Vulnerability Management: How to Find and Fix Security Holes Before Attackers Do

The average organization has hundreds of vulnerabilities on its network at any given time. The key isn’t being vulnerability-free — that’s impossible. The key is knowing what you have, prioritizing ruthlessly, and fixing the things that matter before attackers exploit them. This is vulnerability management.

What Is Vulnerability Management?

Vulnerability management is a continuous, cyclical process:

  • Discovery: Find all assets in your environment
  • Assessment: Scan those assets to identify vulnerabilities
  • Prioritization: Rank vulnerabilities by risk to focus remediation effort
  • Remediation: Patch, reconfigure, or mitigate the highest-risk vulnerabilities
  • Verification: Confirm the fix worked
  • Reporting: Measure progress, demonstrate improvement over time

Then repeat — continuously. New vulnerabilities are discovered daily (the NVD receives 50+ new CVEs per day). New assets are added to your environment. Old ones are forgotten. Vulnerability management never ends.

Understanding CVSS Scores

The Common Vulnerability Scoring System (CVSS) assigns each vulnerability a numerical score from 0–10 representing severity. CVSS v3.x and v4.0 share the qualitative bands below (the older v2 scale had only Low, Medium and High):

  • 0.0: None
  • 0.1–3.9: Low
  • 4.0–6.9: Medium
  • 7.0–8.9: High
  • 9.0–10.0: Critical

The CVSS base score considers: attack vector (network, adjacent, local, or physical), attack complexity, privileges required, whether user interaction is needed, scope (in v3.x, whether the exploit crosses a security boundary), and impact on confidentiality/integrity/availability. The number most scanners report is this base score: a property of the vulnerability itself, with no knowledge of whether an exploit exists or whether the vulnerable component is reachable in your deployment.

Important caveat: CVSS alone is a poor prioritization tool. A CVSS 10 vulnerability in software you don’t use is less urgent than a CVSS 7 vulnerability being actively exploited in the wild against your exact software version. Context matters enormously.

Better Prioritization: CISA’s KEV Catalog

CISA (Cybersecurity and Infrastructure Security Agency) maintains the Known Exploited Vulnerabilities (KEV) catalog — a list of CVEs that have been actively exploited in the wild. This is the most actionable prioritization tool available, and it’s free.

Rule of thumb: Any CVE on the CISA KEV list that affects your environment should be treated as urgent regardless of its CVSS score. Check the catalog at cisa.gov/known-exploited-vulnerabilities-catalog; CISA also publishes it as JSON and CSV feeds, so you can diff it against scanner output in a script instead of reading it by hand.

Free Vulnerability Scanning Tools

Nessus Essentials (Free for Home/Educational Use)

Tenable’s Nessus is the industry-standard vulnerability scanner. Nessus Essentials is free for up to 16 IP addresses, which fits a homelab or a classroom; it is aimed at students, educators and hobbyists rather than commercial use, so check Tenable’s licence terms before relying on it in a business. It runs on Windows, Linux, and macOS, and its plugin library covers 59,000+ CVEs plus misconfigurations and default credentials.

Setup: Register for free at tenable.com/products/nessus/nessus-essentials, install on a dedicated system, activate with your free key, and point it at your network. Scans take 30–60 minutes for a small network and produce detailed, actionable reports.

OpenVAS / Greenbone Community Edition (Free, Open Source)

The most capable free, open-source vulnerability scanner. OpenVAS is the scanning engine inside Greenbone Community Edition; setup is steeper than Nessus, but there is no IP limit and the community feed carries over 80,000 vulnerability tests (NVTs).

# Quickest setup: Greenbone's official docker-compose file. The edition is
# several cooperating containers (scanner, gvmd, web UI, feed sync), not one image.
curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose.yml -o docker-compose.yml
docker compose -f docker-compose.yml -p greenbone-community-edition pull
docker compose -f docker-compose.yml -p greenbone-community-edition up -d

# Wait for the first feed sync (10-30+ minutes), then open the web UI, which
# listens on plain HTTP on the loopback interface by default:
# http://127.0.0.1:9392
# Default credentials: admin/admin. Change the password immediately:
docker compose -f docker-compose.yml -p greenbone-community-edition \
  exec -u gvmd gvmd gvmd --user=admin --new-password='<new password>'

Nuclei (Fast, Template-Based)

Nuclei by ProjectDiscovery is a fast, community-powered vulnerability scanner using YAML templates. Excellent for web application vulnerability scanning and CI/CD pipeline integration.

# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan a target
nuclei -u https://example.com

# Scan with specific template tags (CVE checks, misconfigurations, default credentials)
nuclei -u https://example.com -tags cve,misconfig,default-login

# Scan a list of targets (one URL or host per line, only assets you are authorized
# to test), keep high/critical findings, and write JSON lines for triage scripts
nuclei -l targets.txt -severity high,critical -jsonl -o results.jsonl

Trivy (Container and Infrastructure Security)

If you use Docker or Kubernetes, Trivy scans container images, filesystems and infrastructure-as-code for vulnerable packages, misconfigurations and leaked secrets before deployment:

# Scan a container image
trivy image nginx:latest

# CI gate: fail the build on HIGH/CRITICAL findings that have a fix available,
# and keep a JSON report for triage
trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 \
  --format json -o trivy-report.json nginx:latest

# Scan your filesystem (lockfiles, OS packages, config files)
trivy fs /path/to/project

# Scan a running Kubernetes cluster
trivy k8s --report all cluster

Building a Vulnerability Management Program

Step 1: Asset Inventory

You can’t protect what you don’t know about. Build and maintain a complete asset inventory: all servers (on-premises and cloud), workstations, network devices, IoT devices, cloud resources, and web applications. Tools: Nmap for network discovery, cloud provider dashboards, endpoint management tools (SCCM, Jamf, Intune).

Step 2: Regular Scanning Schedule

  • Internal network: Weekly automated scans
  • External attack surface (internet-facing assets): Weekly or daily
  • After significant changes (new server deployed, major software update): Ad-hoc scans
  • Annual: Comprehensive third-party penetration test

Step 3: Risk-Based Prioritization

Don’t just fix in CVSS order. Consider:

  • Is this on the CISA KEV list? → Fix immediately; 24-72 hours is the right target (each KEV entry also carries its own due date)
  • Is the affected system internet-facing? → Higher priority
  • What data/systems does the affected service have access to? → Business impact
  • Is there a publicly available exploit? → Escalate urgency
  • Is there a compensating control (a WAF rule or network segmentation that you have verified actually blocks the exploit path)? → Can deprioritize, but record the control against the finding and treat it as a temporary mitigation, not as closure

Step 4: Remediation SLAs

Define Service Level Agreements for remediation based on severity — then measure and report on compliance:

  • Critical: 24-72 hours
  • High: 7-14 days
  • Medium: 30 days
  • Low: 90 days or next patching cycle
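Putting Steps 3 and 4 (and the KEV rule of thumb above) into code, here is a triage script added as an example; it is not code from the article, from Trivy, or from CISA. It joins findings shaped like a `trivy image --format json` report with a feed shaped like CISA’s KEV JSON (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and with an asset-context record, assigns a tier, and computes the SLA due date. Every input is constructed: the CVE identifiers are placeholders (no CVE is issued with year 0000), and the asset context and the public-exploit set are assumptions you would fill from your own inventory and threat intelligence.

```python
"""Risk-based triage of scanner findings (added example, not the article's
code). Inputs are constructed to mirror the shape of a Trivy JSON report and
of CISA's KEV JSON feed; CVE IDs with year 0000 are placeholders."""
import json
from datetime import date, timedelta

# Remediation SLAs from Step 4 (days from confirmation to fix).
SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 30, "Low": 90}
TIERS = ["Low", "Medium", "High", "Critical"]

# Constructed excerpt in the shape of the CISA KEV feed.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "examplelib",
   "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
   "knownRansomwareCampaignUse": "Known",
   "requiredAction": "Apply updates per vendor instructions."}]}""")

# Constructed findings in the shape of `trivy image --format json` output.
SCAN_REPORT = json.loads("""{"ArtifactName": "registry.example.internal/web:1.4.2",
 "Results": [{"Target": "constructed OS package list", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
   "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
   "InstalledVersion": "4.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "webfw",
   "InstalledVersion": "2.1.0", "FixedVersion": "2.1.5", "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "imgparse",
   "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"}]}]}""")

# Assumed asset context from your inventory. compensating_controls maps each
# control to the CVEs you have *verified* it blocks; an untested WAF rule is
# not a compensating control.
ASSET = {"internet_facing": True,
         "compensating_controls": {"waf": {"CVE-0000-0003"}}}

# Assumed: CVEs with public exploit code, from your own threat-intel sources.
PUBLIC_EXPLOITS = {"CVE-0000-0004"}


def bump(tier: str, steps: int) -> str:
    """Move a tier up (+) or down (-), clamped to Low..Critical."""
    i = TIERS.index(tier) + steps
    return TIERS[max(0, min(i, len(TIERS) - 1))]


def triage(report, kev_feed, asset, public_exploits, today: date) -> list:
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    mitigated = {c for cves in asset["compensating_controls"].values() for c in cves}
    rows = []
    for result in report["Results"]:
        for v in result.get("Vulnerabilities") or []:
            cve, reasons = v["VulnerabilityID"], []
            if cve in kev:
                # KEV overrides CVSS entirely, and a compensating control does
                # not buy time against something already being exploited.
                tier = "Critical"
                reasons.append(f"in CISA KEV since {kev[cve]['dateAdded']}")
                if kev[cve].get("knownRansomwareCampaignUse") == "Known":
                    reasons.append("used in ransomware campaigns")
            else:
                tier = v["Severity"].capitalize()
                if tier not in TIERS:  # Trivy reports UNKNOWN for unscored CVEs
                    tier, reasons = "Medium", ["unscored, defaulting to Medium"]
                if asset["internet_facing"]:
                    tier = bump(tier, +1)
                    reasons.append("internet-facing asset")
                if cve in public_exploits:
                    tier = bump(tier, +1)
                    reasons.append("public exploit available")
                if cve in mitigated:
                    tier = bump(tier, -1)
                    reasons.append("compensating control in place (temporary)")
            due = today + timedelta(days=SLA_DAYS[tier])
            if cve in kev:  # never later than the catalog's own due date
                due = min(due, date.fromisoformat(kev[cve]["dueDate"]))
            if v.get("FixedVersion"):
                action = f"upgrade {v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']}"
            else:
                action = f"no vendor fix for {v['PkgName']}: mitigate or isolate"
            rows.append({"cve": cve, "tier": tier, "due": due,
                         "action": action, "reasons": reasons})
    # Earliest due date first; ties broken by tier, then CVE for stable output.
    rows.sort(key=lambda r: (r["due"], -TIERS.index(r["tier"]), r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(SCAN_REPORT, KEV_FEED, ASSET, PUBLIC_EXPLOITS, date(2024, 1, 15)):
        print(f"{r['due']} {r['tier']:8s} {r['cve']}  {r['action']}  ({'; '.join(r['reasons'])})")
```

Two design choices are worth noting. The KEV branch ignores both the scanner severity and any compensating control, because the catalog is telling you the exploit is already in use; and a finding with no FixedVersion is not dropped but re-labelled as a mitigation task, since "no patch available" is exactly the case where isolation or a control has to be tracked to a due date rather than forgotten.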

Step 5: Track and Report

Use a ticketing system (Jira, ServiceNow, or even a spreadsheet for small teams) to track every finding, owner, and remediation status. Report metrics to management: mean time to remediation, percentage of critical/high vulns remediated within SLA, vulnerability trend over time (are you getting better or worse?)
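The three metrics named above, computed from a ticket export, as an added example (not code from the article or from any ticketing product). The ticket list is constructed; in practice you would export the same fields (id, severity, opened, closed) from Jira, ServiceNow or the spreadsheet, and the SLA table is the one from Step 4.

```python
"""Remediation metrics for Step 5 (added example). Ticket data is constructed;
export the same fields from your ticketing system to use it for real."""
from collections import defaultdict
from datetime import date
from statistics import mean

SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 30, "Low": 90}  # Step 4

# Constructed tickets: one finding each; `closed` is None while still open.
TICKETS = [
    {"id": "VM-101", "severity": "Critical", "opened": date(2024, 3, 1), "closed": date(2024, 3, 3)},
    {"id": "VM-102", "severity": "High", "opened": date(2024, 3, 2), "closed": date(2024, 3, 20)},
    {"id": "VM-103", "severity": "High", "opened": date(2024, 3, 5), "closed": date(2024, 3, 12)},
    {"id": "VM-104", "severity": "Medium", "opened": date(2024, 3, 20), "closed": None},
    {"id": "VM-105", "severity": "Critical", "opened": date(2024, 4, 1), "closed": None},
    {"id": "VM-106", "severity": "Low", "opened": date(2024, 4, 2), "closed": date(2024, 4, 9)},
]


def days_open(ticket, as_of: date) -> int:
    """Age of a ticket: until closure, or until `as_of` if it is still open."""
    return ((ticket["closed"] or as_of) - ticket["opened"]).days


def mttr_days(tickets, severities=None):
    """Mean time to remediate over closed tickets, optionally per severity."""
    closed = [t for t in tickets
              if t["closed"] and (severities is None or t["severity"] in severities)]
    return mean(days_open(t, t["closed"]) for t in closed) if closed else None


def sla_compliance(tickets, severities, as_of: date):
    """Fraction of tickets within SLA. An open ticket already past its due
    date counts as a breach, so a growing backlog cannot flatter the number."""
    relevant = [t for t in tickets if t["severity"] in severities]
    within = sum(1 for t in relevant
                 if days_open(t, as_of) <= SLA_DAYS[t["severity"]])
    return within / len(relevant) if relevant else None


def overdue(tickets, as_of: date) -> list:
    """Open tickets past SLA, most overdue first: the list to escalate."""
    late = [(days_open(t, as_of) - SLA_DAYS[t["severity"]], t["id"])
            for t in tickets if not t["closed"]]
    return [tid for days_late, tid in sorted(late, reverse=True) if days_late > 0]


def monthly_trend(tickets) -> dict:
    """Opened vs closed per month. Closed below opened month after month means
    the backlog is growing, whatever the raw finding counts suggest."""
    trend = defaultdict(lambda: {"opened": 0, "closed": 0})
    for t in tickets:
        trend[t["opened"].strftime("%Y-%m")]["opened"] += 1
        if t["closed"]:
            trend[t["closed"].strftime("%Y-%m")]["closed"] += 1
    return dict(sorted(trend.items()))


if __name__ == "__main__":
    as_of = date(2024, 4, 10)
    print("MTTR, all closed tickets (days):", mttr_days(TICKETS))
    print("MTTR, critical/high (days):", mttr_days(TICKETS, {"Critical", "High"}))
    print("Critical/high within SLA:", sla_compliance(TICKETS, {"Critical", "High"}, as_of))
    print("Overdue now:", overdue(TICKETS, as_of))
    print("Monthly trend:", monthly_trend(TICKETS))
```

Note that MTTR is computed only over closed tickets, so on its own it improves when the hard findings are simply left open; reporting it next to the SLA-compliance figure (which counts open-and-overdue tickets as breaches) and the opened-versus-closed trend closes that loophole.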

Patch Management: The Execution Side

Vulnerability management identifies what needs to be fixed; patch management executes the fix. Key principles:

  • Test patches in a non-production environment before broad deployment
  • Use automated patch management (Windows Update, WSUS, Ansible, Chef, Puppet) rather than manual updates
  • Have a rollback plan for every critical patch
  • Track patch compliance — know which systems are missing which patches
  • For end-of-life (EOL) software: upgrade or isolate. EOL software receives no patches — every new vulnerability is permanent.

Summary

Vulnerability management is the foundation of a mature security program. Start with free tools (Nessus Essentials, OpenVAS), build an asset inventory, establish a regular scanning cadence, and prioritize using the CISA KEV catalog and business context. Track remediation and measure progress. The organizations that get badly breached aren’t always the ones with the most vulnerabilities — they’re the ones who didn’t know what vulnerabilities they had.