Skip to content

Walk me through the vulnerability management lifecycle.

Short answer

Vulnerability management is a continuous loop: discover assets and vulnerabilities (scanning, asset inventory), prioritize by real risk (CVSS plus exploitability, exposure, and asset criticality — frameworks like EPSS and SSVC help), remediate or mitigate, verify the fix, and report on trends and SLAs. The scan is the easy part; the discipline is prioritizing and closing the loop so risk actually goes down over time.

Vulnerability management is not "running Nessus." It is a continuous program that keeps measurable risk trending downward, and interviewers ask about it to see whether you understand that scanning is the trivial part — prioritizing and closing the loop is the work.

The lifecycle

  1. Discover. You cannot protect what you cannot see, so it starts with an accurate asset inventory. Then authenticated and unauthenticated scans, cloud posture checks, and software composition analysis surface the vulnerabilities across that inventory.
  2. Prioritize. This is the hard, value-adding step. Raw CVSS base score is necessary but not sufficient — a 9.8 on an isolated internal box matters less than a 7.5 on an internet-facing crown-jewel app with public exploit code. Layer in exploitability (EPSS, CISA KEV), exposure, and asset criticality. Decision frameworks like SSVC formalize this.
  3. Remediate or mitigate. Patch where you can; where you cannot, apply compensating controls — segmentation, WAF rules, disabling a feature — and track the residual risk.
  4. Verify. Re-scan or re-test to confirm the fix actually landed and did not regress. An untracked "we patched it" is not closure.
  5. Report. Track metrics — mean time to remediate, SLA compliance, open critical count — so leadership can see risk going down and resource the program accordingly.

Why prioritization dominates

A large estate generates thousands of findings; only a small fraction are realistically exploitable. Treating CVSS 10s as the only priority both wastes effort and misses the medium-severity, actively-exploited, internet-facing bug that actually gets you breached.

What interviewers look for

They want to hear risk-based prioritization (not severity-only), reliance on an asset inventory, the verify step that many teams skip, and pragmatic handling of vulnerabilities with no patch available.

Likely follow-ups

  • Why is CVSS base score alone a poor way to prioritize patching?
  • How do EPSS or CISA KEV change your remediation order?
  • What do you do about a critical vuln that has no available patch?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.