When it becomes a management task
Vulnerability management becomes a management task when a company already has a scanner, reports, critical CVEs and regular meetings, but it is unclear what the asset owner should fix first, what time frame is realistic and what risk remains for the business.
This page is for the Director of Information Security, CIO, Head of Infrastructure, SOC, DevSecOps, owners of critical systems, project office and procurement. Particularly useful for banks, industry, the public sector, retail, telecoms and companies with a large number of servers, workstations, web services, cloud resources, contractors and regulated environments.
What is vulnerability management
VM stands for Vulnerability Management. In a mature enterprise landscape, this is an ongoing process: know your assets, regularly find vulnerabilities, understand the real danger, assign owners, control the remediation, double-check the result and show management how the risk is trending.
The scanner provides technical findings. Vulnerability management answers other questions: what findings really threaten an important business process, what is already being exploited by attackers, where there are compensatory measures, where a patch cannot be applied immediately, and what decision the responsible owner needs to make.
Key Terms, Plainly Explained
| Term | Expansion | What it means in the project |
|---|---|---|
| VM | Vulnerability Management. | A process that links scanning, assets, prioritization, tasks, deadlines, exceptions, and reporting. |
| CVE | Common Vulnerabilities and Exposures - public identifier for known vulnerabilities. | A common language for information security, IT, vendors and contractors when discussing a specific vulnerability. |
| CVSS | Common Vulnerability Scoring System - a system for assessing the technical severity of a vulnerability. | A basic severity assessment that needs to be supplemented with asset, threat, and operational context. |
| EPSS | Exploit Prediction Scoring System - predicts the likelihood of CVE exploitation. | Helps understand which vulnerabilities are most likely to be exploited in the near term. |
| KEV | Known Exploited Vulnerabilities - a catalog of vulnerabilities that have already been exploited. | A strong signal for accelerated resolution, especially for public and critical systems. |
| ASM / EASM | Attack Surface Management / External Attack Surface Management - management of the attack surface, including external. | Helps you see domains, subdomains, IPs, public services, test benches and cloud access points. |
| SLA | Service Level Agreement - an agreed deadline for handling a finding. | In VM, specifies timelines for eliminating or treating risk for different asset classes and vulnerabilities. |
| SIEM / SOAR | Collection and correlation of information security events / response automation. | Used to link vulnerabilities, events, incidents, playbooks and SOC reporting. |
| EDR / XDR | Endpoint detection and response / extended detection and correlation. | Shows whether a vulnerable host actually sees suspicious activity and what protective measures are in place on it. |
| SCA / SBOM | Software Composition Analysis / Software Bill of Materials - analysis of dependencies and list of software components. | Needed for DevSecOps to see vulnerable libraries, containers and application components. |
| ITSM / CMDB | IT service management / database of configuration items. | They help assign owners, create tasks, associate vulnerabilities with services and monitor statuses. |
How the process works in a large organization
Assets
We collect servers, workstations, applications, databases, network devices, cloud resources, external services, containers and owners.
Scanning
We configure data sources: internal and external scanners, AppSec, SCA, endpoint, SIEM, CMDB, clouds and manual checks.
Enrichment
We add business criticality, Internet exposure, exploitation availability, CVSS, EPSS, KEV, compensating measures and dependencies.
Priorities
We separate truly urgent risks from noise: not all Criticals are equally important, and not all Mediums can be safely put aside.
Tasks
We create tasks in ITSM or a team task queue and record the owner, deadline, remediation option, risk of granting an exception and target date.
Verification
We re-scan, verify actual elimination, close false positives and update reporting.
Reporting
We show management the dynamics: what has been fixed, what is overdue, where the risk has been accepted, which systems require a separate solution.
Prioritization: what to close first
A classic mistake of a VM process is to try to close all vulnerabilities based on a technical score. In reality, IT has limited update windows, there are legacy systems, business-critical services, contractors and regulated environments. Therefore, priority must take into account the technical severity, the likelihood of exploitation, and the value of the asset together.
| Signal | How to use |
|---|---|
| Asset criticality | A payment system, customer portal, GIS, CII, ERP, database with personal data or public API receives more weight than an isolated test bench. |
| Accessibility from the Internet | An external service with a vulnerability requires a more severe response than an internal node without a route from the user or attacker. |
| KEV and exploitation | If a vulnerability has already been used in real attacks, it cannot be left on the general waiting list. |
| EPSS | Helps distinguish vulnerabilities that are more likely to be exploited from a large array of technical findings. |
| Compensating measures | A WAF, segmentation, EDR, a disabled component, or limited access may change the urgency, but does not eliminate the need for a solution. |
| Cost of correction | Sometimes a quick configuration fix reduces risk more than a long project on a complex patch. |
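As an added illustration of the prioritization model described above (example code written for this page, not a RESTART deliverable or any standard): the tiering thresholds, the one-step downgrade for compensating measures and the SLA days are assumed, and the sample findings and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA matrix: days to remediate per tier. A real one is agreed per asset class.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
TIERS = ["P1", "P2", "P3", "P4"]


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float            # technical severity from the scanner (0-10)
    epss: float            # predicted exploitation probability (0-1)
    in_kev: bool           # listed in CISA KEV
    critical_asset: bool   # business-critical per CMDB / asset map
    internet_facing: bool  # reachable from the Internet per EASM
    compensated: bool      # WAF, segmentation, EDR or disabled component in place


def priority(f: Finding) -> str:
    """Assumed tiering rules: exploitation evidence and exposure drive urgency;
    CVSS alone only sets a floor. Compensating measures lower the tier by one
    step but never remove the finding from the queue."""
    if (f.in_kev and (f.internet_facing or f.critical_asset)) or (f.epss >= 0.5 and f.internet_facing):
        tier = "P1"
    elif f.in_kev or (f.cvss >= 9.0 and (f.internet_facing or f.critical_asset)) or (f.epss >= 0.2 and f.critical_asset):
        tier = "P2"
    elif f.cvss >= 7.0 or f.internet_facing:
        tier = "P3"
    else:
        tier = "P4"
    if f.compensated:
        tier = TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]
    return tier


def due_date(tier: str, found_on: date) -> date:
    return found_on + timedelta(days=SLA_DAYS[tier])


def rank(findings: list) -> list:
    """Order the queue: tier first, then exploitation likelihood, then CVSS."""
    return sorted(findings, key=lambda f: (TIERS.index(priority(f)), -f.epss, -f.cvss))


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("test-bench-01", "CVE-XXXX-0001", 9.8, 0.02, False, False, False, False),
    Finding("pay-api", "CVE-XXXX-0002", 6.5, 0.60, True, True, True, False),
    Finding("erp-db", "CVE-XXXX-0003", 8.1, 0.30, False, True, False, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        t = priority(f)
        print(f"{t} {f.asset:14} {f.cve} due {due_date(t, date(2025, 1, 1))}")
```

Note that the Medium on the public, KEV-listed payment API lands in P1 ahead of the 9.8 on the isolated test bench, which is exactly the ordering the table argues for.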
Global Practices and the Russian Regulatory Context
In international practice, vulnerability management is closely related to patch management. NIST SP 800-40 Rev. 4 views patch management as proactive maintenance: identifying, prioritizing, acquiring, installing, and verifying updates across the organization. This is a good guideline for talking to IT: patches are not someone else's task handed down by information security, they are part of reliable operations.
FIRST CVSS is useful as a common standard of technical severity, but cannot be used alone. FIRST EPSS adds the likelihood of exploitation, and CISA KEV helps highlight vulnerabilities that have already been seen in attacks. CIS Controls provides practical language for basic cyber hygiene: asset inventory, configuration control, access control, logging, and vulnerability remediation.
In the Russian environment, VM must be linked to the requirements of FSTEC, CII, GIS, ISPDn, internal policies and the evidence base for inspections. For known vulnerabilities, the Data Bank of Information Security Threats of FSTEC of Russia is a useful source. In regulated projects, it is important not only to close CVEs, but also to show that the process is under control: who is responsible, what measures are applied, what risks are accepted, and how this is confirmed by documents and logs.
How AI helps the VM process
AI should not decide for itself what risk is acceptable for a business. But it can significantly speed up the work of a team if it is built into a controlled loop with sources, roles and logs.
Deduplication of findings
AI helps combine repeated scanner results, different names for the same problem, and noise from multiple sources.
Explanation for the owner
The owner of the system does not receive a dry CVE, but a clear description: what is vulnerable, what it threatens, what correction options are available and why the deadline is important.
Draft tasks
AI can prepare an issue description for ITSM, Jira or issue queue: affected assets, version, remediation steps, review and closing criteria.
Linking to Documents
The module matches vulnerabilities against policies, threat models, CII/GIS/ISPDn requirements and the package of evidence for compliance.
Reporting
AI helps to compile a brief summary for the CISO, CIO and committee: trends, delays, risks accepted, problem owners and quick actions.
Constraint Control
The specialist remains in the decision-making loop: AI prepares options, and the responsible expert confirms the risk, exception, deadline and final status.
Where RESTART Adds Value
RESTART is useful where vulnerability management is needed not as a separate console, but as a workflow between information security, IT, development, operations, procurement and system owners. We connect audit, external perimeter, endpoints, DevSecOps, SIEM/SOAR/SGRC, ITSM, CMDB, vendor solutions and regulatory requirements.
Our approach: first understand assets and processes, then choose tools and rules. Otherwise, it is easy to end up with an expensive platform that generates thousands of findings but does not help the business reduce risk any faster.
External Perimeter, Endpoints and DevSecOps
External perimeter
Public domains, subdomains, IP, VPN, web/API and test benches should be included in the VM process as a separate source of risk. What is seen on the Internet often requires a different reaction speed.
Endpoints and servers
Workstations, servers, VDI and privileged devices provide the real picture: OS versions, installed software, security agents, local rights and update readiness.
DevSecOps and applications
SAST, DAST, SCA, containers and SBOM reveal vulnerabilities in code and dependencies before production release. This reduces the flow of problems into the production environment.
SOC and GRC
SIEM, SOAR and SGRC link vulnerabilities to events, incidents, tasks, controls, exceptions and evidence.
Deliverables
| Artifact | What it is for |
|---|---|
| Map of assets and sources | Shows which systems, hosts, applications, clouds, external services and scanners are included in the process. |
| Prioritization model | Fixes the rules: CVSS, EPSS, KEV, asset criticality, Internet accessibility, compensating measures and regulatory environment. |
| SLA Matrix | Sets processing and remediation deadlines for different types of assets, vulnerabilities, exceptions, and critical systems. |
| RACI and owners | Determines who is responsible for asset, remediation, risk assumption, audit and management reporting. |
| Elimination task queue | Translates findings into understandable tasks for IT, DevSecOps, system owners and contractors. |
| Exception register | Records cases where correction is not immediately possible: reason, compensatory measure, owner, review period and residual risk. |
| Integration scheme | Shows the combination of the VM platform with scanners, SIEM/SOAR/SGRC, ITSM, CMDB, endpoints, AppSec and reporting. |
| Management report | Shows the dynamics of risk, delays, critical systems, quick wins, problem areas and development plan. |
Delivery and implementation of VM tools
Vulnerability management tools, scanners, EASM, configuration management, SCA and SGRC platforms should be linked to assets, prioritization, operations, DevSecOps and reporting. RESTART helps select and deliver such solutions as part of a managed process, rather than as a separate license purchase.
Frequently asked questions
How is vulnerability management different from pentesting?
A pentest verifies practical attack scenarios within agreed boundaries. VM is an ongoing process that regularly finds, prioritizes, and monitors the remediation of vulnerabilities. These approaches complement each other: the pentest shows the attack path, VM keeps the remediation and re-testing process running.
Why can't only critical vulnerabilities be fixed?
Because a technical score without context can be deceiving. A medium-severity vulnerability on a public service with real-world exploitation can be more dangerous than a critical vulnerability on an isolated test node. A prioritization model is needed.
What to do if the patch cannot be installed?
An exception is recorded: reason, owner, review period, compensating measures, residual risk and the decision of the responsible person. This is better than silently ignoring the finding.
Is it possible to start without introducing a new platform?
Yes. Often the first step is to diagnose the process: assets, data sources, current scanners, prioritization rules, owners, SLAs, reporting and rapid improvements. After this, it becomes clearer whether a new product is needed.
How to connect VM with SOC and DevSecOps?
The SOC gains context of assets and vulnerabilities for incident investigation. DevSecOps closes vulnerable dependencies, containers, and code before release. The VM combines these threads into a common registry of risks and tasks.
Can AI close vulnerabilities automatically?
In most enterprise landscapes, no. AI can produce the analysis, task draft, explanation and report, but remediation, risk acceptance and changes to production systems must go through responsible people and the change process.
Let's discuss your environment
Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.