Building a vulnerability management program from scratch
Program playbook · 9-min read · updated June 2026
A scanner finds problems. A program fixes them — repeatably, with owners, deadlines and evidence. The difference between the two is a closed loop you run on a cadence.
The loop
Know what you run — assets, products, and the components inside them. An accurate inventory (ideally an SBOM per product) is the foundation; everything downstream depends on it.
Score and rank findings by active exploitation, exploit probability and severity, exploited-first. Without prioritisation, a scanner just produces an unactionable wall of red.
Patch, mitigate, or formally accept each item with an owner and a due date tied to its priority. This is where risk actually goes down.
Re-scan to confirm the fix landed and nothing regressed. "We patched it" and "the vulnerability is gone" are not the same claim.
Track metrics over time — open criticals, time-to-remediate, exploited exposure — and report them. Trends prove the program works and justify investment.
Metrics that prove it works
| Metric | Why it matters |
|---|---|
| Open exploited / critical count | Your most urgent real-world risk, at a glance |
| Mean time-to-remediate (by severity) | How fast the loop actually turns |
| Asset / component coverage | How much of your estate you can even see |
| EOL exposure | Risk that can never be patched without upgrading |
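The loop and the metrics table above, carried through in code as an added example (not part of the original page and not IsItPatched's own code). The SLA days per priority tier, the tier rules in `prioritise`, and every asset, component and finding below are constructed, assumed values, not any standard's thresholds or real data; `exploited` stands in for evidence from a known-exploited feed and `epss` for an exploitation probability.

```python
# Minimal vulnerability-management loop (added example, not IsItPatched code):
# inventory -> prioritise -> remediate (owner + SLA) -> verify by re-scan -> report.
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Assumed policy values: remediation SLA in days per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Component:
    name: str
    version: str
    eol: bool = False  # end-of-life: cannot be patched, only upgraded


@dataclass
class Asset:
    name: str
    owner: str
    components: list = field(default_factory=list)  # empty == no SBOM yet
    scanned: bool = False


@dataclass
class Finding:
    fid: str
    asset: str
    component: str
    severity: str
    exploited: bool   # active-exploitation evidence (KEV-style feed)
    epss: float       # exploitation probability, 0..1
    found: date
    priority: str = ""
    owner: str = ""
    due: Optional[date] = None
    state: str = "open"   # open | fixed | accepted
    closed: Optional[date] = None


def prioritise(f: Finding) -> str:
    """Exploited-first: active exploitation outranks raw severity."""
    if f.exploited or f.severity == "critical":
        return "P1"
    if f.severity == "high" or f.epss >= 0.1:
        return "P2"
    return "P3"


def build_queue(findings, assets):
    """Assign priority, owner and due date; return the fix-first order."""
    owners = {a.name: a.owner for a in assets}
    for f in findings:
        f.priority = prioritise(f)
        f.owner = owners[f.asset]
        f.due = f.found + timedelta(days=SLA_DAYS[f.priority])
    return sorted(findings, key=lambda f: (not f.exploited, -SEVERITY_RANK[f.severity], -f.epss))


def verify(findings, rescan, today):
    """Close a finding only when the re-scan no longer reports it."""
    for f in findings:
        if f.state == "open" and rescan.get(f.fid) is False:
            f.state, f.closed = "fixed", today


def report(findings, assets, today):
    """The four metrics from the table: exploited/critical, MTTR, coverage, EOL."""
    open_ = [f for f in findings if f.state == "open"]
    fixed = [f for f in findings if f.state == "fixed"]
    mttr = {}
    for sev in SEVERITY_RANK:
        days = [(f.closed - f.found).days for f in fixed if f.severity == sev]
        mttr[sev] = mean(days) if days else None
    covered = sum(1 for a in assets if a.scanned and a.components)
    return {
        "open_exploited_or_critical": sum(1 for f in open_ if f.exploited or f.severity == "critical"),
        "overdue": sum(1 for f in open_ if f.due < today),
        "mttr_days": mttr,
        "coverage_pct": round(100 * covered / len(assets), 1),
        "eol_components": [c.name for a in assets for c in a.components if c.eol],
    }


def run_example():
    """Constructed sample estate and findings; returns (queue order, metrics)."""
    found = date(2026, 6, 1)
    assets = [
        Asset("web", "alice", [Component("libfoo", "1.2"), Component("libbar", "0.9", eol=True)], scanned=True),
        Asset("db", "bob", [Component("dbengine", "5.1", eol=True)], scanned=True),
        Asset("legacy", "carol"),  # never inventoried: a coverage gap, not "clean"
    ]
    findings = [
        Finding("F1", "web", "libfoo", "high", True, 0.60, found),
        Finding("F2", "db", "dbengine", "critical", False, 0.02, found),
        Finding("F3", "web", "libbar", "medium", False, 0.30, found),
        Finding("F4", "web", "libfoo", "low", False, 0.01, found),
    ]
    queue = build_queue(findings, assets)
    today = date(2026, 6, 10)
    verify(findings, {"F1": False, "F2": True, "F3": False}, today)  # F2 still reported
    return [f.fid for f in queue], report(findings, assets, today)


if __name__ == "__main__":
    order, m = run_example()
    print(order)
    print(m)
```

Two things the run makes visible that the prose only states: the exploited high-severity finding F1 is queued ahead of the unexploited critical F2, and F2 stays open and overdue after the re-scan even though it was "worked on", because the scanner still reports it. The uninventoried `legacy` asset drags coverage down to two of three assets rather than silently counting as clean.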
Frequently asked questions
Where do I start if I have nothing?
Start with inventory. You cannot prioritise or patch what you have not catalogued. Even a simple list of products and versions beats nothing — then layer in an SBOM.
What metrics should I track?
Open critical/exploited count, mean time-to-remediate by severity, percentage of assets covered, and EOL exposure. Trend them — direction matters more than any single number.
How is this different from just running a scanner?
A scanner is one step (find). A program closes the loop: inventory → prioritise → remediate → verify → report, with owners and SLAs. The loop is what reduces risk.
How does IsItPatched fit?
It supplies the prioritisation and tracking layer — verdicts, a fix-first queue and monitoring across your stack — via My Stack, so you spend effort on remediation, not data wrangling.
This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.