Vulnerability Management


What problem does it target?

Vulnerability Management addresses the need to identify, assess, prioritize, and remediate security vulnerabilities across IT assets to reduce risk and prevent exploitation by attackers. A key challenge is distinguishing between vulnerabilities that are present and those that are actually exploitable in a given environment (reachability).


What does this solution do?

Vulnerability Management platforms:

  • Scan systems, applications, and networks for vulnerabilities
  • Prioritize findings based on risk and exploitability, with increasing focus on reachability (whether a vulnerability is actually exploitable in the environment)
  • Track remediation and verify fixes
  • Integrate with patch management and ticketing systems

Reachability and False Positives

Traditional vulnerability scanning produces large numbers of findings that are commonly called false positives. Strictly they are not: the vulnerable package or version really is present. What they lack is exploitability, because of environmental factors (the vulnerable function is never called, the affected feature is disabled, the service is not exposed) or because an attacker cannot reach the code. Treating such findings as urgent erodes the security team's credibility with developers and wastes remediation effort. Modern approaches use reachability analysis to determine whether a vulnerability can actually be exploited in context, so that remediation effort goes to the findings that matter and the non-actionable ones can be documented rather than chased.

There are two main approaches to reachability analysis:

  • Static reachability analysis examines code without executing it and can operate at the package level (is the vulnerable package imported at all?) or at the function level (does any path from the application's entry points lead to the vulnerable function?). Function-level static reachability is far more precise, with reported reductions of 90-99% in the number of findings compared with package-level scanning. It cannot confirm that the vulnerable code is ever executed at runtime, and it is blind to call edges the static call graph does not capture, such as reflection, dynamic dispatch, plugins loaded from configuration, and native code, which can cause both misses and over-approximation. Static reachability is easy to integrate into developer workflows because it runs before deployment, supports more languages, and gives better patch guidance, but it can still report unreachable findings as reachable, scans take longer, and it lacks runtime context.
  • Runtime reachability analysis observes which components actually execute in a live environment, offering higher certainty and further reducing non-actionable findings. Function-level runtime reachability provides evidence that a vulnerable function was executed, which is strong evidence of exploitability and the basis for application detection and response (ADR) capabilities. The caveat is that the evidence is only as good as the observation window: a function not seen executing during a week of production traffic may still run on a rare error path or a scheduled job, so absence of execution is weaker evidence than presence. Runtime reachability can also combine code and container vulnerability scanning and supports defense and mitigation actions, but it requires deploying an agent and may lack pre-deployment scanning features.

Combining static and runtime reachability, potentially within an Application Security Posture Management (ASPM) platform, provides the most comprehensive vulnerability detection and prioritization. Static reachability is more workflow-oriented and suitable for early detection, while runtime reachability is better for confirming exploitability and reducing wasted developer effort. The effectiveness and maturity of both approaches vary by programming language and vendor implementation.
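The following is an added example, not code from the original page or from any vendor's product, showing how the three views above differ on the same findings: package-level presence, function-level static reachability over a call graph, and static reachability combined with a runtime trace. The call graph, the findings, the advisory labels (placeholders, not real vulnerability identifiers), the package names and the runtime trace are all constructed for the example.

```python
"""Function-level reachability triage over a call graph.

Added example, not code from the original page or from any vendor product.
Every input below is constructed for illustration; the advisory labels are
placeholders, not real vulnerability identifiers.
"""
from collections import deque

# Constructed static call graph: caller -> callees. Nodes are "package:function".
CALL_GRAPH = {
    "app:main": ["app:handle_upload", "app:render_page"],
    "app:handle_upload": ["imglib:decode_png", "app:store"],
    "app:render_page": ["tmpl:render"],
    "app:store": ["db:insert"],
    "imglib:decode_png": ["imglib:inflate"],
    "imglib:decode_gif": ["imglib:lzw"],   # shipped in imglib, never called by app
    "tmpl:render": ["tmpl:escape"],
    "tmpl:render_unsafe": [],              # shipped in tmpl, never called by app
    "db:insert": [],
    "imglib:inflate": [],
    "imglib:lzw": [],
    "tmpl:escape": [],
}
ENTRY_POINTS = ["app:main"]

# Constructed scanner output: advisory -> package and the function(s) it affects.
# "plugin:exec" lives in a module loaded by name at runtime, so the static graph
# has no edge to it at all.
FINDINGS = {
    "ADV-IMGLIB-1": {"package": "imglib", "functions": ["imglib:lzw"]},
    "ADV-IMGLIB-2": {"package": "imglib", "functions": ["imglib:inflate"]},
    "ADV-TMPL-1":   {"package": "tmpl",   "functions": ["tmpl:render_unsafe"]},
    "ADV-DB-1":     {"package": "db",     "functions": ["db:insert"]},
    "ADV-PLUGIN-1": {"package": "plugin", "functions": ["plugin:exec"]},
}

# Constructed runtime trace: functions observed executing during the observation
# window. db:insert is reachable but was not exercised; plugin:exec ran via
# dynamic loading that static analysis never saw.
RUNTIME_OBSERVED = {"app:main", "app:handle_upload", "imglib:decode_png",
                    "imglib:inflate", "app:render_page", "tmpl:render",
                    "tmpl:escape", "plugin:exec"}


def static_reachable(graph, entry_points):
    """Breadth-first walk from the entry points over the static call graph."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def packages_present(graph):
    """Package-level view: any package that appears in the graph counts as present."""
    names = {node.split(":")[0] for node in graph}
    names |= {c.split(":")[0] for callees in graph.values() for c in callees}
    return names


def triage(findings, graph, entry_points, observed):
    """Classify each finding under the package-level, static function-level and
    static+runtime views and assign a remediation priority."""
    reachable = static_reachable(graph, entry_points)
    present = packages_present(graph)
    result = {}
    for adv, f in findings.items():
        pkg_hit = f["package"] in present
        static_hit = any(fn in reachable for fn in f["functions"])
        runtime_hit = any(fn in observed for fn in f["functions"])
        if static_hit and runtime_hit:
            priority = "confirmed"     # reachable and observed executing
        elif static_hit:
            priority = "likely"        # reachable, not yet seen running: not proof of safety
        elif runtime_hit:
            priority = "investigate"   # ran, but static analysis had no edge to it
        else:
            priority = "deprioritize"  # present in the package, no path from the application
        result[adv] = {"package": pkg_hit, "static": static_hit,
                       "runtime": runtime_hit, "priority": priority}
    return result


if __name__ == "__main__":
    for adv, r in triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS, RUNTIME_OBSERVED).items():
        print(f"{adv:14} package={r['package']!s:5} static={r['static']!s:5} "
              f"runtime={r['runtime']!s:5} -> {r['priority']}")
```

Package-level scanning flags four of the five findings (every imported package), function-level static reachability keeps two, and the runtime trace both confirms one of those and surfaces the dynamically loaded one that static analysis could not see; the "likely" bucket is the case the caveat above is about, where a reachable function simply was not exercised during the window.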


Compliance and Prioritization

Compliance requirements have traditionally driven patching of every reported vulnerability. There is now a growing shift toward documenting why a non-exploitable finding is not being patched, using VEX (Vulnerability Exploitability eXchange) statements alongside an SBOM (Software Bill of Materials). A VEX statement records, per product and vulnerability, a status (typically affected, not affected, fixed, or under investigation) and, for a not-affected status, a machine-readable justification such as "vulnerable code not in execute path". Auditors and customers can then reconcile SBOM-derived findings against that assessment instead of treating every version match as an open item. VEX is carried in several formats, including CycloneDX, CSAF and OpenVEX.

Effective vulnerability management should combine both prioritization (identifying exploitable issues) and patching (remediation) strategies.

Note: The definition and implementation of reachability can vary between vendors, as determining exploitability often requires detailed environmental context.
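As an added example (not code from the original page or from any vendor tool), the block below turns reachability triage results into an OpenVEX document and checks the rule that matters for an audit: a not_affected statement must carry a justification or an impact statement. The advisory labels, package URLs, author and document identifier are placeholders constructed for the example; the field names, status values and justification values are those of the OpenVEX specification.

```python
"""Build and validate an OpenVEX document from reachability triage results.

Added example, not code from the original page or from any vendor tool.
Advisory labels, purls, author and document id below are placeholders.
"""
import json
from datetime import datetime, timezone

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Machine-readable reasons OpenVEX allows for a not_affected statement.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed triage output: advisory -> affected product (purl) and the
# priority assigned by the reachability analysis.
TRIAGE = {
    "ADV-IMGLIB-1": {"purl": "pkg:pypi/imglib@1.4.2", "priority": "deprioritize"},
    "ADV-IMGLIB-2": {"purl": "pkg:pypi/imglib@1.4.2", "priority": "confirmed"},
    "ADV-DB-1":     {"purl": "pkg:pypi/db@0.9.0",     "priority": "likely"},
    "ADV-PLUGIN-1": {"purl": "pkg:pypi/plugin@2.0.1", "priority": "investigate"},
}


def statement_for(advisory, purl, priority):
    """Map a triage outcome onto a VEX status. Only a finding with no path from
    the application earns not_affected; anything reachable stays affected until
    it is patched, and anything unexplained stays under_investigation."""
    stmt = {"vulnerability": {"name": advisory}, "products": [{"@id": purl}]}
    if priority == "deprioritize":
        stmt["status"] = "not_affected"
        stmt["justification"] = "vulnerable_code_not_in_execute_path"
    elif priority in ("confirmed", "likely"):
        stmt["status"] = "affected"
        stmt["action_statement"] = "Upgrade to a fixed release; tracked in the remediation ticket."
    else:
        stmt["status"] = "under_investigation"
    return stmt


def build_openvex(triage, author, doc_id, timestamp=None):
    """Assemble the document envelope around one statement per finding."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "role": "Document Creator",
        "timestamp": ts,
        "version": 1,
        "statements": [statement_for(adv, t["purl"], t["priority"])
                       for adv, t in triage.items()],
    }


def validate(doc):
    """Return a list of problems (empty means the document passes): every
    statement names a vulnerability and at least one product, every status is a
    known value, and every not_affected statement carries a recognised
    justification or an impact_statement."""
    problems = []
    for i, s in enumerate(doc.get("statements", [])):
        if not s.get("vulnerability", {}).get("name"):
            problems.append(f"statement {i}: missing vulnerability name")
        if not s.get("products"):
            problems.append(f"statement {i}: no products listed")
        status = s.get("status")
        if status not in STATUSES:
            problems.append(f"statement {i}: unknown status {status!r}")
        if status == "not_affected":
            if "justification" not in s and "impact_statement" not in s:
                problems.append(f"statement {i}: not_affected without justification or impact_statement")
            elif "justification" in s and s["justification"] not in JUSTIFICATIONS:
                problems.append(f"statement {i}: unknown justification {s['justification']!r}")
    return problems


if __name__ == "__main__":
    doc = build_openvex(TRIAGE, "sec-team@example.invalid", "https://example.invalid/vex/1")
    print(json.dumps(doc, indent=2))
    print("problems:", validate(doc))
```

The mapping is deliberately conservative: a "likely" finding (reachable but not observed executing) is still reported as affected, because absence from a runtime trace is not a justification OpenVEX recognises, and an auditor reading the document should see the patch obligation rather than a silent downgrade.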


Who is this for?

  • Security and IT operations teams
  • Organizations with diverse IT environments
  • Enterprises subject to compliance requirements

Who might not benefit from this?

  • Small businesses with minimal infrastructure
  • Teams with manual or ad hoc vulnerability tracking

Pitfalls and remedies

Pitfall                       Remedy
Too many low-risk findings    Use risk-based prioritization and reachability analysis
Missed assets or blind spots  Maintain a comprehensive, continuously updated asset inventory
Delayed remediation           Automate ticketing and follow-up

Sample products

  • Tenable Nessus
  • Qualys VMDR
  • Rapid7 InsightVM
  • Microsoft Defender Vulnerability Management
  • OpenVAS

All trademarks are property of their respective owners.
Copyright © 2025 Deepblue Consulting – All rights reserved.