Every 24 hours, approximately 80 new CVEs are published. Without a systematic approach to finding, prioritizing, and fixing vulnerabilities, you're playing Russian roulette with your business. 60% of breaches involve a known, unpatched vulnerability.
Vulnerability management is the continuous, systematic process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities across an organization's IT assets. It's not a one-time scan — it's an ongoing program that reduces organizational risk over time.
Vulnerabilities span multiple categories:
A vulnerability assessment tells you what's wrong (point-in-time). Vulnerability management ensures it gets fixed — and stays fixed (ongoing program with prioritization, tracking, verification, and improvement).
Regulatory fines: NIS2 mandates vulnerability management — up to €10M or 2% of turnover. Breach liability: GDPR requires "appropriate technical measures." Ransomware: WannaCry, Log4Shell, MOVEit — all exploited known, patchable flaws. Insurance: Cyber insurers audit patch management and adjust premiums or deny claims.
You can't protect what you don't know about. Maintain a current inventory of all IT assets and scan continuously. Key metrics: asset coverage, scan frequency, time since last scan.
Not all vulnerabilities are equal. A critical CVSS score doesn't automatically mean critical risk. Consider exploitability, asset criticality, exposure, compensating controls, and business context.
Options include patching, configuration changes, compensating controls (WAF, virtual patching), formal risk acceptance, or system retirement.
A "patched" vulnerability that wasn't actually fixed provides a false sense of security. Always re-scan, regression test, and validate configuration changes after remediation.
Serve multiple audiences: security teams (tactical dashboards), IT management (strategic reports), executives (business risk), and auditors (compliance evidence).
Volume: Tens of thousands of critical/high findings — can't fix them all. False urgency: Many critical CVEs are never exploited. Missing context: A medium vuln on a payment system may be higher risk than a critical on an isolated dev server.
Risk-based vulnerability management (RBVM) combines vulnerability severity with threat intelligence (is it being exploited?), asset criticality (how important?), and exposure (internet-facing?). This reduces the actionable backlog by 80–90%.
| Aspect | CVSS | EPSS |
|---|---|---|
| What it measures | Vulnerability severity (0–10) | Exploitation probability (0–100%) |
| Updates | Largely static | Daily |
| Focus | What could happen | What will happen |
| Limitation | Only ~15% of criticals are exploited | Doesn't consider asset context |
High CVSS + High EPSS → Critical, immediate remediation. High CVSS + Low EPSS → Scheduled within standard SLA. Low CVSS + High EPSS → Elevated, investigate (may be underrated). Low CVSS + Low EPSS → Address in regular maintenance.
Discover your vulnerabilities before attackers do. AI-powered scanning with risk-based prioritization.
Start Free Scan →| Framework | Vulnerability Management Requirement | Penalty |
|---|---|---|
| NIS2 | Article 21: "vulnerability handling and disclosure" as minimum measure | Up to €10M / 2% turnover |
| DORA | ICT risk management, regular vulnerability assessments | Sector-specific enforcement |
| DSGVO/GDPR | Article 32: "appropriate technical measures" | Up to €20M / 4% turnover |
| ISO 27001 | A.8.8: Management of technical vulnerabilities | Certification risk |
| PCI DSS 4.0 | Quarterly external ASV scans, internal scanning, annual pentesting | PCI non-compliance fines |
| Risk Level | Internet-Facing | Internal Critical | Internal Standard |
|---|---|---|---|
| Critical | 24 hours | 72 hours | 7 days |
| High | 7 days | 14 days | 30 days |
| Medium | 30 days | 60 days | 90 days |
| Low | 90 days | 180 days | Next maintenance |
KENSAI scans web applications, APIs, and infrastructure with a database of 332,000+ CVEs continuously updated. Identifies both known vulnerabilities and misconfigurations across your entire attack surface.
Goes beyond CVSS: cross-references active threat intelligence, considers real-world exploitation data, reduces false positives through intelligent analysis, and delivers risk-based prioritization so you focus on what matters.
Every scan generates reports aligned with NIS2, DSGVO/GDPR, DORA, and ISO 27001 — documented vulnerability handling and disclosure evidence for auditors and regulators.
Actionable fix recommendations for every finding. Reduces the time and expertise required to close vulnerabilities.
Professional: €990/month — ideal for growing businesses. Enterprise: €2,490/month — advanced features and higher scan volumes.
The continuous process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities. Unlike one-time assessments, it's an ongoing program with structured discovery, risk-based prioritization, and tracked remediation with defined SLAs.
RBVM prioritizes by actual risk (threat intelligence + asset criticality + exposure) rather than CVSS severity alone. Reduces the actionable backlog by 80–90% and focuses resources on genuinely dangerous vulnerabilities.
CVSS rates severity (static, 0–10). EPSS predicts exploitation probability (dynamic, updated daily). Used together, they provide both severity context and exploitation likelihood for superior prioritization.
Critical/internet-facing: at least weekly (daily or continuous preferred). Internal: monthly minimum. After significant changes: always. The trend is continuous scanning.
NIS2 Article 21 explicitly requires "vulnerability handling and disclosure." A compliant program must demonstrate systematic discovery, risk-based prioritization, defined SLAs, verification, continuous monitoring, and documented processes.
MTTR for critical/high-risk vulnerabilities — it directly measures how quickly you close your most dangerous exposure windows.
Take control of your vulnerability management. AI-powered discovery, prioritization, and compliance reporting.
Start Free Scan →Security is not optional.
🗡️ The KENSAI Team