What is Vulnerability Management?

9 minute read
Intermediate

Vulnerability management is the continuous process of identifying, evaluating, and remediating security weaknesses before attackers exploit them. Learn how it works and why most programs fail.

The Vulnerability Management Process

Discovery and Inventory

Effective vulnerability management begins with comprehensive asset inventory — you cannot assess vulnerabilities in systems you do not know exist. Shadow IT, forgotten servers, cloud instances spun up for projects that were never decommissioned, and contractor-managed systems frequently create inventory gaps that leave significant attack surface unassessed. Asset discovery tools, cloud asset management platforms, and network scanning establish the baseline inventory that vulnerability scanning operates against.

Scanning and Assessment

Vulnerability scanners such as Tenable Nessus, Qualys, and Rapid7 InsightVM assess systems against databases of known vulnerabilities, misconfigurations, and security weaknesses. Credentialed scans, which authenticate to target systems and inspect installed packages and configuration locally, identify significantly more vulnerabilities, with fewer false positives, than uncredentialed scans that rely on what is observable over the network. The output of a vulnerability scan is a list of findings, each assigned a severity derived from its Common Vulnerability Scoring System (CVSS) base score. A large enterprise environment might produce 50,000-200,000 vulnerability instances from a single scan cycle.

Prioritization: The Critical Problem

CVSS base scores, the numbers scanners report, are calculated from the intrinsic characteristics of a vulnerability: how easily it can be exploited, what privileges and user interaction exploitation requires, and what confidentiality, integrity, or availability impact it causes. They do not account for whether the vulnerability is being actively exploited in the wild, whether the affected system is actually reachable by an attacker in a way that makes the vulnerability exploitable, or whether compensating controls reduce the effective risk (CVSS defines temporal and environmental metrics for some of this, but scanner output almost always carries only the base score). A CVSS 9.8 critical vulnerability on a system that is not internet-facing and is isolated from sensitive data represents lower operational risk than a CVSS 7.0 finding on an internet-facing system handling customer financial data. Risk-based vulnerability management prioritizes on exploitation evidence (CISA's Known Exploited Vulnerabilities catalog, EPSS probabilities, vendor exploit-maturity data), asset exposure, and business context rather than on raw severity scores.
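The reordering described above, as an added example that is not Cloudskope's code or any vendor's scoring model: it takes normalized scanner findings and scores each one by combining the reported CVSS base score with exploitation evidence (a KEV flag and an EPSS probability), network exposure, data sensitivity, and a compensating-control discount. The weights, the finding records, and the asset names are constructed for illustration; only the shape of the reasoning is the point.

```python
"""Risk-based prioritization of scanner findings (illustrative, not a standard)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    ref: str               # scanner finding reference (constructed, not a CVE ID)
    asset: str
    cvss: float            # CVSS v3 base score as reported by the scanner
    internet_facing: bool  # asset reachable from the internet
    data_class: str        # "public", "internal", or "regulated"
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    epss: float            # EPSS probability of exploitation within 30 days
    compensating: bool = False  # e.g. a WAF rule or network isolation already blocks the path


# Assumed business-impact weights; tune to the organization's data classification.
DATA_WEIGHT = {"public": 0.5, "internal": 1.0, "regulated": 2.0}


def risk_score(f: Finding) -> float:
    """Combine severity, exploit likelihood, exposure and business impact.

    likelihood: KEV membership is treated as certain; otherwise EPSS, floored so a
    high-severity bug with no exploit data is never scored as zero risk.
    exposure: internet-facing assets are reachable by any attacker; internal-only
    assets still count because of lateral movement after an initial foothold.
    """
    likelihood = 1.0 if f.in_kev else max(f.epss, 0.05)
    exposure = 1.0 if f.internet_facing else 0.25
    impact = DATA_WEIGHT[f.data_class]
    score = f.cvss * likelihood * exposure * impact
    if f.compensating:
        score *= 0.5  # a compensating control reduces, but does not remove, the risk
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss(findings: list[Finding]) -> list[Finding]:
    """The naive ordering most programs use, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample: an isolated 9.8 on a lab box, a 7.0 that is in KEV on an
# internet-facing payments API, an 8.1 on a public web server, and an 8.8 on an
# internal HR database that already sits behind a compensating control.
SAMPLE = [
    Finding("F-1", "lab-build-07", 9.8, False, "internal", False, 0.01),
    Finding("F-2", "pay-api-01", 7.0, True, "regulated", True, 0.70),
    Finding("F-3", "www-01", 8.1, True, "public", False, 0.30),
    Finding("F-4", "hr-db-02", 8.8, False, "regulated", False, 0.02, compensating=True),
]


if __name__ == "__main__":
    print("CVSS order:", [f.asset for f in by_cvss(SAMPLE)])
    print("Risk order:", [(f.asset, risk_score(f)) for f in prioritize(SAMPLE)])
```

Run it and the CVSS ordering puts the isolated lab machine first and the payments API last; the risk ordering inverts that, which is exactly the 9.8-versus-7.0 case made in the text. The multiplicative form is deliberate: a finding has to be severe, likely to be exploited, reachable, and on something that matters before it reaches the top of the queue, and any one of those being near zero pulls it down.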

Why Vulnerability Management Programs Fail

The Volume Problem

Organizations that implement vulnerability scanning without the operational processes to triage and remediate findings quickly accumulate backlogs of open vulnerabilities that grow faster than the remediation capacity to address them. A mid-market organization that scans monthly and remediates based on CVSS critical findings may be remediating 200-300 vulnerabilities per cycle while simultaneously generating 200-300 new findings — running to stand still while the backlog of high and medium findings grows unchecked. The vulnerability backlog problem is fundamentally an operational throughput problem, not a technology problem.

The Ownership Problem

Vulnerability management identifies security issues in systems owned by IT, engineering, operations, and development teams. The security team that identifies the vulnerability frequently does not control the system the vulnerability affects and cannot directly remediate it. Effective vulnerability management requires clear ownership assignment — specific teams are accountable for specific systems and have defined SLAs for remediation based on vulnerability severity. Without ownership clarity and accountability, vulnerability findings sit in reports that nobody acts on.

The Coverage Problem

Most vulnerability management programs scan known systems on a defined schedule. Cloud infrastructure that changes continuously, container environments, third-party applications, and web application code require different scanning approaches than traditional agent-based or network-based vulnerability scanning: ephemeral instances can be created and destroyed between two scheduled scans, and container images are rebuilt rather than patched in place, so they have to be scanned at build time and in the registry rather than on the running host. Organizations that have migrated significant workloads to cloud environments without extending their vulnerability management program to cover cloud-native assets have significant unscanned attack surface.

Vulnerability Management for PE Portfolio Companies

The M&A Due Diligence Perspective

Vulnerability posture is a meaningful indicator of overall IT operational discipline in M&A technical due diligence. Organizations with effective vulnerability management programs demonstrate the operational processes, team accountability, and systematic approach to risk reduction that correlate with broader IT maturity. Organizations with large, aging vulnerability backlogs demonstrate the operational debt accumulation that frequently extends to other IT domains. In Cloudskope's due diligence engagements, we regularly find critical vulnerabilities in externally-facing systems that have been open for 12-24 months — not because the organization lacked scanning capability, but because they lacked the remediation processes and ownership accountability to act on findings.

Metrics That Matter

The vulnerability management metrics that indicate program effectiveness are mean time to remediate by severity tier (how long it takes to fix critical, high, medium, and low findings, measured from first detection, with still-open findings aged against today so the number cannot be flattered by counting only what was fixed), scan coverage (what percentage of the known asset inventory is actually being scanned, and scanned with credentials), and reopen rate (what percentage of remediated vulnerabilities reappear on the same asset, which usually means the fix was applied to a running instance but not to the image, template, or configuration it is rebuilt from). These metrics distinguish organizations that are genuinely reducing vulnerability exposure from organizations that are generating reports.
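The three metrics above, computed over a finding history, as an added example that is not Cloudskope's tooling. It also closes the loop with the Discovery and Coverage sections: the coverage figure is the intersection of what the CMDB or cloud API says exists and what the scanner has actually reported on, and the leftover set is the unscanned attack surface. The record shape (asset, plugin, severity, first_seen, fixed), the inventory, and the dates are all constructed stand-ins for whatever a real scanner and asset system export.

```python
"""Program-effectiveness metrics from a scan history (illustrative record format)."""
from collections import defaultdict
from datetime import date

# Constructed inventory: what the CMDB / cloud API says exists.
INVENTORY = {"web-01", "web-02", "db-01", "build-07", "vpn-01", "k8s-node-3"}

# Constructed scan history: one record per (asset, plugin) per detection lifecycle.
# A finding that was fixed and later detected again appears as a second record.
FINDINGS = [
    {"asset": "web-01", "plugin": 1001, "sev": "critical", "first_seen": date(2024, 1, 3), "fixed": date(2024, 1, 10)},
    {"asset": "web-02", "plugin": 1001, "sev": "critical", "first_seen": date(2024, 1, 3), "fixed": date(2024, 2, 20)},
    {"asset": "db-01", "plugin": 2002, "sev": "high", "first_seen": date(2024, 1, 3), "fixed": date(2024, 1, 30)},
    {"asset": "web-01", "plugin": 3003, "sev": "high", "first_seen": date(2024, 1, 3), "fixed": None},
    {"asset": "web-01", "plugin": 1001, "sev": "critical", "first_seen": date(2024, 2, 7), "fixed": None},  # reopened
    {"asset": "db-01", "plugin": 4004, "sev": "medium", "first_seen": date(2024, 1, 3), "fixed": date(2024, 3, 3)},
]


def mttr_by_tier(findings):
    """Mean days from first detection to fix, per severity, over fixed findings only.

    Open findings are excluded here to keep the example short; the stricter variant
    recommended in the text ages them against today's date instead of dropping them.
    """
    days = defaultdict(list)
    for f in findings:
        if f["fixed"] is not None:
            days[f["sev"]].append((f["fixed"] - f["first_seen"]).days)
    return {sev: round(sum(v) / len(v), 1) for sev, v in days.items()}


def scan_coverage(findings, inventory):
    """Share of the known inventory the scanner has reported on, plus the unscanned assets.

    Finding records stand in for the scanner's host list here; in practice use the host
    list, since a clean host and an unscanned host both produce zero findings.
    """
    scanned = {f["asset"] for f in findings}
    unscanned = sorted(inventory - scanned)
    return round(len(inventory & scanned) / len(inventory), 2), unscanned


def reopen_rate(findings):
    """Fraction of fixed (asset, plugin) pairs detected again after their fix date."""
    fixed_on = {}
    for f in findings:
        if f["fixed"] is not None:
            fixed_on[(f["asset"], f["plugin"])] = f["fixed"]
    reopened = {
        (f["asset"], f["plugin"])
        for f in findings
        if (f["asset"], f["plugin"]) in fixed_on
        and f["first_seen"] > fixed_on[(f["asset"], f["plugin"])]
    }
    return round(len(reopened) / len(fixed_on), 2) if fixed_on else 0.0


def report(findings=FINDINGS, inventory=INVENTORY):
    """Bundle the three metrics the way a monthly program review would present them."""
    coverage, gaps = scan_coverage(findings, inventory)
    return {
        "mttr_days": mttr_by_tier(findings),
        "coverage": coverage,
        "unscanned_assets": gaps,
        "reopen_rate": reopen_rate(findings),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

On the constructed data, half the inventory has never been scanned (the build server, the VPN appliance and a Kubernetes node, the kind of assets that typically fall outside a scheduled network scan), and one of the four fixed findings came back, which is the signal to check whether web-01 is rebuilt from an image that was never patched.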

Real-World Example: Equifax — A Known Vulnerability, an Available Patch, and 147 Million Records

The 2017 Equifax breach exposed the personal and financial data of roughly 147 million Americans. The attacker gained initial access through a known vulnerability in Apache Struts, CVE-2017-5638, for which a patch had been available for two months. Equifax's vulnerability management program had not identified the vulnerable system as requiring patching: the system was not in scan scope because it was not in the asset inventory the security team maintained. An asset that security did not know existed, running software with a known critical vulnerability for which a patch was available, caused one of the largest consumer data breaches in US history. The failure was not a zero-day, not a sophisticated attack, and not an unavoidable outcome. It was a vulnerability management failure.

60% of breaches exploit vulnerabilities for which patches were already available, often months or years prior. The vulnerability management gap is not a technology problem. It is an operational discipline problem.

How Cloudskope Can Help

Cloudskope's vulnerability management assessments evaluate your scanning coverage, prioritization methodology, remediation SLA compliance, and ownership accountability framework. We identify the gaps between what your scanning tells you and what your actual attack surface looks like — including cloud environments, web applications, and third-party systems that traditional scanning programs frequently miss. For PE portfolio reviews, we provide cross-portfolio vulnerability posture benchmarking.