Who this page is for
Security leaders, IT operations, auditors and anyone managing vulnerabilities in a structured way.
What makes it a process
Vulnerability management is recurring: know your assets, find vulnerabilities, assess them in business context, treat them and verify the outcome. A one-off scan is not vulnerability management.
Steps
- Inventory: what assets exist?
- Scanning: regular discovery, internal and external.
- Assessment: technical and business-context.
- Prioritisation: criticality, exposure, in-the-wild exploitation.
- Remediation: through patch management or compensating controls.
- Verification: were vulnerabilities really closed?
Assessing with CVSS
CVSS is a technical aid for severity. It does not replace business context. A high CVSS on an isolated system can matter less than a medium one on an internet-facing service.
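The prioritisation and verification steps above, worked through as an added example (not code from the original page): the weights, tiers and sample findings are assumptions constructed for illustration, and the CVE identifiers are placeholders, not real advisories. It shows how a medium CVSS on an exposed, critical, actively exploited service outranks a high CVSS on an isolated low-value host, and how a rescan is compared against the previous cycle so that "closed" is proven rather than assumed.

```python
from dataclasses import dataclass

# Weights are illustrative assumptions, not a standard; tune them to your own risk appetite.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0, "isolated": 0.5}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.7}
EXPLOITED_BONUS = 3.0  # known in-the-wild exploitation pushes a finding up

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str          # placeholder ids in the sample data below, not real advisories
    cvss: float       # CVSS base score, 0.0-10.0
    exposure: str     # "internet" | "internal" | "isolated"
    criticality: str  # business criticality of the asset: "high" | "medium" | "low"
    exploited: bool   # exploitation observed in the wild

def risk_score(f: Finding) -> float:
    """CVSS is the technical input; exposure, criticality and exploitation add the business context."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * CRITICALITY_WEIGHT[f.criticality]
    return round(score + (EXPLOITED_BONUS if f.exploited else 0.0), 1)

def remediation_tier(f: Finding) -> str:
    """Map the contextual score to a treatment tier (thresholds are assumptions)."""
    score = risk_score(f)
    if f.exploited or score >= 12.0:
        return "urgent"
    return "scheduled" if score >= 7.0 else "backlog"

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first, regardless of raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)

def finding_key(f: Finding) -> str:
    return f"{f.asset}:{f.cve}"

def verify_closure(before: list[Finding], after: list[Finding]) -> dict[str, list[str]]:
    """Verification step: a finding is closed only when the same asset/CVE pair is absent from the rescan."""
    open_now = {finding_key(f) for f in after}
    return {
        "closed": sorted(k for k in map(finding_key, before) if k not in open_now),
        "still_open": sorted(k for k in map(finding_key, before) if k in open_now),
    }

# Constructed sample data with placeholder CVE identifiers.
SAMPLE = [
    Finding("db-backup-01", "CVE-0000-0001", 9.8, "isolated", "low", False),
    Finding("www-shop", "CVE-0000-0002", 6.5, "internet", "high", True),
    Finding("hr-portal", "CVE-0000-0003", 7.5, "internal", "medium", False),
]
```

Running `prioritise(SAMPLE)` places www-shop (CVSS 6.5) ahead of db-backup-01 (CVSS 9.8); feeding the previous cycle and a rescan into `verify_closure` yields the documented evidence the checklist asks for.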
Common mistakes
Scans without a solid asset basis, no business-context prioritisation, a weak link to patch management, no verification, and no transparency for leadership.
Checklist
- Asset inventory as the basis
- Regular internal and external scans
- Assessment in business context, not only CVSS
- Clear integration with patch management
- Verification documented
- Reporting to leadership and audit
Frequently asked questions
How often should I scan?
Regularly and event-driven. Internet-facing systems frequently, internal systems at least on a fixed schedule.
Is an external scan enough?
No. Internal vulnerabilities matter once someone has a foothold inside the network.