← Back to Blog
Research 20 min read

Vulnerability Management: The Complete Guide

Every 24 hours, approximately 80 new CVEs are published. Without a systematic approach to finding, prioritizing, and fixing vulnerabilities, you're playing Russian roulette with your business. 60% of breaches involve a known, unpatched vulnerability.

80+
New CVEs Daily
60%
Breaches from Known CVEs
$4.88M
Avg Breach Cost
15 days
Avg Time to Exploit

What is Vulnerability Management?

ℹ️ Definition

Vulnerability management is the continuous, systematic process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities across an organization's IT assets. It's not a one-time scan — it's an ongoing program that reduces organizational risk over time.

Vulnerabilities span multiple categories:

Assessment vs Management

A vulnerability assessment tells you what's wrong (point-in-time). Vulnerability management ensures it gets fixed — and stays fixed (ongoing program with prioritization, tracking, verification, and improvement).


Why Vulnerability Management Matters

⚠️ The Business Risks

Regulatory fines: NIS2 mandates vulnerability management — up to €10M or 2% of turnover. Breach liability: GDPR requires "appropriate technical measures." Ransomware: WannaCry, Log4Shell, MOVEit — all exploited known, patchable flaws. Insurance: Cyber insurers audit patch management and adjust premiums or deny claims.


The Vulnerability Management Lifecycle

5-Phase Continuous Cycle

Phase 1: Discover

You can't protect what you don't know about. Maintain a current inventory of all IT assets and scan continuously. Key metrics: asset coverage, scan frequency, time since last scan.

Phase 2: Prioritize

Not all vulnerabilities are equal. A critical CVSS score doesn't automatically mean critical risk. Consider exploitability, asset criticality, exposure, compensating controls, and business context.

Phase 3: Remediate

Options include patching, configuration changes, compensating controls (WAF, virtual patching), formal risk acceptance, or system retirement.

Phase 4: Verify

⚠️ Don't Skip Verification

A "patched" vulnerability that wasn't actually fixed provides a false sense of security. Always re-scan, regression test, and validate configuration changes after remediation.

Phase 5: Report & Improve

Serve multiple audiences: security teams (tactical dashboards), IT management (strategic reports), executives (business risk), and auditors (compliance evidence).


Risk-Based Vulnerability Management

⚠️ CVSS-Only Prioritization Is Broken

Volume: Tens of thousands of critical/high findings — can't fix them all. False urgency: Many critical CVEs are never exploited. Missing context: A medium vuln on a payment system may be higher risk than a critical on an isolated dev server.

Risk = Threat × Vulnerability × Impact

Risk-based vulnerability management (RBVM) combines vulnerability severity with threat intelligence (is it being exploited?), asset criticality (how important?), and exposure (internet-facing?). This reduces the actionable backlog by 80–90%.


CVSS vs EPSS: Modern Prioritization

AspectCVSSEPSS
What it measuresVulnerability severity (0–10)Exploitation probability (0–100%)
UpdatesLargely staticDaily
FocusWhat could happenWhat will happen
LimitationOnly ~15% of criticals are exploitedDoesn't consider asset context

Use Both Together

High CVSS + High EPSS → Critical, immediate remediation. High CVSS + Low EPSS → Scheduled within standard SLA. Low CVSS + High EPSS → Elevated, investigate (may be underrated). Low CVSS + Low EPSS → Address in regular maintenance.


Vulnerability Management Tools

Scanner Categories

Choosing the Right Tool

Key Evaluation Criteria

Try KENSAI Free

Discover your vulnerabilities before attackers do. AI-powered scanning with risk-based prioritization.

Start Free Scan →

Compliance Integration

FrameworkVulnerability Management RequirementPenalty
NIS2Article 21: "vulnerability handling and disclosure" as minimum measureUp to €10M / 2% turnover
DORAICT risk management, regular vulnerability assessmentsSector-specific enforcement
DSGVO/GDPRArticle 32: "appropriate technical measures"Up to €20M / 4% turnover
ISO 27001A.8.8: Management of technical vulnerabilitiesCertification risk
PCI DSS 4.0Quarterly external ASV scans, internal scanning, annual pentestingPCI non-compliance fines

Building a Vulnerability Management Program

Remediation SLAs (Example)

Risk LevelInternet-FacingInternal CriticalInternal Standard
Critical24 hours72 hours7 days
High7 days14 days30 days
Medium30 days60 days90 days
Low90 days180 daysNext maintenance

Key Metrics to Track


How KENSAI Automates Vulnerability Management

Continuous Discovery

KENSAI scans web applications, APIs, and infrastructure with a database of 332,000+ CVEs continuously updated. Identifies both known vulnerabilities and misconfigurations across your entire attack surface.

AI-Powered Prioritization

Goes beyond CVSS: cross-references active threat intelligence, considers real-world exploitation data, reduces false positives through intelligent analysis, and delivers risk-based prioritization so you focus on what matters.

Automated Compliance Reporting

Every scan generates reports aligned with NIS2, DSGVO/GDPR, DORA, and ISO 27001 — documented vulnerability handling and disclosure evidence for auditors and regulators.

Remediation Guidance

Actionable fix recommendations for every finding. Reduces the time and expertise required to close vulnerabilities.

Pricing

Professional: €990/month — ideal for growing businesses. Enterprise: €2,490/month — advanced features and higher scan volumes.


FAQ

What is vulnerability management?

The continuous process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities. Unlike one-time assessments, it's an ongoing program with structured discovery, risk-based prioritization, and tracked remediation with defined SLAs.

What is risk-based vulnerability management?

RBVM prioritizes by actual risk (threat intelligence + asset criticality + exposure) rather than CVSS severity alone. Reduces the actionable backlog by 80–90% and focuses resources on genuinely dangerous vulnerabilities.

What is the difference between CVSS and EPSS?

CVSS rates severity (static, 0–10). EPSS predicts exploitation probability (dynamic, updated daily). Used together, they provide both severity context and exploitation likelihood for superior prioritization.

How often should vulnerability scans be run?

Critical/internet-facing: at least weekly (daily or continuous preferred). Internal: monthly minimum. After significant changes: always. The trend is continuous scanning.

How does vulnerability management support NIS2 compliance?

NIS2 Article 21 explicitly requires "vulnerability handling and disclosure." A compliant program must demonstrate systematic discovery, risk-based prioritization, defined SLAs, verification, continuous monitoring, and documented processes.

What's the most important metric?

MTTR for critical/high-risk vulnerabilities — it directly measures how quickly you close your most dangerous exposure windows.

Try KENSAI Free

Take control of your vulnerability management. AI-powered discovery, prioritization, and compliance reporting.

Start Free Scan →

Security is not optional.

🗡️ The KENSAI Team