The Vulnerability Management Process

4 Stages of Vulnerability Management 

  • Identification: Using automated vulnerability scanning tools, as well as manual processes such as penetration testing, to discover and document vulnerabilities across your IT environment. 
  • Prioritization: Determining when and how vulnerabilities should be addressed based on the risk they pose to your business. 
  • Remediation: Fixing the vulnerability or putting other mediating controls in place to reduce the vulnerability’s impact. 
  • Reporting: Evaluating your vulnerability landscape based on metrics such as mean time to remediate and the percentage of systems with critical vulnerabilities.  

Frameworks and Models

If you’re just getting started putting in place a formal vulnerability management program or you’re looking for ways to evaluate and improve your current program, using a framework can provide valuable guidance. The NIST Cybersecurity Framework and the SANS Maturity Model are two standards commonly applied to vulnerability management. 

  • NIST Cybersecurity Framework: The NIST Framework is meant as an overarching cyber strategy, but its process of identify, protect, detect, respond, recover, can be applied specifically to vulnerability management. View specific action items from the Framework that apply to VM in RH-ISAC’s blog post. 
  • SANS Maturity Model: This model is divided up into five levels — initial, managed, defined, quantitatively managed, and optimizing — with the goal being to end up with a fully developed vulnerability management program. Organizations can rate their progress on that scale in several key areas — prepare, identify, analyze, communicate, and treat — which represent stages of a vulnerability management process. 

Vulnerability Management Resource Guide

Get actionable strategies and best practices.

Vulnerability Identification

The first step to successful vulnerability management is discovering the vulnerabilities that exist within your systems

Creating an Asset Inventory

For successful vulnerability management, you need to have complete visibility into your assets, including third-party assets like vendors with access to internal environments. The tools you’re using for vulnerability management should be able to provide you with a complete picture of all of the assets (servers, desktops, mobile devices, applications, etc.) in your network, in one location. You will then map discovered vulnerabilities to this inventory for effective prioritization.  

Vulnerability Scanning

Vulnerability scanning uses automated tools to detect and classify system weaknesses. Your vulnerability scanning tools should be able to conduct network and application scans, using a variety of scanning methods including agent-based, agentless, authenticated, unauthenticated, static, and dynamic.  

Vulnerability Prioritization

Once vulnerabilities are detected, the next step is to prioritize which ones are the most important to remediate. Prioritization of vulnerabilities is essential because not all vulnerabilities are going to have the same level of impact on your business operations.

Risk-Based Prioritization

A risk-based approach to vulnerability management prioritizes remediating vulnerabilities based on the impact they will have on your business, as well as the likelihood that exploitation will take place. This is compared to other approaches such as compliance-driven vulnerability management, which focuses more on checking the boxes necessary to meet regulatory requirements, as opposed to analyzing the overall threat landscape. 

Integrating Intelligence

You may determine that a particular vulnerability is present in key assets throughout your network, but if the conditions required to exploit it are such that exploitation is highly unlikely, this vulnerability poses less real risk to your organization and might be prioritized lower than other more exploitable vulnerabilities. The only way to know this information is by integrating real-time threat intelligence data into your vulnerability management system.

Assigning a Risk Score

Since the CVSS score doesn’t show the complete picture of a vulnerability, you need another way to quantitatively assess which vulnerabilities to prioritize. Assigning a risk score to your assets can help provide this standard metric. A risk score is based off of the asset value, threat likelihood, and vulnerability exposure. 

Vulnerability Remediation

Remediation is taking action to eliminate the vulnerability, such as applying a patch, in the case of third-party software. Remediation is generally the preferred long-term course of action, but mitigation tactics can be used when eliminating the vulnerability from the environment completely is not feasible.

Patch Management

It is generally best practice to install patches that are released for the software you’re using because it will reduce the likelihood of a successful breach, ensure that your systems are up to date, and help you comply with regulatory requirements. However, that doesn’t mean that you should necessarily install a patch the moment it is released. Patches should be implemented strategically, taking into account the impact deploying a patch will have on your business operations and security posture.  


Many organizations experience delays between detecting the vulnerability and actually remediating the vulnerability due to a lack of automation and tool communication between their vulnerability scanning tools and the tools used to deploy the update. modern vulnerability detection tools are beginning to incorporate the ability to remediate and deploy patches from the same system as detection, which can help make the pipeline much more efficient. Others without the capability to deploy patches are at least integrating with systems like Microsoft SCCM and HCL BigFix that are used to roll out updates. These tools will also integrate with popular ticketing systems such as Jira and ServiceNow to minimize the headache caused by transferring a detected vulnerability out for remediation.  

Vulnerability Management Resource Guide

Get actionable strategies and best practices.

Vulnerability Reporting

You’ll never be able to completely eliminate all vulnerabilities from your environment, but you do want to have metrics in place for determining the success of your vulnerability management program. Reporting ensures that there is accountability in your vulnerability management program and progress is being made to reduce risk.

What is in a Vulnerability Assessment Report?

If you have good vulnerability management tools in place, the meat of the report will come from the vulnerability scanner. It should provide you with the name of the vulnerability, date of discovery, CVSS score, a description of the vulnerability and the systems impacted, and a POC (proof of concept) of the vulnerability. You will then want to augment the vulnerability scanner’s report with some analysis to provide context to the report. 


Tailoring Your Report for Your Audience

Vulnerability assessment reports can be used for a number of different purposes, which means you might have a few different audiences for your report. The Board of Directors will not need as detailed a report as your IT team, so you should create versions of your report accordingly, highlighting the information that matters to that particular audience.  

Why is a Vulnerability Assessment Report Essential?

Vulnerability assessment reports provide a roadmap for remediation, but they can also be used to demonstrate regulatory compliance, benchmark progress, and lower your cyber insurance premium. 


Vulnerability Management Resource Guide

Get actionable strategies and best practices.

Read the Latest Blog Posts

Join RH-ISAC today!

Complete an application form if you are interested in becoming a member of RH-ISAC.