+966 12 6522 996
info@eliteideas.net
2372 King Abdullah Road 6055, Jeddah 23216

A typical KSA enterprise has 30,000 vulnerabilities at any given time across its IT estate. Of those, perhaps 200 appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning they are confirmed to be exploited in the wild. Of those 200, perhaps 30 affect assets that matter to your business. And your remediation team has three people who can actually fix things.

The question is not “what vulnerabilities exist?” The question is “which 30 should we fix this month, and how do we know we actually fixed them?”

Vulnerability scanning is easy. Vulnerability management — the discipline of turning scan output into verified remediation — is hard. EIE’s vulnerability management practice is built around this distinction.

Why vulnerability scanning isn’t vulnerability management

Most KSA enterprises that have purchased a vulnerability scanner (Tenable, Qualys, Rapid7) are running scanning, not management. The pattern is familiar: deploy scanner, generate report, present 50,000 findings to overwhelmed team, watch the team triage maybe 5% of them, watch most findings sit unfixed for months, repeat next quarter.

The volume problem: 50,000 findings is humanly unmanageable. Teams disengage from the data because it’s not actionable.

The prioritization problem: CVSS scores alone mislead. A CVSS 9.8 vulnerability on a non-internet-facing internal printer is less urgent than a CVSS 7.5 on the customer-facing web app. Pure CVSS sorting produces bad work orders.

The remediation gap: even when correctly prioritized, findings sit unfixed. Patch windows aren’t aligned, owners aren’t clear, dependencies aren’t tracked.

The verification gap: the team says “we fixed it” but nobody re-scans to confirm. Six months later, the auditor asks “show me evidence” and there’s nothing.

Vulnerability management closes all four gaps with operational discipline.

Modern prioritization — EPSS, KEV, and asset value

The industry has moved beyond CVSS-only prioritization.

EPSS (Exploit Prediction Scoring System) — published by FIRST.org. For each CVE, EPSS predicts the probability of exploitation in the wild within the next 30 days. A vulnerability with EPSS 0.95 (95% probability) deserves immediate attention; EPSS 0.001 can wait. EPSS updates daily.

KEV (Known Exploited Vulnerabilities) — maintained by CISA. The list of vulnerabilities confirmed to be actively exploited. Smaller than the universe of vulnerabilities (a few hundred at any time), but every entry is a “fix now” priority.

Asset value — what’s actually critical to your business? A vulnerability with EPSS 0.90 on a deprecated dev server differs from the same vulnerability on the production payment gateway. Asset value modulates priority.

The intersection — high EPSS × on KEV × high-value asset = fix immediately. Low EPSS × off KEV × low-value asset = defer to next quarterly cycle.

This intersection-based prioritization is what reduces the actionable workload from 30,000 findings to 30 per month.

Discovery — getting the full picture

You can’t manage what you don’t see.

Authenticated network scanning — credentialed scans inside the network. Far more accurate than uncredentialed.

Web application scanning — DAST (dynamic, runs against deployed app) and SAST (static, analyzes source code). For custom applications.

API scanning — increasingly important as APIs proliferate. Traditional web scanners miss most API issues.

Cloud configuration scanning — overlaps with Cloud Security Posture Management. Cloud-specific vulnerability classes (misconfigured S3, exposed RDS, weak IAM).

Container image scanning — every image deployed should be scanned for known vulnerabilities. Catches issues before runtime.

IoT and OT inventory — operational technology is often missed. Industrial control systems, building management, medical devices, IP cameras, badge readers. Each has vulnerabilities; few are scanned.

Tooling

Tenable — comprehensive enterprise scanning. Strong network and authenticated scanning. Industry incumbent.

Qualys — cloud-delivered, broad coverage. Strong compliance reporting.

Rapid7 InsightVM — modern UI, good remediation tracking, integration with Rapid7 InsightIDR for SIEM correlation.

Wiz — cloud-native vulnerability + posture, growing rapidly. Strong for cloud-first environments.

Snyk — developer-first. Strong for SAST, container, dependency scanning. Integrates into CI/CD.

EIE’s recommendation depends on your environment. For mostly-cloud organizations: Wiz. For traditional enterprise: Tenable or Qualys. For developer-heavy organizations: Snyk for shift-left, Tenable for runtime.

Risk-based prioritization workflow

Our operational workflow:

Step 1 — Ingest scan data from all scanners (network, web, container, cloud) into a unified data lake.

Step 2 — Enrich with EPSS and KEV automatically. Each finding gets EPSS score and KEV flag.

Step 3 — Cross-reference asset criticality from a maintained asset register (CMDB integration where available).

Step 4 — Rank, queue, and ticket. Top-priority findings auto-ticket to owners via Jira, ServiceNow, or your ticketing platform. SLA defined by severity.

Step 5 — Assign owner with deadline. Every ticket has a named owner, deadline, and escalation path.
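The intersection rule from the prioritization section and steps 2 to 4 of the workflow above, as an added example that is not EIE’s tooling or any scanner vendor’s code. The EPSS feed, KEV entries, asset register tiers and findings are constructed sample data; the CVE ids use the CVE format with a placeholder year and refer to no real vulnerability. The EPSS threshold (0.5 counts as “high”) and the three-tier asset scale are assumptions; the SLA targets are the ones stated in the page’s FAQ.

```python
"""Risk-based ranking of scan findings by EPSS, KEV membership and asset value.

Added illustration. Every feed below is constructed sample data; the CVE ids
are placeholders (year 0000) and make no claim about real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# SLA targets from the page's FAQ: critical 7 days, high 30, medium 90,
# low at the next maintenance window (None = no fixed day count).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float


# Constructed asset register (step 3): criticality tier per asset, 1 = low, 3 = high.
ASSET_TIER: Dict[str, int] = {
    "payment-gateway-prod": 3,
    "customer-web-app": 3,
    "dev-server-old": 1,
    "internal-printer-7": 1,
}

# Constructed EPSS feed: probability of exploitation in the next 30 days.
EPSS: Dict[str, float] = {
    "CVE-0000-0001": 0.95,
    "CVE-0000-0002": 0.60,
    "CVE-0000-0003": 0.001,
    "CVE-0000-0004": 0.93,
}

# Constructed KEV catalog: CVE ids confirmed to be exploited in the wild.
KEV: Set[str] = {"CVE-0000-0001"}


def enrich(f: Finding) -> dict:
    """Step 2/3: attach EPSS score, KEV flag and asset tier. A CVE missing from
    the EPSS feed scores 0.0 and an asset missing from the register gets the
    lowest tier, so gaps in the feeds never inflate a finding's priority."""
    return {
        "cve": f.cve, "asset": f.asset, "cvss": f.cvss,
        "epss": EPSS.get(f.cve, 0.0),
        "kev": f.cve in KEV,
        "tier": ASSET_TIER.get(f.asset, 1),
    }


def severity(e: dict) -> str:
    """Intersection rule: high EPSS x on KEV x high-value asset = critical.
    The EPSS >= 0.5 cut-off for 'high' is an assumed threshold."""
    high_epss = e["epss"] >= 0.5
    high_value = e["tier"] == 3
    if e["kev"] and high_epss and high_value:
        return "critical"
    if (e["kev"] or high_epss) and high_value:
        return "high"
    if e["kev"] or high_epss or high_value:
        return "medium"
    return "low"


def rank(findings: List[Finding]) -> List[dict]:
    """Step 4: enrich, classify, attach the SLA and sort into a work queue.
    Sort key: severity first, then EPSS descending, then CVSS descending."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    queue = []
    for f in findings:
        e = enrich(f)
        e["severity"] = severity(e)
        e["sla_days"] = SLA_DAYS[e["severity"]]
        queue.append(e)
    queue.sort(key=lambda e: (order[e["severity"]], -e["epss"], -e["cvss"]))
    return queue


# Constructed findings mirroring the page's own comparisons: a CVSS 9.8 on an
# internal printer versus a CVSS 7.5 on the customer-facing web app, and a
# high-EPSS finding on a deprecated dev server versus the payment gateway.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0003", "internal-printer-7", 9.8),
    Finding("CVE-0000-0002", "customer-web-app", 7.5),
    Finding("CVE-0000-0001", "payment-gateway-prod", 8.1),
    Finding("CVE-0000-0004", "dev-server-old", 8.1),
]

if __name__ == "__main__":
    for e in rank(SAMPLE_FINDINGS):
        print(f'{e["severity"]:8} {e["cve"]} on {e["asset"]} '
              f'(EPSS {e["epss"]}, KEV {e["kev"]}, SLA {e["sla_days"]} days)')
```

Run as-is, the queue puts the KEV-listed finding on the payment gateway first (critical, 7-day SLA) and the CVSS 9.8 printer finding last (low), which is the point the page makes about pure CVSS sorting producing bad work orders.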

Remediation patterns

Patch management — the obvious cases. Apply vendor patch, reboot, done. Automation drives this.

Compensating controls — when patch isn’t immediate (legacy system, business impact), implement compensating control: WAF rule, network segmentation, additional monitoring. Document the compensating control as the active risk treatment.

Architecture changes — sometimes the vulnerability indicates a design flaw. The fix isn’t a patch; it’s a redesign. We’ll surface this when it’s the right answer.

Acceptance with risk sign-off — sometimes the cost of fixing exceeds the risk. Document the decision, get executive sign-off, monitor.

Verified remediation

This is where most programs fail. Our enforcement:

Re-scan after patch — ticket cannot close until scanner confirms finding cleared.

Confirm finding cleared — no auto-close. Human verification of scan result.

Document for audit trail — every closed finding has a re-scan timestamp and result. Audit-ready.

Close ticket only on verification — no exceptions.

The audit trail this produces is the difference between “we have a vulnerability management program” and “we have evidence of a working vulnerability management program.”
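The close-on-verification rule above, as an added example that is not EIE’s ticketing integration or any scanner’s API. The ticket and scan-result structures, the asset and owner names, the scan history and the placeholder CVE id (year 0000) are all constructed; the gate itself is the page’s rule: a ticket moves to “pending verification” on the owner’s claim, and closes only when a re-scan of the same asset, run after the claimed patch time, no longer reports the finding, with the re-scan timestamp and verifier written to the audit trail.

```python
"""Ticket-close gate for verified remediation.

Added illustration. A ticket may only close when a re-scan run AFTER the claimed
patch no longer reports the finding; every state change is logged for audit.
All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ScanResult:
    """One scanner run against one asset: when it ran and which CVEs it reported."""
    asset: str
    scanned_at: datetime
    cves_reported: frozenset


@dataclass
class Ticket:
    cve: str
    asset: str
    owner: str
    opened_at: datetime
    patched_at: Optional[datetime] = None   # set when the owner claims the fix
    status: str = "open"
    audit_trail: List[dict] = field(default_factory=list)


class VerificationError(Exception):
    """Raised when a close request lacks the evidence the gate requires."""


def record(ticket: Ticket, event: str, **details) -> None:
    """Append a timestamped audit entry; entries are never edited or removed."""
    ticket.audit_trail.append({"at": datetime.now(timezone.utc), "event": event, **details})


def claim_fixed(ticket: Ticket, patched_at: datetime) -> None:
    """Owner reports the patch applied. This moves the ticket to pending
    verification, never to closed: no auto-close on the owner's word alone."""
    ticket.patched_at = patched_at
    ticket.status = "pending_verification"
    record(ticket, "patch_claimed", patched_at=patched_at)


def close_with_verification(ticket: Ticket, scans: List[ScanResult], verifier: str) -> None:
    """Close only if the latest re-scan of the same asset, run after patched_at,
    no longer reports the CVE. Anything else raises and the ticket stays open."""
    if ticket.patched_at is None:
        raise VerificationError("no patch claimed yet")
    post_patch = [s for s in scans
                  if s.asset == ticket.asset and s.scanned_at > ticket.patched_at]
    if not post_patch:
        raise VerificationError("no re-scan after the claimed patch time")
    latest = max(post_patch, key=lambda s: s.scanned_at)
    if ticket.cve in latest.cves_reported:
        record(ticket, "rescan_failed", scanned_at=latest.scanned_at, verified_by=verifier)
        ticket.status = "open"          # reopen: the fix did not take
        raise VerificationError(f"{ticket.cve} still reported on {ticket.asset}")
    record(ticket, "rescan_confirmed_clear", scanned_at=latest.scanned_at, verified_by=verifier)
    ticket.status = "closed"


def demo() -> Ticket:
    """Walk a constructed ticket through claim, a failed re-scan, then a clean one."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ticket = Ticket("CVE-0000-0001", "payment-gateway-prod", "ops-team", opened_at=t0)
    claim_fixed(ticket, patched_at=t0.replace(day=3))
    # Constructed scan history: a stale pre-patch scan (ignored by the gate) and a
    # post-patch scan that still reports the CVE, e.g. the patch missed this host.
    scans = [
        ScanResult("payment-gateway-prod", t0.replace(day=2), frozenset({"CVE-0000-0001"})),
        ScanResult("payment-gateway-prod", t0.replace(day=4), frozenset({"CVE-0000-0001"})),
    ]
    try:
        close_with_verification(ticket, scans, verifier="analyst-1")
    except VerificationError:
        pass                                 # ticket reopened; owner re-patches
    claim_fixed(ticket, patched_at=t0.replace(day=5))
    scans.append(ScanResult("payment-gateway-prod", t0.replace(day=6), frozenset()))
    close_with_verification(ticket, scans, verifier="analyst-1")
    return ticket


if __name__ == "__main__":
    for entry in demo().audit_trail:
        print(entry["event"], {k: v for k, v in entry.items() if k not in ("event", "at")})
```

The pre-patch scan is deliberately ignored even though it was the most recent scan at claim time: a scan that predates the patch cannot be evidence the patch worked, which is the mistake a simple “latest scan is clean” check makes.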

Reporting

Executive reports — trend over time (are findings increasing or decreasing?), top 10 unresolved by business unit, MTTR by severity, compliance posture.

Technical reports — full finding details by asset, owner, status. Searchable, exportable.

Compliance-aligned reports — NCA ECC and SAMA Cybersecurity Framework formats. Your auditor gets what they expect.

SLA tracking — time-to-remediate by severity, with trend visibility. Where SLAs are slipping, root-cause analysis.

Frequently asked questions

Do we need a separate VM tool if we already have CSPM? For cloud-only environments, often no — CSPM tools increasingly cover vulnerability scanning. For hybrid environments (cloud + on-prem + endpoint), you need both. CSPM for cloud configuration; VM for everything else (OS, applications, network).

How do you handle vulnerabilities in our custom-built apps? SAST (source code) and DAST (running application) scanning, plus dependency scanning (OSS libraries you’re using). Snyk and similar tools integrate into CI/CD pipelines. Manual code review for high-risk components.

What’s the SLA expectation for critical patches? Depends on contract terms, but a typical mature program targets: critical (KEV + high EPSS + high-value asset) within 7 days; high within 30; medium within 90; low at next maintenance window.

Can EIE perform the actual patching, or only manage findings? Both. Our managed services include patch execution as well as program management. Scope depends on engagement.

How does VM integrate with our SOC and SIEM? VM data feeds the SOC. When the SIEM detects activity targeting a vulnerability we know is unpatched, it’s escalated faster. When SOC detects exploitation, VM data tells us what was potentially compromised.

What about IoT and OT vulnerabilities? Specialized tooling. Claroty, Nozomi, Dragos for OT. Asset discovery is the first deliverable; vulnerability management follows. Patching OT is hard (uptime constraints) so compensating controls dominate the remediation pattern.

Get a posture assessment

A 30-day vulnerability assessment is the typical entry point — full discovery scan, EPSS/KEV prioritization, executive briefing.

