Vulnerability Management
Continuous scanning, risk-ranked remediation, and patch compliance as a KPI.
Continuous Scanning
Vulnerability management isn't a quarterly scan. It's a continuous process. Every component in your infrastructure is scanned regularly, and new vulnerabilities are assessed as they're published.
Infrastructure Scanning
OS packages, cloud configurations, and network exposure scanned continuously. Findings risk-ranked by CVSS score and exploitability context.
Container Image Scanning
Every container image scanned in the CI pipeline before deployment. Known-vulnerable images blocked from production. Base image updates tracked and prompted.
Dependency Scanning
Application dependencies checked against vulnerability databases. Critical findings flagged in pull requests. Automated PR generation for security patches.
Configuration Drift
Cloud resource configurations compared against security baselines. Drift, whether from manual changes or failed applies, is flagged and remediated.
Remediation Standards
| Severity | CVSS Range | Remediation Standard | Action |
|---|---|---|---|
| Critical | 9.0–10.0 | 24–48 hours | Emergency patch or mitigation applied immediately |
| High | 7.0–8.9 | 7 days | Scheduled patch within next change window |
| Medium | 4.0–6.9 | 30 days | Included in regular patch cycle |
| Low | 0.1–3.9 | 90 days | Addressed during maintenance cycles |
Patch Compliance KPI
Patch compliance is tracked as a measurable KPI, not a checkbox. We report:
- Patch coverage: % of systems at current patch levels
- Standard adherence: % of vulnerabilities remediated within the standard window
- Mean time to remediation: average time from discovery to fix
- Open vulnerability count: trending over time (should be decreasing)