What is Vulnerability Management?

Vulnerability management (VM) is the continual process of identifying, evaluating, reporting, managing, and then remediating IT infrastructure vulnerabilities.  An efficient vulnerability management program combines a team of trained IT experts and security solutions. VM helps minimize attack surface areas by proactively scanning, detecting, and prioritizing vulnerabilities, which then allows the security team to step in and help guide remediation efforts.

Why Vulnerability Management is Important

Cyberattacks aren’t going away. As organizations adopt digital flexibility into their business strategy, cybersecurity gaps can persist. As attack methods evolve and newer opportunities to exploit weaknesses are found, vulnerability management becomes even more important for proactive security.

The average cost for a data breach has risen to $9.44M in the United States and globally, $4.35M. Compliance and regulation penalties, downtime to fix cybersecurity weaknesses, and customer loss are the largest portions of these costs.

On average it takes 9 months to discover a data breach has occurred. In that timeframe, the cost of recovering from data theft becomes more than money. An organization’s reputation and customer trust plummets, and executive liability and accountability is now being taken into account during the penalty phase of a data breach. The initial damage is monetary; however, the long-lasting impact is the ability to regain consumer trust in your business.

Designing and implementing vulnerability management into a proactive, layered cybersecurity stack is a fraction of the cost when compared to the penalties and reputation damage that can be levied after a breach.

The Stages of the Vulnerability Management Lifecycle


  1. Identify VulnerabilitiesVulnerability management solutions take inventory of all assets across an environment, identifying details such as operating systems, applications, services, and configurations when searching for vulnerabilities. These include network scans and authentication-based scans. This is often performed regularly through automated schedules.
  2. Prioritize Remediation Tasks – Identified vulnerabilities need to be categorized and assigned risk-based prioritization based on company-specific risk context.
  3. Assess Improvement – Establishing a risk baseline for point of references as vulnerabilities are remediated. Assessments allow ongoing baseline over time, and create proof of value conversations with intuitive reporting and understandable metrics.
  4. Remediate Vulnerabilities, Threats - Vulnerabilities need to be fixed. Controls should be in place for remediation to be successfully completed while documenting progress.
  5. Verify Remediation - Remediation effectiveness can be validated through post remediation scanning, scoring, and reporting.
  6. Secure Posture Reporting - Executives and teams need to understand the risks associated with every vulnerability. IT needs to report on vulnerabilities identified and remediated, so executives can provide a summary of a vulnerability’s state.

Vulnerabilities vs. Threats vs. Risks

Network security is all about identifying and remediating security vulnerabilities, the success of which depends greatly on risk assessment and threat identification. Many discussions about security use the terms vulnerability, risk, and threat interchangeably. But in the cybersecurity world they have very different meanings. 

A vulnerability, simply put, is a gap in a company’s network security. These security holes can be anywhere across the network, from servers to workstations, smartphones to IoT devices. It’s a known weakness that could be exploited, the door through which the attacker can enter. Common vulnerabilities include data that isn’t backed up, an unsecure cloud configuration, lax standards around data access, and weak or non-existent data recovery plans. Vulnerability scans identify system vulnerabilities, making a security gap easier to address. 

A threat is something that can exploit a vulnerability. It is what an organization is defending itself against. A threat can be deliberate, like viruses and malware, or unintended, like lost credentials. Some of the top threats according to Verizon’s Data Breach Investigation’s Report (DBIR) in 2020 included: 

  • denial of service 
  • phishing 
  • mis-delivery of documents and email 
  • use of stolen credentials 

Broadly, threats can be broken down into four buckets: structured, unstructured, internal, and external. The threat landscape is always in flux so it can be difficult to know what’s coming. But a strong IT security team can take steps like staying aware of existing and evolving threats, employing good vulnerability management software, and performing penetration testing based on known threats. 

Risk is the possible damage that could happen when a threat exploits a vulnerability. A risk might include: 

  • possible financial loss 
  • data loss or corruption 
  • reputational damage 
  • legal and compliance problems. 

Every company should know its risk context, which forms the basis of how to tackle known security vulnerabilities. All organizations face cyber security risks but understanding the specific risks a company or enterprise is likely to encounter can help prioritize remediation.

A good VM program must understand a specific customer’s risks to find and remediate vulnerabilities, which reduces the possibility of harm from new and existing threats. 

Components of a Vulnerability Management Program 

Vulnerability management contains different components. Legacy VM may only contain scanning and detection, however risk-based vulnerability management will include reporting, prioritization, and apply threat context analysis.

Vulnerability Assessment

Vulnerability assessment is a single point in time activity, compared to the ongoing nature of VM, that discovers security weaknesses within operating systems, software and/or hardware elements being assessed. Vulnerability assessments are usually an automated process that may span days or even weeks. Essentially, a given assessment is an engagement that occurs once. An organization that receives the information gleaned from a vulnerability assessment will likely act based on the findings. For example, the organization may correlate the identified vulnerabilities with knowledge of exploit availability, security architecture, and real-world threats. An organization will also likely attempt to remediate some of the identified vulnerabilities and will assign those deemed critical to their IT security staff. Although performing a one-time assessment followed by taking the aforementioned actions are critical activities and are elements of VM, if an organization stops at a one-time assessment and does not perform recurring vulnerability assessments, it’s not really vulnerability management. VM is continuous, repeated instances of vulnerability assessment.

Vulnerability Scanning

Vulnerability scanning scans all internal and external assets whether on-premise, cloud-based, or hybrid. Scanning provides information needed to assess the security posture of the devices connected to an organization’s networks across the globe on an individual IP or enterprise-wide basis. Scan needs to include hardware, networks, and applications to be effective. Vulnerability scan types include:

  • external
  • internal
  • authorized
  • unauthorized
  • comprehensive
  • limited

Vulnerability scans are different from penetration tests. Penetration tests are designed to actively exploit weaknesses to prove they are exploitable. Vulnerability scanning serves to identify vulnerabilities and create awareness of them so they can be mitigated.

Penetration Testing

Penetration testing, also known as ethical hacking, is another part of comprehensive VM. It’s sometimes confused with vulnerability scanning but differs in a few ways. Scanning is usually automated and broad and detects a wide variety of vulnerabilities. A penetration test, or pen test, is typically a manual test done by a security professional to find and exploit a specific system vulnerability. Together, a vulnerability scan may find vulnerabilities and a pen test determines if a potential vulnerability is truly exploitable and if it could lead to data compromise. Learn more about vulnerability scanning vs. pen testing >

Organizations can use pen testing services or pen testing software.  Pen testing software is available to companies that already have an IT security team in place, and they need the tools to conduct their own testing.  Pen testing services include an outside security team to conduct their own security tests.

Based on these results, companies can examine the financial, resource, and reputational cost of a potential breach and then plan remediation.

Vulnerability Management Benefits 

A thorough and well-executed VM program delivers risk reduction and damage mitigation to organizations of all sizes across the industry spectrum. Additional benefits of vulnerability management include:

Real-time security visibility across all assets

Availability of security program reports

Discovery of priorities for developer education to mitigate future vulnerabilities

Efficient use of personnel resources

Compliance with security protocols

Speedy remediation

Vulnerability Management vs. Risk-Based Vulnerability Management

There’s a big difference between vulnerability management and risk-based vulnerability management (RBVM).  Legacy vulnerability management scans and discovers vulnerabilities, without adding any risk context or threat prioritization.  RBVM scans, discovers, and then applies insight into the severity and threat context of found vulnerabilities and the potential damage they can cause. 

Risk-based vulnerability management uses intelligent automation to prioritize an organization’s asset management.  It can find critical, exploitable vulnerabilities that are located near sensitive company data and prioritize those weaknesses based on the likelihood of exploitation as well as the company data that can be compromised.   

RBVM scans, prioritizes, and generates reports based on each company’s individual network and assets.  This customization helps enterprises focus on the vulnerabilities that are an actual threat to them and doesn’t overload IT teams with every potential vulnerability, whether it’s dangerous to them or not. 

Read more about risk-based vulnerability vulnerability management >

What to Look for in a VM Solution

Each organization has their own unique cybersecurity concerns that need to be taken into consideration when selecting the right vulnerability management solution. Below are a few things you may want to consider during your search. 


Fast and easy deployment is critical. Look for a solution with a flexible SaaS platform that can be stood up in hours vs. days and scale up or down with your business needs. 

Security Gap Coverage

Vulnerability management should help secure and monitor security gaps and help optimize your resources so your team can be more productive.  Learn how a fast-growing company implemented a vulnerability management solution for responsive and scalable cybersecurity coverage.

Quality of Support

Without top notch support, many solutions may not perform at their peak abilityGet the most out of your investment with a highly rated customer support team.

Ease of Use

A vulnerability management solution isn’t effective if it’s too complicated to use.  The faster and easier a VM solution is implemented and understood, the faster you can begin protecting your business with scanning, monitoring, and reporting on security weaknesses.

Regulations and Compliance Standards

Key industries require adherence to compliance regulations and standardsVM solutions should not only help you comply with those regulations, but should also evolve with changing industry compliance standards.

Vulnerability Management Solutions from Digital Defense

Fortra Vulnerability Management

The industry’s most comprehensive, accurate, and easy-to-use SaaS vulnerability management solution.

Learn More >

Web Application Scanning

Easy to conduct dynamic testing with accurate assessment results, no matter how often your web apps change. 

Learn More >

Active Threat Sweep

Quickly and reliably assesses active threats in your network using powerful, patented technology. 

Learn More >

Penetration Test

Proven and exhaustive penetration testing that identifies cyber security weaknesses before they're attacked. 

Learn More >

Get Expert Help Choosing Your Security Solution

Our professionals will help your company select the right vulnerability management solution