Vulnerability Management Program

A VMP proactively identifies unexpected changes and vulnerabilities within an environment, which will ensure that security testing is done on a regular, continual basis.

A Vulnerability Management Program (VMP) provides critical insight into the effectiveness of the security controls that organizations rely upon to keep their presence safe from exploitation. The truth is many organizations have major flaws in their change management processes, patch management programs, and system hardening guidelines which result in major vulnerabilities within the organization’s presence.


The insight that a VMP provides into these controls assists the organization with identifying gaps in their existing controls. Once these gaps are identified, the organization can increase its security posture as a whole by developing new, or modifying existing, controls to fill in these gaps.


SecureState has assisted organizations in building automated processes surrounding traditionally manual and decentralized activities. Additionally, we have built components for the aforementioned processes that leverage cutting edge automation technology. Unlike most companies, SecureState specializes in developing customized security solutions for organizations. We understand what you mean, not what you say. Our size and experience level allows us to provide a solution that truly meets your company’s current and future vulnerability management needs.

Approach and Methodology

Rather than being a single assessment, the VMP is an ongoing program. The VMP can be broadly broken into a five step process with two additional parallel steps that run during the entire program:

  • System Discovery: SecureState performs a discovery scan of the organization’s assets, networks, and applications to identify what components are exposed.
  • Divide Assets into Logical Groups: SecureState works with the organization to divide the assets identified during the discovery phase into logical groups; systems are grouped according to the importance of the confidentiality and integrity of the data on the system and the importance of system’s availability.
  • Assess for Vulnerabilities: Vulnerability assessments with validation will identify the actual vulnerabilities that systems are exposed to. These assessments will identify vulnerabilities relating to the system’s configuration, missing patches, and services with known vulnerabilities.
  • Assist with Vulnerability Remediation: In this step, information regarding how to remediate each vulnerability is provided to the organization. SecureState uses the asset confidentiality, availability, and integrity information in order to prioritize which vulnerabilities the organization should address first. When possible, 
    SecureState will manually validate the vulnerabilities and provide awareness in order to remove false positives and give a reasonable level of acceptance from the assessment data. This is done so that the organization does not waste time trying to remediate a vulnerability that does not actually exist.
  • Perform Reassessments: SecureState reassesses the organization’s environment once the organization has finished remediating vulnerabilities. This verifies that patches and/or device configuration changes successfully remediated a particular vulnerability, that any compensating controls meant to address an existing vulnerability are truly effective, and that remediation activities did not create any new vulnerabilities within the organization’s presence.
  • Ongoing Tracking, Trending, and Analysis: SecureState tracks assessment results over time in order to perform vulnerability trending. This trending is important for identifying systemic issues in the organization’s security controls.
  • Manual Assessments to Audit VMP: SecureState augments the VMP with manual assessments. This measures the effectiveness of the VMP and may identify vulnerabilities that scanners overlook (Although scanners identify many of the most common vulnerabilities, they have been known to miss certain types of vulnerabilities which may be leveraged by an attacker in order to compromise the organization’s network).
Get Started!