Vulnerability Management — detect weaknesses before an attacker exploits them
Vulnerability Management (VM) is a continuous process of detecting, assessing, prioritising and remediating weaknesses in IT systems, applications and configurations. Unlike a one-off penetration test, VM runs in a 24/7 cycle — authenticated and unauthenticated scans probe the infrastructure, findings are matched against CVE/NVD databases and vendor advisories, and results flow into a ticketing system with assigned ownership and remediation SLAs. The average organisation carries several thousand open vulnerabilities at any given time — without prioritisation based on CVSS, EPSS and business context, the team will be stuck in an endless backlog.
Implementing a VM process delivers three concrete outcomes: reducing MTTR (mean time to remediate) critical vulnerabilities from months to days, a measurable reduction in attack surface, and ready evidence for ISO 27001 (A.8.8 — Management of technical vulnerabilities), NIS2 (art. 21 — risk management measures) and DORA (art. 8 — ICT risk management) audits. Virtline designs and maintains VM processes based on Tenable Nessus, Qualys, Rapid7 InsightVM, OpenVAS and GFI LanGuard — integrating them with existing SIEM, ticketing (Jira, ServiceNow) and patch management workflows.
What does the Vulnerability Management process cover?
An effective vulnerability management programme is not a single tool — it is a repeatable cycle. In practice we implement the following elements:
Asset inventory — a complete map of servers, workstations, network devices, applications and containers in scope.
Authenticated and unauthenticated scanning — credentialed scans inside the host and external scans from an attacker’s perspective.
CVSS + EPSS + context prioritisation — risk scoring based not only on the vulnerability itself, but on the real probability of exploitation.
Ticketing integration — automatic creation of tickets in Jira/ServiceNow with SLA, owner and vulnerability context.
Remediation verification — re-scan after patching, ticket closure based on actual state, not self-declaration.
Audit reporting — KPI dashboards (MTTR, coverage, critical open) and compliance reports for ISO 27001 A.8.8 and NIS2.
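As an added example (not Virtline's tooling or any scanner's scoring engine), the following Python shows the two steps in the cycle above that are easiest to get wrong: prioritisation that combines CVSS with EPSS and business context, and remediation verification that closes a ticket only when the re-scan no longer sees the finding. The context weights, the EPSS floor, the host names, the placeholder CVE identifiers and the ticket states are all constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not Virtline's tooling): prioritisation and re-scan verification
# over constructed findings. Weights and thresholds below are assumptions.


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # constructed placeholder identifiers, not real CVEs
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    exploited_in_wild: bool
    criticality: int       # business criticality: 1 low, 2 important, 3 crown jewel
    internet_facing: bool


# Assumed context weights; a real programme derives these from its asset inventory.
CRITICALITY_WEIGHT = {1: 1.0, 2: 1.5, 3: 2.0}
EXPOSURE_WEIGHT = 1.5      # multiplier for internet-facing hosts
EPSS_FLOOR = 0.01          # keeps a CVSS 10 with EPSS 0.0 from scoring zero


def priority_score(f: Finding) -> float:
    """CVSS (impact) x likelihood (EPSS, or 1.0 on confirmed exploitation) x business context."""
    likelihood = 1.0 if f.exploited_in_wild else max(f.epss, EPSS_FLOOR)
    context = CRITICALITY_WEIGHT[f.criticality] * (EXPOSURE_WEIGHT if f.internet_facing else 1.0)
    return f.cvss * likelihood * context


def rank_findings(findings):
    """Return findings ordered by priority score, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


def verify_remediation(tickets, rescan_detections):
    """Update ticket status from a re-scan: close only what the scanner no longer sees.

    tickets: {(host, cve): status}; rescan_detections: set of (host, cve) still detected.
    A ticket the owner marked resolved that still shows up in the re-scan is reopened."""
    updated = {}
    for key, status in tickets.items():
        if key not in rescan_detections:
            updated[key] = "closed_verified"
        elif status == "resolved_by_owner":
            updated[key] = "reopened"
        else:
            updated[key] = status
    return updated


# Constructed sample findings: equal CVSS scores land very differently once EPSS
# and context apply (db01 drops to the bottom, the internet-facing VPN rises).
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 9.8, 0.95, True, 3, True),
    Finding("db01", "CVE-0000-0002", 9.8, 0.02, False, 3, False),
    Finding("ws17", "CVE-0000-0003", 7.5, 0.60, False, 1, False),
    Finding("vpn01", "CVE-0000-0004", 6.5, 0.40, False, 2, True),
]

# Constructed ticket state plus a re-scan that still detects db01's finding.
SAMPLE_TICKETS = {
    ("web01", "CVE-0000-0001"): "in_progress",
    ("db01", "CVE-0000-0002"): "resolved_by_owner",
}
SAMPLE_RESCAN = {("db01", "CVE-0000-0002")}


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.host:6} {f.cve} cvss={f.cvss:4} epss={f.epss:.2f} score={priority_score(f):6.2f}")
    print(verify_remediation(SAMPLE_TICKETS, SAMPLE_RESCAN))
```

The ranking makes the page's point concrete: sorted by CVSS alone, the two 9.8 findings tie at the top, but with EPSS and context the internal database host with a 2% exploitation probability falls below a medium-severity finding on an internet-facing VPN. The verification step is what turns "the owner says it is patched" into "the scanner confirms it is patched".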
Benefits of implementing Vulnerability Management
Smaller attack surface — systematic closure of vulnerabilities exploited by ransomware and APT groups.
Shorter MTTR — average time to remediate critical vulnerabilities drops from weeks to days through prioritisation and automation.
Regulatory compliance — documented process covering ISO 27001 A.8.8, NIS2 art. 21, DORA art. 8 and NIS2-implementing national regulations.
Early detection — vulnerabilities in systems and applications visible to the team before they become an attack target.
Full attack surface visibility — from on-premises servers through the cloud to workstations and network devices.
Lower incident cost — proactively closing a vulnerability costs many times less than responding to a ransomware attack.
Measurable KPIs for management — MTTR, coverage, trend and exposure score dashboards instead of raw CVE lists.
Vulnerability Management platforms we deploy
We select the scanning engine to match the scale, asset type (on-premises, cloud, OT/ICS, web apps) and existing SIEM/ticketing stack. We integrate the VM process with the tools your team already uses.
1. Tenable Nessus and Tenable.io — industry standard for vulnerability scanning, largest plugin database, strong coverage of hybrid environments. Integration with Tenable.sc for larger organisations and executive reporting.
2. Qualys VMDR — cloud platform with native integration of threat intelligence, asset inventory and patch management in a single console. Strong in distributed and multi-cloud environments (AWS, Azure, GCP).
3. Rapid7 InsightVM — dynamic scoring (Real Risk Score) combines CVSS, exploit availability and vulnerability age. Integration with InsightIDR (SIEM) and Threat Command (TI) within one platform.
4. OpenVAS / Greenbone — open source option for organisations with strict budget policies or needing full control. Deployed with custom scan policies and SIEM reporting.
5. SIEM and ticketing integration — Splunk, Microsoft Sentinel, Energy LogServer, Wazuh on the SIEM side, plus Jira, ServiceNow, GLPI on the ticketing side. Each vulnerability becomes an automatic ticket with SLA, owner and context.
For whom — Vulnerability Management implementation
Vulnerability management is no longer optional — for entities subject to NIS2, the financial sector under DORA and anyone maintaining ISO 27001, it is a requirement directly written into the regulations. From our practice, VM is especially urgent for organisations that:
- are subject to NIS2 as an essential or important entity
- operate in the financial sector under DORA
- are implementing or maintaining ISO 27001 (control A.8.8)
- manage critical infrastructure or OT/ICS environments
- maintain web applications accessible from the internet
- operate in a hybrid environment (on-premises + public cloud)
- have experienced a security incident or successful phishing/ransomware
- manage a fleet of more than 50 servers or workstations
- work with suppliers and need to document their security posture
- are preparing for a certification audit or TISAX assessment
Vulnerability Management is also an essential component of a CTEM (Continuous Threat Exposure Management) strategy — without VM you cannot build a credible exposure management programme.
Frequently asked questions about Vulnerability Management
How much does Vulnerability Management implementation cost?
Cost depends on the number of hosts, the chosen scanning engine and integration scope. It comprises a per-asset licence (from a few to several tens of euros per host per year) plus a one-time implementation fee (scanner architecture, policies, SIEM and ticketing integrations, training, false-positive calibration). After the asset inventory we provide a quote broken down into tool cost and service cost. Contact us for a quote for your infrastructure.
How long does the VM implementation take?
A standard implementation for 200–500 hosts takes 6–10 weeks: 1–2 weeks for inventory and design, 2 weeks for scanner installation and configuration, 2 weeks for policy calibration and false-positive handling, followed by the remaining weeks for SIEM/ticketing integration and training. The VM process then runs continuously — maintenance typically requires 1–2 person-days per week.
How often should vulnerabilities be scanned?
Industry standard is an incremental scan weekly and a full authenticated scan monthly. For critical assets (DMZ, public-facing applications, OT) we recommend daily scanning or continuous monitoring. After each critical CVE announcement (such as Log4Shell or ProxyShell) we run an ad-hoc scan focused on the specific vulnerability — this is a standard component of our maintenance service.
What does reporting to management and auditors look like?
We provide three reporting levels: technical (CVE list, hosts, remediation recommendations), executive (KPIs: MTTR, coverage, exposure score, trends, top 10 risks) and audit (compliance evidence for ISO 27001 A.8.8, NIS2 art. 21, DORA art. 8 — documented detect–prioritise–remediate–verify cycle). Dashboards refresh in real time; monthly and quarterly reports in PDF format.
How does VM help with NIS2, ISO 27001 and DORA compliance?
Vulnerability Management directly addresses ISO 27001:2022 A.8.8 (Management of technical vulnerabilities) and A.8.32 (Change management), NIS2 art. 21 (cybersecurity risk management measures, including vulnerability management) and DORA art. 8 (ICT risk management framework). For entities covered by national cybersecurity legislation it also satisfies requirements for periodic security posture reviews.
What is the SLA for responding to a critical vulnerability?
The Virtline standard SLA for vulnerabilities with CVSS ≥ 9.0 and an available in-the-wild exploit is: alert to the client team within 1 hour of appearing in the databases, dedicated ad-hoc scan within 4 hours, and a report listing exposed hosts with a remediation recommendation within 8 business hours. High vulnerabilities (CVSS 7.0–8.9) are included in the next weekly cycle; medium and low in the monthly cycle.
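As an added example (not Virtline's own SLA engine or reporting tooling), the following Python turns the SLA tiers in the answer above into code, computes the 1-hour, 4-hour and 8-business-hour deadlines, flags breached milestones, and computes the MTTR KPI mentioned in the reporting answer. The 09:00-17:00 Monday-to-Friday working window, the treatment of a CVSS ≥ 9.0 finding without a known exploit (not covered by the page's text) and every timestamp are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Added example (not Virtline's tooling): SLA tiering from the thresholds stated on this
# page, deadline computation and an MTTR KPI over constructed tickets.

BUSINESS_DAY_START = 9   # assumed working window for "business hours": 09:00-17:00, Mon-Fri
BUSINESS_DAY_END = 17


def sla_tier(cvss: float, exploit_in_wild: bool) -> str:
    """Map a finding to the SLA tiers described on the page.

    critical: CVSS >= 9.0 with an available in-the-wild exploit (1h / 4h / 8 business hours)
    high:     CVSS 7.0-8.9, handled in the next weekly cycle
    routine:  medium and low, handled in the monthly cycle
    A CVSS >= 9.0 finding without a known exploit is not addressed by the page;
    treating it as 'high' (weekly) is an assumption of this example."""
    if cvss >= 9.0 and exploit_in_wild:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "routine"


def add_business_hours(start: datetime, hours: float) -> datetime:
    """Advance `start` by `hours` of working time, skipping nights and weekends."""
    remaining = timedelta(hours=hours)
    cur = start
    while True:
        if cur.weekday() >= 5 or cur.hour >= BUSINESS_DAY_END:
            # outside the window: jump to the next calendar day's opening time
            cur = (cur + timedelta(days=1)).replace(
                hour=BUSINESS_DAY_START, minute=0, second=0, microsecond=0)
            continue
        if cur.hour < BUSINESS_DAY_START:
            cur = cur.replace(hour=BUSINESS_DAY_START, minute=0, second=0, microsecond=0)
        window_end = cur.replace(hour=BUSINESS_DAY_END, minute=0, second=0, microsecond=0)
        available = window_end - cur
        if remaining <= available:
            return cur + remaining
        remaining -= available
        cur = window_end


def critical_deadlines(published: datetime) -> dict:
    """Deadlines for a critical finding, counted from when it appeared in the databases."""
    return {
        "alert": published + timedelta(hours=1),        # wall-clock hour
        "adhoc_scan": published + timedelta(hours=4),   # wall-clock hours
        "report": add_business_hours(published, 8),     # business hours
    }


def sla_breached(deadlines: dict, now: datetime, completed: dict) -> list:
    """Milestones whose deadline passed without a completion timestamp on or before it."""
    return [name for name, due in deadlines.items()
            if (completed.get(name) or now) > due]


def mttr_days(closed_tickets) -> float:
    """Mean time to remediate in days over verified-closed (detected, closed) pairs."""
    durations = [(closed - detected).total_seconds() / 86400 for detected, closed in closed_tickets]
    return sum(durations) / len(durations)


# Constructed sample timestamps: 2026-03-02 is a Monday, 2026-03-06 a Friday.
PUBLISHED = datetime(2026, 3, 2, 14, 0)
FRIDAY_LATE = datetime(2026, 3, 6, 16, 0)
SAMPLE_CLOSED_TICKETS = [
    (datetime(2026, 3, 2, 14, 0), datetime(2026, 3, 3, 14, 0)),   # 1.0 day
    (datetime(2026, 3, 2, 9, 0), datetime(2026, 3, 5, 9, 0)),     # 3.0 days
]

if __name__ == "__main__":
    print(sla_tier(9.4, True), sla_tier(9.4, False), sla_tier(5.0, False))
    for name, due in critical_deadlines(PUBLISHED).items():
        print(f"{name:10} due {due:%a %Y-%m-%d %H:%M}")
    print("MTTR days:", mttr_days(SAMPLE_CLOSED_TICKETS))
```

The business-hours clock matters for the report milestone only: a critical CVE published late on a Friday afternoon still gets its alert and ad-hoc scan the same evening, while the 8-business-hour report deadline rolls over to Monday. Keeping the completion timestamps alongside the deadlines is what lets the same data feed both the SLA breach check and the MTTR dashboard.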
Why choose Virtline for Vulnerability Management implementation
Virtline designs and maintains Vulnerability Management processes based on proven scanning engines and hands-on experience from ISO 27001 and NIS2 audits. We do not sell licences in isolation from the process — we always deliver a complete service: architecture, calibration, SIEM/ticketing integrations, management and audit reporting, and ongoing maintenance.
Key advantages of implementing with Virtline:
Experience with Nessus, Qualys, Rapid7, OpenVAS, GFI LanGuard
TÜV NORD security certification — ISO 27001:2023
Prioritisation based on CVSS, EPSS and business context
SIEM integration (Splunk, Sentinel, Energy LogServer) and ticketing
Compliance reports for ISO 27001 A.8.8, NIS2, DORA
Ad-hoc response to critical CVEs within 1h/4h/8h
False-positive calibration — reports without noise
Support for ISO 27001, NIS2, TISAX and KSB 3.15 audits
Foundation for CTEM (Continuous Threat Exposure Management)
Contact us to implement a Vulnerability Management process tailored to the scale of your infrastructure and the requirements of ISO 27001, NIS2 or DORA.
Close vulnerabilities before someone exploits them — implement Vulnerability Management.
ISO/IEC 27001:2023 Certification
Virtline certified by TÜV NORD
Virtline holds the PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029.
Talk to a Virtline expert
We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.