VM — Glossary
Vulnerability Management
The continuous process of identifying, evaluating, prioritizing, and remediating security vulnerabilities across an organization's IT assets, including software, systems, and configurations.
What Is Vulnerability Management?
Vulnerability Management (VM) is a systematic approach to finding and fixing security weaknesses before attackers exploit them. It goes beyond simple scanning — mature VM programs include asset discovery, vulnerability assessment, risk-based prioritization, remediation tracking, and verification.
The Vulnerability Management Lifecycle
- Asset Discovery: Maintain a complete inventory of all IT assets
- Vulnerability Scanning: Scan assets for known vulnerabilities (CVEs), misconfigurations, and weak credentials
- Prioritization: Rank findings by risk — considering CVSS score, exploitability, asset criticality, and exposure
- Remediation: Patch, reconfigure, or apply compensating controls
- Verification: Rescan to confirm vulnerabilities are resolved
- Reporting: Track metrics (mean time to remediate, vulnerability age, SLA compliance)
Risk-Based Vulnerability Management
Not all vulnerabilities are equal. Modern VM tools use risk-based prioritization that considers:
- CVSS score — Severity of the vulnerability itself
- Exploit availability — Is there a known exploit in the wild?
- Asset context — Is the affected asset internet-facing? Does it hold sensitive data?
- Threat intelligence — Are threat actors actively exploiting this vulnerability?
- Business impact — What happens if this asset is compromised?
This approach dramatically reduces noise. Typically, fewer than 5% of vulnerabilities pose real risk in any given environment.
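The lifecycle steps and the risk-based prioritization factors above can be combined into a small pipeline. The following is an added example (not code from the glossary page or from any vendor product): it takes a constructed asset inventory and a constructed set of findings, blends CVSS with exploit availability, a stand-in for a known-exploited list, and asset context into a single risk score, assigns an SLA tier, closes findings on rescan (verification), and reports mean time to remediate, vulnerability age, and SLA compliance. The scoring weights, tier thresholds, SLA windows, and CVE identifiers (`CVE-0000-000x`) are illustrative assumptions and placeholders, not values from the page.

```python
"""Risk-based vulnerability prioritization with lifecycle metrics.

Added example for the glossary page; not vendor code. All assets, findings
and the known-exploited set are constructed sample data, and every weight,
threshold and SLA window is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Constructed asset inventory (the output of the asset discovery step).
ASSETS = {
    "web-01": {"internet_facing": True, "sensitive_data": True, "criticality": 5},
    "db-01": {"internet_facing": False, "sensitive_data": True, "criticality": 5},
    "dev-lab": {"internet_facing": False, "sensitive_data": False, "criticality": 1},
}

# Constructed stand-in for a known-exploited feed (placeholder IDs, not real CVEs).
KNOWN_EXPLOITED = {"CVE-0000-0001"}

# Assumed remediation SLA per tier, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    exploit_public: bool
    found: date
    fixed: Optional[date] = None


def risk_score(f: Finding, assets=ASSETS, kev=KNOWN_EXPLOITED) -> float:
    """Blend CVSS with exploit status and asset context into a 0-100 score (assumed weights)."""
    a = assets[f.asset]
    score = f.cvss * 4.0                      # CVSS 0-10 maps to 0-40
    if f.cve in kev:
        score += 30                           # actively exploited outweighs a merely public PoC
    elif f.exploit_public:
        score += 15
    if a["internet_facing"]:
        score += 15
    if a["sensitive_data"]:
        score += 10
    score += (a["criticality"] - 1) * 2       # business impact, 0-8
    return min(100.0, round(score, 1))


def tier(score: float) -> str:
    if score >= 70:
        return "critical"
    if score >= 40:
        return "high"
    return "medium"


def prioritize(findings):
    """Return (finding, score, tier, sla_due) tuples, highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        rows.append((f, s, t, f.found + timedelta(days=SLA_DAYS[t])))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def apply_rescan(findings, asset: str, still_present: set, rescan_date: date):
    """Verification step: open findings on `asset` that the rescan no longer reports are closed."""
    closed = []
    for f in findings:
        if f.asset == asset and f.fixed is None and f.cve not in still_present:
            f.fixed = rescan_date
            closed.append(f.cve)
    return closed


def metrics(findings, as_of: date) -> dict:
    """Reporting step: MTTR, oldest open finding, and share of findings inside their SLA."""
    mttr = [(f.fixed - f.found).days for f in findings if f.fixed]
    open_age = [(as_of - f.found).days for f in findings if f.fixed is None]
    compliant = sum(1 for f, _, _, due in prioritize(findings) if (f.fixed or as_of) <= due)
    return {
        "open": len(open_age),
        "mean_time_to_remediate_days": mean(mttr) if mttr else None,
        "oldest_open_days": max(open_age, default=0),
        "sla_compliance": round(compliant / len(findings), 2) if findings else 1.0,
    }


def sample_findings():
    """Constructed scan output: same CVSS 9.8 on an exposed host and on a lab box, plus two others."""
    return [
        Finding("CVE-0000-0001", "web-01", 9.8, True, date(2024, 6, 1)),
        Finding("CVE-0000-0002", "dev-lab", 9.8, False, date(2024, 3, 1)),
        Finding("CVE-0000-0003", "db-01", 7.5, True, date(2024, 5, 1)),
        Finding("CVE-0000-0004", "web-01", 5.3, False, date(2024, 6, 20)),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    for f, s, t, due in prioritize(fs):
        print(f"{f.cve} on {f.asset}: score={s} tier={t} due={due}")
    print("closed by rescan:", apply_rescan(fs, "db-01", set(), date(2024, 5, 20)))
    print(metrics(fs, date(2024, 6, 30)))
```

Running it shows the point of the section: the two CVSS 9.8 findings land in different tiers once exposure and business impact are included, and the metrics call produces the MTTR, vulnerability-age and SLA figures that the reporting step tracks.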
Types of Vulnerability Scanning
| Type | Scope | Examples |
|---|---|---|
| Network scanning | Servers, network devices, IoT | Tenable, Qualys |
| Web application scanning | Web apps, APIs | Qualys WAS, Rapid7 |
| Container scanning | Container images, registries | Trivy, Aqua, Snyk |
| Cloud configuration | IaaS/PaaS misconfigurations | Wiz, Prisma Cloud |
| Code scanning (SAST) | Source code vulnerabilities | SonarQube, Checkmarx |
Leading VM Vendors
Major vulnerability management providers include Tenable, Qualys VMDR, Rapid7 InsightVM, CrowdStrike Falcon Spotlight, Microsoft Defender Vulnerability Management, and open-source tools like Greenbone OpenVAS, Nuclei, and Trivy.
Related Resources
Categories
Enterprise Vulnerability Management Platforms
Compare the best enterprise vulnerability management alternatives to Tenable in 2026. Microsoft Defender VM, Tanium, Arctic Wolf — enterprise features, scale, and pricing compared.
Cloud Vulnerability Management Platforms
Compare the best cloud vulnerability management alternatives to Tenable in 2026. Qualys VMDR, Rapid7 InsightVM, CrowdStrike Falcon Spotlight — features, pricing, and capabilities compared.
Open Source Vulnerability Scanners
Compare the best open source vulnerability scanner alternatives to Tenable in 2026. Greenbone OpenVAS, Nuclei — features, scanning depth, and deployment compared.
Products
Tenable
Industry-leading vulnerability management platform with Nessus scanning, cloud-native VM, and exposure management
Qualys VMDR
Cloud-native vulnerability management platform with integrated detection, prioritization, and patch management
Rapid7 InsightVM
Risk-based vulnerability management platform with live dashboards and remediation project tracking
CrowdStrike Falcon Spotlight
EDR-integrated scanless vulnerability assessment built on the CrowdStrike Falcon platform
Microsoft Defender Vulnerability Management
Microsoft's built-in vulnerability management integrated with Defender for Endpoint
Greenbone OpenVAS
The most widely used open-source vulnerability scanner with 100,000+ network vulnerability tests
Nuclei
Fast, template-based open-source vulnerability scanner with 8,000+ community-contributed detection templates
Trivy
Open-source vulnerability scanner for containers, file systems, IaC, and Kubernetes with zero-config setup