Cisco Just Sunset Kenna. Now What?

What Just Happened?

As we’ve all seen, Cisco’s security portfolio has been evolving for years. Originally acquired as a standalone risk-based vulnerability management (RBVM) platform, Kenna brought threat intelligence, predictive scoring, and a model of prioritization that challenged the old CVSS-only approach. 

But at a time when the industry is moving from vulnerability management to continuous exposure management, RBVM alone is not enough to truly reduce risk.

Here’s the timeline outlined by Cisco:

• End of Sale: March 10, 2026 — last day you can buy new licenses.
• End of Service Contract Renewal: June 11, 2026 — last day to extend support. 
• Last Date of Support: June 30, 2028 — all subscription and support services for the product are unavailable, and the product becomes obsolete.

If you’ve already invested in Kenna, you’ve got time, but the clock is ticking…..  

Why This Matters

Kenna wasn’t just another traditional vulnerability scanner. It helped shift the conversation around vulnerability management by delivering risk-based prioritization.

That mattered because:

• Traditional vulnerability scanners report hundreds to thousands of findings per scan 
• Risk includes more than technical severity
• It enabled more strategic security planning

Many organizations now face a pressing question: What replaces a risk-based vulnerability management tool?

The answer: An Exposure Assessment Platform (EAP)

The Bigger Picture

For many security leaders, this isn’t just a licensing issue — it’s shifting the strategic direction of their security programs.

One industry analysis noted that the end of sale and end of life is an opportunity to rethink how teams approach proactive security. That includes evaluating modern approaches like exposure management — which goes beyond scanning to correlate risk across assets, identities, misconfigurations, and threats.  

Enterprises that made significant investments in Kenna workflows, analytics, and reporting engines now need to:

• Evaluate their overall risk reduction strategies
• Reassess new vendor roadmaps 
• Determine a migration plan
• Evaluate how to port existing vulnerability and prioritization data to something new

So… What Does This Mean?

Kenna helped security teams to think about vulnerabilities in a new way. The bigger question now is: What replaces Kenna?

Just as Cisco evolved with the acquisition of Kenna, the industry has evolved from vulnerability management (which now includes RBVM) to taking a broader holistic approach to exposure management. 

Security teams need comprehensive insight into their environments—all of their assets, vulnerabilities, misconfigurations, and identities, and importantly, the relationships between them. Having this knowledge, along with threat and exploit intelligence, enables them to prioritize the risks based on their business operations.

The Sevco Exposure Assessment Platform is purpose-built to drive continuous exposure management. Sevco can replace Kenna—and more.

Sevco provides:

• Comprehensive Asset Inventory and Intelligence – A real-time, accurate inventory of every user, device, application, and cloud asset
• Unified Exposure Management – One view for CVEs, cloud exposures, misconfigurations, and security control gaps—no more tool hopping
• Correlated Threat & Exploit Intelligence – Exposures mapped to real-world threats, attack paths, and known exploits
• Best-in-Class Prioritization – Real analysis that factors in attack surface context, business criticality, and operational impact
• Data That Drives Action – Delivering the insights needed to mobilize teams and measurably reduce real risk

If you’re a Kenna customer and want to uplevel your vulnerability management, contact us today.