Vulnerability Management SOP

Standard Operating Procedure for continuous vulnerability scanning, assessment, and remediation management

Service Pillar: Operate
Service Category: Managed Security
Engagement Type: Ongoing Monthly Retainer
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Provide continuous vulnerability identification, prioritization, remediation tracking, and risk reporting through systematic scanning, expert analysis, and actionable guidance to reduce organizational attack surface and maintain security posture.

Target Personas

| Persona | Primary Pain Point | Value Case |
|---|---|---|
| Solo IT Director | No time for vulnerability management | Managed scanning and prioritization |
| CFO/Controller | Risk quantification for insurance | Documented vulnerability posture |
| Healthcare Admin | HIPAA requires regular scanning | Compliance-ready vulnerability program |

Business Justification

| Metric | Value | Source |
|---|---|---|
| Breaches from known vulnerabilities | 60% | Verizon DBIR 2024 |
| Mean time to exploit critical vulns | 15 days | Mandiant M-Trends 2024 |
| Organizations with vulnerability programs | Only 42% of SMBs | Ponemon Institute 2024 |
| Cost reduction with proactive patching | 60% vs. reactive | Gartner Patch Management |
| New vulnerabilities published (2024) | 29,000+ | NIST NVD Statistics |
| Critical/High vulns requiring action | 15-20% of total | Qualys Threat Research |

Pricing Reference

| Tier | Coverage | Monthly Investment | Per-Endpoint Option |
|---|---|---|---|
| Essential | <100 endpoints, monthly scanning | $2,500-$3,500/month | $3-$5/endpoint |
| Standard | 100-500 endpoints, weekly scanning | $4,000-$5,500/month | $4-$6/endpoint |
| Enterprise | 500+ endpoints, continuous scanning | $5,500-$8,000/month | $3-$5/endpoint |

[BENCHMARK] Industry Pricing:
  • Vulnerability Management: $1,000-$5,000/assessment (Tenable.io)
  • Managed VM: $3/endpoint/month ongoing (Tenable.io)
  • VM platforms: $2,000-$6,000/month for SMBs (Rapid7 InsightVM)

See Pricing & Positioning for complete pricing structure.


Supported Platforms

Vulnerability Scanning Platforms

| Platform | Strengths | Best For |
|---|---|---|
| Tenable.io | Industry leader, comprehensive coverage | Enterprise, compliance-focused |
| Qualys VMDR | Cloud-native, rapid deployment | Cloud-heavy environments |
| Rapid7 InsightVM | Strong remediation guidance | IT-security collaboration |
| Microsoft Defender VM | M365 integration | Microsoft environments |
| Nessus Professional | Cost-effective, flexible | SMBs, consultancy use |

Scan Types

| Scan Type | Coverage | Frequency |
|---|---|---|
| Network Scan | IP-based asset discovery | Weekly-Monthly |
| Authenticated Scan | Deep OS and app scanning | Weekly |
| Agent-Based | Continuous endpoint monitoring | Real-time |
| Web Application | OWASP Top 10, custom apps | Weekly-Monthly |
| Cloud Configuration | AWS, Azure, GCP misconfigs | Daily |
| Container | Image and runtime scanning | CI/CD + Runtime |

Pre-Engagement

Onboarding Checklist

  • Asset inventory documented
  • Network topology mapped
  • Scan credentials configured
  • Critical systems identified
  • Maintenance windows defined
  • Remediation owners assigned
  • Exception process established

Technical Requirements

| Component | Requirement | Notes |
|---|---|---|
| Scanner Placement | Network visibility to all assets | May need multiple scanners |
| Credentials | Service accounts for authenticated scans | Least privilege |
| Firewall Rules | Scanner communication allowed | Port requirements vary |
| Agent Deployment | Endpoint agents for real-time | RMM or GPO deployment |
| Cloud Access | API access for cloud scanning | Read-only IAM roles |

Deployment Timeline

| Phase | Duration | Activities |
|---|---|---|
| Setup | Week 1 | Platform deployment, initial config |
| Discovery | Week 2 | Asset discovery, baseline scan |
| Tuning | Weeks 2-3 | Credential issues, false positives |
| Operationalize | Week 4 | Full program activation |

Service Delivery Framework

Vulnerability Management Lifecycle

┌─────────────────────────────────────────────────────────────────┐
│              VULNERABILITY MANAGEMENT LIFECYCLE                  │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  1. DISCOVERY                                                   │
│     ├── Asset discovery and inventory                           │
│     ├── Classification (critical, high, standard)               │
│     └── Coverage validation                                     │
│                                                                  │
│  2. SCANNING                                                    │
│     ├── Scheduled vulnerability scans                           │
│     ├── Authenticated and unauthenticated                       │
│     └── Web application and cloud scanning                      │
│                                                                  │
│  3. ANALYSIS & PRIORITIZATION                                   │
│     ├── CVSS scoring with context                               │
│     ├── Exploitability assessment (EPSS, KEV)                   │
│     ├── Asset criticality weighting                             │
│     └── Risk-based prioritization                               │
│                                                                  │
│  4. REMEDIATION TRACKING                                        │
│     ├── Ticket creation and assignment                          │
│     ├── Remediation guidance                                    │
│     ├── SLA monitoring                                          │
│     └── Exception management                                    │
│                                                                  │
│  5. VERIFICATION                                                │
│     ├── Remediation validation scans                            │
│     ├── Regression testing                                      │
│     └── Closure confirmation                                    │
│                                                                  │
│  6. REPORTING & METRICS                                         │
│     ├── Executive dashboards                                    │
│     ├── Compliance reports                                      │
│     └── Trend analysis                                          │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Prioritization Framework

| Factor | Weight | Consideration |
|---|---|---|
| CVSS Score | 25% | Base vulnerability severity |
| EPSS Score | 25% | Probability of exploitation |
| KEV Status | 20% | Known exploited vulnerability |
| Asset Criticality | 20% | Business impact |
| Exposure | 10% | Internet-facing vs. internal |

Risk Rating Calculation

| Combined Score | Risk Rating | Remediation SLA |
|---|---|---|
| 9.0-10.0 | Critical | 72 hours |
| 7.0-8.9 | High | 14 days |
| 4.0-6.9 | Medium | 30 days |
| 0.1-3.9 | Low | 90 days |
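The weighted score in the Prioritization Framework and the band lookup in the Risk Rating table can be implemented together. The following is an added example, not the SOP's own tooling: the weights and the rating/SLA bands are taken from the two tables above, while the way each factor is normalised onto a 0-10 scale before weighting (EPSS probability times ten, KEV and exposure as 0 or 10, asset class mapped to a fixed value) is an assumption made here, because the SOP states the weights but not the normalisation. The CVE identifiers in the sample are placeholders.

```python
"""Weighted risk rating for the Prioritization Framework.

Added example, not the SOP's own tooling: the factor weights and the
rating/SLA bands are copied from the two tables above. How each factor is
normalised onto a 0-10 scale before weighting is an assumption made here,
because the SOP states the weights but not the normalisation.
"""
from dataclasses import dataclass

# Weights from the Prioritization Framework table (sum to 1.0).
WEIGHTS = {"cvss": 0.25, "epss": 0.25, "kev": 0.20, "criticality": 0.20, "exposure": 0.10}

# Asset classes from the lifecycle diagram (critical / high / standard) mapped
# to a 0-10 business-impact value. The mapping itself is assumed.
CRITICALITY_SCORE = {"critical": 10.0, "high": 7.0, "standard": 4.0}

# (lower bound inclusive, rating, remediation SLA) from the Risk Rating table.
RATING_BANDS = [
    (9.0, "Critical", "72 hours"),
    (7.0, "High", "14 days"),
    (4.0, "Medium", "30 days"),
    (0.1, "Low", "90 days"),
]


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability, 0.0-1.0
    kev: bool              # listed in the CISA KEV catalog
    criticality: str       # asset class: critical / high / standard
    internet_facing: bool  # exposure factor


def combined_score(f: Finding) -> float:
    """Weighted 0-10 score; each factor is first put on a 0-10 scale."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS out of range")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS out of range")
    normalised = {
        "cvss": f.cvss,                                   # already 0-10
        "epss": f.epss * 10.0,                            # probability -> 0-10
        "kev": 10.0 if f.kev else 0.0,                    # boolean factor
        "criticality": CRITICALITY_SCORE[f.criticality],  # KeyError on an unknown class
        "exposure": 10.0 if f.internet_facing else 0.0,   # boolean factor
    }
    return round(sum(WEIGHTS[k] * v for k, v in normalised.items()), 1)


def risk_rating(score: float):
    """Map a combined score to (rating, remediation SLA) from the table."""
    for lower, rating, sla in RATING_BANDS:
        if score >= lower:
            return rating, sla
    return "None", "No SLA"   # below the Low band (score < 0.1): no action (assumed)


def prioritize(findings):
    """Return (cve, score, rating, SLA) rows, highest risk first."""
    scored = sorted(((f, combined_score(f)) for f in findings),
                    key=lambda r: r[1], reverse=True)
    return [(f.cve, s, *risk_rating(s)) for f, s in scored]


# Constructed sample findings; the CVE identifiers are placeholders, not real entries.
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", cvss=9.8, epss=0.97, kev=True, criticality="critical", internet_facing=True),
    Finding("CVE-2099-0002", cvss=9.8, epss=0.02, kev=False, criticality="standard", internet_facing=False),
    Finding("CVE-2099-0003", cvss=7.5, epss=0.45, kev=False, criticality="high", internet_facing=True),
]

if __name__ == "__main__":
    for cve, score, rating, sla in prioritize(SAMPLE_FINDINGS):
        print(f"{cve}  score={score:4.1f}  {rating:8s}  SLA {sla}")
```

The two findings with an identical 9.8 CVSS score land in different bands (Critical with a 72-hour SLA versus Low with a 90-day SLA) because EPSS, KEV status, asset criticality and exposure carry 75% of the weight; that spread is the reason the SOP prioritises on context rather than on raw CVSS.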

Operational Procedures

Scanning Schedule

| Scan Type | Tier: Essential | Tier: Standard | Tier: Enterprise |
|---|---|---|---|
| Network Discovery | Monthly | Weekly | Continuous |
| Vulnerability Scan | Monthly | Weekly | Continuous |
| Credential Scan | Monthly | Weekly | Continuous |
| Web App Scan | Quarterly | Monthly | Weekly |
| Cloud Config | Monthly | Weekly | Daily |

Daily Operations

| Task | Description |
|---|---|
| Critical Alert Review | Triage new critical findings |
| Scan Health Check | Verify scans completing successfully |
| Credential Validation | Monitor for auth failures |
| KEV Monitoring | Check CISA KEV updates |

Weekly Operations

| Task | Description |
|---|---|
| Scan Results Analysis | Review all findings |
| Ticket Management | Create/update remediation tickets |
| SLA Monitoring | Track remediation progress |
| False Positive Review | Validate reported FPs |

Monthly Operations

| Task | Description |
|---|---|
| Executive Reporting | Generate executive dashboard |
| Trend Analysis | Track improvement over time |
| Coverage Assessment | Identify scan gaps |
| Policy Review | Update scan policies |

SLA Commitments

Remediation SLAs

| Severity | Remediation Target | Escalation Point |
|---|---|---|
| Critical | 72 hours | 48 hours |
| High | 14 days | 10 days |
| Medium | 30 days | 21 days |
| Low | 90 days | 60 days |
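SLA monitoring (a weekly task in the schedule above) means classifying every remediation ticket against its target and escalation point and rolling the results up into the compliance figures reported monthly. The following is an added example, not the SOP's own tooling: the targets and escalation points are the table above, approved exceptions are taken off the SLA clock as the Exception Management section describes, and the ticket identifiers, dates and fields are constructed for the example.

```python
"""Remediation SLA and escalation tracking for open and closed tickets.

Added example, not the SOP's own tooling. The remediation targets and
escalation points are the Remediation SLAs table; the ticket fields,
identifiers and dates are constructed for the example.
"""
from datetime import datetime, timedelta

# severity -> (remediation target, escalation point), from the table above.
SLA = {
    "Critical": (timedelta(hours=72), timedelta(hours=48)),
    "High":     (timedelta(days=14),  timedelta(days=10)),
    "Medium":   (timedelta(days=30),  timedelta(days=21)),
    "Low":      (timedelta(days=90),  timedelta(days=60)),
}


def ticket_state(ticket: dict, now: datetime) -> str:
    """Classify one remediation ticket against its SLA at time `now`."""
    target, escalate_at = SLA[ticket["severity"]]
    opened = ticket["opened"]
    if ticket.get("exception_approved"):
        # Approved exceptions leave the SLA clock (see Exception Management);
        # they are reassessed quarterly rather than escalated.
        return "exception"
    closed = ticket.get("closed")
    if closed is not None:
        return "closed-in-sla" if closed - opened <= target else "closed-late"
    age = now - opened
    if age > target:
        return "breached"
    if age >= escalate_at:
        return "escalate"
    return "on-track"


def sla_report(tickets: list, now: datetime) -> dict:
    """Per-ticket states, SLA compliance by severity, and the escalation list."""
    states = {t["id"]: ticket_state(t, now) for t in tickets}
    compliance = {}
    for sev in SLA:
        closed = [states[t["id"]] for t in tickets
                  if t["severity"] == sev and states[t["id"]].startswith("closed")]
        # None when nothing of that severity closed in the period (no data, not 0%).
        compliance[sev] = (100.0 * closed.count("closed-in-sla") / len(closed)) if closed else None
    escalations = sorted(tid for tid, s in states.items() if s in ("escalate", "breached"))
    return {"states": states, "compliance_pct": compliance, "escalations": escalations}


# Constructed sample tickets (identifiers and dates are made up for the example).
NOW = datetime(2026, 2, 20, 9, 0)
SAMPLE_TICKETS = [
    {"id": "VM-101", "severity": "Critical", "opened": datetime(2026, 2, 18, 8, 0)},  # 49h old
    {"id": "VM-102", "severity": "Critical", "opened": datetime(2026, 2, 16, 8, 0)},  # 97h old
    {"id": "VM-103", "severity": "High", "opened": datetime(2026, 2, 12), "closed": datetime(2026, 2, 19)},
    {"id": "VM-104", "severity": "Medium", "opened": datetime(2025, 12, 1), "closed": datetime(2026, 1, 15)},
    {"id": "VM-105", "severity": "Low", "opened": datetime(2026, 2, 1)},
    {"id": "VM-106", "severity": "High", "opened": datetime(2026, 2, 1), "exception_approved": True},
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_TICKETS, NOW)
    for tid, state in report["states"].items():
        print(f"{tid}: {state}")
    print("escalate:", report["escalations"])
    print("compliance:", report["compliance_pct"])
```

Reporting compliance per severity, with `None` rather than 0% when nothing of that severity closed in the period, keeps the "Critical remediation SLA 95%+" success metric honest: a month with no closed Critical tickets is no evidence either way.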

Operational SLAs

| Metric | Target | Measurement |
|---|---|---|
| Scan Completion Rate | 95%+ | Weekly |
| Asset Coverage | 98%+ | Weekly |
| Critical Vuln Response | <24 hours | Per incident |
| Report Delivery | Within 5 business days | Monthly |

Deliverables

Real-Time Deliverables

| Deliverable | Trigger | Audience |
|---|---|---|
| Critical Alert | Critical + KEV finding | IT team |
| Emergency Patch Advisory | Actively exploited | IT team + management |
| Remediation Ticket | New findings | Asset owners |
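The daily KEV Monitoring task and the triggers in the table above fit together as one routine: pull the catalog, note what was added since the last check, and decide which deliverable each open finding triggers and for whom. The following is an added example, not the SOP's own tooling. The catalog excerpt is a constructed sample that follows the field names of the CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the CVE identifiers, products, hostnames and dates in it are placeholders, not real entries. Treating any KEV listing as "actively exploited" for the Emergency Patch Advisory trigger is an interpretation made here, so a Critical finding that is on the KEV list produces both the Critical Alert and the Advisory.

```python
"""Daily KEV check and real-time alert routing.

Added example, not the SOP's own tooling. The deliverables and audiences come
from the Real-Time Deliverables table. The catalog excerpt is a constructed
sample using the field names of the CISA KEV JSON feed; the CVE identifiers,
products, hostnames and dates are placeholders, not real entries.
"""
import json

# Constructed stand-in for the downloaded KEV catalog.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2026.02.19",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "dateAdded": "2026-02-19", "dueDate": "2026-03-12", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleDB",
         "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed findings from the latest scan (status: new / open / closed).
SAMPLE_FINDINGS = [
    {"cve": "CVE-2099-0001", "asset": "vpn-gw-01", "severity": "Critical", "status": "new"},
    {"cve": "CVE-2099-0002", "asset": "db-01",     "severity": "High",     "status": "open"},
    {"cve": "CVE-2099-0003", "asset": "fs-01",     "severity": "Critical", "status": "new"},
    {"cve": "CVE-2099-0004", "asset": "ws-12",     "severity": "Medium",   "status": "closed"},
]


def load_kev(text: str) -> dict:
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_added_since(kev: dict, last_check: str) -> list:
    """Daily task: entries added after the previous check (ISO dates compare as strings)."""
    return sorted(cid for cid, v in kev.items() if v["dateAdded"] > last_check)


def route(findings: list, kev: dict) -> list:
    """Decide which real-time deliverable each finding triggers and for whom.

    Returns (deliverable, cve, asset, audience) tuples in trigger order.
    """
    out = []
    for f in findings:
        if f["status"] == "closed":
            continue                       # nothing to route for closed findings
        entry = kev.get(f["cve"])
        if entry and f["severity"] == "Critical":
            out.append(("Critical Alert", f["cve"], f["asset"], ("IT team",)))
        if entry:                          # KEV listing taken as 'actively exploited' (interpretation)
            out.append(("Emergency Patch Advisory", f["cve"], f["asset"], ("IT team", "management")))
        if f["status"] == "new":           # every new finding gets a ticket for its asset owner
            out.append(("Remediation Ticket", f["cve"], f["asset"], ("Asset owners",)))
    return out


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    print("KEV additions since last check:", kev_added_since(catalog, "2026-02-01"))
    for deliverable, cve, asset, audience in route(SAMPLE_FINDINGS, catalog):
        print(f"{deliverable:25s} {cve} on {asset} -> {', '.join(audience)}")
```

Comparing `dateAdded` against the previous check date is what turns the daily task into a delta rather than a full re-read of the catalog, and the KEV `dueDate` on the matched entry is worth carrying into the Critical Alert when the client is subject to a federal remediation deadline.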

Periodic Reports

| Report | Frequency | Content |
|---|---|---|
| Weekly Summary | Weekly | New findings, remediation progress |
| Monthly Executive | Monthly | Risk posture, trends, compliance |
| Quarterly Review | Quarterly | Strategic assessment, benchmarks |
| Annual Assessment | Annually | Year-over-year analysis |

Report Components

Monthly Executive Report:
  1. Executive Summary
     - Overall risk score
     - Key metrics
     - Notable improvements
  2. Vulnerability Statistics
     - Open vulnerabilities by severity
     - New vs. closed
     - Mean time to remediate
  3. Remediation Status
     - SLA compliance
     - Top outstanding items
     - Blocked items
  4. Trend Analysis
     - Month-over-month comparison
     - Category breakdown
  5. Compliance Status
     - Framework requirements
     - Audit readiness
  6. Recommendations
     - Priority actions
     - Strategic improvements


Exception Management

Exception Process

| Step | Description | Approval |
|---|---|---|
| 1. Request | Asset owner submits exception | Ticket required |
| 2. Risk Assessment | SBK evaluates risk | Technical review |
| 3. Compensating Controls | Alternative controls identified | Documented |
| 4. Approval | Client security leadership | Sign-off required |
| 5. Documentation | Exception recorded | Tracking system |
| 6. Review | Periodic reassessment | Quarterly |

Exception Criteria

| Factor | Consideration |
|---|---|
| Business Impact | System criticality, downtime impact |
| Compensating Controls | Alternative mitigations available |
| Exploit Probability | Likelihood of exploitation |
| Time-Bound | Planned remediation date |
| Documentation | Risk acceptance documented |

Quality Assurance

Continuous Improvement

| Activity | Frequency | Purpose |
|---|---|---|
| Policy Tuning | Monthly | Reduce false positives |
| Credential Review | Weekly | Ensure scan depth |
| Coverage Analysis | Monthly | Identify gaps |
| SLA Review | Quarterly | Adjust targets |

Quality Checks

  • All assets in scope covered
  • Authenticated scans successful
  • Critical findings addressed within SLA
  • Exception process followed
  • Reports delivered on schedule
  • Remediation guidance accurate

Integration with Other Services

Internal Service Integration

| Service | Integration | Value |
|---|---|---|
| Managed SOC | Threat context | Exploit correlation |
| EDR Management | Endpoint context | Attack surface view |
| Penetration Testing | Validation | Vulnerability verification |
| Risk Assessment | Risk context | Risk quantification |

External Integrations

| Integration | Purpose |
|---|---|
| SIEM | Vulnerability-aware detection |
| Ticketing | Automated remediation workflow |
| CMDB | Asset context and ownership |
| Patch Management | Remediation automation |

| Service | Connection | SOP Reference |
|---|---|---|
| Managed SOC | Alert context | managed-soc-sop.md |
| EDR Management | Endpoint protection | edr-management-sop.md |
| Penetration Testing | Vulnerability validation | pentest-sop.md |
| Risk Assessment | Risk quantification | risk-assessment-sop.md |
| vCISO | Strategic oversight | vcto-vciso-engagement-sop.md |
| Compliance Programs | Compliance evidence | soc2-gap-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
|---|---|---|
| Risk-based prioritization | 10x efficiency | Gartner VM Best Practices |
| Continuous scanning | 50% faster detection | Tenable Research |
| EPSS-based prioritization | 80% fewer false priorities | FIRST EPSS |
| Remediation tracking | 40% faster resolution | Rapid7 Research |

SBK Success Metrics

| Metric | Target | Measurement |
|---|---|---|
| Critical remediation SLA | 95%+ | Monthly |
| Scan coverage | 98%+ | Weekly |
| Client satisfaction | 4.5+/5.0 | Quarterly survey |
| Year-over-year risk reduction | 25%+ | Annual |

Last Updated: February 2026
Version: 1.0