From Scan to Patch: The Vulnerability Management Lifecycle, Explained

Chris Rees
25+ years in IT · Pluralsight author, 4.6/5 across 2,000+ ratings
Over 25,000 CVEs are published every year, and no team on earth patches them all. Vulnerability management is the discipline of deciding — continuously, defensibly — which ones matter to you. It's a headline topic in Security+ Domain 4 (Security Operations, 28% of the exam), and it's best learned the way it runs in production: as a loop, not a checklist.
The loop
Stage 1 — Identification: you can't fix what you can't see
Before anything else works, you need an honest asset inventory. A scanner can only assess targets it knows about, and the systems that hurt you are reliably the ones nobody enrolled: the forgotten staging server, the appliance under someone's desk, the cloud account a team spun up with a credit card. Mature programs treat discovery scanning — sweeping address space and cloud APIs for unknown assets — as stage zero of the loop.
From there, discovery comes from several directions at once, and the exam expects you to know what each is good at:
Vulnerability scans are the workhorse. The distinction that matters is credentialed vs. non-credentialed: an unauthenticated scan sees what an outside attacker sees (open ports, banners, exposed services), while a credentialed scan logs in and reads the truth — installed packages, registry keys, missing patches. Credentialed scans find dramatically more and false-positive less; uncredentialed scans show your real external exposure. You want both. Delivery matters too: network scanners sweep from the outside on a schedule, while agent-based scanning runs on the host itself and reports continuously — the better fit for laptops that never sit on the corporate network and for cloud instances that live for an afternoon. Cadence should match asset criticality: internet-facing systems get scanned far more often than the print server.
Application testing splits by vantage point: static analysis (SAST) reads source code without running it and finds flaws like hardcoded secrets and injection sinks early; dynamic analysis (DAST) probes the running application and finds what's actually exploitable; package monitoring watches your third-party dependencies, because most modern code is someone else's code.
Adversarial methods find what scanners can't chain together: penetration testing (humans emulating attackers, in scope, on contract), bug bounty programs (crowdsourced researchers paid per finding), and responsible disclosure processes for researchers who find things uninvited. The value of these isn't volume — a pen test surfaces far fewer findings than a scan — it's realism. A scanner reports that three medium-severity flaws exist; a pen tester shows that chained together they reach the payroll database. Those chains are invisible to any tool that evaluates one finding at a time.
Threat intelligence tells you what attackers are working with: open-source intelligence (OSINT), vendor advisories, information-sharing organizations (ISACs), and — the exam mentions it explicitly — dark web monitoring for chatter, sold access, and leaked credentials that signal you're already a target.
Stage 2 — Analysis: CVE names it, CVSS scores it, context decides
Two acronyms anchor this stage and get confused constantly. A CVE (Common Vulnerabilities and Exposures) is an identifier — a catalog number for a specific flaw. CVSS (Common Vulnerability Scoring System) is a severity score from 0 to 10, computed from exploitability and impact metrics.
It's worth reading one score the way the calculator does. Take a web flaw rated 9.8: its vector string says network attack vector (reachable from anywhere), low attack complexity (works reliably), no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. Flip just two of those — say the attacker needs local access and an authenticated account — and the same class of bug lands in the 6s. That's the whole system: severity is a function of how easy the flaw is to reach and how much it breaks, scored against an arbitrary target.
"Arbitrary" is the word doing the work, because your targets aren't arbitrary. A raw CVSS score ignores your environment, so prioritization layers on context:
- Exposure factor — how much of the asset's value is actually at risk, and is the vulnerable service even reachable?
- Environmental variables — internet-facing or internal? Production or lab? What compensating controls already sit in front of it?
- Industry and organizational impact — the same flaw in a hospital's infusion-pump network and a marketing microsite are different emergencies.
- Risk tolerance — how much residual risk your organization has formally agreed to live with, which sets patching SLAs by severity.
Analysis also means judging the data itself. A false positive is the scanner crying wolf (finding reported, not real); a false negative is the dangerous one (real flaw, no finding). A true positive is a real, correctly reported finding. Credentialed scanning, updated plugins, and manual verification of critical findings keep these rates honest.
Stage 3 — Remediation: patch is the answer, except when it isn't
Patching is the default and the exam knows it. Done properly, it's a small change-management exercise in itself: test the patch on representative non-production systems first, schedule the rollout inside an approved maintenance window, and have a rollback plan for when the fix breaks something the vendor didn't anticipate — because sometimes it does, and an outage you caused is still an outage. Patching cadence should follow your severity SLAs (say, criticals in 7 days, highs in 30), with emergency out-of-band procedures for actively exploited flaws.
But the exam also tests the alternatives, because production reality intervenes: the vendor is gone, the medical device is certified as-is, the patch breaks a dependency, the window is three weeks out.
- Compensating controls reduce the risk without fixing the flaw: a WAF rule in front of the vulnerable endpoint, disabling the vulnerable feature, tightened access control.
- Segmentation moves the vulnerable system somewhere attackers can't reach — the standard play for unpatchable legacy and OT/ICS gear.
- Insurance transfers residual financial risk (it never transfers the operational damage).
- Exceptions and exemptions are the formal, documented, time-boxed decision to accept the risk — signed by a risk owner, with an expiry and a review date. Undocumented non-patching isn't an exception; it's negligence with extra steps.
Stage 4 — Validation: trust nothing, rescan everything
A deployed patch is a claim, not a fact. Validation closes the loop three ways: rescanning (does the scanner still flag it?), verification (does the specific exploit path actually fail now — did the reboot happen, is the service running the new version?), and audit (are remediation SLAs being met across the whole estate, not just this ticket?). Patches that require a restart nobody performed are one of the most common ways "fixed" vulnerabilities resurface.
Stage 5 — Reporting: make the loop visible
Reporting turns tickets into a program: open findings by severity and age, mean time to remediate against SLA, recurring offenders, exception inventory with expiry dates, and trend lines leadership can act on. Good reports are audience-shaped — engineers need the finding, the affected asset, and the fix; management needs exposure trends and SLA compliance; auditors need evidence the process ran as documented. One dataset, three views.
This is also where vulnerability management hands off to risk management — unresolved criticals and standing exceptions don't vanish when the quarter closes; they belong on the risk register with named owners and review dates, which is Domain 5's territory.
| Term | What it actually means |
|---|---|
| CVE | Catalog identifier for one specific vulnerability |
| CVSS | 0–10 severity score computed from base metrics |
| False positive | Reported finding that isn't real — wastes time |
| False negative | Real flaw the scan missed — the dangerous error |
| Compensating control | Alternative control when the primary fix isn't feasible |
| Exception / exemption | Formal, documented, time-boxed risk acceptance |
Key takeaways
- It's a loop: identify → analyze/prioritize → remediate → validate → report, running continuously.
- Credentialed scans see the truth, non-credentialed scans see your external exposure — run both.
- CVE names it, CVSS scores it, context ranks it: exposure, environment, and risk tolerance turn severity into priority.
- Patching has four alternatives: compensating controls, segmentation, insurance, and formally documented exceptions.
- Validate or it didn't happen: rescan, verify the exploit path is closed, and audit SLAs across the estate.
Vulnerability management is one of nine modules in Security+ Domain 4 — the biggest domain on the exam at 28%. Our Security+ Domain 4 study guide covers all 39 topics from hardening through incident response with 90 exam-style questions, or get the complete Security+ collection.
#SecurityPlus #SY0701 #VulnerabilityManagement #CVSS #CVE #PatchManagement #SecOps #BlueTeam #CompTIA #CyberSecurity
Keep reading
Risk Management by the Numbers: SLE, ALE, ARO & the Risk Register
The quantitative risk toolkit on Security+ — single loss expectancy, annualized loss expectancy, and annualized rate of occurrence, with a worked example, plus risk registers, appetite vs. tolerance, and the four risk responses. Core SY0-701 Domain 5 material.
Read Security+ deep divesEncryption, Hashing, Tokenization, Masking: How Data Protection Actually Works
The complete Security+ data-protection toolkit, explained properly — the three states of data, what each method (encryption, hashing, tokenization, masking, obfuscation, segmentation) actually does, and how to pick the right one. Core material for SY0-701 Domain 3.
Read Frameworks & governanceAI Governance, Risk & Compliance: Structures, Risks & Regulations — SecAI+ Domain 4
AI governance structures and roles, the risks of AI and the Responsible AI principles that counter them, and the compliance landscape — EU AI Act, OECD, ISO, and the NIST AI RMF. An objective-by-objective guide to CompTIA SecAI+ Domain 4.
ReadEnjoyed this? Get the AI security news that matters.
Join The AI Security Brief — the top AI security news, plus what's important to the C-suite. Free, straight to your inbox.
No spam. Unsubscribe anytime.
This is the biggest domain on your exam
Security Operations is 28% of Security+ — more than any other domain. Master all 9 objectives, from hardening to incident response, with our Domain 4 guide.
Get the Domain 4 guide