The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Action

For the first time, attackers are exploiting unpatched vulnerabilities more often than they’re stealing credentials. According to Verizon’s 2026 Data Breach Investigations Report, vulnerability exploitation now accounts for 31% of breaches, ahead of credential theft at 13%. And the gap is moving in the wrong direction for defenders: the median time to fully patch a vulnerability climbed to 43 days, up from 32 the year before, while organizations patched only 26% of the vulnerabilities on CISA’s Known Exploited Vulnerabilities list, down from 38% in 2024 (we broke down what’s driving this shift here).
Scanners aren’t the bottleneck here. Finding a vulnerability and actually fixing it have turned into two separate problems, and the second one is losing ground.
Two trend charts: median time to fully patch a vulnerability rose from 32 days in 2025 to 43 days in 2026, while the share of known exploited vulnerabilities actually patched fell from 38 percent in 2024 to 26 percent in 2026.
Detection was never the hard part
Greenbone’s OPENVAS has spent nearly two decades getting good at the first half: scanning a network, identifying what’s exposed, and scoring how dangerous it is. Elmar Geese, Greenbone’s CEO, likes to compare it to a swarm of robots checking every door and window in a house. They’re fast and thorough, and when they find a broken lock, they sound the alarm.
But an alarm only matters if someone acts on it. In most organizations, that’s where things stall. A scan result lands in a report, or an inbox, or a spreadsheet nobody opens until the next audit. Someone has to read it, work out what it actually means for their specific systems, decide who owns the fix, and turn that into a tracked piece of work with a deadline. That step requires security expertise that not every IT team has sitting around, and it’s exactly where things get lost: severity gets misjudged, tickets get duplicated or never created, ownership gets argued over after the fact instead of decided up front.
This is the part of vulnerability management that doesn’t show up in scanner marketing, but it’s where most of the real delay lives.
What the integration actually changes
KIX CEO Rico Barth puts it simply: the partnership closes the gap “between the detection and the resolution of vulnerabilities.” That gap is where a security finding used to need a translator. Now it doesn’t.
KIX, the open-source ITSM platform, and Greenbone have built a direct line between the two halves of the problem. When OPENVAS flags a vulnerability, it doesn’t generate a report and stop there. It opens a ticket in KIX automatically: classified as a security incident, tied to the specific device or software it affects, and sent to the team that owns that asset. The fix-it workflow, with deadlines, reminders, and escalations, starts the moment the vulnerability is confirmed, not whenever someone gets around to reading the scan output.
It also means an IT admin opening a ticket isn’t starting from zero. The asset, the affected system, who needs to be told, and how this fits into everything else currently open are all sitting right there. Nobody has to cross-reference three different tools to figure out what’s actually going on.
Flow diagram showing urgency decreasing as a vulnerability moves from detection, in red, to an automatically created ticket, in amber, to tracked resolution, in green.
The bonus nobody asked for: finding the stuff you didn’t know you had
There’s a side effect that turns out to matter almost as much as the ticketing itself. OPENVAS scans more than the systems IT already knows about. It finds the laptop a department bought without asking IT, or the server someone spun up two years ago and forgot about. That inventory now flows straight into KIX’s asset database.
Shadow IT is usually framed as a policy problem. In practice, it’s a visibility problem that gets worse as networks grow. Greenbone customers are routinely surprised by what shows up the first time their environment gets properly scanned. Folding that discovery into the same system that already handles tickets and ownership means an unknown device gets absorbed into the normal IT process right away, instead of sitting in its own blind spot.
Why this matters more given who’s actually doing the work
IT and security teams are stretched thin almost everywhere, and the manual interpretation step in vulnerability management has always assumed there’s enough specialized staff to do it well. That assumption is getting shakier every year. Take away the step where a human has to manually triage, classify, and route every finding, and smaller or generalist IT teams no longer need to borrow security expertise they didn’t have in-house just to keep up.
It also helps with something that eats more time than it should: proving you did the work. Documentation, deadlines, and resolution history land automatically in KIX, which makes audits against frameworks like NIS-2, ISO 27001, or BSI-Grundschutz considerably less painful, since the evidence trail already exists instead of getting reconstructed after the fact.
Try it where it counts
If your team is running OPENVAS and KIX separately today, or evaluating either one, this integration is worth a closer look specifically because it removes a step rather than adding one. Get in touch with us to see how the handoff from scan to fix works in your own environment, and what it would take to set up. And if you’re not scanning with OPENVAS yet, OPENVAS BASIC is a reasonable place to start before connecting the rest.
About KIX Service Software
KIX develops and markets the IT service management software of the same name, one of the leading open-source ITSM systems on the market. Founded in 2006, the company employs more than 50 people across Germany and serves over 400 customers across industries for IT service management and technical support. More at kixdesk.com.
About Greenbone
Greenbone develops OPENVAS, the most widely used open-source solution for vulnerability management, with more than 100,000 installations worldwide. Founded in 2008 and based in Osnabrück, Greenbone focuses on proactive IT security and data sovereignty through fully on-premises deployment. Greenbone is certified to ISO 9001, ISO 27001, and ISO 14001. More at greenbone.net.



