
Vulnerability Management

The continuous, systematic process of identifying, evaluating, prioritizing, and remediating security vulnerabilities across an organization's systems, applications, and infrastructure.

Understanding Vulnerability Management

Vulnerability management is the practice of continuously identifying security weaknesses in systems and software and remediating them before they can be exploited. It is an ongoing cycle rather than a one-time scan. Thousands of new vulnerabilities are disclosed each year, and organizations must systematically track and address those that affect their environment.

The process encompasses automated scanning, manual assessment, risk-based prioritization, remediation tracking, and validation. Not all vulnerabilities pose equal risk. Effective programs focus remediation efforts on vulnerabilities that are both exploitable and impactful in the specific context of the organization's environment.

Vulnerability management is a core requirement of every major compliance framework. SOC 2, HIPAA, PCI-DSS, and ISO 27001 all require organizations to have formal vulnerability management programs with defined remediation timelines.

The VM Lifecycle

Discovery: Maintain a complete inventory of all assets that need to be scanned
Scanning: Run automated vulnerability scans against all in-scope assets on a regular cadence
Assessment: Analyze scan results, eliminate false positives, and validate findings
Prioritization: Rank vulnerabilities by risk using CVSS scores, exploitability, and business context
Remediation: Patch, configure, or mitigate vulnerabilities within defined SLA windows
Verification: Rescan to confirm vulnerabilities have been successfully remediated
Reporting: Track metrics including remediation rates, SLA compliance, and risk trends

Remediation SLAs

Critical (CVSS 9.0-10.0)

Remediate within 14 days. Immediate mitigation if patch is not available.

High (CVSS 7.0-8.9)

Remediate within 30 days. Apply compensating controls if remediation is delayed.

Medium (CVSS 4.0-6.9)

Remediate within 90 days. Track and prioritize based on exploitability.

Low (CVSS 0.1-3.9)

Remediate within 180 days or accept risk with documented justification.
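The following is an added example, not code from this page or its authors: a small Python triage script that applies the Prioritization step of the lifecycle and the SLA bands above to constructed scan findings, computing due dates, SLA state, and the SLA-compliance metric used in the Reporting step. The priority weights for known exploitation and asset criticality, the report date, and the sample findings (placeholder identifiers, not real CVEs) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# SLA windows from the Remediation SLAs section: (lower, upper, days).
SLA_DAYS = {
    "Critical": (9.0, 10.0, 14),
    "High": (7.0, 8.9, 30),
    "Medium": (4.0, 6.9, 90),
    "Low": (0.1, 3.9, 180),
}

@dataclass
class Finding:
    asset: str
    cve: str                         # scanner-reported identifier (placeholders below)
    cvss: float
    discovered: date
    exploited_in_wild: bool = False  # from an assumed known-exploited feed
    asset_critical: bool = False     # business context for this asset

def severity(cvss: float) -> str:
    for name, (lo, hi, _) in SLA_DAYS.items():
        if lo <= cvss <= hi:
            return name
    raise ValueError(f"CVSS score out of range: {cvss}")

def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[severity(f.cvss)][2])

def priority(f: Finding) -> int:
    # CVSS first, then exploitability and business context (weights assumed).
    return round(f.cvss * 10) + (40 if f.exploited_in_wild else 0) + (20 if f.asset_critical else 0)

def triage(findings, today: date):
    """Findings ordered by priority, each with severity, due date and SLA state."""
    rows = []
    for f in sorted(findings, key=priority, reverse=True):
        due = due_date(f)
        rows.append({"cve": f.cve, "severity": severity(f.cvss), "due": due,
                     "overdue": today > due, "priority": priority(f)})
    return rows

def sla_compliance(findings, today: date) -> float:
    """Reporting metric: fraction of open findings still inside their SLA window."""
    rows = triage(findings, today)
    return sum(not r["overdue"] for r in rows) / len(rows) if rows else 1.0

TODAY = date(2024, 2, 1)  # constructed report date
SAMPLE = [  # constructed scan results; identifiers are placeholders
    Finding("web-01", "CVE-0000-0001", 9.8, date(2024, 1, 1), exploited_in_wild=True, asset_critical=True),
    Finding("build-07", "CVE-0000-0002", 7.5, date(2024, 1, 10)),
    Finding("kiosk-03", "CVE-0000-0003", 5.3, date(2024, 1, 5), exploited_in_wild=True),
    Finding("lab-09", "CVE-0000-0004", 2.1, date(2024, 1, 20)),
]
```

Note that the Medium finding with known exploitation ranks above the High finding without it, which is the effect of the "prioritize based on exploitability" guidance above.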

Need Vulnerability Management Oversight?

Our vCISOs establish and oversee vulnerability management programs.