The Vulnerability Lifecycle
Effective vulnerability management is a continuous cycle: discover, prioritise, remediate, verify, and report. Most organisations are good at discovery but poor at prioritisation and verification.
Risk-Based Prioritisation
Not all CVEs are equal. Use CVSS scores as a baseline, but enrich with threat intelligence to understand exploitability in the wild. Patch exploited-in-the-wild vulnerabilities within 24 hours regardless of CVSS score.
SLA Targets
- Critical (CVSS 9+, actively exploited): 24 hours
- High (CVSS 7-8.9): 7 days
- Medium (CVSS 4-6.9): 30 days
- Low (CVSS <4): 90 days