We covered vulnerability management, vulnerability scanning, vulnerability management frameworks and the lifecycle of a vulnerability management program, which runs from discover through prioritize, assess and report to remediate. We used OpenVAS, an open-source vulnerability scanner, to demonstrate scanning assets for vulnerabilities and reporting the findings, classifying each vulnerability by severity and CVSS score.
What is Vulnerability Management

Vulnerability management is an ongoing, structured process within a cybersecurity program aimed at identifying, assessing, prioritizing, and remediating security vulnerabilities across digital assets. It integrates with risk management and involves more than automated scanning: it is a strategic process that spans multiple departments, because the people who run the scanner are rarely the people who own the affected systems or accept the residual risk.
Distinction Between Vulnerability Scanning and Management
While vulnerability scanning uses tools to detect weaknesses, vulnerability management is the end-to-end process around it: maintaining an asset inventory, choosing the appropriate tools (OpenVAS or a commercial scanner), deciding which findings to fix and which risks to accept, and planning long-term mitigation. The inventory matters as much as the scanner, since a scan only covers the assets it was pointed at; an unknown host is never scanned.
Tools for Vulnerability Scanning
Commercial: Nessus, Nexpose
Open-Source: OpenVAS, OWASP ZAP (ZAP is a web-application scanner rather than a network/host scanner, so it complements OpenVAS rather than replacing it)
Nmap can also detect some vulnerabilities through its NSE scripts (the vuln script category), but it is primarily a port and service scanner, and the tutorial centers on OpenVAS. The demonstrations show how to add targets, initiate scans, and analyze the outcomes in that software.
CVE-Based Classification
Vulnerabilities are identified by CVE (Common Vulnerabilities and Exposures) IDs of the form CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or reserved (not necessarily the year the flaw was discovered or disclosed) and NNNN is a sequence number of four or more digits. The CVE Details website (cvedetails.com) can be used to look up a specific CVE and read its key attributes, such as the CVSS access complexity and the affected software versions.
Understanding and Using CVSS Scores
CVSS scores, such as 4.6 (medium) or 2.1 (low), quantify the severity of a vulnerability from its exploitability metrics (in CVSS v2 terms, which the room's Access Complexity question follows: access vector, access complexity and authentication) and its impact metrics (confidentiality, integrity and availability). These scores help determine which issues to tackle first: high-severity vulnerabilities are prioritized for immediate remediation, while low-risk ones may be accepted with monitoring. Keep in mind that CVSS measures technical severity, not organisational risk; the same score matters more on an internet-facing or business-critical asset than on an isolated test host, and a finding with a public exploit deserves attention ahead of one with the same score and no exploit.
Implementing the NIST Cybersecurity Framework (CSF)
The NIST CSF is presented as a foundational guide for organizing vulnerability management workflows. Its core Functions are Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds Govern), and it serves as the reference point for designing enterprise-grade security strategies.
Vulnerability Management Lifecycle in Detail
Discover: Identify all assets in the network, from servers to IoT devices, then scan them for known vulnerabilities.
Prioritize: Rank discovered vulnerabilities based on CVSS scores and asset criticality.
Assess: Evaluate business impact and decide on remediation urgency.
Report: Compile findings in structured formats like PDFs for audits or team coordination.
Remediate: Apply security patches, workarounds, or compensating controls. This might include OS upgrades or disabling vulnerable services. Re-scan afterwards to confirm the finding is actually gone rather than assuming the change took effect.
Vulnerability Scanning with OpenVAS
The video tutorial at the end walks through setting up a new scan:
- Define asset (host) and IP address
- Add targets via manual entry or file upload
- Configure scanning task and schedule
- Launch scan and review results in the reports tab
- Download report and interpret detailed breakdowns (e.g., severity, detection method, references)
In one scan example, OpenVAS found one high, one medium, and two low vulnerabilities on a host. Each vulnerability entry included:
- Description and CVE ID
- Severity score
- Potential impact
- Solution (patch, mitigation, workaround)
- Detection method and affected products
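The Prioritize step of the lifecycle and the report review described in this section come together in code like the following. It is an added example, not the room's or Greenbone's own code: SAMPLE_REPORT is a constructed, simplified XML document in the shape of a GMP/OpenVAS report (the element names such as result, host, nvt, tags, threat and severity are assumed from that format, and the hosts, finding names and scores are illustrative, arranged to give the one-high, one-medium, two-low mix of the scan above), and ASSET_CRITICALITY is an assumed asset inventory. The ranking multiplies each CVSS score by an asset-criticality weight, so the same finding ranks higher on a critical host, and a host missing from the inventory is treated as critical until someone classifies it.

```python
"""Parse an OpenVAS/Greenbone-style XML report, count findings per threat level and
rank them by CVSS severity weighted by asset criticality (added example).

SAMPLE_REPORT is a constructed, simplified document in the shape of a GMP report;
element names are assumed from that format and all values are illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """\
<report><results>
  <result id="1"><host>10.0.0.5</host><port>445/tcp</port>
    <nvt><name>SMBv1 Remote Code Execution (MS17-010)</name>
      <tags>summary=Constructed sample|solution_type=VendorFix</tags>
      <refs><ref type="cve" id="CVE-2017-0144"/></refs></nvt>
    <threat>High</threat><severity>9.3</severity></result>
  <result id="2"><host>10.0.0.7</host><port>443/tcp</port>
    <nvt><name>OpenSSL Heartbeat Information Disclosure</name>
      <tags>summary=Constructed sample|solution_type=VendorFix</tags>
      <refs><ref type="cve" id="CVE-2014-0160"/></refs></nvt>
    <threat>Medium</threat><severity>5.0</severity></result>
  <result id="3"><host>10.0.0.7</host><port>general/tcp</port>
    <nvt><name>TCP timestamps</name>
      <tags>summary=Constructed sample|solution_type=Mitigation</tags><refs/></nvt>
    <threat>Low</threat><severity>2.6</severity></result>
  <result id="4"><host>10.0.0.9</host><port>22/tcp</port>
    <nvt><name>SSH Weak MAC Algorithms Supported</name>
      <tags>summary=Constructed sample|solution_type=Mitigation</tags><refs/></nvt>
    <threat>Low</threat><severity>2.6</severity></result>
</results></report>
"""

# Assumed asset inventory (host -> criticality) and the weight applied to CVSS.
ASSET_CRITICALITY = {"10.0.0.5": "critical", "10.0.0.7": "low"}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


def parse_tags(text):
    """Split the 'key=value|key=value' string that OpenVAS stores in <tags>."""
    tags = {}
    for item in (text or "").split("|"):
        key, _, value = item.partition("=")
        if key:
            tags[key] = value
    return tags


def parse_report(xml_text):
    """Return one dict per <result> with the fields a triage report needs."""
    findings = []
    for result in ET.fromstring(xml_text).iter("result"):
        nvt = result.find("nvt")
        tags = parse_tags(nvt.findtext("tags"))
        findings.append({
            # strip(): real reports may nest an <asset> element inside <host>
            "host": (result.findtext("host") or "").strip(),
            "port": result.findtext("port", ""),
            "name": nvt.findtext("name", ""),
            "cves": [r.get("id") for r in nvt.iter("ref") if r.get("type") == "cve"],
            "threat": result.findtext("threat", ""),
            "severity": float(result.findtext("severity", "0")),
            "solution_type": tags.get("solution_type", "unknown"),
        })
    return findings


def count_by_threat(findings):
    """Totals per threat level, i.e. the 'how many medium findings' question."""
    return Counter(f["threat"] for f in findings)


def prioritize(findings, inventory=ASSET_CRITICALITY):
    """Rank by CVSS x asset criticality; hosts not in the inventory count as critical."""
    ranked = []
    for f in findings:
        criticality = inventory.get(f["host"], "critical")
        risk = round(f["severity"] * CRITICALITY_WEIGHT[criticality], 2)
        ranked.append({**f, "criticality": criticality, "risk": risk})
    # Highest risk first; ties are broken by raw CVSS so a 9.3 never trails a 2.6.
    ranked.sort(key=lambda f: (f["risk"], f["severity"]), reverse=True)
    return ranked


def format_report(ranked):
    """Plain-text triage table, one line per finding."""
    lines = [f"{'risk':>5}  {'cvss':>4}  {'host':<10} {'crit':<8} {'solution':<10} finding [CVEs]"]
    for f in ranked:
        cves = ", ".join(f["cves"]) or "-"
        lines.append(f"{f['risk']:>5.2f}  {f['severity']:>4.1f}  {f['host']:<10} "
                     f"{f['criticality']:<8} {f['solution_type']:<10} {f['name']} [{cves}]")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("Findings by threat level:", dict(count_by_threat(found)))
    print(format_report(prioritize(found)))
```

Note what the weighting does to the sample: the low-severity SSH finding on the un-inventoried host 10.0.0.9 outranks the medium-severity one on the low-criticality host 10.0.0.7. That is intentional; an asset nobody has classified is a gap in the Discover step, and surfacing it near the top is how the report gets someone to close that gap.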
TryHackMe Vulnerability Management Room Answers
Is the overall objective of vulnerability management to increase an organisation’s risk exposure? (yea/nay)
What is the Access Complexity for CVE-2013-1048?
With the fictional CVE-2023-2022, what would the CVE ID assign year be?
After scanning, what is the total number of medium-level vulnerabilities?
What is the severity score for the vulnerability “ICMP Timestamp Reply Information Disclosure”?
What is the operating system and the version number of the target machine?
What is the solution type for the “TCP timestamps” vulnerability?
What is the CVE for “ICMP Timestamp Reply Information Disclosure”?
Which phase entails updating and strengthening resilience plans and restoring any compromised capabilities or services caused by a cybersecurity event?