
Vulnerability Management Runbook

Scanning, Remediation & SLA-Based Patching Workflow

Overview

Vulnerability management is not just scanning and patching. It is a continuous process of identifying, prioritizing, remediating, and verifying security weaknesses across your entire attack surface. This runbook documents the end-to-end workflow from scan configuration through remediation tracking, exception handling, and reporting. It gives SOC and IT operations teams a shared playbook for reducing organizational risk systematically.

Vulnerability Management Lifecycle

  • Asset discovery and inventory: know what you are scanning
  • Vulnerability scanning: scheduled and ad-hoc scans across all asset types
  • Prioritization: risk-based ranking using CVSS, EPSS, asset criticality, and threat context
  • Remediation: patching, configuration changes, compensating controls
  • Verification: rescan to confirm vulnerabilities are resolved
  • Reporting: metrics and trends for leadership and compliance
  • Exception management: documented risk acceptance for vulnerabilities that cannot be fixed

Remediation SLAs by Severity

Severity       | CVSS range  | Remediation SLA | Verification scan
Critical       | 9.0 - 10.0  | 7 days          | Within 48 hours of remediation
High           | 7.0 - 8.9   | 30 days         | Within 1 week
Medium         | 4.0 - 6.9   | 60 days         | Next scheduled scan
Low            | 0.1 - 3.9   | 90 days         | Next scheduled scan
Informational  | 0.0         | Best effort     | N/A

Prioritization Beyond CVSS

CVSS scores alone do not tell you which vulnerabilities to fix first. A CVSS 9.8 on an isolated test server matters less than a CVSS 7.5 on your internet-facing payment processing system. Layer in asset criticality, network exposure, exploit availability (check CISA KEV and EPSS scores), and active threat intelligence. A vulnerability with a public exploit being actively used in the wild against your industry needs immediate attention regardless of its CVSS score. Build a risk-based prioritization model that considers these factors together.

Exception and Risk Acceptance Process

Some vulnerabilities cannot be fixed due to legacy system constraints, vendor dependencies, or business continuity requirements. Have a formal exception process that requires a documented risk acceptance, compensating controls, an expiration date, and executive sign-off. Track all exceptions centrally so they do not become forgotten risks. Review active exceptions quarterly and validate that compensating controls are still effective. Set maximum exception durations: no exception should live longer than 12 months without renewal and re-justification.

Metrics and Reporting

  • Track mean time to remediate (MTTR) by severity level and trend over time
  • Measure SLA compliance rates for each severity tier
  • Report vulnerability aging: how many critical and high vulnerabilities are past their SLA
  • Track scan coverage: percentage of assets scanned in the last 30 days
  • Monitor exception counts and aging to prevent risk acceptance creep
  • Report to leadership monthly with a risk trend dashboard and list of overdue critical items

Frequently Asked Questions

How often should vulnerability scans be run?

Weekly for external-facing assets and monthly for internal assets at minimum. Critical assets should be scanned continuously or after every significant change. Ad-hoc scans should follow major vulnerability disclosures.

Should we scan production systems?

Yes, but carefully. Use credentialed scans during low-traffic windows. Coordinate with operations teams and have a rollback plan. Not scanning production means your highest-risk environment has the least visibility.

What is the difference between CVSS and EPSS?

CVSS measures the intrinsic severity of a vulnerability. EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited in the next 30 days. Used together, they give a more complete picture of real-world risk.

How do we handle vulnerability backlogs?

Prioritize ruthlessly using risk-based criteria. Focus on externally reachable, exploitable vulnerabilities first. Use compensating controls for anything you cannot patch immediately. Break the backlog into sprints and track progress weekly.

What role does vulnerability management play in compliance?

Nearly every compliance framework requires vulnerability management: PCI DSS, SOC 2, ISO 27001, HIPAA, and NIST CSF all include requirements for regular scanning, timely patching, and documented remediation processes.


© 2026 Hunto AI. Copyright. All Rights Reserved