🔥 Let’s start talking about vulnerability management.

I've decided to start blogging about vulnerability management because there's something we need to get straight: chasing CVSS, VPR, EPSS scores (or whatever else) won't actually make your company safer. Context will.

If you're only looking at raw scores, you're ignoring your actual risks—and probably drowning in irrelevant alerts.

🎯 Why Context Matters (Way) More Than Scores:

  • Exploitability: Can attackers easily exploit it, or better yet, are they already exploiting it?
  • Asset Criticality: What happens if this asset goes down? Do you lose business, data, reputation—or all three?
  • Threat Intel: Are we seeing active attacks targeting this vulnerability right now?
  • Reachability: Is the vulnerable code or service even reachable in your applications or systems? (This one's huge; a whole wave of startups is building tools just for this. Why spend time on a vulnerability nobody can reach?)

Most frameworks and scanners partially handle these points—but rarely your internal context. Your tooling needs to adapt to your reality and build scores using your unique internal knowledge.


🔎 Manual Findings vs. Automated Scans

Let's also be clear: automated scans miss things. Bug bounties, internal pentests, red teams: the humans behind them find critical vulnerabilities that automated tools won't, and they usually come with a demonstrated impact, not a guessed one.

You simply can’t treat manual findings like yet another automated alert.

🛠️ How Do You Actually Fix Stuff?

  • Prioritize vulnerabilities that have known exploits, are under active attack, and above all are actually reachable in your environment.
  • Use your internal knowledge (not just external scores) to prioritize fixes.
  • Patch fully—no more band-aid solutions that just delay problems.
  • Keep your environment clean with regular security hygiene. Less emergency patching, more proactive fixes.
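Here is what "build scores using your internal knowledge" can look like in practice, pulling together the context factors above (exploitability, asset criticality, threat intel, reachability), the "manual findings are not just another alert" point, and the prioritization rules in this list. This is an added example, not code from the original post or from any scanner vendor: the weights, the bucket thresholds, the asset names and the VULN-x identifiers are all made up to illustrate the idea, and the sample queue is constructed, not real data. External scores seed the number; internal context decides where it lands.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    """One vulnerability on one asset, carrying the context the post asks for."""
    vuln_id: str                 # placeholder ids below, not real CVEs
    cvss: float                  # 0..10 base score from the scanner
    epss: float                  # 0..1 exploitation probability (EPSS-style)
    asset: str
    asset_criticality: int       # 1 (throwaway lab box) .. 5 (revenue-critical); your rating
    reachable: Optional[bool]    # None = no reachability analysis available
    known_exploited: bool        # on a KEV-style list or seen in your own telemetry
    active_attack: bool          # threat intel / SOC sees attacks on it right now
    source: str = "scanner"      # "scanner", "pentest", "bug_bounty", "red_team"


MANUAL_SOURCES = {"pentest", "bug_bounty", "red_team"}


def context_score(f: Finding) -> float:
    """Return a 0..100 priority; higher means fix sooner.

    CVSS and EPSS only seed the number (at most 40 points together);
    the internal context below decides where it ends up.
    The weights are assumptions for this example, not a standard.
    """
    base = f.cvss * 2.0 + f.epss * 20.0          # 0..40 from external scores
    score = base * (f.asset_criticality / 5.0)   # scale 0.2..1.0 by asset value
    if f.known_exploited:                        # a working exploit is in use
        score += 25
    if f.active_attack:                          # attacks observed right now
        score += 25
    if f.source in MANUAL_SOURCES:               # human-confirmed, impact shown
        score += 20
    if f.reachable is False:                     # proven unreachable: discount
        score *= 0.25                            # unknown (None): no change
    return round(min(score, 100.0), 1)


def bucket(score: float) -> str:
    """Map a score to a remediation queue (thresholds are assumptions)."""
    if score >= 60:
        return "fix_now"
    if score >= 25:
        return "this_sprint"
    return "backlog"


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (vuln_id, score, queue) tuples, highest score first."""
    scored = []
    for f in findings:
        s = context_score(f)
        scored.append((f.vuln_id, s, bucket(s)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample queue (not real data). A CVSS-only view would
# order these A, C, B, D; context reverses most of that.
SAMPLE_FINDINGS = [
    # 9.8 on a disposable lab box, nobody exploiting it, reachability unknown
    Finding("VULN-A", 9.8, 0.05, "lab-jenkins", 1, None, False, False),
    # 6.5 on the payments API, exploited in the wild and being attacked now
    Finding("VULN-B", 6.5, 0.90, "payments-api", 5, True, True, True),
    # 7.0 on the payments API, but the vulnerable code path is unreachable
    Finding("VULN-C", 7.0, 0.30, "payments-api", 5, False, False, False),
    # 5.3 found and demonstrated by the internal pentest on the customer portal
    Finding("VULN-D", 5.3, 0.01, "customer-portal", 4, True, False, False, "pentest"),
]

if __name__ == "__main__":
    for vuln_id, score, queue in prioritize(SAMPLE_FINDINGS):
        print(f"{vuln_id:8s} {score:5.1f}  {queue}")
```

Run it and the 6.5 on the payments API comes out on top (fix now), the pentest finding lands in this sprint, and the 9.8 on the lab box ends up at the bottom next to the unreachable one. The point is not these particular weights; it is that every input on the right-hand side of the score except CVSS and EPSS is something only you know about your environment.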

🚨 Let’s Make Vulnerability Management Better

  • Are metrics running your vuln management—or are you in charge?
  • Are you prioritizing manual findings correctly?
  • Are you considering reachability when managing vulnerabilities?
  • How can we shift from reactive firefighting to a proactive, context-driven strategy?

I'd love to hear your thoughts on this 👇

#Cybersecurity #VulnerabilityManagement #RiskManagement #SecurityLeadership #ContextOverScores #CVSS #EPSS