Vulnerabilities are security flaws that create risk when combined with threats and insufficient controls. Managing vulnerabilities is a continuous process essential to cybersecurity.
Why it matters
- Most breaches exploit known vulnerabilities with available patches.
- The average time to exploit a new vulnerability is shrinking (now under 15 days).
- Organizations typically have thousands of vulnerabilities across their systems.
- Prioritization is essential—you can't fix everything at once.
Vulnerability lifecycle
- Discovery: Vulnerability is found by researchers, vendors, or attackers.
- Disclosure: Reported to vendor (responsible disclosure) or publicly.
- Patch released: Vendor issues a fix.
- Exploitation: Attackers develop exploits, sometimes before patches.
- Remediation: Organizations apply patches and mitigations.
Severity scoring
- CVSS (Common Vulnerability Scoring System): 0-10 scale based on exploitability and impact.
- Critical (9.0-10.0): Immediate action required.
- High (7.0-8.9): Prioritize patching.
- Medium (4.0-6.9): Schedule remediation.
- Low (0.1-3.9): Address when convenient.
Types of vulnerabilities
- Software bugs: Buffer overflows, injection flaws, logic errors.
- Misconfigurations: Default credentials, open ports, excessive permissions.
- Design flaws: Weak cryptography, missing authentication.
- Human factors: Social engineering susceptibility, weak passwords.
- Zero-days: Unknown vulnerabilities with no available patch.
Vulnerability management process
- Asset inventory: Know what you have to protect.
- Scanning: Regular automated vulnerability assessments.
- Prioritization: Risk-based ranking considering asset criticality and exploitability.
- Remediation: Patching, configuration changes, or compensating controls.
- Verification: Confirm vulnerabilities are actually fixed.
- Reporting: Track metrics and communicate risk to leadership.
Related Tools
Related Articles
View all articles
MCP Security Risks: A Practical Threat Model for Teams Connecting AI Agents to Tools
MCP isn't uniquely unsafe, but every server you connect widens your attack surface. A risk catalogue, the trust model you're actually accepting, and the governance controls MSPs and security teams should put in place.
Read article →
Claude Code's Security-Guidance Plugin: Shift-Left Security That Fixes Code as You Write It
Anthropic's free security-guidance plugin makes Claude Code review and fix vulnerabilities in the same session. Here's what it catches, how to install it, and how to roll org-wide rules across your team.
Read article →
AI Coding CLIs in CI/CD: Headless Modes, GitHub Actions, and Safe Automation
A practical DevOps guide to running Claude Code, Codex CLI, and Gemini CLI non-interactively in pipelines — headless flags, GitHub Actions, cost ceilings, and the guardrails that keep secrets from leaking.
Read article →
Claude Code Slash Commands Cheat Sheet: Every Command and When to Use It
A grouped reference to Claude Code's built-in slash commands — context management, model and reasoning control, review, recovery, and diagnostics — with practical notes on when to reach for each.
Read article →Explore More Security Foundations
View all termsAttack Surface
The total number of points where an unauthorized user could try to enter data into, or extract data from, an environment.
Read more →Authentication
The process of verifying the identity of a user, device, or system before granting access to resources or services.
Read more →Principle of Least Privilege (PoLP)
The practice of granting users and services the minimum access they need to perform their duties.
Read more →Zero Trust Architecture
A security model that assumes breach, requiring continuous verification of every user, device, and workload regardless of location.
Read more →