Vulnerability management explained

Vulnerability management is the discipline of deciding which weaknesses matter, what should be fixed first, and how action is tracked over time. Many organisations already have scanners, feeds, or pentest reports, but still lack a clear way to separate urgent issues from background noise.

What vulnerability management is

Vulnerability management is more than running tools. It includes:

  • discovering weaknesses
  • understanding relevance
  • prioritising action
  • assigning ownership
  • deciding between remediation, mitigation, or acceptance
  • tracking progress over time

That is why scanning is useful but not sufficient.

Does this apply to us?

It probably does if your organisation:

  • runs vulnerability scanners, pentests, SAST, DAST, or dependency scanning
  • has more findings than it can realistically action
  • struggles to separate severe-looking issues from truly urgent ones
  • lacks consistent remediation ownership
  • wants a better decision model for patching and exceptions
  • needs to explain priorities to management or customers

Common misunderstandings

“High severity means high priority.”

Not always. Severity matters, but exposure, exploitability, asset importance, and business context matter too.

“If we scan regularly, we are managing vulnerabilities.”

Not necessarily. Good management requires decisions, ownership, and follow-through.

“More findings means more maturity.”

No. More findings can simply mean more noise if there is no clear action model.

“We need to fix everything immediately.”

Usually not possible. Strong programmes focus first on what creates the most real risk.

What changes in practice

Better vulnerability management usually means improving:

  • asset and dependency context
  • prioritisation logic
  • remediation ownership
  • timelines and exception handling
  • the connection between tools and human decision-making
  • management visibility into real risk rather than raw volume

It also means accepting that vulnerability management is partly an operational discipline — not only a tool configuration problem.

Common gaps

Typical issues include:

  • teams drowning in scanner output without a shared priority model
  • CVSS treated as the full answer for prioritisation
  • weak use of exploitability or exposure context
  • patching effort not aligned to business criticality
  • findings reopened or ignored because ownership is vague
  • pentest reports and scanner data managed separately without one decision model

How WFH Labs helps

WFH Labs helps teams understand where the current prioritisation approach is weak or inconsistent. We help connect findings to exposure, exploitability, criticality, and operational reality — and clarify how findings move from identification to decision to action.

Where relevant, we connect vulnerability management to architecture, secure delivery, dependency transparency, and assurance expectations.

See the vulnerability management service page for engagement details.

FAQ

Is vulnerability management the same as vulnerability scanning?

No. Scanning is one input. Management includes prioritisation, decision-making, treatment, and tracking.

Is CVSS enough?

Usually not. It is useful, but it does not replace context about exposure, exploitability, and business importance.

Why do teams with many tools still struggle?

Because data is easier to generate than to interpret and act on.

What makes a finding urgent?

Usually some combination of exploitability, exposure, asset criticality, and operational importance — not just the CVSS score.
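To make the point in the misunderstandings section (“High severity means high priority”) and in this answer concrete, here is an added Python sketch of a single decision model that takes scanner findings and pentest findings, puts them on one scale, and ranks them by severity scaled with exposure, exploitability and asset criticality. It is an illustration written for this page, not WFH Labs' method or any tool's output; the multipliers, tier thresholds, severity-label mapping, field names and sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Pentest reports often carry a severity word rather than a CVSS score.
# This mapping puts them on the same 0-10 scale as scanner output so one
# decision model covers both sources. The numbers are assumptions for
# this example, not a standard.
SEVERITY_LABEL_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 3.0}


@dataclass
class Finding:
    finding_id: str
    source: str              # "scanner" or "pentest"
    asset: str
    severity: float          # CVSS base score or mapped label, 0-10
    internet_exposed: bool   # exposure context, from the asset inventory
    exploit_known: bool      # public exploit or reported exploitation
    asset_criticality: int   # 1 (low) .. 5 (business-critical)
    owner: Optional[str] = None   # remediation owner; None = unassigned


def normalise(raw: dict) -> Finding:
    """Turn a scanner or pentest record (constructed dict shape) into one Finding."""
    severity = raw.get("cvss")
    if severity is None:
        severity = SEVERITY_LABEL_TO_SCORE[raw["severity_label"].lower()]
    return Finding(
        finding_id=raw["id"],
        source=raw["source"],
        asset=raw["asset"],
        severity=float(severity),
        internet_exposed=raw["internet_exposed"],
        exploit_known=raw["exploit_known"],
        asset_criticality=raw["asset_criticality"],
        owner=raw.get("owner"),
    )


def priority_score(f: Finding) -> float:
    """Severity scaled by exposure, exploitability and asset importance.

    The multipliers are illustrative assumptions; a real programme would
    tune them. The shape is the point: a high CVSS on an internal,
    low-value asset with no known exploit should rank below a lower CVSS
    that is exposed, exploited in the wild and sitting on a critical system.
    """
    exposure = 1.0 if f.internet_exposed else 0.5
    exploitability = 1.0 if f.exploit_known else 0.4
    importance = 0.4 + 0.6 * (f.asset_criticality / 5)   # 0.52 .. 1.0
    return round(f.severity * exposure * exploitability * importance, 2)


def tier(score: float) -> str:
    """Map a score to an action tier. Thresholds are assumed policy values."""
    if score >= 6.0:
        return "P1 - remediate now"
    if score >= 2.0:
        return "P2 - schedule in the next patch cycle"
    return "P3 - mitigate or accept with a documented review date"


def prioritise(raw_findings: List[dict]) -> List[dict]:
    """Normalise, score and rank findings; flag missing ownership explicitly."""
    findings = [normalise(r) for r in raw_findings]
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        {
            "id": f.finding_id,
            "source": f.source,
            "severity": f.severity,
            "score": priority_score(f),
            "tier": tier(priority_score(f)),
            "owner": f.owner or "UNASSIGNED",
        }
        for f in ranked
    ]


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    {"id": "F-1", "source": "scanner", "asset": "build-agent-07", "cvss": 9.8,
     "internet_exposed": False, "exploit_known": False, "asset_criticality": 2,
     "owner": "platform-team"},
    {"id": "F-2", "source": "scanner", "asset": "customer-portal", "cvss": 6.5,
     "internet_exposed": True, "exploit_known": True, "asset_criticality": 5},
    {"id": "F-3", "source": "pentest", "asset": "payments-api", "severity_label": "High",
     "internet_exposed": True, "exploit_known": True, "asset_criticality": 4,
     "owner": "payments-team"},
    {"id": "F-4", "source": "scanner", "asset": "intranet-wiki", "cvss": 7.5,
     "internet_exposed": True, "exploit_known": False, "asset_criticality": 3,
     "owner": "it-ops"},
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(row)
```

Run as a script, the CVSS 9.8 finding on the internal build agent lands last as a P3, while the 6.5 on the exposed, actively exploited customer portal is a P1 with no owner, which is exactly the kind of gap a tracking process should surface rather than hide behind the raw score.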



Next step

Need a stronger vulnerability management approach?

WFH Labs helps teams move from finding overload to a practical decision model. A short discussion of the current process is usually the right starting point.