Vulnerability Management

What Is Vulnerability Management

Vulnerability management is the process of continuously identifying, assessing, and remediating security weaknesses in systems and software. Unlike a one-off vulnerability scan, it runs as a continuous cycle from discovery through remediation and re-verification.

The vulnerability management lifecycle consists of six stages: asset inventory → vulnerability scanning → risk assessment → prioritization → remediation (patching and configuration changes) → re-verification. Running this cycle regularly significantly reduces the risk of attackers exploiting known vulnerabilities; zero-day attacks, which by definition involve vulnerabilities not yet publicly known, fall outside what the cycle can prevent.

Risk Assessment and Prioritization with CVSS

The industry standard for quantitatively assessing vulnerability severity is CVSS (Common Vulnerability Scoring System). CVSS v4.0 quantifies factors such as attack complexity, required privileges, and impact scope to produce a score from 0.0 to 10.0.

However, relying solely on CVSS scores to determine remediation priority is risky. In practice, the following factors should be considered holistically:

  • Exploitability: Whether proof-of-concept (PoC) exploit code has been publicly released. Vulnerabilities listed in CISA's KEV (Known Exploited Vulnerabilities) catalog should be addressed with the highest priority
  • Asset Criticality: Systems handling customer data and internal tools have different urgency levels even with the same CVSS score
  • Reachability: Whether the service is internet-facing or behind a firewall changes the practical risk
  • Compensating Controls: Whether attacks can be temporarily blocked by a WAF or IPS
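As an added example (not from the original article), the Python snippet below turns the factors above into a triage order: a KEV listing or a public PoC against an internet-facing asset overrides the score entirely, and the remaining findings receive illustrative context adjustments. The identifiers, weights and the P2/P3 SLA values are assumptions, not a standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding plus the context the article says CVSS alone omits."""
    fid: str                    # placeholder identifier (constructed, not a real CVE)
    cvss: float                 # CVSS base score, 0.0 to 10.0
    in_kev: bool                # listed in CISA's KEV catalog
    poc_public: bool            # public proof-of-concept code exists
    internet_facing: bool       # reachable from the internet
    asset_tier: int             # 1 = handles customer data, 2 = business app, 3 = internal tool
    compensating_control: bool  # a WAF/IPS rule already blocks the attack path

def priority(f: Finding) -> str:
    """Map a finding to P0..P3; P0 and P1 correspond to the article's Critical/High SLAs."""
    # Known exploitation (KEV) or a public PoC against an exposed asset outranks the base score.
    if f.in_kev or (f.poc_public and f.internet_facing):
        return "P0"
    # Illustrative adjustments (assumed weights): exposure and data sensitivity raise
    # effective risk; a verified compensating control lowers it.
    score = f.cvss
    if f.internet_facing:
        score += 1.0
    if f.asset_tier == 1:
        score += 1.0
    if f.compensating_control:
        score -= 2.0
    score = max(0.0, min(10.0, score))
    if score >= 9.0:
        return "P0"
    if score >= 7.0:
        return "P1"
    return "P2" if score >= 4.0 else "P3"

# Remediation SLAs in hours: P0/P1 follow the article (48 h / 7 days); P2/P3 are assumptions.
SLA_HOURS = {"P0": 48, "P1": 7 * 24, "P2": 30 * 24, "P3": 90 * 24}

def triage(findings):
    """Return (id, priority, SLA hours) ordered by priority, then by base score."""
    rank = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}
    ordered = sorted(findings, key=lambda f: (rank[priority(f)], -f.cvss))
    return [(f.fid, priority(f), SLA_HOURS[priority(f)]) for f in ordered]

# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", 6.5, True, True, True, 2, False),    # moderate score, but in KEV
    Finding("EXAMPLE-0002", 9.8, False, False, False, 3, True),  # critical score, internal, WAF-shielded
    Finding("EXAMPLE-0003", 7.5, False, False, True, 1, False),  # high score, exposed customer-data system
    Finding("EXAMPLE-0004", 5.3, False, False, False, 3, False), # medium score, internal tool
]
```

Note how the 9.8 finding behind a compensating control lands below the 6.5 finding that is in KEV; that inversion is the point of not triaging on CVSS alone.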

Types and Operations of Vulnerability Scanning

Vulnerability scanning has multiple approaches, each with different detection coverage.

  • Network Scanning: Performs port scanning and service detection from external or internal perspectives and matches against known vulnerabilities. Representative tools include Nessus, Qualys, and OpenVAS
  • Agent-Based Scanning: Deploys agents on each server to accurately identify OS packages and middleware versions from the inside. Can also discover configuration issues that network scanning cannot detect
  • SCA (Software Composition Analysis): Detects vulnerabilities in open-source libraries that applications depend on. Tools include npm audit, Snyk, and Trivy
  • DAST (Dynamic Application Security Testing): Sends simulated attack requests to running web applications, detecting vulnerabilities in a manner similar to penetration testing

In practice, these are combined to ensure comprehensive coverage. Running weekly agent scans, monthly network scans, and SCA in CI/CD pipelines in parallel is common.

Improving Vulnerability Management Maturity

To prevent vulnerability management from becoming a formality and continuously improve your organization's security level, the following metrics and mechanisms are important.

  • MTTR (Mean Time to Remediate): Average time from vulnerability discovery to remediation completion. Define SLAs such as within 48 hours for Critical and within 7 days for High, and track them
  • Coverage Rate: The percentage of managed assets that have been scanned. Aim for 100%, but always suspect the existence of shadow IT
  • Recurrence Rate: The percentage of previously remediated vulnerabilities that are detected again. A high rate indicates problems with patch management processes or image management
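Added example, not part of the original article: computing the three metrics above from a constructed set of findings, including SLA breaches and the two coverage gaps worth chasing (inventoried assets never scanned, and scanned hosts nobody inventoried). Host names and vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
@dataclass
class Record:
    asset: str
    vuln_id: str                        # placeholder ids (constructed), not real CVEs
    severity: str
    found: datetime                     # when the scanner first reported it
    fixed: Optional[datetime] = None    # None = still open

SLA_HOURS = {"Critical": 48, "High": 7 * 24}   # the article's SLAs
def age_hours(r: Record, now: Optional[datetime] = None) -> float:
    """Hours from discovery to fix, or to `now` if the finding is still open."""
    return ((r.fixed or now) - r.found).total_seconds() / 3600

def mttr_hours(records, severity):
    """Mean time to remediate, over fixed findings of one severity."""
    fixed = [age_hours(r) for r in records if r.severity == severity and r.fixed]
    return sum(fixed) / len(fixed) if fixed else None

def sla_breaches(records, now):
    """IDs whose fix time (or current open age) exceeds the severity SLA."""
    return [r.vuln_id for r in records if age_hours(r, now) > SLA_HOURS[r.severity]]

def coverage(inventory, scanned):
    """Coverage % plus both gaps: inventoried-but-unscanned, and scanned-but-uninventoried (shadow IT)."""
    return 100.0 * len(inventory & scanned) / len(inventory), inventory - scanned, scanned - inventory

def recurrence_rate(records):
    """Share of remediated (asset, vuln) pairs that were reported again after a fix."""
    first_fix, refound = {}, set()
    for r in sorted(records, key=lambda r: r.found):
        key = (r.asset, r.vuln_id)
        if key in first_fix and r.found > first_fix[key]:
            refound.add(key)
        if r.fixed and key not in first_fix:
            first_fix[key] = r.fixed
    return 100.0 * len(refound) / len(first_fix) if first_fix else 0.0

T = datetime.fromisoformat
SAMPLE_RECORDS = [   # constructed sample data
    Record("web-01", "EX-0001", "Critical", T("2024-03-01T09:00"), T("2024-03-02T09:00")),
    Record("web-02", "EX-0002", "Critical", T("2024-03-01T09:00"), T("2024-03-04T09:00")),
    Record("db-01",  "EX-0003", "High",     T("2024-03-03T09:00"), T("2024-03-06T09:00")),
    Record("web-01", "EX-0001", "Critical", T("2024-03-10T09:00"), T("2024-03-10T21:00")),  # re-detected after fix
    Record("app-01", "EX-0004", "High",     T("2024-03-12T09:00")),                          # still open
]
NOW = T("2024-03-20T09:00")
INVENTORY = {"web-01", "web-02", "db-01", "app-01", "mail-01"}
SCANNED = {r.asset for r in SAMPLE_RECORDS} | {"legacy-ftp"}   # scanner saw a host nobody inventoried
```

The open High finding counts as a breach because its age is measured against NOW, so tracking only closed tickets would understate the backlog.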

By integrating with SIEM to cross-reference vulnerability information with threat intelligence, you can immediately identify vulnerabilities that are actively under attack. Building a coordination structure with CSIRT and pre-defining escalation paths for when critical vulnerabilities are discovered is also essential.

To learn more about this topic, see Supply Chain Attacks: The New Threat Exploiting Trust.

Common Misconceptions

Running vulnerability scans regularly means vulnerability management is in place

Scanning is just one step in vulnerability management. It can only be called vulnerability management when you operate a continuous process that includes prioritizing discovered vulnerabilities, remediating them, and re-verifying. Leaving scan results unaddressed changes nothing about the risk.

Only addressing Critical CVSS-scored vulnerabilities is sufficient

Even vulnerabilities with moderate CVSS scores can be immediately exploited if attack code is circulating in the wild. Vulnerabilities listed in the CISA KEV catalog or those affecting your organization's public-facing assets should be prioritized regardless of score.

Vulnerability Scanning vs. Penetration Testing

Vulnerability Scanning

Automated tools comprehensively detect known vulnerabilities. Covers a wide range in a short time and is suitable for regular execution. However, it may include false positives and cannot detect business logic vulnerabilities.

Penetration Testing

Experts attempt actual infiltration from an attacker's perspective. Can discover chained vulnerability exploitation and business logic flaws, but has high execution costs and is not suited for frequent execution.