Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Vulnerability Management: Everything You Need to Know

Why Keep Searching? Everything You Need to Know About Vulnerability Management Begins Right Here.

Vulnerability management is an ongoing process that includes proactive asset discovery, continuous monitoring, mitigation, remediation and defense tactics to protect your organization's modern IT attack surface from Cyber Exposure. Whether you’re a cybersecurity executive who needs a refresher, an emerging vulnerability management practitioner, or you’re considering purchasing a vulnerability management platform to decrease your Cyber Exposure, this page is your go-to-hub for vulnerability management knowledge.

Vulnerability Management for Everyone
Here are a few highlights of what you’ll discover:
Ditch the Spreadsheet for Vulnerability Management

Are you still using spreadsheets for your vulnerability management program? It’s time to let it go and improve your efficiency so you have more time to focus on more pressing needs.

Learn More
Fundamentals of Vulnerability Management and Other On-Demand Webinars

Overcome asset management challenges with continuous asset discovery, data collection and enhanced discoverability capabilities.

Learn More
Vulnerability Management FAQ

Have a question about vulnerability management? Check out this FAQ for a quick reference guide.

Learn More
Vulnerability Management Plans and Processes

Enhance the overall success of your enterprise cybersecurity program by building a solid vulnerability management foundation with best practices and efficient processes.

Learn More
Tenable Vulnerability Management Community

Looking to connect with other vulnerability management professionals? Tenable Community is your go-to-place for inspiration, support and great idea sharing.

Learn More

Manage and Measure Your Modern Attack Surface to Accurately Understand and Reduce Cyber Exposure

Identify, Investigate, Prioritize, Mitigate and Respond

Vulnerability management is an ongoing process—part of your overall cybersecurity program—to reduce your cyber exposure. You can accurately identify, investigate and prioritize vulnerabilities across your entire attack surface with Tenable.io and instantly access the most accurate information about all your assets and vulnerabilities in a single platform.

Learn More

Back to Top

Vulnerability Management Technical Insights

What to Look for in a Cloud Vulnerability Management Solution

Your Buyer’s Guide to Choosing a Cloud-Based Vulnerability Management Solution

From ease of deployment to ease of maintenance, a cloud vulnerability management solution can help your organization rapidly scale and adopt new features and enhanced security measures as your organization’s needs change.

A cloud-based vulnerability management solution can give your organization a lot of flexibility when it comes to expenses, too. Why? Because most cloud-hosted vulnerability management solutions have fewer up-front costs and generally have fewer related ongoing expenses.

Each vulnerability management solution–whether it’s on-prem or cloud-hosted–has a variety of strengths and weaknesses. Before diving into selecting a provider, think about the goals for your vulnerability management program. What are you hoping to achieve and how can the solution you select best help you?

Read More

Here are a few other questions to think about before evaluating a cloud vulnerability management vendor:

  • Have you created goals and objectives for your vulnerability management program?
  • Do you know how your goals and objectives relate to vulnerability management solutions?
  • Have you explored how cloud-based vulnerability management solutions deliver their key capabilities?
  • Do you understand how vulnerability management solutions leverage the cloud to benefit your organization?
  • What are your coverage expectations and knowledge related to current and emerging vulnerabilities?
SANS Vulnerability Management Survey

SANS Vulnerability Management Survey

What You Can Learn From Other Vulnerability Management Practitioners

Organizations of all sizes face rapidly changing IT environments with more assets to discover and protect, and more vulnerabilities to assess than ever before.

The SANS Vulnerability Management Survey explores how organizations manage an increasing number of vulnerabilities and how they address the challenges they face. It also offers recommendations about ways you can manage vulnerabilities across your attack surface, no matter how rapidly it evolves and changes.

  • As the number of vulnerabilities increases, your need for frequent vulnerability scanning becomes ever more important
  • Conduct routine automated scans to help decrease your cyber risk
  • Adopt continuous scanning to get near real-time insight into your attack surface as it evolves and changes
  • Use automated patching tools to ensure that your business-critical software, applications and operating systems are up-to-date

Read More

Frequently Asked Vulnerability Management Questions

Frequently Asked Vulnerability Management Questions:

What is vulnerability management?
Vulnerability management is an ongoing program that uses a variety of technologies and tools to identify Cyber Exposure risks across your entire organization, align them with your operational goals and objectives and then remediate those vulnerabilities in a timely matter to secure your network and keep your operations safe.
What is a security vulnerability?
A security vulnerability is a weakness or hole in hardware or software—a bug or programming mistake—that can be exploited to compromise systems and give attackers access to your data and information.
What is a network monitor and how does it help me manage vulnerabilities?
A network vulnerability monitor helps you find vulnerabilities, misconfigurations and other security issues within your traditional IT infrastructure including networks, servers, operating systems and applications.
What is an asset?
An asset is any hardware or software within your IT environment. This can include traditional IT assets like servers, networks and desktop computers, but also smartphones, tablets, laptops, virtual machines, Software as a Service (SaaS), cloud-hosted technologies and services, web apps, IoT devices and containers. Continuous asset discovery, evaluation and management are important for vulnerability management program success.
What is an attack surface?
An attack surface consists of multiple points of exposure (your IT assets) in your network that could be exploited by attackers. Historically, an attack surface consisted of traditional IT assets such as servers and networks, but today’s attack surface is vast and ever-growing, including mobile devices (smartphones, desktops and laptops), virtual machines, cloud infrastructure, web apps, containers and IoT devices.
How are vulnerability management and Cyber Exposure related?
Vulnerability management is the foundation of Cyber Exposure, which builds upon asset discovery and criticality, vulnerability discovery and prioritization and threat context related to the potential threats that may directly affect your organization.
What is a Vulnerability Priority Rating (VPR)?
A Vulnerability Priority Rating (VPR) is part of Tenable’s Predictive Prioritization process. VPR combines more than 150 data points, including Tenable and third-party vulnerability and threat data, and uses a machine-learning algorithm to identify vulnerabilities that have the greatest chance of being exploited within the next 28 days. The algorithm analyzes every vulnerability in the National Vulnerability Database (plus others announced by the vendor but not yet published in NVD) to predict the likelihood of an exploit. VPRs are scored on a scale of 0 to 10. VPRs at 10 indicate the most critical threats that should be fixed first.
What is an Asset Criticality Rating (ACR)?
An Asset Criticality Rating (ACR) represents the business-critical impact of assets within your organization. ACR automates asset criticality assessment with data from scan results and a rules-based approach for three pillars: internet exposure, device type and device functionality. These pillars combine to give you an ACR from 0 to 10. An asset that has a low ACR is not considered business-critical. With a high ACR, the asset is considered business-critical.
What is an Asset Exposure Score (AES)?
An Asset Exposure Score (AES) is calculated using a Vulnerability Priority Rating (VPR) and Asset Criticality Rating (ACR) to quantify an asset’s vulnerability landscape, including the asset’s vulnerability threat, criticality and scanning behavior.
What is a Cyber Exposure Score and why is it important?
A Cyber Exposure Score (CES) represents your overall cyber risk and can help you prioritize remediation based on asset criticality, business goals, the severity of the threat, how likely it is to be exploited in the near future and threat context. Once you determine your CES, you can benchmark your vulnerability management program internally as well as against peer organizations. This can help you communicate your cyber risk across your organization in a way key stakeholders and executives (who may not have a cybersecurity background) can understand.

Manage Vulnerabilities With the Power of Community

All of your Tenable Vulnerability Management Knowledge and Conversations in One Place

For years, Tenable-related discussions were hosted in a forum website. There, users shared feedback, asked questions and exchanged knowledge. Today, those forum posts are the foundation of the new Tenable Community. Tenable Community is a place where people with common interests in Tenable and vulnerability management can get together and exchange ideas.

Join our Community

Here are some sample conversations happening now:

How do I filter OS vulnerabilities in Tenable.io?

I have separate teams that manage patching. One manages OS and the other supports applications. I would like to provide separate reports or dashboards based on the vulnerability family so they don't get each other's patching responsibilities in their report or dashboard.

See the Answer

How do I export a scan from Tenable.io?

This short video demonstrates how to export scan results from Tenable.io. You can easily export vulnerability scanning data from Tenable.io as a .nessus file, PDF, HTML, or CSV.

Watch the Video

Why does my dashboard show a decrease in active vulnerabilities?

Vulnerability management dashboards can have a sudden decrease in vulnerabilities present in the scan environment, even when you’ve done no patching or you’ve not done patching on a large scale. Why?

See the Answer

Vulnerability Management Solutions to Ensure Cybersecurity Success

Vulnerability management is a way to reduce risk for your organization, no matter how large or small your organization may be. However, creating a successful vulnerability management program is not a simple task. It requires goal setting, metrics, continuous discovery and monitoring and buy-in from stakeholders across your organization. Not sure where to start? You can make your vulnerability management process stronger with five simple steps.

  1. Discover

    Achieving continuous discovery and complete visibility into your environment can be challenging without the right tools, but it is vital for discovering and preventing blind spots in your attack surface. An important first step in ensuring vulnerability management success is to identify and map every asset across all of your computing environments.

  2. Assess

    Next, evaluate the Cyber Exposure of all of your assets, including vulnerabilities, misconfigurations and other security health indicators. Comprehensive vulnerability and misconfiguration assessment is more than running a scan. It’s also using a range of data collection technologies like you’ll find in Tenable.io to identify diverse security issues for your organization.

  3. Analyze

    The third step for vulnerability management program success is to understand your exposures in context to your security and business goals so you can prioritize remediation based on asset criticality, threat context and vulnerability severity.

  4. Mitigate

    With the first three steps tackled, you’re on your way to a stronger vulnerability management program. Leveraging machine learning, you can go further to spot hidden data patterns that correlate with future threat activity. This will give you insight into vulnerabilities that may have the highest likelihood of near-term exploitation. From there, you can prioritize which exposures to mitigate first, if at all, and then apply the appropriate remediation process.

  5. Measure

    A final recommendation is to measure and benchmark your Cyber Exposure to make better business and technology decisions. Report customization in Tenable.io will provide you with easy-to-understand data about the effectiveness of your vulnerability management program and external benchmarking metrics to help you compare your program performance against similar businesses in your industry.

Vulnerability Management and Protecting Your Enterprise from Cyber Exposure

When it comes to vulnerability management, many security teams focus only on their department or team goals. While that traditionally had a degree of success, enterprise vulnerability management programs that align security goals with business goals tend to be stronger.

By aligning your vulnerability management program to your business goals, you can more easily create and analyze success metrics that enable you to communicate your program success to key stakeholders—like C-Suite executives and board members—in ways they understand. This can help you build a stronger enterprise program and get the support of upper-level management so you have access to the resources you need to keep your program flexible, scalable and successful. Here are five best practice recommendations for enterprise vulnerability management:

  1. Establish Goals

    Identify specific components that are measurable and meaningful and then begin attack surface hardening, asset inventory and patch auditing.

  2. Ensure Data Accuracy

    Don't limit the view of your total state of vulnerability. Ensure you're accessing accurate data that’s actionable and timely.

  3. Account for Gaps

    To maintain reliable processes and build trust, quickly identify sources where you have patching issues and track them as exceptions.

  4. Deal With Interdependencies and Conflicts

    Understand how processes affect individuals and teams within your organization to create a successful vulnerability management program.

  5. Know What to Measure

    Instead of trends, measurement should focus on exceptions to discover weaknesses.

Eliminate Blind Spots. Boost Productivity. Prioritize Vulnerabilities

Tenable.io’s actionable and accurate data will help you identify, investigate and prioritize vulnerability remediation and mitigate misconfigurations across your entire IT environment. Get started today for free.

Try Tenable.io Free for 30 days

Vulnerability Management Blog Bytes

Ditch the Spreadsheet for Vulnerability Management

Ditch the Spreadsheet for Vulnerability Management

Are you a creature of habit? Do you still use older tools and resources even if they're not as efficient as something new—like a good ol' spreadsheet to manage your vulnerability management program? This can be the case for many security teams. You often have more work than you can accomplish on a given day, so you may be hesitant to explore a new solution, even if it will save you time and improve program efficiencies. Tenable.io is an easy way to let go of the spreadsheet without having to let go of the knowledge you already have and the time you’ve invested in your program.

Read More

Security Teams and Vulnerability Response

Security Teams and Vulnerability Response

If you're part of a cybersecurity team, you know there is a never-ending list of vulnerabilities that routinely come across your desk. Traditionally, that’s meant you dig into news headlines, forums and other information exchanges to see which vulnerability is getting the most attention so you can focus your efforts. It can feel like a lost cause. That’s why Tenable’s Predictive Prioritization is changing the way teams handle vulnerability response. Predictive Prioritization leverages data science and machine learning to make it easier for your team to find, patch and remediate vulnerabilities.

Read More

Vulnerability Management Fundamentals

Vulnerability Management Fundamentals

In today’s overcrowded world of emerging security threats, fancy new tools and changing regulations, you may get so caught up in patching and fixing the next big thing that you lose sight of basic security fundamentals. One way you can get back to basics is by learning more about your organization’s Cyber Exposure (CE) lifecycle. You can use your CE to ensure your team’s security goals align with your organization’s business objectives. Not sure where to begin? Take a look at the four stages of a Cyber Exposure lifecycle to learn why they’re important for your vulnerability management program.

Read More

Vulnerability Management On Demand

Vulnerability Management Fundamentals: Asset Discovery and Classification

Overcome the challenges of discovering and managing assets across your attack surface with some basic vulnerability management fundamentals. In this webinar, you’ll learn:

  • Why continuous asset discovery is important
  • Techniques to collect data so you can discover different types of assets across your attack surface
  • Ways you can make the most of your asset management and classification processes
  • How Tenable can help you improve and expand your current discovery capabilities

Eliminate Vulnerability Overload with Predictive Prioritization

What if you only needed to remediate 3% of the vulnerabilities impacting your organization? This on-demand webinar explores:

  • Predictive Prioritization and how it will forever change the way you handle vulnerability remediation
  • Data science, research and analytics behind Predictive Prioritization
  • How Tenable uses Predictive Prioritization is used in Tenable products
  • Ways Predictive Prioritization will transform your vulnerability management program

Practical Approaches for Optimizing Your Asset and Vulnerability Management Processes

You can mitigate security risks with automation by streamlining management, prioritization, remediation and tracking of your most critical assets. In this webinar, you’ll learn about:

  • How to create process efficiencies using enhanced vulnerability assessment and grouping techniques
  • How to prioritize risks to your organization based on business impact
  • What a vulnerability lifecycle is and how to use timeline tracking for remediation

Master the Fundamentals of Vulnerability Management: Analysis and Prioritization

As your vulnerability discovery and assessment efforts become more effective, you will gain better insight into your organization’s overall Cyber Exposure, including access to better data that can help you prioritize patching and improve remediation. Watch this on-demand webinar to learn more about:

  • The value and limits of CVSS scoring
  • How to find the vulnerabilities that are most likely to affect your organization in the near future
  • How asset criticality is an important part of your vulnerability management program

Tenable.io: The Leading Vulnerability Management Solution for Your Modern IT Attack Surface

Your organization has a rapidly-evolving IT landscape. That’s why you need a vulnerability management solution that can evolve and change with you. Tenable.io provides you with timely, accurate information about your entire attack surface, including complete insight into all of your assets and vulnerabilities. Available as a cloud-delivered solution, Tenable.io will help you increase the effectiveness and efficiencies of your vulnerability management program.

Comprehensive Assessment


Nessus sensors within Tenable.io are for active and agent scanning and passive network monitoring to give you complete visibility into your attack surface from on-prem to the cloud.

Predictive Prioritization

Predictive Prioritization

With vulnerability data, data science and threat intelligence, Tenable.io helps you identify which vulnerabilities have the greatest impact of affecting your organization in the near-term.

Dynamic Asset Tracking

Asset Tracking

Your modern IT attack surface is made up of highly dynamic IT assets such as virtual machines, cloud instances, and mobile devices. Tenable.io tracks those assets and their vulnerabilities with unparalleled accuracy.

Passive Network Monitoring

Passive Network Monitoring

Continuously monitor network traffic so you can find and assess hard-to-scan devices and short-lived systems across your attack surface.

Automated Cloud Visibility

Cloud Visibility

Tenable’s Cloud Connectors give you continuous visibility and assessment into your public cloud environments through connectors for Microsoft Azure, Google Cloud Platform and Amazon Web Services.

Pre-built Integrations and Flexible API

Pre-built Integrations and Flexible API

With Tenable’s pre-built integrations and well-documented APIs and SDK resources, you can automate your workflows and share Tenable.io data with other third-party systems. See more at: developer.tenable.com.

Try Tenable.io for Free

Accurately identify, investigate and prioritize all vulnerabilities across your attack surface.

Try for Free

Back to Top

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.