
Vulnerability Management

A continuous process of identifying, assessing, prioritising and remediating vulnerabilities in an organisation's IT and industrial systems.

What is vulnerability management?

Vulnerability management is a systematic process encompassing the identification, classification, prioritisation and elimination of vulnerabilities in an organisation’s IT infrastructure. It is not a one-off scan, but a continuous cycle: scan - analyse - remediate - verify.

The process starts with asset inventory - you cannot secure what you do not know about. Scanning is then carried out using automated tools that compare installed software versions against known vulnerability databases such as CVE. Detected vulnerabilities are assessed for the risk they pose in the context of the specific organisation.

Detecting vulnerabilities alone is not enough - the organisation must remediate them within an appropriate timeframe. Prioritisation is essential because a typical organisation has hundreds or thousands of vulnerabilities and limited resources for remediation. Modern approaches such as SSVC (Stakeholder-Specific Vulnerability Categorization) help focus efforts on vulnerabilities that pose a real threat.
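As an added illustration of the scan, assess and prioritise steps described above (example code, not from the original page), the following Python matches a constructed asset inventory against constructed advisories with placeholder CVE ids using numeric version comparison, then applies a simplified SSVC-style deployer rule set. The exposure, human-impact, exploitation and automatable inputs follow SSVC terminology, but the decision rules are an assumption for illustration, not CISA's published decision tree.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    exposure: str      # SSVC system exposure: "small", "controlled" or "open"
    human_impact: str  # SSVC human impact: "low", "medium", "high" or "very_high"

@dataclass(frozen=True)
class Advisory:
    cve: str           # constructed placeholder ids, not real CVE numbers
    product: str
    fixed_in: str      # first version that is no longer affected
    exploitation: str  # "none", "poc" or "active"
    automatable: bool  # can exploitation be automated at scale?

IMPACT_RANK = {"low": 0, "medium": 1, "high": 2, "very_high": 3}

def version_key(v: str) -> tuple:
    """Numeric dotted-version key, so '1.10.0' sorts after '1.9.9' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(asset: Asset, adv: Advisory) -> bool:
    """The scan step: product match and installed version below the fixed version."""
    return asset.product == adv.product and version_key(asset.version) < version_key(adv.fixed_in)

def decide(asset: Asset, adv: Advisory) -> str:
    """Simplified SSVC-style deployer decision (illustrative rules, not CISA's published tree)."""
    impact = IMPACT_RANK[asset.human_impact]
    if adv.exploitation == "active":
        if asset.exposure == "open" or impact >= 3:
            return "immediate"
        return "out_of_cycle" if asset.exposure == "controlled" or impact >= 2 else "scheduled"
    if adv.exploitation == "poc":
        if asset.exposure == "open" and adv.automatable and impact >= 2:
            return "out_of_cycle"
        return "scheduled" if asset.exposure != "small" or impact >= 1 else "defer"
    return "scheduled" if asset.exposure == "open" and impact >= 2 else "defer"

def triage(assets, advisories):
    """(asset, cve, priority) for every affected asset, most urgent first."""
    order = {"immediate": 0, "out_of_cycle": 1, "scheduled": 2, "defer": 3}
    found = [(a.name, v.cve, decide(a, v)) for a in assets for v in advisories if is_affected(a, v)]
    return sorted(found, key=lambda f: (order[f[2]], f[0]))

# Constructed sample inventory and advisories (placeholder data for illustration)
ASSETS = [Asset("web-01", "acme-httpd", "2.4.1", "controlled", "medium"),
          Asset("hmi-03", "acme-scada", "1.9.9", "controlled", "very_high"),
          Asset("kiosk-07", "acme-httpd", "2.3.0", "small", "low"),
          Asset("lab-pc", "acme-httpd", "2.5.0", "small", "low")]
ADVISORIES = [Advisory("CVE-XXXX-0001", "acme-httpd", "2.4.3", "active", True),
              Advisory("CVE-XXXX-0002", "acme-scada", "1.10.0", "active", False)]
```

Calling `triage(ASSETS, ADVISORIES)` ranks the OT HMI first despite its controlled exposure, because active exploitation combined with very high human impact outweighs the more exposed web host's medium impact.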

Why does it matter?

Unpatched vulnerabilities are one of the primary attack vectors. Attackers routinely scan the internet for systems with known vulnerabilities - the time from exploit publication to mass exploitation is measured in days, sometimes hours.

In OT environments, vulnerability management is particularly challenging due to limited maintenance windows, the inability to apply automatic updates and long device lifecycles. This requires trade-offs - not every vulnerability can be patched immediately, but every one should be consciously managed.

Need help in this area?

Our experts will help you assess the risk and plan next steps.
