What is Vulnerability Management?

Last updated March 2026

Vulnerability management is the continuous process of identifying, evaluating, prioritizing, and remediating security vulnerabilities across an organization’s systems, applications, and infrastructure. It is not a single scan or a quarterly report. It is an ongoing operational discipline that tracks every known weakness from the moment of discovery through remediation and verification. Done well, vulnerability management transforms a chaotic flood of scanner output into a focused, risk-driven program that measurably reduces the likelihood of a breach.

Every organization has vulnerabilities. That is not the problem. The problem is not knowing which ones matter, not fixing them fast enough, and not verifying that fixes actually worked. Vulnerability management exists to solve all three.

The Vulnerability Management Lifecycle

Effective vulnerability management is not a linear checklist. It is a cycle that repeats continuously, with each iteration refining the organization’s understanding of its risk posture. The lifecycle has five core phases.

1. Discover

You cannot manage what you cannot see. The discovery phase identifies vulnerabilities across the entire environment using a combination of automated scanning, agent-based assessment, and manual analysis.

Automated vulnerability scanning is the foundation. Tools like Nessus, Qualys, Rapid7 InsightVM, and Tenable.sc scan networks, endpoints, applications, and cloud infrastructure for known vulnerabilities by comparing observed software versions and configurations against databases of published CVEs and known weaknesses.

Scanning comes in two flavors:

  • Unauthenticated (external) scans assess what an attacker would see from outside the network. These catch exposed services, missing patches on internet-facing systems, and misconfigured public assets.
  • Authenticated (credentialed) scans log into systems and inspect installed software, configuration settings, and security policies from the inside. These produce dramatically more accurate results because they see the full picture rather than guessing based on banner information.

But scanning alone is not enough. Discovery also means ensuring you know what assets exist in the first place. If a server is not in your scan scope, its vulnerabilities are invisible. This is where attack surface management becomes essential, feeding newly discovered assets into vulnerability management workflows so nothing falls through the cracks.

2. Assess

Raw scan output is data, not insight. The assessment phase evaluates each discovered vulnerability to determine what it actually means in context.

Every vulnerability receives a severity classification. The industry standard is the Common Vulnerability Scoring System (CVSS), which assigns a score from 0.0 to 10.0 based on factors like attack vector, complexity, required privileges, and potential impact. But as we will discuss later, CVSS alone is a poor basis for remediation decisions.

Assessment also involves validation. Not every scanner finding is real. False positives, where the scanner flags a vulnerability that does not actually exist, waste remediation effort and erode team trust. Experienced analysts review findings, correlate results across multiple tools, and confirm that reported vulnerabilities are genuine before passing them downstream.

For critical findings, penetration testing provides the deepest form of assessment. A human tester can determine not just whether a vulnerability exists, but whether it is exploitable in the specific context of your environment, what an attacker could achieve by exploiting it, and how it chains with other weaknesses.

3. Prioritize

This is where most vulnerability management programs succeed or fail. A typical enterprise scan produces thousands of findings. Remediating all of them simultaneously is impossible. Prioritization determines which vulnerabilities get attention first, and getting it wrong means burning remediation cycles on low-risk issues while critical exposures remain open.

Effective prioritization requires more than sorting by CVSS score. It requires understanding:

  • Is this vulnerability being actively exploited in the wild? A CVSS 7.5 vulnerability with a known exploit kit targeting your industry is more urgent than a CVSS 9.8 that exists only as a theoretical proof of concept.
  • What asset is affected? The same vulnerability on a development server and on a production payment processing system carries vastly different risk profiles.
  • What compensating controls exist? A vulnerable service behind a properly configured WAF and network segmentation is lower priority than the same service directly exposed to the internet.
  • What is the blast radius? A compromised domain controller affects the entire environment. A compromised print server does not.

We will go deeper on prioritization below, because it deserves its own section.

4. Remediate

Remediation is the act of eliminating or reducing the risk associated with a vulnerability. It takes several forms:

  • Patching is the most common remediation method. Apply the vendor-supplied update that fixes the underlying flaw. This is straightforward in theory, but operationally complex when dealing with thousands of systems, legacy applications, and patching windows that conflict with business operations.
  • Configuration changes address vulnerabilities caused by insecure settings rather than software bugs. Disabling unnecessary services, enforcing strong cipher suites, removing default credentials, and tightening access controls all fall here.
  • Compensating controls reduce risk when direct remediation is not immediately possible. A WAF rule that blocks exploitation of a web application vulnerability buys time until the code can be patched. Network segmentation limits the blast radius. These are temporary measures, not permanent solutions.
  • Acceptance is the deliberate decision to leave a vulnerability unpatched because the risk is low enough, the system is scheduled for decommission, or the cost of remediation exceeds the risk. Acceptance must be documented, time-bound, reviewed by a risk owner, and never used as an excuse to avoid work.

Remediation is also where cross-team coordination matters most. Security teams identify the problems. IT operations, DevOps, application developers, and system administrators fix them. Without clear handoffs, SLA expectations, and escalation paths, findings sit in ticketing queues indefinitely.

5. Verify

Remediation without verification is hope, not security. The verification phase confirms that fixes were applied correctly, that the vulnerability is no longer exploitable, and that the remediation did not introduce new issues.

Verification methods include:

  • Rescanning the affected systems to confirm the vulnerability no longer appears
  • Targeted retesting by penetration testers for high-severity findings
  • Configuration audits to verify that settings changes were applied as intended
  • Regression testing to ensure patches did not break application functionality

After verification, the cycle returns to discovery. New vulnerabilities are published daily. Infrastructure changes constantly. The process never stops.

Why Vulnerability Management Matters

The business case for vulnerability management rests on two realities. First, vulnerabilities are the primary mechanism through which breaches occur. Second, the volume of published vulnerabilities is growing faster than any organization’s ability to patch them all.

The Numbers

The National Vulnerability Database (NVD) published over 28,000 new CVEs in 2023, and the pace continues to accelerate year over year. No organization can patch everything. The question is not whether you will have unpatched vulnerabilities. You will. The question is whether the ones you leave unpatched are the ones that will get you breached.

Meanwhile, the cost of getting it wrong keeps climbing. IBM’s Cost of a Data Breach Report puts the global average at $4.88 million. Organizations with mature vulnerability management programs that identify and remediate critical vulnerabilities quickly spend significantly less on breach response than those that discover weaknesses only after exploitation.

Regulatory and Compliance Drivers

Virtually every major compliance framework requires some form of vulnerability management:

  • PCI DSS (Requirements 6 and 11): Quarterly external scans by an ASV, internal scanning, and a formal vulnerability management program
  • HIPAA: Risk analysis that includes vulnerability identification and mitigation
  • SOC 2: Vulnerability management as part of the Common Criteria for security
  • NIST CSF: Vulnerability management across the Identify and Protect functions
  • ISO 27001: Annex A.12.6 specifically addresses technical vulnerability management
  • FedRAMP: Continuous monitoring including regular vulnerability scanning
  • CIS Controls: Control 7 is dedicated entirely to continuous vulnerability management

Compliance is not security, but a failed audit is a business problem. Vulnerability management satisfies both requirements simultaneously.

Operational Efficiency

Without a structured program, security teams spend disproportionate time firefighting. Every vulnerability becomes urgent because there is no framework to determine which ones actually are. Analysts waste cycles chasing false positives. Remediation requests lack context, so IT operations push back or deprioritize them. Reporting is manual and inconsistent.

A mature vulnerability management program replaces this chaos with a repeatable, measurable process. Teams know what to fix, in what order, by when, and how to verify success.

Vulnerability Management vs. Vulnerability Assessment

These terms are frequently used interchangeably. They should not be.

| Dimension | Vulnerability Assessment | Vulnerability Management |
| --- | --- | --- |
| Scope | Point-in-time identification of vulnerabilities | Ongoing lifecycle from discovery through verified remediation |
| Duration | Hours to weeks (a project) | Continuous (an operational program) |
| Output | A report listing discovered vulnerabilities | Tracked, prioritized, remediated, and verified findings with trend data |
| Remediation | Recommendations provided but not tracked | Remediation assigned, SLAs enforced, verification required |
| Measurement | Snapshot of current state | Trends over time: mean time to remediate, SLA compliance, risk reduction |
| Ownership | Often outsourced as a one-time engagement | Owned internally with supporting tools and processes |

A vulnerability assessment answers the question “what vulnerabilities exist right now?” Vulnerability management answers “what are we doing about them, how fast, and is it working?”

Assessment is a necessary activity within the management lifecycle. It is not a replacement for it. Organizations that perform assessments without building a management program around them generate reports that gather dust while vulnerabilities remain open.

Common Challenges

Alert Fatigue

Enterprise vulnerability scanners routinely produce tens of thousands of findings. When everything is flagged, nothing feels urgent. Security teams become desensitized to scanner output, and critical vulnerabilities get lost in the noise. The solution is not fewer scans. It is better prioritization, which we cover in the next section.

False Positives

Scanners are imperfect. They flag vulnerabilities based on version detection, banner grabbing, and heuristic analysis, and they get it wrong regularly. A scanner might report a vulnerability because it detected an affected software version without recognizing that the specific vulnerable component is disabled or patched through a backport. Each false positive wastes investigation and remediation time, and enough of them cause teams to stop trusting scanner results entirely.

Reducing false positives requires credentialed scanning (which produces more accurate results than unauthenticated probes), tuning scanner policies to reduce noise, and validating critical findings through manual analysis or security validation testing.

Prioritization Paralysis

When your scanner tells you that 15,000 vulnerabilities are “critical” or “high,” where do you start? CVSS scores alone do not answer this question. Organizations without a risk-based prioritization framework either try to fix everything (impossible), fix nothing (dangerous), or fix whatever is easiest (ineffective). Breaking through prioritization paralysis requires the contextual approach described below.

Patching Windows and Business Constraints

Remediation often requires system restarts, application downtime, or change windows that conflict with business operations. Production databases cannot be patched during peak hours. Legacy systems may not have vendor-supported patches at all. Healthcare devices often cannot be taken offline. These constraints are real, and any vulnerability management program that ignores them will fail to gain operational buy-in.

Effective programs account for business constraints by building flexible remediation timelines, establishing compensating controls for systems that cannot be immediately patched, and working with business stakeholders to create regular, predictable maintenance windows.

Incomplete Asset Visibility

You cannot scan what you do not know exists. Shadow IT, cloud instances spun up outside standard provisioning processes, forgotten development environments, and acquired infrastructure all create blind spots. Attack surface management and external attack surface management address this gap by continuously discovering assets from an outside-in perspective and feeding them into vulnerability management scope.

Cross-Team Friction

Security teams find the vulnerabilities. IT operations, DevOps, and application teams fix them. This handoff is a persistent source of friction. Remediation requests arrive without business context. Patching competes with feature development for engineering time. System administrators push back on scan-driven tickets because they lack enough detail to act.

Resolving this requires clear SLAs, remediation ownership models, integration between vulnerability management platforms and ticketing systems, and regular operational meetings where security and IT operations align on priorities.

Prioritization: Beyond CVSS Scores

CVSS was designed to describe the technical characteristics of a vulnerability. It was never designed to tell you which vulnerability to fix first. A CVSS 9.8 on an isolated test server behind three layers of network segmentation is less urgent than a CVSS 7.0 on an internet-facing web application that handles customer financial data and has a known exploit circulating in the wild.

Risk-based vulnerability management (RBVM) addresses this by layering additional context onto raw severity scores.

Exploitability

Is there a working exploit? Is it publicly available? Is it being used in active attack campaigns? The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) catalog that tracks CVEs with confirmed active exploitation. Vulnerabilities on the KEV list deserve immediate attention regardless of their CVSS score. Exploit prediction models like EPSS (Exploit Prediction Scoring System) provide probability-based assessments of which vulnerabilities are likely to be exploited in the near term.

Asset Criticality

Not all systems are created equal. A vulnerability on a server that processes payment transactions, stores customer PII, or controls industrial equipment carries fundamentally different risk than the same vulnerability on a printer in a conference room. Asset criticality classification must account for the data processed, the business function served, the regulatory requirements that apply, and the downstream impact if the system is compromised.

Network Exposure

Is the vulnerable asset reachable from the internet? Is it in a DMZ? Behind a VPN? On an isolated network segment? Exposure determines how easily an attacker can reach the vulnerability. An exploitable flaw on an internet-facing asset is qualitatively different from the same flaw on an internal system that requires VPN access and additional authentication.

Threat Intelligence

What threat actors are targeting your industry? What TTPs are they using? Vulnerability prioritization improves significantly when informed by threat intelligence that maps active campaigns to the specific CVEs and attack techniques relevant to your environment. A vulnerability that aligns with an active campaign targeting your sector should jump the queue.

Compensating Controls

Effective prioritization also accounts for existing defenses. A vulnerable web application protected by a WAF with specific virtual patching rules, monitored by EDR, and segmented from sensitive backend systems carries lower effective risk than the same application without those controls. This does not mean the vulnerability should be ignored. It means it can reasonably be scheduled for the next maintenance window rather than treated as an emergency.

Putting It Together

The most effective prioritization frameworks combine these factors into a composite risk score that reflects actual organizational risk rather than abstract technical severity. The result is a dramatically smaller set of truly urgent vulnerabilities. Research consistently shows that only 2% to 5% of published vulnerabilities are ever exploited in the wild. A risk-based approach focuses remediation effort on that critical minority.
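The following is an added illustration, not code from the original article or from Praetorian, of how the factors above (KEV listing, EPSS, network exposure, asset criticality, compensating controls) can be layered onto a CVSS base score to produce a composite risk score. The weights, thresholds, and the three sample findings are constructed assumptions chosen to reproduce the article's scenario: an isolated CVSS 9.8 test server ranks below an internet-facing CVSS 7.0 application with active exploitation.

```python
from dataclasses import dataclass

# Assumed weights: how much of the technical severity "survives" each context factor.
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "vpn": 0.5, "isolated": 0.2}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


@dataclass
class Finding:
    cve: str                 # identifier as reported by the scanner (constructed placeholders below)
    asset: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    epss: float              # EPSS probability of exploitation in the near term, 0.0 to 1.0
    in_kev: bool             # listed in the CISA Known Exploited Vulnerabilities catalog
    exposure: str            # key into EXPOSURE_WEIGHT
    criticality: str         # key into CRITICALITY_WEIGHT (from CMDB / asset classification)
    controls: int            # count of effective compensating controls (WAF rule, EDR, segmentation)


def exploitability_factor(f: Finding) -> float:
    """Confirmed exploitation (KEV) is treated as certain; otherwise scale by EPSS with a floor."""
    if f.in_kev:
        return 1.0
    return 0.3 + 0.7 * f.epss  # floor of 0.3 so a low EPSS never zeroes out a finding


def control_factor(f: Finding) -> float:
    """Each compensating control lowers effective risk, but never below 40% of the base."""
    return max(0.4, 1.0 - 0.2 * f.controls)


def composite_risk(f: Finding) -> float:
    """Composite score on a 0-100 scale: CVSS base times the contextual factors."""
    score = (f.cvss / 10.0
             * exploitability_factor(f)
             * EXPOSURE_WEIGHT[f.exposure]
             * CRITICALITY_WEIGHT[f.criticality]
             * control_factor(f))
    return round(score * 100, 1)


def tier(f: Finding) -> str:
    """Assumed remediation tiers: KEV entries are always emergencies regardless of CVSS."""
    if f.in_kev or composite_risk(f) >= 50:
        return "emergency"
    if composite_risk(f) >= 10:
        return "next maintenance window"
    return "backlog"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Risk-based order: KEV first, then descending composite score."""
    return sorted(findings, key=lambda f: (f.in_kev, composite_risk(f)), reverse=True)


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering the article warns against, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings mirroring the article's scenario.
SAMPLE = [
    Finding("CVE-0000-0001", "test-server-07", 9.8, 0.01, False, "isolated", "low", 3),
    Finding("CVE-0000-0002", "web-portal", 9.8, 0.05, False, "internet", "high", 1),
    Finding("CVE-0000-0003", "payments-api", 7.0, 0.90, True, "internet", "critical", 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.asset:15} {f.cve} CVSS {f.cvss:4} -> risk {composite_risk(f):5} ({tier(f)})")
```

Run it to see the CVSS-only order and the risk-based order disagree on every position; the point is not the specific weights but that the composite score, not the base severity, decides what is worked first.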

Tools and Technologies

Vulnerability Scanners

Scanners are the workhorses of any vulnerability management program. They fall into several categories:

  • Network vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM, Tenable.sc) scan infrastructure for known vulnerabilities, misconfigurations, and compliance deviations
  • Web application scanners (Burp Suite, OWASP ZAP, Acunetix) test web applications for injection flaws, authentication weaknesses, and OWASP Top 10 vulnerabilities
  • Cloud security posture management (CSPM) tools (Wiz, Orca, Prisma Cloud) scan cloud environments for misconfigurations, overprivileged IAM roles, and exposed resources
  • Container and image scanners (Trivy, Snyk Container, Anchore) inspect container images for known vulnerabilities in base images and dependencies
  • Software composition analysis (SCA) tools (Snyk, Dependabot, Black Duck) identify vulnerable open-source dependencies in application code

No single scanner covers everything. Mature programs combine multiple tools to achieve comprehensive coverage across infrastructure, applications, cloud, and code.

Vulnerability Management Platforms

Platforms like Tenable.one, Qualys VMDR, Rapid7 InsightConnect, and ServiceNow VR aggregate findings from multiple scanners, deduplicate results, apply risk-based prioritization, track remediation workflows, and generate reporting. They serve as the operational hub of the program.

Integration Points

Vulnerability management does not exist in isolation. Effective programs integrate with:

  • Ticketing systems (Jira, ServiceNow) for remediation tracking and assignment
  • SIEM platforms (Splunk, Sentinel, Chronicle) for correlation with security events
  • CMDB/asset management for asset criticality context
  • Threat intelligence platforms for exploitation data and campaign context
  • CI/CD pipelines for shifting vulnerability detection left into development workflows
  • Attack surface management platforms for continuous asset discovery feeding scan scope

Offensive Validation

Scanners find potential vulnerabilities. Offensive testing proves which ones are actually exploitable. Penetration testing provides human-led validation of critical findings. Breach and attack simulation platforms automate continuous validation of specific attack paths and control effectiveness. Both serve as force multipliers for vulnerability management by converting theoretical risk into demonstrated impact.

How Vulnerability Management Fits Into CTEM

Gartner introduced the Continuous Threat Exposure Management (CTEM) framework as a response to the limitations of traditional vulnerability management. CTEM does not replace vulnerability management. It extends it.

CTEM’s five phases map to vulnerability management as follows:

Scoping

CTEM begins by defining what matters to the business, not just what assets exist. This phase identifies the business-critical processes, data, and systems that the program should protect, and it explicitly includes non-traditional exposure categories like SaaS configurations, identity infrastructure, and code repositories. Traditional vulnerability management often starts with an asset list. CTEM starts with business impact.

Discovery

This is where vulnerability management lives most naturally. Discovery in the CTEM context encompasses vulnerability scanning, attack surface management, and external attack surface management to build a comprehensive picture of what is exposed and where the weaknesses are.

Prioritization

CTEM prioritization goes beyond CVSS and even beyond RBVM. It considers attacker feasibility, business impact, existing controls, and threat intelligence holistically. The goal is to reduce the thousands of raw findings to the dozens that require immediate action.

Validation

This is where CTEM diverges most sharply from traditional vulnerability management. Validation means proving that an exposure is actually exploitable and that existing controls either catch or miss the attack. Penetration testing, red teaming, and breach and attack simulation all contribute to validation. Traditional vulnerability management often skips this step entirely, treating scanner output as ground truth.

Mobilization

The final phase focuses on driving actual remediation across the organization. Mobilization acknowledges that identifying vulnerabilities is the easy part. Getting cross-functional teams to fix them within acceptable timeframes is the hard part. CTEM emphasizes automated workflows, clear ownership, and measurable remediation SLAs.

Organizations with mature vulnerability management programs already have the discovery and prioritization foundations that CTEM requires. Adding validation and mobilization capabilities transforms a good vulnerability management program into a comprehensive exposure management strategy.

How Praetorian Approaches Vulnerability Management

Vulnerability management as a standalone program leaves gaps. Scanners find CVEs. But who validates which ones are actually exploitable? Who discovers the assets your scanner does not know about? Who tests whether your patches actually hold?

Praetorian Guard unifies vulnerability management with attack surface management, breach and attack simulation, continuous penetration testing, cyber threat intelligence, and attack path mapping into a single managed service. Vulnerabilities are not just identified and scored. They are validated through real-world attack techniques by Praetorian’s elite offensive security engineers.

Every finding is human-verified before it reaches your team. No false positives. No noise. Just exploitable risks prioritized by actual business impact, with hands-on remediation guidance and re-testing to confirm fixes work. The result is a vulnerability management program that does not just generate reports. It actually reduces risk.

Frequently Asked Questions