Skip to content
CloudPresto CloudPresto
Back to Knowledge Base
Operations

Vulnerability Management

Continuous scanning, risk-ranked remediation, and patch compliance as a KPI.

Continuous Scanning

Vulnerability management isn't a quarterly scan. It's a continuous process. Every component in your infrastructure is scanned regularly, and new vulnerabilities are assessed as they're published.

Infrastructure Scanning

OS packages, cloud configurations, and network exposure scanned continuously. Findings risk-ranked by CVSS score and exploitability context.

Container Image Scanning

Every container image scanned in the CI pipeline before deployment. Known-vulnerable images blocked from production. Base image updates tracked and prompted.

Dependency Scanning

Application dependencies checked against vulnerability databases. Critical findings flagged in pull requests. Automated PR generation for security patches.

Configuration Drift

Cloud resource configurations compared against security baselines. Drift, whether from manual changes or failed applies, is flagged and remediated.

Remediation Standards

SeverityCVSS RangeRemediation StandardAction
Critical9.0–10.024–48 hoursEmergency patch or mitigation applied immediately
High7.0–8.97 daysScheduled patch within next change window
Medium4.0–6.930 daysIncluded in regular patch cycle
Low0.1–3.990 daysAddressed during maintenance cycles

Patch Compliance KPI

Patch compliance is tracked as a measurable KPI, not a checkbox. We report:

  • Patch coverage: % of systems at current patch levels
  • Standard adherence: % of vulnerabilities remediated within the standard window
  • Mean time to remediation: average time from discovery to fix
  • Open vulnerability count: trending over time (should be decreasing)