Vulnerability Management
High scrutiny and high blast radius; proof and governance matter.
Inside this journey
-
Customer Discovery
Confirm decision-makers, available scanners and data, top-20 critical assets, success metrics (board-ready risk metric), and POC constraints.
Discovery Questions
Why Are We Talking Now?
- What's the immediate trigger that brought you to evaluate vulnerability prioritization now?
- Who is the ultimate decision-maker for selecting a vulnerability risk platform, and who else needs to sign off?
- How urgent is the decision on a vendor for the two-week POC (timeline to start)?
- Roughly how many open scanner findings are you working from today?
- Which vulnerability scanners and discovery tools are you currently using (select all that apply)?
Are We Choosing What Matters—or Just What’s Loud?
- Do your teams believe most scanner findings reflect exploitable risk in your environment?
- What approximate percentage of findings do you currently suppress as non-actionable or false positives?
- How do you currently decide to suppress or deprioritize a finding—walk me through the decision process and who’s involved.
- Give an example of a high-severity vulnerability that slipped through your current process—what happened, and what was the impact?
- Which data points do you feel are missing from scanner output that would change prioritization for you?
Who Signs the Tickets—and Who Pushes Back?
- When you present a prioritized remediation list, how often does IT operations accept the assignments without contest?
- Which ticketing and workflow platforms must remediation integrate with for you to consider the POC successful?
- How are remediation responsibilities currently assigned (automatic mapping, manual triage, by asset owner, other)?
- What are the top reasons IT ops resists your remediation priorities today?
- Tell me about a time a prioritized list worked—what convinced operations to act, and how long did trust take to build?
- What would make a new prioritization approach feel trustworthy to IT operations (specific evidence, pilot wins, executive mandate, other)?
Board-Ready Metrics: What Would Make Leadership Sit Up?
- Would a single defensible risk metric change remediation prioritization in leadership or the boardroom?
- What specific board-level metric would you need to see to feel prepared for an audit or executive review?
- What cadence and format does leadership prefer for vulnerability reporting (weekly dashboard, monthly slide, KPIs embedded in risk reports)?
- Which elements must the POC deliver to be considered 'board-ready' (select all that apply)?
- What threshold would you consider an acceptable suppression rate in the POC to demonstrate value (give a percentage or range)?
Two Weeks to Prove It—What Can Break the Experiment?
- What single issue is most likely to derail a two‑week proof-of-value in your environment?
- What scan data and artifacts are required for the POC (raw scan exports, asset inventory with IPs, tags, CMDB records, vulnerability descriptions, diff history)?
- Are there privacy, regulatory, or contractual constraints we should know about before ingesting scan data?
- How quickly can your team provide the last quarterly scan and any required asset enrichment (estimate in days)?
- Who will be the day-to-day POC owner on your side, and who is the escalation contact if something goes off-track?
Show Me the Twenty That Matter
- Do you already have a ranked list of your top 20 critical assets, and if so, how was that list created?
- Please list the identifiers (hostnames, IPs, asset tags) or a brief description of the top 10–20 assets you consider most critical.
- How many of those top assets are publicly internet-facing or exposed via DMZ/cloud endpoints?
- How would a compromise of one of those assets impact the business (data loss, financial, operational downtime, reputational)?
- Which enrichment sources do you currently trust to validate asset criticality (select all that apply)?
What Does Success Look Like at 2 Weeks and at 60 Days?
- If after two weeks we show an 80% reduction in actionable findings but no tickets were remediated, how would you interpret that result?
- Which success signals are most critical for you to greenlight a full rollout (choose up to three)?
- What acceptance gates should we use to declare the POC successful (examples: suppression % threshold, top-asset alignment %, ticket routing success)?
- If successful, what internal timeline do you expect for a 30–60 day rollout to full-estate coverage?
- Who must sign off on POC results to proceed to rollout (roles and approximate approval timeframes)?
Practical Constraints and Promises
- What internal resources can you commit to the POC (time per week, people, and tool/integration support)?
- Which internal approvals or legal reviews are required before we can ingest and process your scan data?
- Are there any network or VPN requirements for integrations, or do you prefer only offline/air-gapped upload of scan exports?
- What success commitments can your team make if the POC demonstrates clear value (e.g., pilot for 30–60 days, adopt prioritized tickets for a pilot group)?
- Who should we add to the POC kickoff and weekly check-ins (names, roles, and preferred contact method)?
-
Proof-of-Value Experience
Run the two-week POC using the customer’s last quarterly scan to compare prioritized output, suppression rate, exploit mapping, and ticket routing.
Proof-of-Value Sessions
- POC Kickoff & Current-State Confirmation
- Data Ingestion & Validation (Hands-on)
- Initial Prioritization Review — Top-20 Validation
- Ticket Routing & Remediation Flow Test
- Final Validation & POC Acceptance Review
- Identify and agree remediation for any gaps in ticket content or routing logic.
- Surface and document any disagreements with clear reasons and next steps to resolve them.
- Confirm suppression decisions are defensible and acceptable for the POC acceptance gate.
- Identify any policy or threshold tweaks required to better match customer expectations.
- Platform to deliver a top-20 comparison report with evidence links and a proposed adjustment list for any mismatches.
- Customer SMEs to annotate the report with accept/reject and provide rationale for any rejections.
- Agree and implement any agreed threshold or rule updates and re-run impacted items before mid-POC checkpoint.
- Ticketing Goals & Required Fields Recap
- Confirm that prioritized findings reliably create usable tickets in the customer's ticketing system.
- Ensure ticket fields, owner mappings, and SLAs align with IT operations needs.
- Introductions & Objectives
- Platform to push the full set of POC tickets (per agreed scope) and provide a tracking report.
- Customer to confirm ticket receipt and provide screenshots or ticket IDs for validation.
- Platform to update field mappings or owner logic based on feedback and re-run a small test if required.
- Recap: Agreed Current State, Consequence, and Future State
- Obtain explicit POC acceptance or a clear remediation list with owners and deadlines.
- Deliver a board-ready metric and narrative the CISO can use to justify next-phase investment.
- Agree mutual commit next steps: pilot scope, 30–60 day deployment plan, and owners.
- Document any outstanding technical/configuration items required before full rollout.
- Customer and platform sign the POC acceptance (or documented exception list) and confirm next-phase timeline.
- Platform to deliver final POC report with evidence bundles, board-ready slide, and configuration export.
- Schedule Mutual Commit meeting to finalize trial terms, data access for pilot, and deployment owners.
- Assign owners and deadlines for any remediation/configuration tasks needed before production rollout.
- Create a single, crystal-clear statement of the current state agreed by both teams.
- Explicitly quantify the consequence the POC must address (risk metric, time/cost impact).
- Agree precise POC success criteria, gates (suppression %, top-20 alignment), and timeline.
- Confirm owners and data/access requirements to avoid delays during ingestion.
- Customer to deliver the last quarterly scan export, top-20 asset list, and any enrichment sources (CMDB, IP registry) by the agreed cutoff.
- Customer to provide ServiceNow/Jira test credentials and a sandbox project for ticket routing tests.
- Platform team to send a POC runbook with timeline, data checklist, and contact roster within 24 hours.
- Schedule the Data Ingestion & Validation meeting and mid-POC checkpoint on calendar.
- Confirm the customer's scan data is fully ingested with no mapping errors.
- Pre-ingestion Checklist Review
- Validate that asset enrichment and exposure data is applied and top-20 assets are correctly identified.
- Demonstrate suppression and exploit overlays are working as intended against sample findings.
- Agree timing and scope for a safe ticketing integration test (what will be pushed and verified).
- Platform team to complete full ingest and deliver an initial prioritized report (CSV and dashboard link).
- Customer to confirm any missing asset identifiers or enrichment feeds within 24 hours.
- Platform to prepare a list of 5–10 representative findings for ticketing tests (covering suppressed, exploitable, and critical top-20).
- Customer to verify test ticket target queue and owner mappings for the integration test.
- One-sentence Recap (State, Consequence, Future State)
- Obtain explicit customer validation for the platform's priority rankings on the top-20 assets.
- One-sentence Current State
- Final Results Presentation
- Walkthrough: Prioritized Top-20 Findings
- Run Ingestion of Quarterly Scan
- Push Sample Tickets (Live)
- Asset Mapping & Enrichment Validation
- Consequence Quantification
- Board-ready Risk Metric & Narrative
- Comparison vs Customer Manual Ranking
- Verify Ticket Content & Assignment
- Suppression Rationale Review
- Define Future State / POC Outcome
- Workflow & Escalation Validation
- Suppression Logic & Exploit Overlay Check
- Acceptance Criteria Check against Gates
- Ticketing Integration Smoke Test Plan
- Collect Feedback & Adjust Mapping
- Decision & Next Steps (Mutual Commit)
-
Solution Scope
Define scanner connectors, asset enrichment sources, threat feeds, ticketing integrations (ServiceNow/Jira), and POC acceptance criteria.
Scope Configuration
- Import and Normalize Scanner Data
- Enrich Assets with Network Topology and Exposure
- Correlate Vulnerabilities with Threat Intelligence
- Identify Known Exploits and Proof-of-Concepts
- Risk-rank Findings by Exploitability and Asset Criticality
- Suppress Non-exploitable and False-positive Findings
- Map Prioritized Findings to Internet-facing Attack Surface
- Generate Remediation Tickets in ServiceNow or Jira
- Provide Remediation Playbooks for Critical Assets
- Deliver CISO Board-level Risk Dashboards and Metrics
- Export Regulatory Audit Evidence Packages
- Automate Quarterly Scan Re-ingestion and Delta Detection
- Enable Role-based Access, SSO, and Permissions
Scope Questions
Import and Normalize Scanner Data
- Which vulnerability scanners or sources do you currently use and want to ingest?
- What export formats or integration methods can you provide from those scanners?
- Do you prefer scheduled automated imports (e.g., daily/quarterly) or manual one-time uploads for the POC?
- Approximately how many findings (rows) and unique assets will typical imports contain?
- Do you require assistance mapping scanner fields to our canonical schema (e.g., host identifier, port, plugin id)?
- Are there any sensitive fields in your scan exports (e.g., PII, credentials) that must be redacted before ingestion?
Enrich Assets with Network Topology and Exposure
- What authoritative sources for asset inventory or topology do you have available?
- Which canonical asset identifier should we use to join data (IP address, FQDN, asset ID, other)?
- Do you have external exposure data (e.g., authenticated external scans, Shodan/Censys) to enrich internet-facing status?
- Do you need cloud-specific enrichment (instance metadata, security groups, public IPs)?
- Are there access constraints (firewalls, read-only CMDB, departmental approvals) that will affect enrichment?
- Describe any custom asset attributes or tags we should preserve during enrichment (e.g., business owner, environment).
Correlate Vulnerabilities with Threat Intelligence
- Which external or internal threat intelligence sources should we prioritize for correlation?
- Do you require real-time correlation of new intel or periodic batch enrichment?
- Do you want vulnerability-to-actor/campaign mappings and ATT&CK technique correlation?
- Are there internal signals (incident tickets, detections) we should ingest for richer correlation?
- What tolerance do you have for noisy intel matches (false positives) when surfacing risk flags?
- List any specific threat actors, campaigns, or CVE lists (e.g., CISA KEV) that must be prioritized.
Identify Known Exploits and Proof-of-Concepts
- Do you require discovery and indexing of known exploits and public proofs-of-concept for ingested CVEs?
- Which exploit data sources should be referenced for POC/exploit identification?
- Should exploit presence be time-weighted (e.g., active in past 30/90 days) for ranking?
- Do you want exploitability mapped to asset-specific configuration/context (service, port, kernel version)?
- Is safe validation/testing of POCs during the POC required (proof-run in isolated lab)?
- What minimum confidence threshold should mark an exploit as actionable in the POC?
Risk-rank Findings by Exploitability and Asset Criticality
- Which asset criticality model do you want to use for ranking?
- Which risk signals should inform ranking (select all that apply)?
- Do you want configurable weighting between exploitability and criticality during the trial?
- Will you provide a vetted list of top-20 critical assets to validate ranking alignment?
- What suppression or prioritization thresholds do you consider acceptable for POC acceptance (e.g., suppression % or top-N alignment)?
Suppress Non-exploitable and False-positive Findings
- Do you want automated suppression of non-exploitable findings based on rules and evidence?
- Should suppression be applied globally or scoped to asset groups/environments?
- Do you have existing suppression/whitelist lists to import?
- What audit and review workflow do you require for suppressed items (who reviews, frequency)?
- How long should suppressed findings be retained in the system for audit purposes?
- Are there categories of findings that must never be auto-suppressed (e.g., Internet-facing critical assets)?
Map Prioritized Findings to Internet-facing Attack Surface
- Do you maintain an authoritative list of internet-facing assets we should use for validation?
- Which external discovery sources may we use to validate internet exposure?
- What minimum confidence level should classify an asset as internet-facing?
- Should mapping to attack-surface include open ports, exposed services, and web-app endpoints?
- Do you require manual verification for top-ranked internet-facing findings before ticket creation?
Generate Remediation Tickets in ServiceNow or Jira
- Which ticketing systems do you use and want integrated?
- Should remediation tickets be created automatically or generated as drafts for review?
- Which ticket fields are mandatory to populate from the platform (e.g., asset owner, priority, CVE, remediation steps)?
- How should assignment rules be determined (by asset owner, by patch group, by network domain, custom)?
- Do you require two-way synchronization so ticket status updates reflect back into the platform?
Provide Remediation Playbooks for Critical Assets
- Do you want pre-built remediation playbooks per OS/application type or bespoke playbooks for specific critical assets?
- Which playbook formats are most useful to your ops teams?
- Who should author and approve playbooks (security team, ops team, vendor)?
- Should playbooks include verification and rollback steps and expected validation checks?
- How many high-priority assets require bespoke playbooks for the POC (estimate)?
Deliver CISO Board-level Risk Dashboards and Metrics
- Which board-level KPIs are essential for your CISO (select up to 3)?
- What reporting cadence do you prefer for board-level materials?
- Do you need exportable slide-deck or PDF-ready artifacts for board meetings?
- Should dashboards provide role-specific views (CISO executive summary, remediation team detail)?
- Are there existing visualization templates or corporate branding requirements for board materials?
Export Regulatory Audit Evidence Packages
- Which regulatory frameworks or audits must evidence packages support?
- What artifacts should be included in an audit package (select all that apply)?
- Preferred format for evidence delivery to auditors?
- What retention period do auditors require for these packages?
- Do auditors require signed/timestamped attestations or verifiable audit trails?
-
Mutual Commit
Agree on trial terms, data access, timelines, acceptance gates (suppression %, top-asset alignment), and responsibilities for each team.
Agreement Modules
- Proof-of-Value (POV) Agreement
- Statement of Work (SOW)
- Master Services Agreement (MSA)
- Data Access & Security Addendum
- Acceptance Criteria & Gates
- Roles & Responsibilities (RACI)
- Trial Timeline & Milestones
- Integration & Ticketing Access
- Trial Pricing & Licensing Terms
- Service Level & Support Plan (Trial SLA)
- Compliance & Data Processing Agreement (DPA)
- Change Control & Scope Management
- Escalation & Executive Sponsors
- Termination, Extension & Renewal Terms
- Final Sign-off & Handover Checklist
-
Deployment
Plan and execute ingestion, integrations, sequencing for early high-profile fixes, owners, and a 30–60 day rollout path to full-estate coverage.
-
Success
Validate POC results against success signals, confirm ticket flow into ops, measure actionable finding reduction, and track next-phase rollout.
Success Reviews
- Executive Success Review
- Technical Validation Workshop
- Ops Handoff & Ticket Flow Confirmation
- Remediation Roadmap & Early Wins Planning
- Measurement & Continuous Validation Cadence
Issues & Enhancements
- Define rollback and mitigation rules to limit operational disruption.
- Document and remediate any data connector or asset-mapping gaps identified in the session.
- Current Ticketing Process Overview
- Confirm that tickets created by the platform reach ops intact and are actionable by the assigned owners.
- Agree on field mappings, priority-to-SLA translations, and acceptance/closure rules for remediation tickets.
- Identify any required changes to ticket templates, integration configs, or notification workflows.
- Approve an operational pilot window and runbook for the initial cutover to ops.
- Update integration configuration to match agreed field mappings and priority-to-SLA rules.
- Produce an ops runbook covering ticket lifecycle, owner responsibilities, and suppression handling.
- Schedule and execute a 1-week operational pilot to validate ticket throughput and owner acceptance.
- Define Future State in Operational Terms
- Agree on the prioritized remediation sequence and specific early-win targets for the first 30 days.
- Assign owners and resources for each tranche and confirm timelines for delivery.
- Establish a communication plan to showcase early wins to build IT ops trust.
- Introductions & Objectives
- Publish a 30/60 day remediation roadmap with owners, milestones, and target completion dates.
- Assign ownership for each early-win item and create corresponding tickets in ops with agreed SLAs.
- Prepare the communication brief and stakeholder notification templates for reporting early wins.
- Baseline Metrics Recap
- Finalize KPI definitions, formulas, and owners for each metric to ensure consistent measurement.
- Agree on reporting cadence and dashboard content for operational and executive stakeholders.
- Set acceptance gates and escalation thresholds that determine readiness for broad rollout.
- Establish a data validation process to maintain trust in reported metrics.
- Publish final KPI definitions with calculation examples and assign metric owners.
- Configure dashboards and schedule automated reports per the agreed cadence.
- Define and schedule the recurring measurement review meetings (operational, monthly, quarterly).
- Validate that POC met the predefined success signals (suppression %, top-20 alignment, ticket acceptance).
- Secure executive sign-off to proceed to the defined next-phase rollout or agree on required corrective actions.
- Agree on a single board-ready metric and the narrative the CISO will use to explain risk reduction.
- Assign an executive sponsor and confirm high-level budget/ownership for the pilot rollout.
- Circulate a one-page executive summary with the board-ready metric and POC headline stats.
- Record executive approval (or required changes) for next-phase rollout and list resource commitments.
- Assign an executive sponsor and confirm initial pilot timeline (30/60 days).
- Recap of Data Inputs & Baseline
- Obtain customer SME confirmation that POC prioritization aligns with expert judgment for the sampled findings.
- Confirm suppression decisions are technically justified and acceptable to the VM team.
- Identify any data or mapping issues requiring rule adjustments before rollout.
- Agree on acceptance gate criteria (e.g., % of sampled items accepted) to mark technical validation complete.
- Deliver an annotated sample report showing justification for each prioritized and suppressed finding.
- Implement any agreed rule or enrichment adjustments and plan a re-run on the POC dataset if needed.
- One-sentence Current State
- POC Ticket Sample Review
- Sample Walkthrough — Top-20 Assets
- KPI Definitions & Formulas
- Select Early Win Candidates
- Suppression Rationale Review
- Live Ticket Creation Test
- Dashboard & Reporting Cadence
- POC Outcome Snapshot
- Sequence & Timeline (30/60 day plan)
- Exploit & Threat Correlation
- Ownership & SLA Mapping
- Resource & Owner Allocation
- Acceptance Gates & Escalation Thresholds
- Business Consequence & Impact
- Escalation & Acceptance Workflow
- Validation Exercise (Customer Vote)
- Board-ready Metric & Narrative
- Data Validation & Audit Process
- Communication & Stakeholder Plan