Citadel Cloud Management
Vulnerability Management Framework
Cybersecurity Frameworks
Created by Kenny Ogunlowo
Product Description
Vulnerability Management Framework — Enterprise Risk Reduction Program
After running vulnerability management programs where a single unpatched CVE on an internet-facing system could compromise classified data, I built this framework because most organizations confuse "running a scan" with "managing vulnerabilities" — and the gap between those two things is where breaches happen.
The specific problem: CVE-2024-3400 (Palo Alto PAN-OS), CVE-2023-34362 (MOVEit), and CVE-2024-1709 (ConnectWise ScreenConnect) were all exploited in the wild within days of disclosure. Your current patching SLA of 30 days for critical vulnerabilities means you're exposed for 29 days longer than threat actors need. This framework builds a risk-prioritized remediation engine, not just a scanning program.
What You Get
- Risk-Based Prioritization Engine — Vulnerability scoring methodology that combines CVSS base score with EPSS (Exploit Prediction Scoring System), CISA KEV catalog status, asset criticality, network exposure, and compensating controls. Reduces actionable vulnerabilities from thousands to hundreds without ignoring real risk.
- Scanning Program Architecture — Authenticated and unauthenticated scan configurations for Tenable, Qualys, and Rapid7. Includes scan scheduling templates, credential management procedures, and scanner placement guides for segmented networks. Covers cloud-native scanning (AWS Inspector, Azure Defender, GCP Security Command Center).
- Remediation SLA Framework — Tiered SLAs based on risk score: CISA KEV entries (48 hours), Critical+Exploitable (7 days), Critical (14 days), High (30 days), Medium (90 days). Includes exception request templates, risk acceptance documentation, and compensating control validation procedures.
- Patch Management Runbooks — Step-by-step procedures for Windows (WSUS/SCCM/Intune), Linux (yum/apt with staged rollout), container images (base image rebuild pipelines), and third-party applications. Includes rollback procedures and post-patch validation scripts.
- Metrics & Reporting Templates — Executive dashboards showing: mean-time-to-remediate by severity, SLA compliance rates, vulnerability aging, and risk reduction trending. Board-ready monthly reports and operational weekly reports.
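As an added illustration of the prioritization engine and the SLA tiers described above (example code, not part of the framework's own deliverables), the following Python assigns a remediation tier and due date from the listed factors. The one-band adjustments for exposure, asset criticality and compensating controls, the 1-3 criticality scale, the 0.10 EPSS threshold for "exploitable", and the absence of an SLA for Low findings are assumptions; the tier durations are the ones stated in the SLA framework.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remediation SLAs per tier, in hours, as stated in the framework description.
SLA_HOURS = {
    "KEV": 48,
    "CRITICAL_EXPLOITABLE": 7 * 24,
    "CRITICAL": 14 * 24,
    "HIGH": 30 * 24,
    "MEDIUM": 90 * 24,
    "LOW": None,  # tracked but carries no SLA (assumption)
}
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
EPSS_EXPLOITABLE = 0.10  # assumed EPSS probability threshold for "exploitable"

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                  # CVSS base score, 0.0-10.0
    epss: float                  # EPSS probability, 0.0-1.0
    in_kev: bool                 # present in the CISA KEV catalog
    asset_criticality: int       # 1 (low) .. 3 (business critical); assumed scale
    internet_facing: bool        # reachable from the internet
    compensating_control: bool   # validated control in place (e.g. WAF rule, ACL)

def cvss_severity(cvss: float) -> str:
    # CVSS qualitative bands: 9.0+ critical, 7.0+ high, 4.0+ medium, else low
    for floor, band in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM")):
        if cvss >= floor:
            return band
    return "LOW"

def assign_tier(f: Finding) -> str:
    """Combine the page's factors into a remediation tier (adjustment rules are assumptions)."""
    if f.in_kev:
        return "KEV"  # KEV status is never reduced by controls or low criticality
    idx = SEVERITY_ORDER.index(cvss_severity(f.cvss))
    if f.internet_facing or f.asset_criticality >= 3:
        idx = min(idx + 1, len(SEVERITY_ORDER) - 1)   # exposure/criticality: one band up
    if f.compensating_control:
        idx = max(idx - 1, 0)                         # validated control: one band down
    tier = SEVERITY_ORDER[idx]
    if tier == "CRITICAL" and f.epss >= EPSS_EXPLOITABLE:
        return "CRITICAL_EXPLOITABLE"
    return tier

def sla_deadline(f: Finding, detected: datetime):
    """Return the remediation due time, or None when the tier carries no SLA."""
    hours = SLA_HOURS[assign_tier(f)]
    return None if hours is None else detected + timedelta(hours=hours)
```

The sample findings in any test are constructed; the CVE identifiers are placeholders, not real entries.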
Brownfield Implementation
- Week 1-2: Deploy authenticated scanning across all network segments and cloud accounts.
- Week 3-4: Build asset inventory with criticality ratings and owner assignments.
- Week 5-8: Implement risk-based prioritization and establish remediation SLAs with system owners.
- Week 9-12: Automate reporting, integrate with ticketing (JIRA/ServiceNow), and establish exception management workflow.
Scope Limitations
Covers infrastructure and application vulnerability management. Does not cover DAST/SAST application security testing in the SDLC, penetration testing methodology, bug bounty program management, or OT/SCADA vulnerability management (different scanning tools and maintenance windows apply).
Audit Evidence
Satisfies PCI DSS v4.0 Req 11.3 (vulnerability scanning), NIST SP 800-53 RA-5 (Vulnerability Monitoring and Scanning), HIPAA §164.308(a)(1)(ii)(A) (risk analysis), and SOC 2 CC7.1 (detection of changes). Generates: authenticated scan reports, remediation tracking records with SLA compliance, risk acceptance documentation, and vulnerability trending reports that auditors require for continuous monitoring evidence.
Written by Kenny Ogunlowo — Detection Engineer, U.S. Secret Clearance holder. Managed vulnerability programs at Lockheed Martin and Cigna Healthcare across classified and regulated environments.