Vulnerability Management: The Complete Lifecycle for Finding, Prioritizing, and Remediating Weaknesses

Over 30,000 CVEs were published in 2025 alone. No organization can patch everything immediately. Effective vulnerability management is not about scanning — it is about the discipline of finding vulnerabilities, understanding which ones matter most to your specific environment, and remediating them before attackers exploit them. The organizations that get breached are rarely the ones without scanners; they are the ones without prioritization.
This guide covers the complete vulnerability management lifecycle: asset discovery, scanning strategies, risk-based prioritization that goes beyond CVSS scores, remediation SLAs, verification, and regulatory alignment with DORA and NIS2.
The Vulnerability Management Lifecycle
1. Asset Discovery
You cannot protect what you do not know about. Maintain a comprehensive, continuously updated asset inventory: on-premises servers and workstations, cloud instances, containers, and serverless functions, network devices (routers, switches, firewalls, wireless access points), IoT and OT systems, shadow IT and unsanctioned cloud services. Automated discovery tools should scan your network continuously, not on a quarterly schedule. Every new asset that appears should be classified and included in vulnerability scanning within 24 hours.
2. Vulnerability Scanning
Regular automated scans identify known vulnerabilities across your environment. Scan types and their roles:
- Network-based external scans: Identify vulnerabilities visible from the internet. Run weekly.
- Network-based internal scans: Cover the internal attack surface. Run bi-weekly to monthly.
- Authenticated (credentialed) scans: Log into systems for deeper assessment with fewer false positives, using a dedicated least-privilege scan account whose credentials the scanner pulls from a vault integration rather than a shared admin password. Monthly for servers, quarterly for workstations.
- Agent-based scanning: Lightweight agents on endpoints report vulnerability data continuously, without the scanner needing network reachability to the host. Best for cloud instances, laptops and other remote devices.
- Container and image scanning: Scan container images in CI/CD pipelines before deployment. Block deployment of images with critical vulnerabilities.
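The CI/CD gate described in the last item, as an added worked example in Python. This is not code from this guide or from any scanner vendor: the JSON report shape (package, installed and fixed versions, CVE, severity), the placeholder CVE ids and the exception register are all constructed for the example, so the loader has to be adapted to whatever your scanner actually emits. It shows the two things a bare "block on critical" policy tends to miss: a critical with no fix available still blocks until someone records a mitigation or an approved exception, and exceptions are time-boxed so an expired one stops applying.

```python
"""Pipeline image gate: block on critical findings, honour time-boxed exceptions.

Added example for this guide, not a scanner's own output format. Every CVE id,
package and approver below is a placeholder.
"""
import json
import sys
from datetime import date

BLOCK_SEVERITIES = {"CRITICAL"}      # policy: critical blocks, high is reported only
BUILD_DATE = date(2025, 3, 1)        # constructed build date used by the demo

# Constructed scan report for a hypothetical image (simplified shape)
REPORT_JSON = """
{"image": "payments-api:1.4.2", "vulnerabilities": [
  {"pkg": "openssl", "installed": "3.0.2",  "fixed": "3.0.13", "cve": "CVE-2024-1001", "severity": "CRITICAL"},
  {"pkg": "libxml2", "installed": "2.9.14", "fixed": null,     "cve": "CVE-2024-1002", "severity": "CRITICAL"},
  {"pkg": "curl",    "installed": "7.81.0", "fixed": "7.81.1", "cve": "CVE-2024-1003", "severity": "HIGH"},
  {"pkg": "zlib",    "installed": "1.2.11", "fixed": "1.2.13", "cve": "CVE-2024-1004", "severity": "CRITICAL"}
]}
"""

# Constructed exception register: each documented risk acceptance carries an
# approver, a tracking ticket and an expiry date (assumed format)
EXCEPTIONS = {
    "CVE-2024-1004": {"approved_by": "ciso", "ticket": "RISK-42", "expires": "2025-06-30",
                      "reason": "vulnerable function not reachable in this image"},
    "CVE-2024-1001": {"approved_by": "dev-lead", "ticket": "RISK-17", "expires": "2025-01-15",
                      "reason": "upgrade scheduled"},   # already expired on BUILD_DATE
}


def evaluate(report_json, exceptions, today):
    """Split findings into (blocking, advisory); the gate fails when blocking is non-empty."""
    report = json.loads(report_json)
    blocking, advisory = [], []
    for v in report["vulnerabilities"]:
        exc = exceptions.get(v["cve"])
        if exc and date.fromisoformat(exc["expires"]) >= today:
            advisory.append({**v, "status": f'excepted until {exc["expires"]} ({exc["ticket"]})'})
            continue
        if v["severity"] in BLOCK_SEVERITIES:
            # A critical with no upstream fix still blocks: the way through is a
            # recorded mitigation or an approved exception, never a silent skip.
            status = ("upgrade to " + v["fixed"]) if v["fixed"] else \
                     "no fix available: needs exception or compensating control"
            blocking.append({**v, "status": status})
        else:
            advisory.append({**v, "status": "report only"})
    return blocking, advisory


def gate(report_json, exceptions, today):
    """Return the pipeline exit code: 0 allows the push, 1 blocks it."""
    blocking, advisory = evaluate(report_json, exceptions, today)
    for v in blocking:
        print(f'BLOCK {v["cve"]} {v["pkg"]} {v["installed"]}: {v["status"]}')
    for v in advisory:
        print(f'note  {v["cve"]} {v["pkg"]}: {v["status"]}')
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(gate(REPORT_JSON, EXCEPTIONS, BUILD_DATE))
```

Run inside the build job after the scan step and let the non-zero exit fail the pipeline; keep the exception register in version control so every accepted risk has a reviewable owner and expiry.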
3. Risk-Based Prioritization
CVSS scores alone are insufficient for prioritization. A CVSS 9.8 vulnerability on an isolated test server is less urgent than a CVSS 7.5 vulnerability on an internet-facing payment system. Effective prioritization combines:
- CVSS base score: Technical severity of the vulnerability
- Asset criticality: Is the system internet-facing? Does it process sensitive data? Does it support a critical business function?
- Exploit availability: Is there a public exploit? Is it being used in the wild? (Check CISA KEV, Exploit-DB, threat intelligence feeds)
- Business context: What is the business impact if this system is compromised? (Link to BIA data)
- Compensating controls: Are there mitigations already in place (WAF rules, network segmentation, EDR detection) that reduce the practical risk?
Two published frameworks structure this contextual prioritization. EPSS (Exploit Prediction Scoring System, maintained by FIRST) estimates the probability that a given CVE will be exploited in the wild within the next 30 days, which separates the small fraction of CVEs that are actually attacked from the mass that never are. SSVC (Stakeholder-Specific Vulnerability Categorization, developed at CMU SEI and adopted by CISA) is a decision tree that turns exploitation status, automatability, technical impact and mission impact into an action such as track, attend or act. Neither replaces CVSS; both add the exploitation and context dimensions that raw CVSS lacks.
4. Remediation
Define remediation SLAs based on prioritized risk level:
- Critical (listed in CISA KEV or otherwise known to be actively exploited, or CVSS 9+ on an internet-facing system): 24–72 hours
- High (CVSS 7–8.9, exploit available): 7–14 days
- Medium (CVSS 4–6.9): 30 days
- Low (CVSS 0–3.9): 90 days
When patching is not immediately possible, implement compensating controls: network isolation of the vulnerable system, WAF rules to block known exploit patterns, EDR detection rules for exploitation attempts, disabled unnecessary features or ports, and documented risk acceptance for low-impact cases with management sign-off.
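The prioritization logic of section 3 and the SLA assignment of section 4, as one added worked example in Python. It is not code from this guide or from any vendor product: the weights, the tier cut-offs, the discount per compensating control, the placeholder CVE ids, the four assets and the KEV and EPSS stand-ins are all assumptions constructed for the example (in production the KEV set comes from CISA's catalog feed and EPSS values from FIRST's API). It reproduces the inversion the text describes: a CVSS 7.5 finding on an internet-facing payment system that is in KEV outranks a CVSS 9.8 finding on a segmented test box, and each finding gets a due date from its tier rather than from its CVSS band.

```python
"""Risk-based prioritization with SLA due dates (added example, assumed weights)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    sensitive_data: bool                 # processes PII, card data, credentials
    business_critical: bool              # supports a critical function per the BIA
    controls: frozenset = frozenset()    # compensating controls already in place


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float
    exploit_public: bool = False         # e.g. a public module in Exploit-DB


# Constructed threat-intel stand-ins (placeholder CVE ids, not real catalog data)
KEV = {"CVE-2024-0001"}
EPSS = {"CVE-2024-0001": 0.93, "CVE-2024-0002": 0.02, "CVE-2024-0003": 0.60}

# Remediation SLA per tier: the upper bound of each band in the guide
SLA_HOURS = {"critical": 72, "high": 14 * 24, "medium": 30 * 24, "low": 90 * 24}
# Assumed discount per compensating control; tune to your environment
CONTROL_FACTOR = {"waf": 0.8, "segmented": 0.7, "edr": 0.9}
DETECTED_AT = datetime(2025, 3, 1, 9, 0)     # constructed detection time


def risk_score(f: Finding) -> float:
    """CVSS base scaled by exposure, impact, exploitability and controls (assumed weights)."""
    score = f.cvss
    a = f.asset
    score *= 1.3 if a.internet_facing else 0.6   # reachability from the internet
    if a.sensitive_data:
        score *= 1.2
    if a.business_critical:
        score *= 1.2
    if f.cve in KEV:                             # known exploitation dominates
        score *= 1.5
    else:
        score *= 1.0 + EPSS.get(f.cve, 0.0)      # probability of exploitation in 30 days
        if f.exploit_public:
            score *= 1.1
    for c in a.controls:                         # mitigations reduce risk, never erase it
        score *= CONTROL_FACTOR.get(c, 1.0)
    return round(score, 2)


def tier(score: float) -> str:
    """Map the contextual score onto the guide's SLA tiers (assumed cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, detected_at):
    """One row per finding, highest contextual risk first, each with its SLA due date."""
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        rows.append({"cve": f.cve, "asset": f.asset.name, "cvss": f.cvss, "score": s,
                     "tier": t, "due": detected_at + timedelta(hours=SLA_HOURS[t])})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed inventory and findings
PAY_API = Asset("pay-api", True, True, True)
TEST_VM = Asset("test-vm-17", False, False, False, frozenset({"segmented"}))
WIKI = Asset("intranet-wiki", False, False, False, frozenset({"edr"}))
WWW = Asset("marketing-www", True, False, False, frozenset({"waf"}))

FINDINGS = [
    Finding("CVE-2024-0002", TEST_VM, 9.8),                   # CVSS 9.8 on an isolated test box
    Finding("CVE-2024-0001", PAY_API, 7.5),                   # CVSS 7.5, in KEV, payment system
    Finding("CVE-2024-0003", WIKI, 8.1, exploit_public=True),
    Finding("CVE-2024-0004", WWW, 9.1),
]


def demo():
    return prioritize(FINDINGS, DETECTED_AT)


if __name__ == "__main__":
    for r in demo():
        print(f'{r["tier"]:8} score {r["score"]:6} (CVSS {r["cvss"]}) {r["cve"]} on '
              f'{r["asset"]}, due {r["due"]:%Y-%m-%d}')
```

The multiplicative form is deliberate: it keeps CVSS as the anchor while letting a KEV listing or an internet-facing payment system move a finding several tiers, and it lets a documented control lower a score without ever zeroing it, which is what a risk-acceptance record needs to show.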
5. Verification and Reporting
After remediation, rescan with the same scan type that produced the finding (an authenticated finding needs an authenticated rescan) to confirm the vulnerability is actually gone, not merely marked as patched in the ticket. Document each remediation action for the audit trail. Report metrics to management: total open vulnerabilities by severity, mean time to remediate (MTTR) by severity, SLA compliance rate, and the trend of each over time. Continuous reporting builds organizational accountability and demonstrates program effectiveness to auditors.
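The verification and reporting step above, as an added worked example in Python that is not code from this guide or from any ticketing or scanner product. The ticket export, the rescan result and the ids in it are constructed; a real run would pull the tickets from Jira or ServiceNow and the rescan from the scanner's API. The point it demonstrates is that closure has to be confirmed by the rescan before it feeds the metrics: a ticket someone marked resolved while the scanner still sees the finding is reopened, and the MTTR and SLA compliance figures change accordingly.

```python
"""Verify closures against a rescan, then compute the reporting metrics (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SLA_HOURS = {"critical": 72, "high": 14 * 24, "medium": 30 * 24, "low": 90 * 24}
NOW = datetime(2025, 3, 12, 9, 0)   # constructed time of the rescan and the report

# Constructed ticket export, one ticket per (asset, CVE); placeholder ids throughout
TICKETS = [
    {"id": "VM-101", "asset": "pay-api", "cve": "CVE-2024-0001", "severity": "critical",
     "opened": "2025-03-01T09:00:00", "closed": "2025-03-03T15:00:00"},  # 54 h, within SLA
    {"id": "VM-102", "asset": "marketing-www", "cve": "CVE-2024-0004", "severity": "critical",
     "opened": "2025-03-01T09:00:00", "closed": "2025-03-06T09:00:00"},  # 120 h, SLA breach
    {"id": "VM-103", "asset": "intranet-wiki", "cve": "CVE-2024-0003", "severity": "high",
     "opened": "2025-03-01T09:00:00", "closed": "2025-03-10T09:00:00"},  # closed, still detected
    {"id": "VM-104", "asset": "test-vm-17", "cve": "CVE-2024-0002", "severity": "medium",
     "opened": "2025-03-01T09:00:00", "closed": None},                    # open, inside SLA
]

# Constructed rescan result: (asset, cve) pairs the scanner still reports at NOW
RESCAN = {("intranet-wiki", "CVE-2024-0003"), ("test-vm-17", "CVE-2024-0002")}


def _ts(s):
    return datetime.fromisoformat(s) if s else None


def verify(tickets, rescan):
    """Reopen every ticket marked closed whose finding the rescan still reports.

    Returns (verified_tickets, reopened_ids). A closure counts only when the
    scanner no longer sees the finding, not when someone changed the status."""
    verified, reopened = [], []
    for t in tickets:
        t = dict(t)                                  # do not mutate the export
        if t["closed"] and (t["asset"], t["cve"]) in rescan:
            t["closed"] = None
            t["note"] = "reopened: still detected on rescan"
            reopened.append(t["id"])
        verified.append(t)
    return verified, reopened


def metrics(tickets, now):
    """Open count by severity, MTTR in hours by severity, and SLA compliance rate.

    Compliance counts closed tickets plus open tickets already past their deadline;
    open tickets still inside their SLA window are not counted either way."""
    open_by_sev = defaultdict(int)
    ttr = defaultdict(list)
    met = counted = 0
    for t in tickets:
        sla = timedelta(hours=SLA_HOURS[t["severity"]])
        opened, closed = _ts(t["opened"]), _ts(t["closed"])
        if closed is None:
            open_by_sev[t["severity"]] += 1
            if now > opened + sla:
                counted += 1                         # overdue: counts as a miss
            continue
        ttr[t["severity"]].append((closed - opened).total_seconds() / 3600)
        counted += 1
        if closed - opened <= sla:
            met += 1
    return {
        "open_by_severity": dict(open_by_sev),
        "mttr_hours": {s: round(sum(v) / len(v), 1) for s, v in ttr.items()},
        "sla_compliance": round(met / counted, 2) if counted else None,
    }


def report(tickets=TICKETS, rescan=RESCAN, now=NOW):
    """Metrics computed only over rescan-verified closures."""
    verified, reopened = verify(tickets, rescan)
    m = metrics(verified, now)
    m["reopened"] = reopened
    return m


if __name__ == "__main__":
    print("before verification:", metrics(TICKETS, NOW))
    print("after verification: ", report())
```

Run `metrics(TICKETS, NOW)` and `report()` side by side: without verification the high-severity MTTR looks like 216 hours and compliance like 67 percent; after the rescan reopens VM-103, the high bucket has no verified closure at all and compliance drops to 50 percent, which is the number an auditor should see.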
Vulnerability Management and Regulatory Compliance
- DORA: Requires financial institutions to have processes for vulnerability identification and remediation as part of the ICT risk management framework. Regular testing is mandatory.
- NIS2: Requires vulnerability handling and disclosure as one of the 10 mandatory security measures. Regular vulnerability assessments are expected.
- ISO 27001 (Annex A 8.8): Technical vulnerability management is a required control, including timely identification and remediation of vulnerabilities.
- CRA: Product manufacturers must handle vulnerabilities throughout the product's support period and report actively exploited vulnerabilities to ENISA and the designated coordinating CSIRT through the single reporting platform, starting with an early warning within 24 hours of becoming aware.
Frequently Asked Questions
How often should we scan for vulnerabilities?
External perimeter: weekly. Internal networks: bi-weekly to monthly. Critical systems: continuously (agent-based). Container images: at every build in CI/CD. DORA and NIS2 expect regular assessments — quarterly at minimum, continuous as best practice.
What is the difference between vulnerability management and patch management?
Vulnerability management is the broader discipline: discover, assess, prioritize, and track all vulnerabilities across all systems. Patch management is one remediation method: applying vendor-provided software updates. Not all vulnerabilities have patches (zero-days, design flaws, misconfigurations). Not all patches address vulnerabilities (feature updates). Vulnerability management is the strategy; patching is one tactic within it.
How do we handle vulnerabilities without patches?
Compensating controls: network segmentation (isolate the system), WAF rules (block known exploits), EDR monitoring (detect exploitation), feature disabling (remove the vulnerable component), virtual patching (IPS rules), and documented risk acceptance for residual risk with management approval.
What tools do we need?
Minimum: vulnerability scanner (Tenable, Qualys, Rapid7), asset inventory (integrated or standalone CMDB), and a tracking system (Jira, ServiceNow) for remediation workflow. Advanced: CSPM for cloud, container scanning in CI/CD, EPSS for prioritization, and integration with SIEM/SOAR for automated response to critical findings.