
Vulnerability Assessment and Remediation Workflows: Building a Repeatable Defense Pipeline

Last year, a Fortune 500 company I consulted for had over 14,000 open vulnerabilities across their infrastructure—not because they lacked scanning tools, but because they had no structured workflow connecting discovery to remediation. Vulnerabilities were found, logged, and forgotten. If that sounds familiar, you don't have a detection problem; you have a process problem. Let's fix it.



The Core Problem: Detection Without Closure

Most security teams run vulnerability scans religiously. Nessus fires on schedule, reports get exported to PDF, and someone files a ticket. But without a defined workflow—with ownership, prioritization, SLAs, and verification—scanning becomes theater. The goal isn't to find vulnerabilities. It's to close them systematically.

A mature vulnerability management workflow has five distinct phases: Discovery → Prioritization → Assignment → Remediation → Verification.


Phase 1: Discovery — Scan Smarter, Not Just More

Credentialed scans are non-negotiable. Unauthenticated scans miss 30-60% of vulnerabilities because they can't inspect installed packages, registry keys, or local configurations.

Here's an example of creating a credentialed scan task with OpenVAS from the command line using gvm-cli. In GMP the SSH or SMB credential is attached to the target object, so the task below inherits it from the referenced target:

gvm-cli --gmp-username admin --gmp-password $GVM_PASS socket \
  --xml '<create_task>
    <name>Prod-Server-Weekly</name>
    <config id="daba56c8-73ec-11df-a475-002264764cea"/>
    <target id="a1e5b23c-8f91-4d3b-b6a7-9c2df4e71a80"/>
    <scanner id="08b69003-5fc2-4037-a479-93b440211c73"/>
  </create_task>'

Pair this with asset inventory from your CMDB. If you're scanning IPs that aren't mapped to business owners, you're generating noise with no accountability.


Phase 2: Prioritization — CVSS Alone Isn't Enough

A CVSS 9.8 on an isolated test server matters less than a CVSS 7.5 on your internet-facing payment gateway. Effective prioritization combines:

  • CVSS base score — severity baseline
  • EPSS (Exploit Prediction Scoring System) — likelihood of exploitation in the wild
  • Asset criticality — business context from your CMDB
  • Exposure — is it internet-facing, segmented, or air-gapped?

A practical risk score formula might look like:

Risk Score = CVSS × EPSS_percentile × Asset_Criticality_Weight

Where EPSS_percentile is expressed on a 0–1 scale and Asset_Criticality_Weight is 1.0 (low), 2.0 (medium), or 3.0 (critical). This pushes genuinely dangerous findings to the top.


Phase 3: Assignment and SLAs — Creating Accountability

Define remediation SLAs based on your risk tiers and enforce them:

Risk Tier | Score Range | Remediation SLA | Escalation
----------|-------------|-----------------|-------------------
Critical  | 20+         | 72 hours        | CISO at 48h
High      | 10–19       | 14 days         | Manager at 10d
Medium    | 5–9         | 30 days         | Automated reminder
Low       | < 5         | 90 days         | Quarterly review
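As an added illustration (not code from the article), here is the risk score formula and the SLA table above implemented together in Python over constructed sample findings. Tier floors are inclusive, so a score that falls between the table's printed ranges (such as 19.5) still lands in a tier, and out-of-range CVSS or EPSS inputs are rejected rather than silently scored.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Criticality weights from the article: 1.0 low, 2.0 medium, 3.0 critical
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 2.0, "critical": 3.0}
# SLA table rows: (tier, inclusive floor, remediation SLA, escalation point).
# Inclusive floors keep a score such as 19.5 in High instead of in a gap between rows.
TIERS = [
    ("Critical", 20.0, timedelta(hours=72), timedelta(hours=48)),
    ("High",     10.0, timedelta(days=14),  timedelta(days=10)),
    ("Medium",    5.0, timedelta(days=30),  None),  # automated reminder only
    ("Low",       0.0, timedelta(days=90),  None),  # quarterly review
]

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float             # CVSS base score, 0.0-10.0
    epss_percentile: float  # EPSS percentile expressed as 0.0-1.0
    criticality: str        # "low", "medium" or "critical", from the CMDB

def risk_score(f: Finding) -> float:
    """Risk Score = CVSS x EPSS_percentile x Asset_Criticality_Weight."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss_percentile <= 1.0):
        raise ValueError(f"out-of-range inputs for {f.cve} on {f.host}")
    return round(f.cvss * f.epss_percentile * CRITICALITY_WEIGHT[f.criticality], 2)

def assign_tier(score: float):
    """Return (tier, sla_delta, escalation_delta or None) for a risk score."""
    return next((t, sla, esc) for t, floor, sla, esc in TIERS if score >= floor)

def triage(findings, discovered: datetime):
    # Score each finding, attach tier and dates, and return the list worst first
    rows = []
    for f in findings:
        score = risk_score(f)
        tier, sla, escalate = assign_tier(score)
        rows.append({"host": f.host, "cve": f.cve, "score": score, "tier": tier,
                     "sla_due": discovered + sla,
                     "escalate_at": discovered + escalate if escalate else None})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
# Constructed sample: the CVSS 9.8 on an isolated test box should rank below
# the CVSS 7.5 on the payment gateway, exactly as the article argues.
SAMPLE = [
    Finding("test-db-03", "CVE-EXAMPLE-1", 9.8, 0.50, "low"),
    Finding("pay-gw-01",  "CVE-EXAMPLE-2", 7.5, 0.90, "critical"),
    Finding("hr-app-02",  "CVE-EXAMPLE-3", 6.1, 0.60, "medium"),
]
def demo():  # triage the sample as if discovered by a fixed Monday-morning scan
    return triage(SAMPLE, datetime(2025, 1, 6, 9, 0))
```

Running demo() ranks the payment gateway finding first (score 20.25, Critical, 72-hour SLA) and the CVSS 9.8 test box last (score 4.9, Low), which is the ordering the prioritization section argues for.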

Automate ticket creation. Here's a snippet using Python to push findings into Jira:

import os
from datetime import date, timedelta
from jira import JIRA

# Map risk tiers to the priority names configured in your Jira project
priority_map = {"Critical": "Highest", "High": "High", "Medium": "Medium", "Low": "Low"}

# One finding from the scanner export joined with CMDB ownership (sample values)
severity, cve_id, hostname, cvss = "High", "CVE-2024-3094", "build-srv-07", 10.0
asset_owner = "jdoe"
sla_date = date.today() + timedelta(days=14)  # High tier: 14-day SLA

# Read credentials from the environment rather than hard-coding them in the script
jira = JIRA(server="https://yourorg.atlassian.net",
            basic_auth=(os.environ["JIRA_USER"], os.environ["JIRA_TOKEN"]))

jira.create_issue(
    project="VULN",
    summary=f"[{severity}] {cve_id} on {hostname}",
    description=f"Asset: {hostname}\nCVE: {cve_id}\nCVSS: {cvss}\nSLA: {sla_date}",
    issuetype={"name": "Bug"},
    priority={"name": priority_map[severity]},
    assignee={"name": asset_owner},  # Jira Cloud expects {"accountId": ...} here
)

No more emailing spreadsheets. Every finding has an owner and a deadline.


Phase 4 & 5: Remediation and Verification — Closing the Loop

After patching, rescan the specific asset to confirm the fix. Don't wait for the next scheduled scan cycle. Note that nessuscli only administers the Nessus daemon itself (users, updates, fixes); scans are launched through the REST API. Assuming you have a saved scan built from a verification-only policy and its numeric id in $SCAN_ID (hostname and variables below are placeholders), you can launch it against just the patched host, overriding the saved target list:

curl -s -X POST "https://nessus.example.internal:8834/scans/$SCAN_ID/launch" \
  -H "X-ApiKeys: accessKey=$NESSUS_ACCESS_KEY; secretKey=$NESSUS_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"alt_targets": ["10.0.5.22"]}'

Name the saved scan after what it verifies (for example Post-Patch-CVE-2024-3094) so the result stays traceable to the remediation ticket.

Track your mean time to remediate (MTTR) by severity tier monthly. This is the metric that tells leadership whether your program is actually improving—not the number of scans run.


Final Thought

Vulnerability management isn't a tool. It's a workflow. The organizations that get breached rarely lack scanners—they lack the operational discipline to act on what the scanners find. Build the pipeline, automate the handoffs, measure closure rates, and iterate. That's how you turn a vulnerability report from a liability into a defense.


Have questions about vulnerability assessment and remediation workflows? I'm always happy to talk shop — reach out or connect with me on LinkedIn.
