Vulnerability management.

Vulnerability management is the cycle of discovering, prioritising, remediating and verifying vulnerabilities in your estate. Scanners flag thousands; the discipline is in the prioritisation (asset criticality + exploit availability + business exposure) rather than the scan. CVE, CVSS and KEV are the vocabulary.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyCybersecurity operationsAll entries

The Cyber Academy take

Vulnerability management is the cycle of discovering, prioritising, remediating and verifying vulnerabilities in your estate. Scanners flag thousands; the discipline is in the prioritisation (asset criticality + exploit availability + business exposure) rather than the scan. CVE, CVSS and KEV are the vocabulary.

A cycle, not a scan

Vulnerability management is often reduced to "run the scanner", but the scan is the easy part. The discipline is a repeating cycle: maintain an accurate inventory of what you own, discover the weaknesses on those assets, prioritise the handful that actually matter, remediate them, and verify the fix held. A modern scanner will hand you thousands of findings on a medium estate. Treating that list as a to-do queue is how teams burn out while their real exposure stays open. The value is in the funnel from thousands of raw findings down to the small set you act on this week.

It also depends on something most teams underestimate: knowing your estate. A vulnerability on an internet-facing server running a critical business application is a different problem from the same flaw on an isolated test box. Without asset inventory and ownership, prioritisation has nothing to stand on, which is why the cycle starts with discovery and identification rather than the scan itself.

The vocabulary: CVE, CVSS and KEV

Three reference points carry most of the prioritisation conversation, and practitioners use them in combination rather than alone.

How CVE, CVSS and KEV are used
TermWhat it isWhat it tells you
CVEA unique identifier for a publicly disclosed vulnerabilityA common name so everyone is talking about the same flaw across tools and advisories.
CVSSA scoring framework that rates severityHow bad the flaw is in theory, by impact and exploitability characteristics. A starting point, not a verdict.
KEVA catalogue of vulnerabilities known to be exploited in the wildWhether attackers are actually using it now, which sharply raises real-world priority.

The common mistake is to sort by CVSS score and work top down. A high CVSS on an asset nobody can reach matters less than a medium-rated flaw that sits in a known-exploited catalogue on an exposed system. Mature programmes blend the theoretical severity with real signals: is there a working exploit, is the vulnerability being actively exploited, and how exposed and critical is the affected asset. That combination, not the raw score, is what drives the queue.

Prioritisation is the whole job

The honest framing is that prioritisation is the product of vulnerability management. The inputs are asset criticality, exploit availability and business exposure, and the output is a defensible decision about what gets fixed first and what waits. This is where the function earns its keep, because no team can or should remediate everything at once.

  1. Asset criticality: what the system does for the business and what it can reach if compromised.
  2. Exploit availability: whether a working exploit exists and whether the flaw is being used in the wild.
  3. Business exposure: is the asset internet-facing, what data it holds, and what compensating controls already sit in front of it.

Where it fits in governance

Vulnerability management is rarely optional once you are inside a recognised framework. An ISO/IEC 27001 ISMS expects a defined process for managing technical vulnerabilities, and auditors will ask to see the cycle running, not just a scanner licence. The NIST Cybersecurity Framework treats identifying and managing vulnerabilities as core to the Identify and Protect functions, and regulations such as NIS2 and DORA assume organisations actively find and remediate weaknesses rather than waiting for an incident to reveal them. In every case the evidence an assessor wants is the same shape: how you discover, how you prioritise, the SLAs you remediate against, and the metrics that prove the cycle is closing.

Frequently asked questions

01What is the difference between vulnerability management and patch management?

Vulnerability management is the full cycle of discovering, prioritising, remediating and verifying weaknesses across your estate. Patch management is the narrower operational process of applying a published fix on a defined SLA with verification. Patching is one common remediation path within vulnerability management, but not the only one.

02Should I just fix the highest CVSS scores first?

No. CVSS rates theoretical severity but ignores whether the flaw is reachable, exploited in the wild, or sitting on a critical asset. A better order blends CVSS with exploit availability, known-exploited status and your own asset criticality and exposure.

03What are CVE, CVSS and KEV?

CVE is the common identifier for a specific disclosed vulnerability. CVSS is a framework that scores how severe a vulnerability is. KEV is a catalogue of vulnerabilities known to be actively exploited, which raises their real-world priority sharply.

04Why is asset inventory part of vulnerability management?

You cannot prioritise what you cannot see. The same flaw is trivial on an isolated test box and urgent on an exposed business-critical server. Accurate inventory and ownership are what let you turn a flat list of findings into a defensible remediation order.

05Is vulnerability management required for compliance?

Effectively yes within most frameworks. ISO/IEC 27001 expects a managed process for technical vulnerabilities, the NIST CSF builds it into the Identify and Protect functions, and regulations like NIS2 and DORA assume you actively find and fix weaknesses. Assessors look for the cycle, SLAs and metrics, not just a scan report.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.