Tags: Vulnerability Management, Prioritization, Compliance

What is vulnerability management? A practical guide

Mar 13, 2026 · 10 min read

Why vulnerability management matters

In 2025, NIST's National Vulnerability Database published over 35,000 new CVEs. That is roughly 100 per day. Every one of them is a potential entry point for an attacker.

No team can patch everything. The question is not whether you have vulnerabilities. You do. The question is whether you know about them, and whether you are fixing the right ones first.

That is what vulnerability management is: a structured process for finding, evaluating, prioritizing, and remediating security weaknesses in your infrastructure. Not once, but continuously.

The five stages of vulnerability management

1. Discovery: know what you have

You cannot protect what you do not know about. The first step is building an inventory of your assets: servers, applications, libraries, cloud services, network devices.

This does not require a $50,000 CMDB tool. A spreadsheet works for small teams. What matters is that you know which technologies you run and which versions.

2. Detection: find the vulnerabilities

Once you know your assets, you need to know which CVEs affect them. There are two approaches:

Active scanning: Tools like OpenVAS, Nessus, or Qualys scan your systems and find installed software with known vulnerabilities. Good for internal infrastructure.

Feed monitoring: Watch public vulnerability databases for new CVEs that match your technology stack. This catches vulnerabilities as they are published, before your next scan runs.

The four major CVE databases (NVD, CISA KEV, ENISA EUVD, and GitHub Advisories) each cover different ground. Using all four gives you the most complete picture.
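A minimal version of the feed-monitoring match, as an added example that is not code from this page or from Nautilus: it walks CVE records shaped like a simplified NVD 2.0 API response (`configurations[].nodes[].cpeMatch[]` entries with a CPE 2.3 `criteria` string and the `versionStartIncluding` / `versionEndExcluding` range fields) and reports which inventory assets fall inside an affected range. The inventory, the feed records and the `CVE-0000-*` identifiers are constructed test data, and the version parser is a simplification that only understands dotted numeric versions.

```python
"""Match a CVE feed against a technology inventory (the 'feed monitoring' step).

Added example, not code from the page or from Nautilus. The records below are
constructed test data shaped like a simplified NVD 2.0 API response; the CVE
identifiers are placeholders, not real CVEs.
"""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically.
    Simplification: only dotted numeric versions are understood."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cpe_fields(criteria: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 string."""
    f = criteria.split(":")
    return f[3], f[4], f[5]


def version_affected(version: str, match: dict) -> bool:
    """Apply the NVD range fields of one cpeMatch entry to an installed version."""
    v = parse_version(version)
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if not any((lo_inc, lo_exc, hi_inc, hi_exc)):
        # No range given: the CPE's own version field decides ('*' means any)
        cpe_version = cpe_fields(match["criteria"])[2]
        return cpe_version in ("*", "-") or parse_version(cpe_version) == v
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def match_inventory(feed: list[dict], inventory: list[dict]) -> dict[str, list[str]]:
    """Return {cve_id: [asset names]} for CVEs whose CPE match covers an asset."""
    hits: dict[str, list[str]] = {}
    for record in feed:
        cve = record["cve"]
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable", True):
                        continue
                    vendor, product, _ = cpe_fields(m["criteria"])
                    for asset in inventory:
                        if (asset["vendor"], asset["product"]) != (vendor, product):
                            continue
                        if version_affected(asset["version"], m):
                            names = hits.setdefault(cve["id"], [])
                            if asset["name"] not in names:
                                names.append(asset["name"])
    return hits


# Constructed inventory: what the spreadsheet from the Discovery step would hold.
INVENTORY = [
    {"name": "web-01", "vendor": "apache", "product": "http_server", "version": "2.4.51"},
    {"name": "web-02", "vendor": "apache", "product": "http_server", "version": "2.4.58"},
    {"name": "db-01", "vendor": "postgresql", "product": "postgresql", "version": "15.3"},
]


def cpe_match(criteria: str, **ranges: str) -> dict:
    """Build one cpeMatch entry for the constructed feed."""
    return {"vulnerable": True, "criteria": criteria, **ranges}


def cve_record(cve_id: str, *matches: dict) -> dict:
    """Build one feed record in the simplified NVD 2.0 shape."""
    return {"cve": {"id": cve_id, "configurations": [{"nodes": [{"cpeMatch": list(matches)}]}]}}


# Constructed feed with placeholder CVE ids (CVE-0000-*): not real advisories.
FEED = [
    cve_record("CVE-0000-0001",
               cpe_match("cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
                         versionStartIncluding="2.4.0", versionEndExcluding="2.4.53")),
    cve_record("CVE-0000-0002",
               cpe_match("cpe:2.3:a:nginx:nginx:1.25.0:*:*:*:*:*:*:*")),
    cve_record("CVE-0000-0003",
               cpe_match("cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
                         versionEndExcluding="15.4")),
]

if __name__ == "__main__":
    for cve_id, assets in match_inventory(FEED, INVENTORY).items():
        print(f"{cve_id}: {', '.join(assets)}")
```

On the constructed data, `web-01` (2.4.51) is inside the first CVE's range while `web-02` (2.4.58) is past its `versionEndExcluding`, and the nginx record matches nothing because nothing in the inventory runs nginx. Real inventories need the version normalisation that the simplified parser skips (vendor-specific suffixes, backported distribution builds), which is where a scanner's own detection complements a feed match.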

3. Prioritization: fix the right things first

This is where most teams struggle. 35,000 CVEs per year, and your team has limited hours. How do you decide what to patch first?

Bad approach: Sort by CVSS score and work top-down. This gives you 5,000+ "critical" CVEs with no way to distinguish between them.

Better approach: Combine multiple signals:

| Signal | What it tells you | Source |
|---|---|---|
| CVSS score | Theoretical severity (0-10) | NVD |
| EPSS score | Probability of exploitation in the next 30 days (0-100%) | FIRST.org |
| CISA KEV | Confirmed active exploitation | CISA |
| PoC availability | Public exploit code exists | GitHub, Exploit-DB |
| Asset criticality | How important the affected system is | Your inventory |

A CVE with CVSS 7.5, EPSS 85%, and a public PoC is more urgent than a CVE with CVSS 9.8 and EPSS 0.5%. The first one is being exploited. The second one is theoretical.
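One way to turn the signal table into a ranking, as an added example that is not code from this page or from Nautilus. It scores each finding from CVSS, EPSS, KEV, PoC availability and asset criticality, and sorts by that score; the same findings sorted by CVSS alone are shown for comparison. The findings and their `CVE-0000-*` identifiers are constructed test data, and the weights and the three-level criticality scale are assumptions chosen to illustrate the ordering the text describes, not a published formula.

```python
"""Rank findings by combining the signals in the table above instead of by CVSS alone.

Added example, not code from the page or from Nautilus. The findings are
constructed test data with placeholder CVE ids; the weights are an assumption
chosen to show the ordering the text describes, not a published formula.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed three-level scale for asset criticality taken from the inventory.
ASSET_CRITICALITY = {"crown-jewel": 3, "standard": 2, "lab": 1}


@dataclass
class Finding:
    cve_id: str
    cvss: float        # NVD base score, 0-10 (theoretical severity)
    epss: float        # FIRST EPSS probability, 0.0-1.0 (exploitation in 30 days)
    kev: bool          # listed in CISA KEV (confirmed active exploitation)
    poc: bool          # public exploit code exists
    asset: str         # affected system
    criticality: str   # key into ASSET_CRITICALITY


def risk_score(f: Finding) -> float:
    """Higher means fix sooner. Evidence of exploitation outweighs theoretical severity."""
    score = f.cvss                 # baseline: CVSS, 0-10
    score += 40 * f.epss           # EPSS 85% adds 34 points, EPSS 0.5% adds 0.2
    if f.kev:
        score += 50                # confirmed exploitation always lands on top
    if f.poc:
        score += 15                # a public PoC lowers the bar for attackers
    score *= ASSET_CRITICALITY[f.criticality] / 2   # scale by what the asset is worth
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """The 'better approach': order by combined risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss_only(findings: list[Finding]) -> list[Finding]:
    """The 'bad approach': order by CVSS alone, kept here for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed findings with placeholder CVE ids (not real CVEs).
FINDINGS = [
    Finding("CVE-0000-0101", cvss=9.8, epss=0.005, kev=False, poc=False, asset="lab-vm-03", criticality="lab"),
    Finding("CVE-0000-0102", cvss=7.5, epss=0.85, kev=False, poc=True, asset="web-01", criticality="standard"),
    Finding("CVE-0000-0103", cvss=6.5, epss=0.30, kev=True, poc=True, asset="vpn-gw", criticality="crown-jewel"),
    Finding("CVE-0000-0104", cvss=9.1, epss=0.02, kev=False, poc=False, asset="erp-db", criticality="crown-jewel"),
]

if __name__ == "__main__":
    print("CVSS only :", [f.cve_id for f in by_cvss_only(FINDINGS)])
    print("Risk-based:", [(f.cve_id, risk_score(f)) for f in prioritize(FINDINGS)])
```

On the constructed findings, CVSS-only ordering puts the 9.8 lab-VM finding first and the KEV-listed VPN gateway finding last; the combined score inverts that, and the CVSS 7.5 / EPSS 85% / PoC finding from the paragraph above outranks the CVSS 9.8 / EPSS 0.5% one. The weights are deliberately coarse: the point is that a KEV entry or a high EPSS should dominate, and that the same CVE on a lab box and on a crown-jewel system should not get the same place in the queue.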

4. Remediation: actually fix it

Prioritization without action is a report. Remediation is the part that reduces risk.

Options, in order of preference:

  1. Patch: Apply the vendor fix. This is the gold standard.
  2. Update: Upgrade to a version that is not affected.
  3. Mitigate: Apply a workaround (disable a feature, restrict access, add a WAF rule).
  4. Accept: Document the risk and consciously decide not to fix. This is valid for low-risk CVEs, but it must be documented.

Track when each CVE was identified, when it was remediated, and how. This data is critical for audits.

5. Verification: confirm it worked

After patching, verify that the fix is actually in place. Re-scan, check version numbers, confirm the vulnerable component is no longer present.

This sounds obvious, but patches fail. Deployments get rolled back. Config changes get overwritten. Verify.

Vulnerability management vs. vulnerability scanning

These are not the same thing.

Vulnerability scanning is a single activity: run a tool, get a list of vulnerabilities. It is step 2 in the process above.

Vulnerability management is the entire lifecycle: discovery, detection, prioritization, remediation, verification. Running continuously.

A scan without follow-up is noise. Management without scanning is blind. You need both.

What compliance frameworks require

Every major security framework requires some form of vulnerability management:

  • NIS2 (EU): "Appropriate and proportionate technical measures" including vulnerability handling and disclosure (Art. 21)
  • ISO 27001: Control A.12.6: "Management of technical vulnerabilities"
  • SOC 2: CC7.1: "The entity identifies, develops, and implements activities to address risks"
  • PCI DSS: Requirement 6: "Develop and maintain secure systems and applications"
  • BSI IT-Grundschutz: OPS.1.1.3: Patch and vulnerability management

The common thread: you must have a documented, repeatable process. Ad-hoc patching does not count.

How Nautilus fits in

Nautilus covers stages 2-3 of the vulnerability management lifecycle:

  • Detection: Aggregates CVEs from NVD, CISA KEV, ENISA EUVD, and GitHub Advisories into a single feed
  • Prioritization: Enriches every CVE with EPSS scores, KEV flags, and PoC detection
  • Technology filter: Matches CVEs against your specific stack using the Watchlist
  • Notification: Webhooks (Slack, Discord) alert your team when a critical CVE hits your stack
  • Export: CSV/PDF export for audit documentation

It does not replace your scanner or your patch management tool. It sits between them: after CVEs are published, before you decide what to patch.

Frequently Asked Questions

What is the difference between vulnerability management and patch management? Vulnerability management is the broader process of identifying and prioritizing security weaknesses. Patch management is the operational process of applying fixes. Vulnerability management tells you what to patch. Patch management does the patching.

How often should I check for new vulnerabilities? Daily. New CVEs are published every day, and some are exploited within hours of disclosure. Automated monitoring eliminates the manual effort of daily checks.

Do I need an expensive tool for vulnerability management? No. Basic vulnerability monitoring can start at zero cost. What you need is a process: know your assets, monitor for new CVEs, prioritize by risk, patch, and document. Tools help automate this, but the process matters more than the tool.

What is a good metric for vulnerability management effectiveness? Mean Time to Remediate (MTTR) for critical and high-severity vulnerabilities. Track how long it takes from CVE publication to patch deployment. Under 7 days for critical CVEs is a strong benchmark.
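A small script for the metric the FAQ names, computed from the remediation log the Remediation section asks you to keep (when identified, when remediated, how). This is an added example, not code from this page or from Nautilus: it parses a constructed CSV log with placeholder `CVE-0000-*` identifiers, computes MTTR from publication to closure per severity, and lists findings that are past an SLA. The SLA table is an assumption, with the 7-day figure for critical CVEs taken from the FAQ.

```python
"""Mean Time to Remediate from a remediation log (publication -> closure).

Added example, not code from the page or from Nautilus. The log rows are
constructed test data with placeholder CVE ids; the SLA table is an assumption,
with the 7-day critical benchmark taken from the FAQ.
"""
from __future__ import annotations

import csv
from datetime import date
from io import StringIO
from statistics import mean

# Constructed log, one row per finding; `remediated` is empty while still open.
LOG_CSV = """\
cve_id,severity,published,identified,remediated,action
CVE-0000-0201,critical,2026-02-01,2026-02-01,2026-02-04,patch
CVE-0000-0202,critical,2026-02-03,2026-02-05,2026-02-15,update
CVE-0000-0203,high,2026-02-06,2026-02-06,2026-02-12,mitigate
CVE-0000-0204,critical,2026-02-10,2026-02-10,,
CVE-0000-0205,low,2026-02-11,2026-02-12,2026-02-12,accept
"""

# Assumed SLA in days per severity; 7 days for critical is the FAQ's benchmark.
SLA_DAYS = {"critical": 7, "high": 30}


def load_log(text: str) -> list[dict]:
    """Parse the CSV log into rows with real date objects."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["published"] = date.fromisoformat(r["published"])
        r["identified"] = date.fromisoformat(r["identified"])
        r["remediated"] = date.fromisoformat(r["remediated"]) if r["remediated"] else None
    return rows


def days_to_remediate(row: dict) -> int | None:
    """Days from CVE publication to closure; None while the finding is open."""
    if row["remediated"] is None:
        return None
    return (row["remediated"] - row["published"]).days


def mttr_days(rows: list[dict], severities: set[str]) -> float | None:
    """MTTR over closed findings of the given severities (None if none closed)."""
    durations = [days_to_remediate(r) for r in rows
                 if r["severity"] in severities and r["remediated"] is not None]
    return round(mean(durations), 1) if durations else None


def sla_breaches(rows: list[dict], today_iso: str) -> list[str]:
    """CVE ids closed after their SLA, plus open ones already past it."""
    today = date.fromisoformat(today_iso)
    breaches = []
    for r in rows:
        limit = SLA_DAYS.get(r["severity"])
        if limit is None:                     # no SLA defined for this severity
            continue
        age = days_to_remediate(r)
        if age is None:                       # still open: the clock keeps running
            age = (today - r["published"]).days
        if age > limit:
            breaches.append(r["cve_id"])
    return breaches


if __name__ == "__main__":
    rows = load_log(LOG_CSV)
    print("MTTR critical:", mttr_days(rows, {"critical"}), "days")
    print("MTTR critical+high:", mttr_days(rows, {"critical", "high"}), "days")
    print("SLA breaches as of 2026-02-20:", sla_breaches(rows, "2026-02-20"))
```

Two design points worth keeping when you adapt this: MTTR only averages closed findings, so an open critical that has been sitting for weeks does not show up in the number at all, which is why `sla_breaches` counts open findings by their current age rather than waiting for closure; and a risk-accepted finding closes the clock too, since the decision is the documented outcome the audit trail needs.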

Related: Understand EPSS vs CVSS for prioritization, learn about the CISA KEV catalog, or see how NIS2 makes this mandatory for SMEs.


Nautilus gives you vulnerability intelligence from four sources, prioritized by EPSS, KEV, and PoC data. Start monitoring for free.
