
Vulnerability Management.

Finding vulnerabilities is step one. Fixing them is the whole point.

By Brian Gagne, CTO · March 14, 2025 · Updated March 19, 2026

Scan reports are not security programs

Here is a pattern we see constantly: an organization runs quarterly vulnerability scans, produces a PDF, files it somewhere, and moves on. Next quarter, the same findings show up again, sometimes with new ones stacked on top. The scan is running. The vulnerabilities are not getting fixed. Vulnerability management is the entire lifecycle: discovery, triage, prioritization by actual risk, remediation, verification that the fix works, and tracking trends over time. The scan is maybe 10% of the work. The other 90% is doing something with what you found.

CVSS scores lie without context

A CVSS 9.8 on an internal service behind three layers of access controls is less urgent than a CVSS 6.1 on your public-facing login page. Raw severity scores do not account for your specific environment, existing controls, or actual exposure. Prioritization without context is just sorting numbers.

Why most programs stall

The common failure mode is not scanning. Most organizations scan regularly. The failure is what happens after the scan. Findings hit an inbox, someone looks at the count, and it gets deferred because nobody has time to triage 200 findings with no context about which ones actually matter. Effective vulnerability management requires someone who understands the environment well enough to separate real risk from noise. False positives get filtered. Findings get grouped by root cause instead of treated individually. Remediation gets prioritized by what an attacker could actually do with the finding, not just its severity number.

30+ automated verification checks per server deployment

Every server we provision passes 30+ automated verification checks before it enters production. The process is idempotent and resumable, with a complete JSON audit log. This is what vulnerability prevention looks like when it is built into the deployment process instead of bolted on after.

Environmental risk scoring

Our vulnerability assessment considers actual exposure, existing controls, service criticality, and attacker requirements. Not just raw CVSS scores. A finding on a database server that is only reachable through a VPN, behind key-based authentication, running on a hardened host, gets a very different risk treatment than the same finding on a public-facing web server. Remediation plans include rollback procedures and require human approval before execution. We do not auto-patch production systems. That is not conservatism. That is how you avoid turning a vulnerability fix into an availability incident. This process ties directly into our broader threat detection and server hardening work.
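The environmental scoring described here, and the CVSS 9.8-versus-6.1 comparison above, can be made concrete with a small prioritizer. The block below is an added example and is not kief.studio's own tooling or scoring method; the weight tables, the `Finding` fields, the priority bands and the five sample findings are all constructed assumptions for illustration. It scales a scanner's CVSS base score by exposure, attacker requirements, service criticality and the number of compensating controls in front of the service, drops findings marked as false positives, and groups what remains by root cause so each group becomes one remediation work item.

```python
from dataclasses import dataclass
from collections import defaultdict

# All weights below are constructed for this illustration, not a standard.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4, "vpn_only": 0.25}
ATTACKER_REQ_WEIGHT = {"none": 1.0, "valid_account": 0.6, "admin": 0.3}
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0}
CONTROL_DISCOUNT = 0.7  # applied once per independent control an attacker must defeat first


@dataclass
class Finding:
    id: str
    title: str
    cvss_base: float          # scanner's raw severity, 0-10
    exposure: str             # key of EXPOSURE_WEIGHT
    attacker_requires: str    # key of ATTACKER_REQ_WEIGHT
    criticality: str          # key of CRITICALITY_WEIGHT
    controls: int             # compensating controls in front of the service
    root_cause: str           # shared cause, used to group findings into one fix
    false_positive: bool = False


def contextual_score(f: Finding) -> float:
    """Scale the CVSS base score by the environmental factors; 2 decimal places."""
    score = (f.cvss_base
             * EXPOSURE_WEIGHT[f.exposure]
             * ATTACKER_REQ_WEIGHT[f.attacker_requires]
             * CRITICALITY_WEIGHT[f.criticality]
             * CONTROL_DISCOUNT ** f.controls)
    return round(score, 2)


def priority_band(score: float) -> str:
    """Map a contextual score to a remediation bucket (thresholds are assumptions)."""
    if score >= 7.0:
        return "immediate"
    if score >= 4.0:
        return "scheduled"
    return "backlog"


def prioritize(findings):
    """Drop false positives, then order by contextual score, highest first."""
    live = [f for f in findings if not f.false_positive]
    return sorted(live, key=lambda f: (-contextual_score(f), f.id))


def remediation_items(findings):
    """One work item per root cause; its score is the worst score in the group."""
    items = {}
    for f in prioritize(findings):  # highest-first, so the first hit sets the max
        item = items.setdefault(f.root_cause, {"score": contextual_score(f), "findings": []})
        item["findings"].append(f.id)
    return items


# Constructed sample findings, mirroring the cases discussed in the text.
SAMPLE_FINDINGS = [
    Finding("F-1", "RCE in internal reporting service", 9.8, "internal", "valid_account",
            "high", controls=3, root_cause="unpatched_reporting_lib"),
    Finding("F-2", "Reflected XSS on public login page", 6.1, "internet", "none",
            "high", controls=0, root_cause="missing_output_encoding"),
    Finding("F-3", "Outdated TLS library on VPN-only database host", 7.5, "vpn_only",
            "valid_account", "high", controls=2, root_cause="outdated_tls_library"),
    Finding("F-4", "Outdated TLS library on public web server", 7.5, "internet", "none",
            "high", controls=0, root_cause="outdated_tls_library"),
    Finding("F-5", "Version banner flags a backported patch as missing", 5.3, "internet",
            "none", "medium", controls=0, root_cause="banner_only", false_positive=True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = contextual_score(f)
        print(f"{f.id} cvss={f.cvss_base:<4} context={s:<5} {priority_band(s):<10} {f.title}")
    for cause, item in remediation_items(SAMPLE_FINDINGS).items():
        print(f"work item {cause}: score={item['score']} findings={item['findings']}")
```

With these assumed weights the CVSS 9.8 finding behind three controls on an internal service scores 0.81, while the 6.1 on the public login page scores 6.1, so the ranking comes out as F-4, F-2, F-1, F-3 and the two TLS findings collapse into a single work item. The point is not the specific numbers but that the context fields have to be filled in by someone who knows the environment; the scanner cannot supply them.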

Remediation for a compliance-critical MSP

Problem

A northeast MSP serving HIPAA and PCI-DSS clients had penetration testing findings sitting in a report with no remediation path. IPv6 DNS spoofing, NetBIOS spoofing, SMB null sessions, and SMB signing issues were all documented but unfixed.

Solution

We triaged findings by actual risk to the MSP's client environments, not by report order. Each finding was assessed against budget constraints and remediation was scoped to what the business could absorb without disruption.

Outcome

All critical findings remediated and verified against original test criteria. The MSP had documented evidence of remediation for HIPAA and PCI-DSS auditors.

A scan report with no remediation path is just a list of problems. Vulnerability management means closing the loop from finding to fix to verification.

Continuous management, not periodic scanning

We integrate vulnerability management into ongoing support engagements. Findings are tracked through remediation, verified after fixes are applied, and trended over time so you can see whether your attack surface is actually shrinking. The goal is measurable reduction in risk, not a growing archive of unread reports. If your current security program produces scans but not fixes, that is a management gap, not a tooling gap. First conversation is free if you want to talk through where your program stands. Reach out at kief.studio/contact.

Frequently asked questions

We already run quarterly scans. What would change?

Scanning is discovery. Management is everything after discovery: triage, prioritization, remediation, verification, and trend tracking. If your findings list grows every quarter without shrinking, the missing piece is not more scanning. It is someone closing the loop on what the scans find.

How do you prioritize which vulnerabilities to fix first?

By actual risk to your environment, not by raw CVSS score. We assess each finding against your specific exposure, existing controls, service criticality, and what an attacker would need to exploit it. A high-severity finding behind multiple layers of access control is less urgent than a medium-severity finding on a public-facing service.

Can you work with our existing security vendor?

Yes. We regularly work alongside existing IT partners and security vendors. We can take scan output from any standard tool and build the management process around it. Reach us at kief.studio/contact to discuss how we fit into your current setup.

Need help with this?

First conversation is free. Talk directly to the founders.
