Identify → Analyze → Prioritize → Remediate → Validate → Report
Vulnerability identification methods:
| Method | Also Known As | Description |
|---|---|---|
| SAST | Static analysis / white-box | Analyzes source code without executing it; runs early in the SDLC (IDE, CI pipeline) |
| DAST | Dynamic analysis / black-box | Probes the running application from the outside; finds runtime and configuration issues |
| Package monitoring | SCA (software composition analysis) | Inventories third-party packages and dependencies and checks them against known CVEs |
| Penetration testing | (none) | Human-driven simulation of real attacks to find exploitable weaknesses, not just reported ones |
| Vulnerability scanning | (none) | Automated scans of hosts and services to enumerate known weaknesses; broad coverage, needs triage |
Threat intelligence sources for newly disclosed vulnerabilities:
| Source | Notes |
|---|---|
| OSINT | Vendor advisories, websites, social media, blogs, conferences; free, first-stage recon |
| Commercial feeds | Third-party providers; curated and integrated into SIEMs |
| Threat sharing orgs | ISACs, CISA alerts; actionable, sector-specific intel |
| Dark web monitoring | Detects leaked org data and credentials being traded |
| Responsible disclosure / Bug bounties | Researchers report flaws privately to the vendor before public disclosure; bounties reward valid reports |
CVE (Common Vulnerabilities and Exposures): public catalog of publicly known vulnerabilities. Each entry gets a unique ID of the form CVE-YYYY-NNNN, where the sequence number has four or more digits (e.g. CVE-2021-44228). Referenced by NVD, scanners, and SIEMs.
CVSS (Common Vulnerability Scoring System): a numeric severity score from 0.0 to 10.0, computed from a vector of metrics (the vector string, e.g. starting with CVSS:3.1/AV:N/AC:L, records how the score was derived). The number maps to a qualitative rating (None, Low, Medium, High, Critical) given below; the rating is derived from the score, not the other way round.
| Metric Group | Description |
|---|---|
| Base | Intrinsic qualities that do not change over time (attack vector, attack complexity, privileges required, user interaction, scope, C/I/A impact) |
| Temporal (renamed Threat in CVSS v4.0) | Time-dependent factors (exploit code maturity, remediation level, report confidence) |
| Environmental | Organization-specific context (asset criticality, existing controls) that modifies the base metrics |
| Score Range | Severity |
|---|---|
| 0.0 | None |
| 0.1–3.9 | Low |
| 4.0–6.9 | Medium |
| 7.0–8.9 | High |
| 9.0–10.0 | Critical |
| Type | Definition | Risk |
|---|---|---|
| False positive | Scanner reports a vulnerability that does not exist (or is not exploitable in context) | Alert fatigue, wasted remediation effort |
| False negative | Real vulnerability missed or marked non-existent | False sense of security, unpatched exposure |
Remediation strategies:
| Strategy | Description |
|---|---|
| Patching | Apply the vendor fix; the primary response |
| Segmentation | Isolate affected systems to limit lateral movement and reduce exposure |
| Compensating control | Alternative measure (WAF rule, disabling the vulnerable feature, tighter access control) when patching is not possible |
| Exception / exemption | Formal acceptance of risk with documented justification, an owner and a review date |
| Insurance | Financial backstop for residual risk; transfers cost, not the exposure itself |
Validation after remediation:
1. Rescan: confirm the vulnerability no longer appears on the same hosts and no new findings were introduced
2. Audit: verify the security controls (patch, configuration, compensating control) are implemented correctly
3. Verify: confirm the patch or configuration change is actually in production, not only in staging
Prioritization factors:
- Industry and org impact — asset classification and business impact analysis (BIA)
- Exposure factor — % of asset value lost if the threat is realized
- Risk tolerance — maximum acceptable residual risk after controls are applied
- Exploitability — is a public exploit available? Is it being used in the wild (e.g. listed in CISA's Known Exploited Vulnerabilities catalog)?
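As an added example (not from the original notes), the Python below combines the factors above into a ranking and a risk-acceptance check. Single loss expectancy is the standard asset value times exposure factor; the multipliers for public exploits, active exploitation and internet exposure, the tolerance threshold, and the sample findings are assumptions chosen for illustration, not a published standard.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    finding_id: str
    host: str
    cvss: float              # CVSS base score
    asset_value: float       # from asset classification / BIA, in currency units
    exposure_factor: float   # fraction of asset value lost if exploited, 0.0-1.0
    exploit_public: bool     # a working exploit is publicly available
    exploited_in_wild: bool  # active exploitation reported (e.g. on a KEV-type list)
    internet_facing: bool    # reachable from the internet


def single_loss_expectancy(f: Finding) -> float:
    """SLE = asset value x exposure factor (classic quantitative risk formula)."""
    return f.asset_value * f.exposure_factor


# Multipliers are assumptions for this example, not a standard.
WILD_MULT, PUBLIC_EXPLOIT_MULT, INTERNET_MULT = 1.5, 1.25, 1.2


def priority_score(f: Finding) -> float:
    """CVSS adjusted upward for real-world exploitability and exposure."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= WILD_MULT
    elif f.exploit_public:
        score *= PUBLIC_EXPLOIT_MULT
    if f.internet_facing:
        score *= INTERNET_MULT
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest priority first; ties broken by potential loss."""
    return sorted(findings,
                  key=lambda f: (priority_score(f), single_loss_expectancy(f)),
                  reverse=True)


def exception_allowed(f: Finding, risk_tolerance: float,
                      compensating_ef_reduction: float = 0.0) -> bool:
    """An exception is acceptable only if the residual loss after compensating
    controls is within tolerance and the bug is not being actively exploited."""
    residual_ef = max(0.0, f.exposure_factor - compensating_ef_reduction)
    residual_sle = f.asset_value * residual_ef
    return residual_sle <= risk_tolerance and not f.exploited_in_wild


# Constructed sample findings (fictitious hosts, values and IDs).
SAMPLE = [
    Finding("F-1", "web-01", 9.8, 500_000, 0.8, True, True, True),
    Finding("F-2", "db-01", 9.1, 2_000_000, 0.5, False, False, False),
    Finding("F-3", "web-02", 6.1, 50_000, 0.3, True, False, True),
    Finding("F-4", "build-01", 7.5, 100_000, 0.2, False, False, False),
]


def ranked_ids(findings: List[Finding] = SAMPLE) -> List[str]:
    return [f.finding_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.finding_id, f.host, priority_score(f), single_loss_expectancy(f),
              "exception ok" if exception_allowed(f, 50_000) else "must fix")
```

Note how the medium-severity finding with a public exploit on an internet-facing host (F-3) ranks above the critical-CVSS finding on an internal database with no known exploit (F-2): CVSS alone would order them the other way. The exception check also refuses to accept risk for anything actively exploited, regardless of how small the computed loss is, which is the behaviour most policies want.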