixing. But the data tells a different story. The State of Cloud Remediation 2026 report analyzed 14.86 million detections across production cloud environments. The open share of findings grew from 41% in 2025 to 53% in 2026. Alerts are being created faster than they’re being resolved.
Every month a team waits to start remediating, the backlog grows faster than any team can clear it. And backlogs don’t age well.
Early remediation pays off when teams understand the data, the cost of delay, and the right place to start before exposure, backlog, and board pressure grow.
Why Remediation Keeps Getting Pushed Back
It usually starts with good intentions. A security team deploys a CNAPP and the first months are all about onboarding cloud accounts, integrating workloads, and tuning detection policies.
Remediation is on the roadmap, but it’s downstream. “We’ll get there once we have full visibility.”
This is the Phase 2 trap. Full visibility is a moving target in cloud environments where new workloads spin up, configurations drift, and your CNAPP keeps finding new problems while old ones sit unresolved. The backlog is already compounding, whether Phase 2 is ready or not.
We already know the open share has held at 40-50% for years, even as closure rates improved across most categories. Easy alerts get closed first. What remains concentrates on harder, more coordination-heavy work.
What Delay Actually Costs
The cost of waiting shows up in three places, each compounding the others.
The Exposure Window Keeps Growing
The gap between attacker speed and mean time to remediate (MTTR) is the core risk. The median time to exploit a known vulnerability is now under five days. Meanwhile, critical alerts sit open an average of 150 days before a fix ships. That number increased 17% year-over-year.
That’s a window measured in months where an attacker has a known path into your environment, and your team hasn’t closed it yet.
These aren’t exotic zero-days. Open source risk is moving deeper into the dependency chain, with more than 60% of cloud-native vulnerabilities now sitting in transitive libraries your teams may not even know they are using.
The Backlog Feeds Itself
Without root-cause fixes, the same problems regenerate. Our research found that the top eight misconfigurations this year are nearly identical to the 2025 list. They represent roughly 20% of all alerts. Teams are re-detecting the same issues year after year because the underlying configuration was never restructured.
And the heaviest category is getting heavier. Vulnerability Management MTTR increased 22% since last year, from 230 to 282 days. It’s the one remediation category that got slower.
The reason matters. Vulnerability Management depends on vendor patch windows, regression testing, and change approvals that security teams don’t control. Faster scanning doesn’t help when the bottleneck is downstream of detection. The only lever is sustained orchestration, and that requires a remediation workflow that runs from day one.
Critical Alert Volume Has Outpaced Human Capacity
Detection keeps getting better. That’s a good thing. But it means alert volume is accelerating, and the composition of that volume is shifting.
Critical-tagged alerts jumped from roughly 1.4% to 13% of all new alerts since last year. If your team’s operating model was built for a backlog where 1-2% of alerts carried a Critical tag, a 10X increase breaks that model. SLAs, escalation thresholds, on-call rotations, and developer handoff processes all need a reset.
That reset is harder when the backlog is already deep, and your team is already stretched thin.
Outcome Metrics Require Outcomes
Here’s where the cost of delay hits CISOs hardest: board reporting.
If remediation hasn’t started, the only metrics a CISO can bring to the boardroom are detection metrics. Alerts found, scans completed, and coverage percentage. Those are activity metrics. They describe effort, not actionable results.
And yet, boards have moved past activity reporting. PwC’s 2026 Global Digital Trust Insights survey found that only 50% of executives say they are measuring the financial impact of cyber risks to a significant or large extent. The other half are walking into board conversations without the language leadership actually cares about.
The questions boards ask now:
- How much exposure did we reduce this quarter?
- How fast are we resolving critical issues?
- Are the same problems coming back?
- Are our highest-value assets covered?
Those questions can only be answered with remediation data. And that data only exists if remediation is running.
Our research makes this point concrete: the board-relevant metric shouldn’t be “alerts closed this quarter.” It’s open alerts on Crown Jewel assets by age range. Our report found that 6.3% of open alerts touch a Crown Jewel asset. That’s the number a board cares about. But you can only report it if you’re actively tracking, triaging, and remediating against asset criticality.
Early remediation gives CISOs the data to have a business conversation instead of a technical briefing. Without it, every board meeting defaults to “we found more problems” with no clear answer for what the team did about them.
You Don’t Need to See Everything to Start Fixing
The most common objection to starting remediation early: “We need full visibility first.”
The counter is straightforward. You don’t need to see every finding across every cloud account to start fixing the findings you already have. The detections from month one are real. They represent real risk in real production environments. Waiting for a completeness threshold that keeps moving means known risks sit open while the team chases coverage.
The right model is to remediate in parallel with expanding detection coverage. Start closing findings from the accounts and workloads already onboarded while the CNAPP team continues rollout. Treat detection and remediation as parallel workstreams, not sequential phases.
The second objection is about trust. “We tried automation before and it broke things.” This one is fair. Failed patches and misconfigured automation have created a lasting fear of pushing changes to production systems. That fear adds weeks to every remediation cycle.
The answer is automation with built-in safety controls, so remediation moves faster without creating new risk. This includes human validation for high-risk changes, confidence scoring before execution, and full audit trails so every action is traceable. Speed without safety isn’t a solution. But neither is safety without speed.
Build the Remediation Engine Before the Backlog Wins
The data points in one direction. Detection keeps scaling, alert volume keeps growing, critical findings keep increasing as a share of the total, and every month without a remediation engine in place makes the eventual start harder.
This is the problem Tamnoon was built to solve. Tamnoon ingests findings from whatever CNAPP coverage is live today and collapses them into prioritized initiatives based on asset criticality. Tami, Tamnoon’s AI remediation agent, investigates each finding and generates root-cause fixes, the kind that prevent the same eight misconfigurations from regenerating year after year. Every action is scored by the Remediation Confidence Indicator and validated by CloudPros, Tamnoon’s human cloud security experts, before anything touches production.
Related Content: How Agentic Cloud Remediation Actually Works in 5 Stages
For CISOs, this means having a board conversation that sounds different, one where you can show exposure is trending down, MTTR shrinking, and Crown Jewel coverage is quantified and improving. That’s the difference between reporting activity and reporting outcomes.
Tamnoon finishes what CNAPPs start. Book a demo today to see what your backlog looks like after the first 90 days.