How to Build an Effective Vulnerability Management Process – Part 2: Vulnerability Assessment and Prioritization


From Scan Results to Smart Decisions
This post is part of the “Building a Real-World Vulnerability Management Process” series — a practical guide to documenting what actually works in the field.
A vulnerability scan leaves you with one thing: a pile of vulnerabilities.
Assessment is where this noise becomes signal — where the goal isn’t to “patch everything,” but to fix the right things, at the right time, for the right reasons.
This step is critical in transforming scan outputs into an actionable, prioritized remediation plan.
What Is Vulnerability Assessment?
Assessment is the process of evaluating, scoring, filtering, and prioritizing vulnerabilities based on context. This includes:
Technical severity (CVSS or vendor severity)
Exploitability and threat intelligence
Asset importance and exposure
Business risk and sensitivity
A mature VM program recognizes that not all vulnerabilities matter equally — and the job of assessment is to triage risk intelligently.
Key Prioritization Dimensions
To assess effectively, you need to weigh vulnerabilities across several dimensions:
1. Exploitability
Is there a known public exploit?
Is the vulnerability being actively exploited in the wild?
Is it listed in CISA KEV, vendor threat feeds, or internal threat intel?
2. Asset Exposure
Is the asset externally facing or Internet-accessible?
Is the vulnerability discoverable without credentials?
Could it be exploited via phishing or supply chain channels?
3. Business Impact
Does the asset support revenue-generating services?
Does it hold customer data, payment information, or sensitive operational data?
Is it part of critical infrastructure (e.g., OT/ICS systems, finance gateways)?
4. Technical Severity
What is the CVSS v3 base score? Be cautious of over-reliance: the base score describes the vulnerability in isolation and says nothing about your exposure or whether anyone is actually exploiting it.
Is there a vendor-specific risk rating?
Are there known exploitation chains (e.g., pre-auth + RCE)?
5. Compensating Controls
Is the vulnerability mitigated by network segmentation, firewall rules, or EDR?
Is it behind a VPN or internal-only?
Has a virtual patch been applied?
Define “Critical” in Your Context
The term “critical” is often misunderstood — especially when used interchangeably between CVSS scores, vendor ratings, and internal language.
A real-world program needs to be deliberate about how it defines criticality. For example:
A CVSS 10 on an isolated test system that holds no sensitive data may pose little real risk
A CVSS 7.5 with public exploit code on a customer-facing app might be high priority
In short, context matters, and your program should have a consistent internal definition of what gets treated as “critical” from a business and risk perspective.
Build a Prioritization Framework
In a real-world VM program, ambiguity is the enemy. Without a clear, documented policy on how vulnerabilities are prioritized, teams rely on gut feel, vendor defaults, or inconsistent logic.
A Prioritization Framework or Vulnerability Prioritization Policy helps clarify what your organization considers “critical” — and how different risk factors are combined into a decision.
It becomes the reference point for risk owners, patching teams, and audit.
What Should This Document Include?
Critical Asset Categories: Revenue-generating, customer-facing, OT, or regulated systems
Vulnerability Triggers: KEV inclusion, active exploitation, public PoC, unauthenticated access
Exposure-Based Boosting: Internet-facing or unauthenticated findings get automatically prioritized
SLAs by Risk Tier: Clearly defined timeframes for Critical, High, and Medium vulnerabilities
Escalation & Risk Acceptance Guidance: When, how, and who can defer or waive remediation
This doesn’t need to be a long document — but it should be clear, agreed, versioned, and referenced often.
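The rules in such a document only earn their keep if they can be applied the same way to every finding, so here is an added worked example (my own illustration, not code from the post or any product) that turns the dimensions listed earlier and the framework items above into a small scoring function: a CVSS band as the starting tier, exploitability triggers (a constructed subset in the shape of the CISA KEV JSON feed, plus a public-exploit flag), exposure-based boosting, asset classification tags, compensating controls, and an SLA due date per tier. The tier steps, tag names, control names, SLA days and the placeholder CVE-0000-* findings are all assumptions to be replaced by your own policy.

```python
# Added example: a toy prioritization engine for the framework above. Tier steps,
# tag and control names and SLA days are assumptions, not the page's policy.
from dataclasses import dataclass, field
from datetime import date, timedelta

TIERS = ["Low", "Medium", "High", "Critical"]                      # index = rank
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}   # assumed SLAs
CRITICAL_ASSET_TAGS = {"customer-facing", "revenue-critical", "regulated", "ot"}
RECOGNISED_CONTROLS = {"segmented", "virtual-patch", "edr"}
AS_OF = date(2025, 1, 6)                                           # assessment date

# Constructed subset in the shape of the CISA KEV JSON feed; only cveID is used.
# CVE-2021-44228 (Log4Shell) really is a KEV entry.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"}]}

def load_kev_ids(feed: dict) -> set:
    """CVE IDs listed in a KEV-format feed document."""
    return {entry["cveID"] for entry in feed.get("vulnerabilities", [])}

@dataclass
class Asset:
    name: str
    tags: set                       # business-importance tags from the inventory
    internet_facing: bool
    compensating_controls: set = field(default_factory=set)

@dataclass
class Finding:
    cve: str
    asset: Asset
    cvss: float
    public_exploit: bool = False    # working PoC publicly available
    pre_auth: bool = False          # reachable without credentials

def base_tier(cvss: float) -> str:
    """CVSS v3 qualitative bands: Critical 9.0+, High 7.0+, Medium 4.0+, else Low."""
    return "Critical" if cvss >= 9.0 else "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def prioritize(f: Finding, kev_ids: set, today: date) -> dict:
    """Apply the framework rules in order; return tier, due date and the audit trail."""
    steps = TIERS.index(base_tier(f.cvss))
    floor = 0                        # a trigger sets a tier the finding cannot fall below
    reasons = [f"CVSS {f.cvss} -> {TIERS[steps]}"]
    # 1. Exploitability: KEV forces Critical; a public exploit adds a step, floor High.
    if f.cve in kev_ids:
        floor = TIERS.index("Critical")
        reasons.append("listed in CISA KEV")
    elif f.public_exploit:
        steps += 1
        floor = TIERS.index("High")
        reasons.append("public exploit available")
    # 2. Exposure boosting: Internet-facing adds a step, pre-auth on top adds another.
    if f.asset.internet_facing:
        steps += 1
        reasons.append("Internet-facing")
        if f.pre_auth:
            steps += 1
            reasons.append("exploitable without credentials")
    # 3. Business impact: critical asset categories go up; a plain test asset goes down.
    hits = f.asset.tags & CRITICAL_ASSET_TAGS
    if hits:
        steps += 1
        reasons.append("critical asset: " + ", ".join(sorted(hits)))
    elif "test" in f.asset.tags:
        steps -= 1
        reasons.append("non-production test asset")
    # 4. Compensating controls: one step down, and any trigger floor relaxes by one
    #    (so a KEV finding behind a real control still never drops below High).
    controls = f.asset.compensating_controls & RECOGNISED_CONTROLS
    if controls:
        steps -= 1
        floor = max(floor - 1, 0)
        reasons.append("compensating controls: " + ", ".join(sorted(controls)))
    tier = TIERS[min(max(steps, floor, 0), len(TIERS) - 1)]
    return {"cve": f.cve, "asset": f.asset.name, "tier": tier,
            "due": (today + timedelta(days=SLA_DAYS[tier])).isoformat(),
            "reasons": reasons}

def rank(findings, kev_ids: set, today: date) -> list:
    """Remediation plan: highest tier first, then earliest due date."""
    plan = [prioritize(f, kev_ids, today) for f in findings]
    return sorted(plan, key=lambda r: (-TIERS.index(r["tier"]), r["due"]))

# Constructed inventory and scan output; CVE-0000-* are placeholder identifiers.
build_test = Asset("build-test-01", {"test"}, False, {"segmented"})
web_portal = Asset("customer-portal", {"customer-facing", "revenue-critical"}, True)
hr_db = Asset("hr-db-02", {"regulated"}, False, {"edr"})
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", build_test, 10.0, public_exploit=True, pre_auth=True),
    Finding("CVE-0000-0002", web_portal, 7.5, public_exploit=True, pre_auth=True),
    Finding("CVE-0000-0003", hr_db, 5.3),
    Finding("CVE-0000-0004", build_test, 9.8),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED), AS_OF):
        print(r["tier"], r["due"], r["cve"], r["asset"], "; ".join(r["reasons"]))
```

Run as-is and the plan comes out in the order the post argues for: the CVSS 7.5 with a public exploit on the customer-facing portal lands at Critical with a 7-day SLA, the CVSS 10.0 Log4Shell on the segmented test box drops to High (the KEV floor keeps it from going lower), and the CVSS 9.8 on the same test box with no exploit data ends up Medium. The `reasons` list is the part audit will ask for: every step up or down is recorded, so a risk owner can see why two findings with the same CVSS score got different tiers.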
Suggested Controls
✅ Documented Prioritization Framework
There is a policy that defines how vulnerabilities are assessed and prioritized across key dimensions.
✅ Exploitability Data Integration
Your platform ingests CISA KEV, vendor exploit feeds, or internal threat intel into the assessment workflow.
✅ Asset Classification Tags
Assets are tagged by business importance, e.g., customer-facing, revenue-critical, regulated, OT.
✅ External Exposure Flagging
Scanning or asset inventory systems identify externally exposed systems and prioritize accordingly.
✅ SLA by Priority Tier
Each vulnerability priority (e.g., Critical, High, Medium) is mapped to a time-based remediation SLA.
✅ Stakeholder Review Process
There is a weekly or bi-weekly review of top vulnerabilities involving VM, infrastructure, and application teams.
✅ Risk Acceptance Workflow
Low-priority or unpatchable vulnerabilities have a documented waiver/risk acceptance process.
Why This Phase Matters
Assessment is where your vulnerability management program moves from theory to practicality. It's what ensures:
Remediation teams aren’t overwhelmed by volume
Executives can see progress on what matters
Audit teams can validate that risk-based decisions are being made
Ultimately, assessment is the prioritization engine that keeps your entire process grounded in real-world risk.
Written by Dave Hall