
What is Vulnerability Management? A Complete Guide

Jul 3, 2026 · 11 min read · Beginner

What is Vulnerability Management?

Vulnerability management (VM) is the continuous, proactive process of identifying, classifying, prioritising, remediating, and verifying security vulnerabilities across an organisation's IT infrastructure, applications, and services.

The key word is continuous. Vulnerability management is not a one-time audit or a quarterly scan. New vulnerabilities are disclosed every day (the NVD processes 70–100 new CVEs daily), your software inventory changes, and threat actors are constantly probing for unpatched systems. An effective VM programme runs as an ongoing operational function.

VM vs Vulnerability Assessment: A vulnerability assessment is a point-in-time snapshot — you scan, report, and stop. Vulnerability management is the ongoing programme that builds on assessments: tracking remediation, re-scanning, reporting metrics over time, and continuously lowering your attack surface.

The VM Lifecycle

Vulnerability management follows a repeating cycle. No phase is "done" — the process loops continuously as new assets are discovered and new CVEs are published.

1. Discover: inventory all assets
2. Scan: detect vulnerabilities
3. Prioritise: risk-based ranking
4. Remediate: patch or mitigate
5. Verify: confirm the fix
6. Report: metrics and trends

Phase 1: Asset Discovery and Scanning

You cannot manage vulnerabilities in assets you do not know exist. The first step is building and maintaining a comprehensive asset inventory — every server, workstation, network device, cloud instance, container, and application.

Types of Vulnerability Scans

Scan type | How it works | Best for
Unauthenticated (network) scan | Probes open ports and services remotely; identifies service versions and known CVEs via banner matching | Quick external exposure check; no agent or credentials needed
Authenticated (credentialed) scan | Logs into each host and reads installed software, patch levels, and configurations directly | Accurate, comprehensive internal scanning with far fewer false positives
Agent-based scan | A lightweight agent installed on each host continuously reports vulnerability data | Assets the scanner cannot reach over the network (roaming laptops, cloud instances); near real-time visibility
DAST (dynamic application scan) | Tests a running web application for XSS, SQLi, and other web vulnerabilities | Web application vulnerability detection in test or staging environments
SAST (static application scan) | Analyses source code or compiled binaries for coding weaknesses (CWEs) | Finding vulnerabilities during development, before deployment
SCA (software composition analysis) | Resolves third-party dependencies (npm, PyPI, Maven, etc.) and matches them against CVE databases | Open source library vulnerabilities; supply chain risk
Container scan | Scans Docker/OCI images for vulnerable OS packages and application libraries | Pre-deployment container security gates in CI/CD

Phase 2: Risk-Based Prioritisation

A mid-sized organisation might have 50,000 open vulnerabilities at any given time. Patching everything immediately is impossible. Risk-based prioritisation separates what to fix now from what can wait.

Factors in Prioritisation

EPSS: Exploit Prediction Scoring System

The Exploit Prediction Scoring System (EPSS) is an open model that predicts the probability a given CVE will be exploited in the wild within the next 30 days, expressed as a 0–1 probability score. It is maintained by FIRST (Forum of Incident Response and Security Teams).

Research by the EPSS team has shown that combining CVSS with EPSS dramatically reduces the volume of CVEs that need immediate attention. Approximately 6% of new CVEs have a CVSS of 9.0+, but only about 3% of all CVEs are ever actively exploited, and the two groups overlap only partially. EPSS helps identify which high-CVSS vulnerabilities are the ones attackers are actually using, so that a CVSS 9.8 with an EPSS of 0.01 does not pre-empt a CVSS 7.5 that is being exploited today.

Practical Priority Tiers

Priority | Criteria | Target remediation
P1 (Immediate) | CISA KEV listed, or CVSS 9+ AND EPSS > 0.5, or active exploitation observed internally | 24–72 hours
P2 (Critical) | CVSS 9.0–10.0 on internet-facing or critical assets | 7–15 days
P3 (High) | CVSS 7.0–8.9, or CVSS 9+ on non-critical internal assets | 30 days
P4 (Medium) | CVSS 4.0–6.9 | 60–90 days
P5 (Low) | CVSS below 4.0, or compensating controls in place | Next cycle or accept risk

Phase 3: Remediation

Remediation is the most resource-intensive phase. The goal is to eliminate or reduce the risk of each vulnerability. Options include:

Phase 4: Verification

After remediation, rescan the affected asset to confirm the vulnerability is gone. Do not close a ticket based on a developer's confirmation alone — verify with the scanner. For critical vulnerabilities, consider a manual test or a targeted penetration test to confirm exploitability has been eliminated.

Track mean time to remediate (MTTR): the average time between vulnerability discovery and the scanner-verified fix, not the date a ticket was marked done. Measure it per priority tier and compare it against the tier's remediation target; it is the headline KPI for a vulnerability management programme, alongside the count of findings that have exceeded their target.
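The verification rule above (close a finding only when a rescan no longer reports it) and the MTTR definition are easy to get wrong in a ticketing system that records "fixed" when a developer says so. The following added example, not code from the article or from any scanner, computes MTTR and SLA breaches from constructed ticket records in which remediation counts only from the first clean rescan taken on or after the claimed fix date. The record layout, the SLA_DAYS values (taken from the tier table) and the sample tickets are assumptions for the example.

```python
"""MTTR and SLA tracking with scanner-verified closure.

Added example with constructed ticket data. A finding is remediated only
when a rescan dated on or after the claimed fix no longer detects it."""
from datetime import date
from statistics import mean

# Remediation targets in days, from the priority tier table.
SLA_DAYS = {"P1": 3, "P2": 15, "P3": 30, "P4": 90}


def verified_fix_date(ticket):
    """Date of the first clean rescan after the claimed fix, or None.

    A rescan that still detects the CVE does not close the ticket, and a
    clean scan taken before the fix was claimed does not count either."""
    claimed = ticket.get("fix_claimed")
    if claimed is None:
        return None
    for scan in sorted(ticket["rescans"], key=lambda s: s["date"]):
        if scan["date"] >= claimed and not scan["detected"]:
            return scan["date"]
    return None


def mttr_by_tier(tickets):
    """Mean days from discovery to verified fix, per tier.

    Tickets without a verified fix are excluded rather than counted as
    closed; they show up in sla_breaches() instead."""
    durations = {}
    for t in tickets:
        fixed = verified_fix_date(t)
        if fixed is None:
            continue
        durations.setdefault(t["tier"], []).append((fixed - t["discovered"]).days)
    return {tier_: mean(days) for tier_, days in durations.items()}


def sla_breaches(tickets, today):
    """Ticket ids whose time to verified fix (or time still open) exceeds the SLA."""
    breaches = []
    for t in tickets:
        limit = SLA_DAYS.get(t["tier"])
        if limit is None:            # P5: next cycle or accepted risk, no hard SLA
            continue
        end = verified_fix_date(t) or today
        if (end - t["discovered"]).days > limit:
            breaches.append(t["id"])
    return breaches


TODAY = date(2026, 6, 20)

# Constructed sample tickets; detected=True means the rescan still found the CVE.
TICKETS = [
    # Fix claimed, first rescan still detects it, second rescan is clean: 2 days.
    {"id": "T1", "tier": "P1", "discovered": date(2026, 6, 1), "fix_claimed": date(2026, 6, 2),
     "rescans": [{"date": date(2026, 6, 2), "detected": True},
                 {"date": date(2026, 6, 3), "detected": False}]},
    # Developer says fixed, but every rescan still detects it: stays open.
    {"id": "T2", "tier": "P2", "discovered": date(2026, 6, 1), "fix_claimed": date(2026, 6, 5),
     "rescans": [{"date": date(2026, 6, 4), "detected": True},
                 {"date": date(2026, 6, 6), "detected": True}]},
    # Verified on day 20, inside the 30-day P3 target.
    {"id": "T3", "tier": "P3", "discovered": date(2026, 5, 1), "fix_claimed": date(2026, 5, 20),
     "rescans": [{"date": date(2026, 5, 21), "detected": False}]},
    # Verified, but only on day 5 of a 3-day P1 target: a breach even though fixed.
    {"id": "T4", "tier": "P1", "discovered": date(2026, 6, 10), "fix_claimed": date(2026, 6, 11),
     "rescans": [{"date": date(2026, 6, 15), "detected": False}]},
    # Open P4, 80 days old, still within its 90-day target.
    {"id": "T5", "tier": "P4", "discovered": date(2026, 4, 1), "rescans": []},
]

if __name__ == "__main__":
    print("MTTR by tier (days):", mttr_by_tier(TICKETS))
    print("SLA breaches:", sla_breaches(TICKETS, TODAY))
```

Note that T2 never enters the MTTR figure even though a fix was claimed: reporting it as closed would make MTTR look better while the host stays exploitable. Conversely, T4 was genuinely fixed but still counts as a breach, because the metric is measured against the verified date, not the claim.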

Vulnerability Management Tools

Tool | Category | Key feature
Tenable Nessus / Tenable.io | Infrastructure VM | Industry-standard network and host scanner; 100,000+ plugins
Qualys VMDR | Infrastructure VM (cloud) | Continuous scanning with asset inventory and patch orchestration
Rapid7 InsightVM | Infrastructure VM | Risk-based scoring with real-time threat intelligence
Microsoft Defender Vulnerability Management | Endpoint VM | Built into Microsoft 365 Defender; excellent Windows/Azure coverage
Snyk | Application + container | Developer-friendly; deep open source and container scanning
Dependabot | SCA (open source) | Built into GitHub; auto-creates PRs for vulnerable dependencies
Trivy | Container + IaC | Open source; scans Docker images, Terraform, Kubernetes manifests
OpenVAS | Infrastructure VM | Open source alternative to commercial scanners
OWASP ZAP | DAST (web apps) | Free dynamic web application scanner

VM and Compliance Frameworks

Vulnerability management is a mandatory control in most major compliance frameworks:

Frequently Asked Questions

What is vulnerability management?
Vulnerability management is the continuous process of identifying, classifying, prioritising, remediating, and verifying security vulnerabilities in an organisation's IT infrastructure. It is an ongoing programme, not a one-time scan.
What is the difference between vulnerability scanning and vulnerability management?
Vulnerability scanning is a single activity — running a tool to detect known vulnerabilities. Vulnerability management is the full lifecycle programme: scanning, risk-based prioritisation, remediation tracking, verification, and reporting. Scanning is one phase inside vulnerability management.
What tools are used for vulnerability management?
Common tools include Tenable Nessus/Tenable.io, Qualys VMDR, Rapid7 InsightVM for infrastructure scanning; Snyk, Dependabot, OWASP Dependency-Check for application dependencies; Trivy and Grype for containers; and Microsoft Defender Vulnerability Management for Windows environments.
How often should vulnerability scans run?
PCI DSS requires internal vulnerability scans at least once every three months and after significant changes, plus quarterly external scans by an Approved Scanning Vendor (ASV). Most security frameworks recommend continuous scanning, or at least weekly scans for internet-facing systems and monthly for internal systems. Critical assets should be scanned after every major change.
What is EPSS and how does it help prioritisation?
EPSS (Exploit Prediction Scoring System) predicts the probability a CVE will be exploited in the wild within 30 days. Combining CVSS with EPSS helps identify which high-severity CVEs are actually being used by attackers — reducing alert fatigue and focusing patching resources where they matter most.