# Vulnerability Management / Remediation / Audit / Compliance Mapping > **Intro:** Vulnerability management is not “run scanner, send PDF.” It is the lifecycle that starts with inventory and context, continues through prioritization and remediation, and ends with audit-friendly evidence, exception handling, and measurable risk reduction. > > **What this page includes** > > * an operator-friendly lifecycle for findings management > * where scanners fit and where they do not > * examples of common vulnerability-management platforms > * evidence and mapping patterns for audit and compliance work ## Findings lifecycle at a glance | Stage | Goal | Typical outputs | | ------------------ | --------------------------------------------------------------------- | ------------------------------------------------------------------------------ | | Inventory | know what exists and who owns it | asset list, owner, environment, criticality, internet exposure | | Detection | identify vulnerabilities, misconfigurations, secrets, weak components | scanner findings, posture findings, code findings, runtime observations | | Severity + context | turn raw findings into action priorities | severity, exploitability, reachability, business criticality, exposure context | | Remediation | drive fixes, mitigations, or compensating controls | tickets, patch plans, code changes, config updates, deploy gates | | Risk acceptance | explicitly document time-bounded exceptions | exception record, approver, expiry, compensating controls | | Evidence | prove that the process exists and is followed | reports, ticket history, screenshots, exceptions, dashboards | | Compliance mapping | show how the lifecycle supports standards and audits | mapped controls, recurring metrics, audit pack references | ## Where scanners fit Scanners are **inputs**, not the whole program. Good scanners help you: * discover assets and vulnerabilities at scale * detect missing patches and insecure configurations * prioritize by threat or exploit context * integrate remediation work with IT or engineering tools Scanners do **not** solve: * ownership gaps * weak SLA discipline * poor exception governance * business-criticality mapping * proof that the fix actually made it to production ## Practical severity and context model | Signal | Why it matters | | ----------------------------------- | --------------------------------------------------------------------------- | | CVSS / vendor severity | useful baseline, but too generic on its own | | exploit / threat context | helps distinguish “interesting” from “actually urgent” | | asset criticality | a vulnerable payment system and a lab VM are not equal | | internet reachability | changes likelihood and urgency | | runtime reachability / exploit path | reduces noise by focusing on realistic paths | | compensating controls | WAF, isolation, network barriers, or disabled code paths can change urgency | | patch availability | affects how remediation is planned | ## Example SLA model | Finding class | Suggested target | Notes | | --------------------------------------------- | ---------------- | --------------------------------------------------- | | Critical on internet-facing crown-jewel asset | 24–72 hours | emergency handling, mitigation if patch unavailable | | Critical on internal production asset | 3–7 days | still leadership-visible | | High in production | 14–30 days | prioritize by exploitability and exposure | | Medium | 30–90 days | batch where appropriate | | Low / hygiene debt | planned backlog | do not let this hide systemic neglect | ## Scanner / platform examples | Platform | Typical use | Short take | | ------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | | Tenable Nessus | host, network, configuration, compliance-oriented vulnerability assessment | great foundational scanner for infrastructure and authenticated scanning; strong plugin ecosystem | | Tenable Vulnerability Management | cloud-hosted vulnerability management with scanners and agents | adds broader management workflows beyond standalone Nessus deployments | | Rapid7 InsightVM / Nexpose lineage | asset discovery, vulnerability assessment, remediation projects, SLAs | strong remediation-project workflow and risk contextualization | | Greenbone / OpenVAS | open-source-friendly network and vulnerability scanning | useful when openness and self-hosting matter; operational maturity still required | | Qualys VMDR | unified vulnerability management, asset discovery, prioritization, patching / remediation workflows | strong platform view across detection, prioritization, and response in one place | | Microsoft Defender Vulnerability Management | endpoint- and ecosystem-integrated exposure and vulnerability management | especially compelling where Microsoft security tooling is already central | ## How to use scanner output sanely ### Good pattern 1. deduplicate findings by asset and owner; 2. enrich with environment, criticality, internet exposure, and exploit context; 3. assign remediation or mitigation with an SLA; 4. recheck after change and keep the evidence; 5. document exceptions with expiry. ### Bad pattern 1. export 2,000 findings; 2. email them to engineering; 3. wait until audit month; 4. declare the process “blocked by resourcing.” ## Audit and compliance mapping model | Process element | Evidence examples | Common standards it helps satisfy | | ------------------------------------ | --------------------------------------------------------------- | ----------------------------------------------------- | | Asset inventory | CMDB / asset export / scanner asset list | ISO 27001, NIST CSF, PCI DSS, CIS | | Authenticated vulnerability scanning | scan policy, schedule, results, remediation tickets | PCI DSS, CIS, internal control testing | | SLA tracking | aging dashboard, overdue report, exception log | audit traceability, operational control effectiveness | | Risk acceptance | approved exception record with expiry and compensating controls | governance and risk-management expectations | | Remediation verification | rescan results, deploy evidence, change ticket closure | control closure proof | | Executive reporting | trend charts, critical backlog, MTTR, exception debt | management review and board reporting | ## Simplified operating model * **Security** defines policy, triage model, and reporting. * **Platform / IT** owns baseline scanning infrastructure and patch orchestration where relevant. * **Engineering** fixes code and application configuration issues. * **Risk / compliance** validates that evidence is retained and exceptions are governed. ## Practical examples ### Example 1 — scanner says “critical,” business says “not now” A finding lands on an internet-facing production service. The team cannot patch immediately because of a release freeze. Good practice is not to mark it “won’t fix” and move on. Good practice is to document a short-lived exception, add a compensating control if possible, and record when the patch will ship. ### Example 2 — thousands of low-context findings, zero movement A scanner rollout succeeds technically, but owners are not mapped and SLAs are unclear. The program generates a mountain of data and no material risk reduction. The lesson is that **asset ownership and remediation workflow are part of vulnerability management, not optional extras.** ## References and best-practice anchors * NIST SSDF * OWASP SAMM * vendor guidance for your chosen scanning platform * compliance-specific requirements such as PCI DSS authenticated scanning and evidence retention expectations ## Read next * [Compliance-to-Engineering Evidence Pass](/metrics-audit-risk-evidence-and-compliance/index-1/compliance-to-engineering-evidence-pass.md) * [Cloud Auditing by API and Configuration State](/cloud-kubernetes-and-infrastructure-security/index/cloud-auditing-by-api-and-configuration-state.md) * [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md) * [Risk Acceptance, Exceptions, and Decision Records](/strategy-governance-and-leadership/index/risk-acceptance-exceptions-and-decision-records.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/metrics-audit-risk-evidence-and-compliance/index-1/vulnerability-management-remediation-audit-and-compliance-mapping.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.