Practice and strategy · Module 5
Vulnerability management
Vulnerability management is not a panic feed.
Why this matters
Check whether the vulnerable path is reachable from untrusted zones.
What you will be able to do
1. Prioritise vulnerabilities using exposure, impact, and exploit signals
2. Choose containment when patching is not possible yet
3. Record decisions so you can defend them later
Before you begin
- You know what a patch is and why change control exists
Common ways people get this wrong
- Backlog as strategy. A growing backlog is not a plan. Choose what you will fix and what you accept.
- Fix without verification. If you never verify, you do not know if risk actually reduced.
Main idea at a glance
Diagram: Risk-based vulnerability triage flow

```mermaid
flowchart LR
Intake["Vulnerability\nintake"] --> Exposure{"Exposed to\nuntrusted path?"}
Exposure -->|"Yes"| Signals["Exploit &\nimpact signals"]
Exposure -->|"No"| Lower["Schedule\nremediation"]
Signals --> Priority{"High practical\nrisk?"}
Priority -->|"Yes"| Contain["Contain &\npatch urgently"]
Priority -->|"No"| Plan["Plan patch\n& monitor"]
Contain --> Verify["Verify fix\n& close"]
Plan --> Verify
```
Vulnerability management is not a panic feed. It is a system for deciding what matters now, what can wait, and what you will never fix and must isolate. The hard part is prioritisation under uncertainty and limited capacity.
A good triage decision uses a few simple inputs: exposure, impact, exploitability signals, and how fast you can safely patch. If your process only sorts by severity labels, it will fail in the real world.
Vulnerability triage sequence
1. Confirm exposure. Check whether the vulnerable path is reachable from untrusted zones.
2. Estimate impact and exploitability. Use business impact and exploit signals, not label severity alone.
3. Choose immediate containment. Apply compensating controls when patching cannot happen safely yet.
4. Time-box remediation with ownership. Set owner, due date, verification method, and escalation trigger.
Use the tool below to practise triage on defensive scenarios. The aim is to justify a priority and write down what you would do in the first day.
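The four-step sequence above, written out as a small triage function (an added example, not code from the module or its practice tool). It walks the exposure gate, the exploit and impact signals, and the containment choice, then emits a triage note with owner, due date, verification method and escalation trigger. The due-day SLAs, the field names and the scenario findings are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    label: str                      # scanner label: low / medium / high / critical
    reachable_from_untrusted: bool  # step 1: is the vulnerable path exposed?
    sensitive_data: bool            # step 2: business impact signal
    active_exploitation: bool       # step 2: exploit signal (reports in the wild)
    patch_safe_now: bool            # step 3: can the patch clear change control today?

# Hypothetical SLAs for this example, not figures from the module.
DUE_DAYS = {"urgent": 1, "planned": 14, "scheduled": 45}

def triage(f: Finding, owner: str) -> dict:
    """Walk the triage flow and return a triage note: priority, rationale, next actions."""
    rationale = [f"scanner label: {f.label}"]
    if not f.reachable_from_untrusted:
        priority = "scheduled"
        rationale.append("not reachable from an untrusted zone; the label alone does not make it urgent")
        actions = ["schedule remediation in the normal patch window"]
    elif f.active_exploitation or f.sensitive_data:
        priority = "urgent"
        rationale.append("exposed to an untrusted path with exploit and/or impact signals")
        actions = ["patch now" if f.patch_safe_now else
                   "apply compensating control (block path, WAF rule, or isolate host) until patch is safe",
                   "increase monitoring on the exposed path"]
    else:
        priority = "planned"
        rationale.append("exposed but no exploit or sensitive-data signal yet")
        actions = ["plan patch in the next window", "monitor exploit feeds for change"]
    return {
        "finding": f.name, "priority": priority, "rationale": rationale,
        "next_actions": actions, "owner": owner, "due_in_days": DUE_DAYS[priority],
        "verify_by": "rescan and confirm the vulnerable path no longer responds",
        "escalate_if": "exploit signals appear or the due date slips",
    }

def order_backlog(findings, owner="app-team"):
    """Order findings by practical risk rather than by scanner label."""
    notes = [triage(f, owner) for f in findings]
    return sorted(notes, key=lambda n: ["urgent", "planned", "scheduled"].index(n["priority"]))

# Constructed scenario from the quick check: a high-severity issue on an internal service
# with no sensitive data versus a medium issue on a public endpoint with active exploit reports.
SCENARIO = [
    Finding("internal-svc finding (label high)", "high", False, False, False, True),
    Finding("public-api finding (label medium)", "medium", True, False, True, False),
]
```

Running `order_backlog(SCENARIO)` puts the public endpoint first as urgent with a compensating control, and the internal high-label finding into the scheduled window.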
Mental model
Vulnerability work as a loop
Scanning produces work. Triage turns it into action. Fixing reduces risk.
1. Discover
2. Triage
3. Fix
4. Verify
5. Learn
Assumptions to keep in mind
- Fix capacity exists. If you cannot fix, scanning only creates anxiety. Make space for remediation.
- Severity is contextual. CVSS is a hint. Real severity depends on exposure and controls.
Check yourself
Quick check. Vulnerability management
What is the goal of vulnerability management?
To reduce risk through prioritised remediation and sensible compensating controls.
Scenario. A high severity issue is in an internal service with no sensitive data. A medium issue is on a public endpoint with active exploit reports. Which likely comes first?
Usually the exposed endpoint with exploit signals, because exposure and likelihood matter as much as the label.
What is a common failure mode?
Sorting only by severity label and ignoring exposure and business impact.
What matters when you cannot patch quickly?
Containment, monitoring, and limiting blast radius until you can fix.
Why track patch windows?
To make risk decisions explicit and reduce silent backlog growth.
What is one good output from triage?
A documented priority and a first day response plan.
Artefact and reflection
Artefact
A triage note with priority, rationale, and next actions
Reflection
Where in your work would prioritising vulnerabilities using exposure, impact, and exploit signals change a decision, and what evidence would make you trust that change?
Optional practice
Score a scenario by exposure and impact, then choose a practical response plan.