
Understanding Risk-based Vulnerability Management

Risk-based vulnerability management (RBVM) prioritises and remediates vulnerabilities based on internal and external risk factors

Software vulnerabilities are an unfortunate reality of enterprise IT. New vulnerabilities are being discovered all the time, and while most will never be exploited by an adversary, without a program to quickly discover and remediate high-priority vulnerabilities, organisations are putting themselves at risk.

2024 saw another jump in the volume of vulnerabilities, according to the Common Vulnerability Scoring System (CVSS), with the year’s total tally at 40,289, a near 40% increase compared to 2023. That is an overwhelming number for security teams to understand and potentially respond to, a challenge made harder by the knowledge that only a small fraction of those vulnerabilities may actually be exploited and pose imminent danger to their organisation. This puts pressure on security teams to identify and prioritise the highest-risk vulnerabilities, which is difficult to achieve without proper expertise and an understanding of the IT environment.

While the majority of organisations employ some kind of vulnerability remediation strategy, many use a traditional approach to vulnerability management: infrequent manual scans are used to identify software vulnerabilities, which are then prioritised based solely on their common vulnerabilities and exposures (CVE) score. From there, organisations patch the vulnerabilities, starting with the ones that have the highest CVE score, but there is never enough time to patch them all, and security managers often struggle to determine whether the process actually reduces their risk.

Clearly, this traditional approach to vulnerability management no longer seems sufficient in a threat landscape where not only are vulnerabilities multiplying, but threat actors are also turning to tried-and-true exploits for intrusion. Arctic Wolf research found that the top 10 vulnerability exploits observed by Arctic Wolf® Incident Response in 2024 all had patches available at the time of exploitation.

Instead of trying to play “Whack-a-Mole” as new vulnerabilities appear within their environments, organisations need a better approach, one that more accurately assesses the risk a vulnerability poses and better prioritises vulnerability remediation efforts to reduce risk quickly and efficiently. They need risk-based vulnerability management.

What is Risk-based Vulnerability Management?

Risk-based vulnerability management (RBVM) is a form of vulnerability management where vulnerabilities are prioritised and remediated based on internal and external risk factors, including those that are unique to an organisation, its business objectives and its IT environment.

The key philosophical difference behind RBVM is that not only is every organisation different, with unique business and security goals that could be in flux, but also that vulnerabilities can be classified in a multitude of ways, influencing how their overall risk to an organisation is assessed.

Vulnerabilities fit into four categories (network, operating system, process, and human) and are classified using a system called the common vulnerability scoring system (CVSS), which rates them based on factors such as potential damage and ease of exploitation. However, just because a vulnerability is classified by CVSS as critical does not mean it presents a critical risk for a given organisation. Risk-based vulnerability management also incorporates internal factors such as asset criticality, how difficult it would be for an attacker to reach the affected resource, and the extent of potential damage. That information is then used to inform how vulnerabilities are classified, prioritised, and remediated (with a patch or other mitigation), or, where a vulnerability is deemed low risk, ignored with a certain level of risk acceptance.

For example, Arctic Wolf identified 25 of the most exploited vulnerabilities in 2024. These vulnerabilities vary in criticality and rating, but the fact that they were exploited so often serves to alter the assessment of how risky they could be to a given organisation. However, an organisation may not contain all 25 or may deem some as low risk. It’s a subjective process that should be continually evaluated and refined as contextual factors change.

Risk-based Vulnerability Management vs. Traditional Vulnerability Management

The main difference between risk-based vulnerability management and a more traditional program is, simply, the inclusion of and emphasis on risk factors.

Traditional vulnerability management is primarily focused on repeating the vulnerability management lifecycle ad nauseam, remediating as many vulnerabilities as possible, often using a vulnerability’s CVSS ranking as the key prioritisation metric. This approach does not take a specific organisation’s environment or assets into consideration, and may or may not integrate real-world threat intelligence into the prioritisation process.

Risk-based vulnerability management, however, is a more customised approach, focused on operationalising remediation around reducing risk, thereby creating a more efficient and effective vulnerability management program. Risk-based vulnerability management moves beyond the CVSS score and additionally considers the likelihood that a given vulnerability will be exploited, the threat intelligence available around that vulnerability, the potential business impact if that vulnerability is exploited, and what security controls exist that may compensate for a lack of remediation.

This approach allows security teams to focus on the most impactful and riskiest vulnerabilities, creating efficiency while improving an organisation’s overall security posture.

Risk-based Vulnerability Management and the Vulnerability Management Lifecycle

Vulnerability management, broadly, follows a standard life cycle, which consists of four stages:

1. Discover. This phase involves scanning the assets and applications within the environment for known vulnerabilities. A comprehensive inventory of assets and applications should be conducted in advance to determine scope.
2. Assess. In this phase, after known vulnerabilities are discovered, they are assessed and ranked based on their CVSS. It’s often impossible to remediate every single vulnerability, so this stage is critical in terms of prioritisation, and often involves weighing risk reduction versus risk acceptance.
3. Harden. This is the phase where vulnerability remediation, patching, and mitigation occurs.
4. Validate. In this phase, an organisation will verify that the vulnerabilities have been remediated through rescanning and reassessing. This phase will also involve monitoring of the given assets and applications.

Risk-based vulnerability management follows this lifecycle while enhancing it by considering and accounting for risk factors in every stage.

In the discovery stage, risk-based vulnerability management will not only classify vulnerabilities, but also categorise and classify assets to understand their business and security value. In the assessment stage, vulnerabilities will be assessed utilising not just CVSS scores, but also threat intelligence, relevance to high-priority applications and devices as well as core business functions, and other pre-determined factors.

The hardening phase is the most important one to risk-based vulnerability management. Based on what information is gathered and what decisions are made in the previous two lifecycle stages, vulnerability remediation is initiated and prioritised based not solely on CVSS scores, but rather on likelihood and impact of an exploit to an organisation’s specific environment, and related business impact.
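The assess and harden stages above, and the risk factors listed earlier (exploitation likelihood, threat intelligence, asset criticality, business impact, compensating controls), can be made concrete with a small prioritisation model. The following is an added example, not Arctic Wolf's code or any product's scoring formula: the weights, the asset data, the findings and the `VULN-000x` identifiers are all constructed for illustration, and the thresholds for "patch-now", "schedule" and "accept-risk" are assumptions that an organisation would set from its own risk appetite. It shows how the same three findings rank differently under CVSS-only ordering versus risk-based ordering.

```python
"""Added example (not Arctic Wolf's code): re-ranking vulnerability findings by
contextual risk instead of CVSS alone. All assets, findings, weights and
thresholds below are constructed sample data; VULN-000x ids are placeholders,
not real CVE identifiers."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    name: str
    criticality: int                       # 1 (low business value) .. 5 (crown jewel)
    internet_exposed: bool                 # reachable by an outside attacker?
    compensating_controls: List[str] = field(default_factory=list)  # e.g. "mfa"


@dataclass
class Finding:
    vuln_id: str                           # placeholder id, not a real CVE
    asset: Asset
    cvss: float                            # CVSS base score, 0.0 .. 10.0
    exploited_in_wild: bool                # threat intel: exploitation observed
    exploit_public: bool                   # public proof-of-concept available


def likelihood(f: Finding) -> float:
    """Exploitation likelihood in 0..1, driven by threat intel and exposure.
    The additive weights are assumptions chosen for this example."""
    score = 0.1                            # baseline: every vulnerability can be hit
    if f.exploit_public:
        score += 0.3
    if f.exploited_in_wild:
        score += 0.5
    if f.asset.internet_exposed:
        score += 0.1
    # Each compensating control is assumed to cut likelihood by 25%, capped at 75%.
    reduction = min(0.75, 0.25 * len(f.asset.compensating_controls))
    return round(min(1.0, score) * (1 - reduction), 3)


def impact(f: Finding) -> float:
    """Business impact in 0..1: CVSS severity weighted by asset criticality."""
    return round((f.cvss / 10.0) * (f.asset.criticality / 5.0), 3)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0..100 for readability."""
    return round(100 * likelihood(f) * impact(f), 1)


def decision(f: Finding, patch_now_at: float = 40.0, accept_below: float = 5.0) -> str:
    """Harden-stage decision: thresholds are assumed organisational risk appetite."""
    r = risk_score(f)
    if r >= patch_now_at:
        return "patch-now"
    if r >= accept_below:
        return "schedule"
    return "accept-risk"


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """Traditional ordering: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings: List[Finding]) -> List[str]:
    """Risk-based ordering: highest contextual risk first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample environment: three assets with different value and exposure.
WEB_PORTAL = Asset("customer-web-portal", criticality=5, internet_exposed=True)
DEV_VM = Asset("isolated-dev-vm", criticality=1, internet_exposed=False,
               compensating_controls=["network-segmentation"])
HR_DB = Asset("hr-database", criticality=4, internet_exposed=False,
              compensating_controls=["mfa", "network-segmentation"])

SAMPLE_FINDINGS = [
    Finding("VULN-0001", DEV_VM, cvss=9.8, exploited_in_wild=False, exploit_public=False),
    Finding("VULN-0002", WEB_PORTAL, cvss=7.5, exploited_in_wild=True, exploit_public=True),
    Finding("VULN-0003", HR_DB, cvss=8.8, exploited_in_wild=False, exploit_public=True),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
    print("Risk-based order:", risk_order(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.vuln_id} on {f.asset.name}: cvss={f.cvss} risk={risk_score(f)} -> {decision(f)}")
```

With this data the CVSS-only list puts the 9.8 on the segmented dev VM first, while the risk-based list puts the actively exploited 7.5 on the internet-facing portal first and marks the dev VM finding as accepted risk. The point is the ordering logic, not the specific weights: an organisation would tune likelihood weights from its threat intelligence feeds and the thresholds from its stated risk appetite, and revisit them as the contextual factors change.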

This more contextually driven approach to the vulnerability management lifecycle is just one of the ways risk-based vulnerability management differs from more traditional or legacy approaches.

Learn more about the vulnerability remediation process.

Benefits of Risk-based Vulnerability Management

Approaching vulnerability management this way, with risk as the main deciding factor, can have multiple benefits for an organisation.

  • It reduces the effort and time required for remediation and patching, as certain vulnerabilities that pose little to no risk may be left alone, while others posing higher risk can be attended to first
  • It allows security teams to use the RBVM’s risk prioritisation insights to help map out how they will harden their attack surface over time
  • It improves the decision-making process by taking in multiple sources of information (threat intelligence, business goals, current risk levels) allowing for more precise vulnerability remediation and management
  • It allows for broader visibility, assessment, and attack surface management, as every component is weighed in the decision-making and action process
  • It can help reduce risk and the likelihood of a cyber attack as those vulnerabilities that pose the highest risk (including those that have been exploited in the wild) are remediated first
  • It facilitates swifter action on high-risk vulnerabilities, hardening an organisation’s defenses faster

Risk-based vulnerability management is an evolution of traditional vulnerability management that is more suitable for a rapidly changing modern IT environment. It allows organisations to look at vulnerability management as part of a whole proactive security strategy, instead of an isolated “find and remediate” process.

How To Implement a Risk-based Vulnerability Management Program

Before embarking on a vulnerability management program, there are six questions an organisation should ask itself:

  • How does our organisation define risk, and what risk do we accept?
  • What assets exist in my environment, and how do we classify them?
  • Where are my organisation’s vulnerabilities, and which vulnerabilities should be remediated first?
  • How can those vulnerabilities be remediated efficiently and effectively?
  • How does my organisation prioritise those vulnerabilities based on resources and risk tolerance?
  • How should realistic vulnerability remediation and patching deadlines be set?

The answers to these questions will help your organisation create a framework that can be followed every time new vulnerabilities appear or when your security team conducts assessments. Of course, asking these questions is easier than answering them, and easier still than dedicating the time, resources, and expertise to conduct the actions needed.

The fact is, vulnerability management is an ongoing process that should improve with time and experience, and while RBVM can help organisations achieve better outcomes by customising the vulnerability management lifecycle, every implementation and outcome depends on your organisation’s resources, appetite for business risk, and expertise. No two outcomes will be the same.

Arctic Wolf and Vulnerability Management

Even for well-tuned security teams, answering the questions above, creating a framework for evaluating vulnerabilities, and then continually discovering, assessing, and remediating them can be too tall a mountain to climb.

Arctic Wolf Managed Risk was designed to streamline this process, allowing your organisation to actively reduce risk while utilising the resources you have efficiently and effectively.

Managed Risk allows your security teams to:

1. Discover assets in your environment and define your attack surface to gain broader visibility
2. Assess risk points and determine your cyber risk in context of your business
3. Harden your attack surface by leveraging actionable remediation guidance to close vulnerability gaps and continually harden your security posture

This technology is backed by the Arctic Wolf Concierge Delivery Model, which offers personalised remediation and risk guidance and Arctic Wolf Threat Intelligence, which ensures your organisation has the most up-to-date information about various vulnerabilities and their potential impact.

Learn more about how Managed Risk optimizes vulnerability management.
Explore vulnerability risks and other threats with the 2025 Arctic Wolf Threat Report.
Understand which vulnerabilities posed the most danger in 2024 with our on-demand webinar.
