What is vulnerability management?

Vulnerability management allows you to identify, prioritise and respond to software issues and misconfigurations that could be exploited by attackers, lead to inadvertent release of sensitive data or disrupt business operations.

The modern cyber ecosystem is anything but static; it’s a constantly shifting, evolving entity that continually expands to encompass new technologies, systems and individuals. Unfortunately, this makes security a daunting task.

New digital vulnerabilities are being discovered on a nearly daily basis, accounting for thousands of new threat vectors every year that may be exploited—causing significant problems for organisations across essentially every industry. And according to Ponemon Institute, the global average cost of a data breach in the United States is $8.64 million. As such, responding to attacks only after they occur is simply not an effective defence.

In addition, systems and services are growing more complex and more integral to modern society. Mistakes will happen as users configure, maintain and add more tech and devices to the environment. Each mistake is an opportunity for a problem.

Vulnerability management offers a solution.

Vulnerability management definition

Vulnerability management is a term that describes the various processes, tools and strategies of identifying, evaluating, treating and reporting on security vulnerabilities and misconfigurations within an organisation’s software and systems. In other words, it allows you to monitor your company’s digital environment to identify potential risks, for an up-to-the-minute picture of your current security status.

Security vulnerabilities

In broad terms, a vulnerability is a weakness—a flaw that can be exploited. In computer science, a security vulnerability is essentially the same thing. Security vulnerabilities are targeted by threat actors. These attackers attempt to find and exploit vulnerabilities to access restricted systems.

Vulnerability scanner

Identifying vulnerabilities throughout your systems, networks and applications requires specific tools. A vulnerability scanner is a program designed to move through your digital systems and discover potential weaknesses, making vulnerability management possible.

Risk-based vulnerability management

An extension of vulnerability management, risk-based vulnerability management programmes are designed to address the weaknesses inherent in digital systems, including software, hardware and infrastructure. Risk-based vulnerability management uses machine learning to extend vulnerability management beyond traditional IT assets, incorporating cloud infrastructure, IoT devices, web apps and more. This allows businesses access to relevant insights across their entire attack surface.

Risk-based vulnerability management also allows for more accurate, risk-based prioritisation. Your company can focus first on identifying and repairing the weaknesses that are most likely to result in a breach, leaving less-critical vulnerabilities for later.

Vulnerability management vs. vulnerability assessment

Both vulnerability management and vulnerability assessment contribute to effectively addressing and resolving cybersecurity vulnerabilities. However, vulnerability management and vulnerability assessment are not synonymous terms.

A vulnerability assessment is only the first phase of vulnerability management. Most companies use scanning tools to look at devices on their network, collect information about the version of software that is installed and compare it to known vulnerabilities announced by software vendors. Multiple scanning tools, with or without agents or credentials, are typically required to cover the range of software in use (applications, operating systems, cloud service providers etc.). Companies run scans at scheduled intervals, usually monthly or quarterly, and then use the resulting list, often emailed as a spreadsheet, to assign upgrade or patching tasks. If a zero-day vulnerability is announced (one that is actively being exploited and for which a patch may not yet be available), a company may launch an on-demand scan that can take days or weeks depending on the size and configuration of its infrastructure.

Vulnerability management, by contrast, is a lifecycle rather than a scheduled or ad hoc scan: an ongoing programme that moves from assessment into prioritisation and remediation. It uses multiple data sources to continually assess and reassess the current state of your software and services. By adding business, threat, exploitation and risk context to the software information generated by the assessment tools, a vulnerability management system can efficiently call attention to the vulnerabilities that must be addressed immediately and even suggest the best solution or mitigation. Constant assessment, evaluation, repair and reporting on vulnerabilities allows you to manage and address security vulnerabilities on a day-to-day basis. This means that weaknesses can be discovered more quickly, the highest-impact issues can be addressed first, and fewer vulnerabilities get overlooked.

Simply put, a vulnerability assessment gives you a snapshot of your IT software stance; vulnerability management offers constantly evolving, real-time intelligence, remediation guidance and reporting.
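The assessment phase described above boils down to one mechanical step: comparing the software versions a scanner has collected against the affected-version ranges in vendor advisories. The following is an added example written for this page, not code from the page's author or from any scanning product. The hosts, product names, versions and the `ADV-PLACEHOLDER-*` advisory identifiers are all constructed; the version scheme is assumed to be plain dotted integers, which is the edge case the code normalises (so that `13.4.0` and `13.4` compare as equal).

```python
"""Match a collected software inventory against advisories by version range."""

# Constructed sample inventory, in the shape a credentialed scan might produce.
# Hosts and product names are hypothetical.
INVENTORY = [
    {"host": "web-01", "product": "exampled", "version": "2.4.49"},
    {"host": "web-02", "product": "exampled", "version": "2.4.51"},
    {"host": "db-01", "product": "examplesql", "version": "13.2"},
    {"host": "db-02", "product": "examplesql", "version": "13.4.0"},
]

# Constructed advisories with placeholder IDs. The affected range is
# [introduced, fixed): the "fixed" version itself is not affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "product": "exampled",
     "introduced": "2.4.0", "fixed": "2.4.51"},
    {"id": "ADV-PLACEHOLDER-002", "product": "examplesql",
     "introduced": "13.0", "fixed": "13.4"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple.

    Trailing zeros are dropped so that "13.4.0" and "13.4" compare equal;
    tuple comparison then orders versions component by component.
    Assumes numeric components only (real scanners use per-ecosystem rules).
    """
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, advisory):
    """True when version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_inventory(inventory, advisories):
    """Return one finding per (host, advisory) pair where the installed version is affected."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            if is_affected(item["version"], adv):
                findings.append({
                    "host": item["host"],
                    "advisory": adv["id"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['advisory']} (installed {f['installed']}, fixed in {f['fixed_in']})")
```

Only `web-01` (2.4.49, below the fix at 2.4.51) and `db-01` (13.2, below 13.4) are reported; `db-02` is on `13.4.0`, which the normalisation correctly treats as the fixed release rather than as a version "before" `13.4`.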

As more and more information is created and held within digital systems, and organisations make greater use of mobile technologies and IoT devices, new security vulnerabilities keep emerging. Here, we take a look at some of the most relevant statistics related to vulnerability management:

  • 17,002 new security vulnerabilities were identified and published in 2020. (Stack Watch)
  • The average vulnerability had a severity rating of 7.1 out of 10. (Stack Watch)
  • 48% of organisations report that they have had a data breach in the past two years. (ServiceNow)
  • 60% of breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied. (ServiceNow)
  • 62% were unaware that their organisations were vulnerable prior to the data breach. (ServiceNow)
  • 52% of survey respondents say their organisations are at a disadvantage in responding to vulnerabilities because they use manual processes. (ServiceNow)

The five vendors with the most documented security vulnerabilities in 2020 are Microsoft, Google, Oracle, Apple and IBM. (Stack Watch)

There certainly isn’t any shortage of vulnerabilities for threat actors to target. And, given the damage that may result from a data breach—not only in terms of financial loss, but also in regard to operational disruptions, damage to customer trust and brand reputation, and even potential legal ramifications—finding and fixing vulnerabilities is absolutely vital.

An effective vulnerability management system provides an important additional layer of protection, giving you the power to manage and correct IT security flaws on an ongoing basis.

No discussion of vulnerability management would be complete without addressing exploits—what they are, and how to prepare for them.

An exploit is a malicious software (malware) program. It consists of specialised code that takes advantage of known vulnerabilities within a system. Threat actors initially use exploits to access networks and related systems remotely. They can then steal or alter data, give themselves system privileges, lock out authorised users, move deeper into the network and open the door for other malware or attack techniques.

One important factor to consider is that exploits are software programs that are designed to target and take advantage of known vulnerabilities, or, in the case of a zero-day, a vulnerability that may not be known and therefore won’t have been patched. By implementing vulnerability management within your organisation, you can address and repair the same vulnerabilities targeted by exploits.

In addition to ongoing vulnerability management, you can also prepare your organisation in the following ways:

  • Provide IT security training for all employees
    Your IT department isn’t the only department that needs to know how to defend against possible attacks. Train all of your employees on best IT security practices and make sure that your organisation’s cybersecurity policies are up to date.
  • Implement traffic filtering and scanning
    Traffic filtering and scanning give you increased visibility into network traffic, and allow you to send the right kinds of traffic to the right security monitoring tools. This prevents traffic bottlenecks, reduces latency and allows for faster identification of, and response to, malicious agents.
  • Keep up with regular patching
    Software vendors will regularly provide patches and updates to help secure their products from emerging vulnerabilities. Checking for patches on a regular basis and making sure that all of your systems and applications are operating with the most up-to-date versions will help ensure that known vulnerabilities aren’t being used against you.

For more insight into protecting your vital IT ecosystem, check out Implementing Agile Security Response: The Essential Checklist.

As vendors and developers release software solutions, they do not always have the time to identify and address all possible vulnerabilities before the product is pushed to market. As such, flaws and bugs may go undiscovered for some time.

As vendors, security agencies, testers and traditional users discover new vulnerabilities, the vulnerabilities are usually reported and disclosed through the proper channels. The vendors are then responsible for patching their exposed products. Depending on the severity or criticality of the vulnerability, vendors will move more or less quickly to release a patch. Large vendors typically aggregate and test patches into a “Patch Tuesday” release, so that their customers can have fewer disruptions and less work in implementing the fix.

Although vendors will likely employ their own testers and even third-party penetration testing agencies to identify vulnerabilities, many flaws do go unnoticed until they are stumbled upon by users or identified by hackers. With this in mind, ongoing vulnerability management becomes even more essential.

Vulnerability management is a cyclical process; it follows a set number of stages and then repeats. This cycle includes six steps:

Discover vulnerabilities

The longer a vulnerability remains undetected, the more likely it is to result in a security breach. Perform weekly external and internal network scans to identify existing and new vulnerabilities. This process includes scanning network-accessible systems, identifying open ports and services on those systems, gathering system information and comparing system information with known vulnerabilities.

Prioritise assets

Once you know what is in use, you can assign each asset a value based on its usage or role in your business. Is it an application or web server used to support your best customers or mission-critical employees, or just a printer? Is it an executive laptop or a customer help desk terminal? By adding this context to your list of systems, you know how important a vulnerability is to fix.

Assess vulnerabilities

Assessment is where you scan to understand the state of the applications and systems in your environment.

Prioritise vulnerabilities

As your scans uncover vulnerabilities, you will need to prioritise them based on their potential risk to your business, workforce and customers. Vulnerability management platforms typically provide different built-in metrics for assessing and ranking vulnerabilities. That said, you will also need to enrich the process with business, threat and risk context that may come from internal or external sources. The goal is to identify the most relevant-to-you, high-impact, high-likelihood vulnerabilities. With the explosion of software, services and devices in your business, you may never be able to patch all of your vulnerabilities. Identifying the most important and likely targets of an attack provides a practical way to manage this reality.

Remediate vulnerabilities

With vulnerabilities identified, prioritised and catalogued, the obvious next step is to remediate and/or mitigate them. It is worth noting that those within a company who are responsible for understanding the risk associated with vulnerabilities are often not the same individuals with the authority to implement solutions. With this in mind, your organisation should work towards achieving a common language, decision criteria and process between security operations, IT operations and system administration teams.

Verify remediation

The final, often-overlooked step in this process is to verify that the vulnerability has been resolved. Follow up the aforementioned steps with another scan to ensure that your top-priority risks have been effectively resolved or mitigated. This final step permits the incident to be closed out in the tracking system and facilitates key performance metrics such as mean time to remediate (MTTR) or number of open critical vulnerabilities.

Report on status

Especially when there is a newsworthy event like a major software flaw or exploited zero-day vulnerability, managers, executives and even the board may be asking about how well you have assessed and addressed the vulnerabilities in your estate. Reports on trends in vulnerabilities, risk and vulnerability management performance also help justify staffing or tooling. Top vulnerability-management platforms include options for automatically generating visual reports and interactive dashboards to support different users, stakeholders and lenses.
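The steps above (discover, prioritise assets, assess, prioritise vulnerabilities, remediate, verify) can be shown end to end on a small data set. The block below is an added example written for this page, not code from the page's author or from any vulnerability management platform. The asset register, the two scan result sets, the `ADV-PLACEHOLDER-*` identifiers and the scoring weights are all constructed assumptions; the point is how asset criticality and exploitation context reorder findings away from raw scanner severity, and how a rescan is diffed to close findings and compute mean time to remediate.

```python
"""Prioritise scan findings with asset and threat context, then verify by rescanning."""
from datetime import datetime, timedelta

# Constructed asset register (step: prioritise assets). Criticality runs 1 (a printer)
# to 5 (a customer-facing server). Hostnames are hypothetical.
ASSETS = {
    "web-01": {"criticality": 5, "internet_facing": True},
    "hr-laptop-07": {"criticality": 3, "internet_facing": False},
    "print-02": {"criticality": 1, "internet_facing": False},
}

# Constructed threat context: placeholder advisory IDs known to be actively exploited.
KNOWN_EXPLOITED = {"ADV-PLACEHOLDER-001"}

# Constructed output of the first scan (steps: discover and assess).
# "severity" mimics a scanner's 0-10 rating; "first_seen" is when it was detected.
T0 = datetime(2024, 1, 1)
SCAN_1 = [
    {"host": "web-01", "advisory": "ADV-PLACEHOLDER-001", "severity": 7.5, "first_seen": T0},
    {"host": "hr-laptop-07", "advisory": "ADV-PLACEHOLDER-002", "severity": 9.8, "first_seen": T0},
    {"host": "print-02", "advisory": "ADV-PLACEHOLDER-003", "severity": 9.0, "first_seen": T0},
]

# Constructed rescan three days later (step: verify). web-01 was patched, the other two
# findings remain, and a new finding has appeared on web-01.
CLOSED_AT = T0 + timedelta(days=3)
SCAN_2 = [
    {"host": "hr-laptop-07", "advisory": "ADV-PLACEHOLDER-002", "severity": 9.8, "first_seen": T0},
    {"host": "print-02", "advisory": "ADV-PLACEHOLDER-003", "severity": 9.0, "first_seen": T0},
    {"host": "web-01", "advisory": "ADV-PLACEHOLDER-004", "severity": 5.0, "first_seen": CLOSED_AT},
]


def priority_score(finding, assets, known_exploited):
    """Combine scanner severity with business and threat context (weights are assumed)."""
    asset = assets[finding["host"]]
    score = finding["severity"] * asset["criticality"]
    if finding["advisory"] in known_exploited:
        score *= 2.0        # active exploitation outweighs a higher nominal severity
    if asset["internet_facing"]:
        score *= 1.5        # reachable from outside: more likely to be attacked
    return score


def prioritise(findings, assets, known_exploited):
    """Step: prioritise vulnerabilities. Highest contextual score first."""
    return sorted(findings, key=lambda f: priority_score(f, assets, known_exploited), reverse=True)


def _key(finding):
    return (finding["host"], finding["advisory"])


def verify_remediation(previous, rescan):
    """Step: verify. Diff a rescan against the earlier findings.

    Returns (resolved, remaining, new): resolved findings no longer appear,
    remaining ones still do, and new ones were not in the previous scan.
    """
    previous_keys = {_key(f) for f in previous}
    rescan_keys = {_key(f) for f in rescan}
    resolved = [f for f in previous if _key(f) not in rescan_keys]
    remaining = [f for f in previous if _key(f) in rescan_keys]
    new = [f for f in rescan if _key(f) not in previous_keys]
    return resolved, remaining, new


def mean_time_to_remediate(resolved, closed_at):
    """Average days from first detection to verified closure, or None if nothing closed."""
    if not resolved:
        return None
    return sum((closed_at - f["first_seen"]).days for f in resolved) / len(resolved)


if __name__ == "__main__":
    for f in prioritise(SCAN_1, ASSETS, KNOWN_EXPLOITED):
        print(f"{priority_score(f, ASSETS, KNOWN_EXPLOITED):6.1f}  {f['host']}  {f['advisory']}")
    resolved, remaining, new = verify_remediation(SCAN_1, SCAN_2)
    print(f"resolved={len(resolved)} remaining={len(remaining)} new={len(new)}")
    print(f"MTTR (days): {mean_time_to_remediate(resolved, CLOSED_AT)}")
```

Ordered by scanner severity alone, the laptop (9.8) and the printer (9.0) would come before the web server (7.5). With asset criticality, exposure and the known-exploited flag applied, the web server scores 112.5 and moves to the top, which is the outcome the "prioritise assets" and "prioritise vulnerabilities" steps are meant to produce. The rescan diff then closes exactly that finding, leaves the other two open, and surfaces the new one for the next cycle.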

The six stages outlined above demonstrate a structured, sequential approach to vulnerability management. The right structure is likewise vital as you set up your vulnerability management process. These are the steps you’ll want to consider:

Define your objectives

Obviously, the primary goal of any vulnerability management solution should be to identify and remediate or mitigate vulnerabilities within your system, and to do so before those vulnerabilities can be exploited. However, you should also identify any secondary objectives your organisation may have in relation to the vulnerability management process.

Secondary objectives allow you to improve the overall effectiveness of vulnerability management, and how your organisation is implementing the resultant data. These secondary objectives may include increasing the regularity of vulnerability scanning, or speeding up the resolution time in addressing identified vulnerabilities.

Define the roles within your organisation

For your vulnerability management solution to be effective, you’ll need all of your stakeholders committed to its success, and their roles and responsibilities in the process clearly defined. Although different organisational structures and capabilities may demand a different separation of responsibilities, most businesses may benefit from assigning individuals to the roles of monitors, resolvers and authorisers.

  • Monitors
    This role assesses vulnerabilities for severity and risk, documents their findings and then alerts the resolvers who will be responsible for addressing the issues.
  • Resolvers
    This role is responsible for locating patches to known issues, and creating mitigation solutions when patches are not available or it is not convenient to apply them.
  • Authorisers
    This role takes a big-picture view of system vulnerabilities, and is responsible for making changes to strategy and procedure when necessary to mitigate the effects of vulnerabilities now and in the future.

Assess the effectiveness of your vulnerability management programme

Ongoing vulnerability-management processes allow your business a clearer, more up-to-date view of your overall security status. As an added bonus, the continuous nature of these processes will help you develop an accurate assessment of what aspects of your vulnerability-management approach are working, and which need adjustment.

Remember: Although the basic steps of vulnerability management are relatively consistent, subtle variations in approach may be appropriate between organisations. Don’t be afraid to make changes to your processes to facilitate improved accuracy, clarity and remediation.

In order to create an effective, ongoing vulnerability-management process, top solutions should include the following:

  • Collecting scan data
    This includes network scanning and firewall logging, as well as penetration testing and automated tools. In fact, there are many different sources of scan data, so don’t feel as though you need to limit your options to a single company or tool.
  • Analysing scan results
    This involves analysing the results of your scans to identify vulnerabilities as well as possible evidence of past or ongoing breaches.
  • Assessing vulnerabilities
    This incorporates an assessment of the vulnerabilities themselves to determine how they may be used by threat actors and what risk they entail.
  • Prioritising based on risk and impact
    This may incorporate risk-based vulnerability management to determine which bugs are highest risk, and thus should be placed at a higher priority for remediation or mitigation.
  • Mitigating and patching
    This involves patching identified vulnerabilities, effectively eliminating them as potential threat vectors.
  • Evaluating the process
    This involves assessing the effectiveness of the vulnerability-management solution, and making changes to the process where necessary.
