Vulnerability Management Program Setup

Find your vulnerabilities before attackers do — then fix them systematically.

The problem

Unpatched systems are the most common entry point for ransomware and targeted attackers. Most SMEs either do not scan at all, or run a one-time scan without follow-up — meaning vulnerabilities pile up undetected for months or years. A vulnerability management program converts ad-hoc patching into a repeatable, measurable process: you know what you have, you know what is vulnerable, and you have a documented plan to fix it.

Our methodology

  • Asset discovery and inventory — establishing what devices, systems, and services exist on your network
  • Authenticated vulnerability scanning deployment (Tenable Nessus or open-source equivalent, selected based on budget)
  • Baseline scan and initial findings analysis
  • Risk-based prioritisation — scoring vulnerabilities by exploitability and business impact, not just CVSS
  • Patching cadence design — critical, high, medium, and low patch windows based on your operational reality
  • Remediation tracking workflow setup
  • Executive reporting template for non-technical stakeholders
  • Optional: ongoing managed scanning retainer (monthly or quarterly)

What you will receive

  • Baseline vulnerability scan report with full findings
  • Prioritised remediation plan
  • Patching policy document
  • Remediation tracking template (spreadsheet or lightweight ticketing integration)
  • Monthly executive report template
  • Program runbook — how to operate the program month-to-month

Estimated timeline

3 weeks for program setup; ongoing scanning retainer available separately

Overview

You cannot protect what you do not know is vulnerable. A vulnerability management program gives you continuous visibility into the weak points in your systems — and a structured process to close them before attackers find them first.

This engagement builds the program from the ground up: the scanning tooling, the risk prioritisation logic, the patching policy, and the reporting cadence.

The Problem with Ad-Hoc Patching

Many SMEs patch when they remember to, or when a vendor sends a notification, or when an incident forces the issue. This approach guarantees that vulnerabilities accumulate undetected. The average time between a vulnerability being disclosed and being exploited in the wild is getting shorter every year. Waiting is not a strategy.

How the Program Works

A functioning vulnerability management program has four stages, running on a continuous cycle:

Discover — inventory assets and run authenticated scans to identify vulnerabilities across all systems.

Prioritise — score findings by real-world exploitability and business impact. A critical vulnerability on a system with no network exposure is not the same risk as a medium vulnerability on your public-facing customer portal.

Remediate — patch or mitigate findings within the target windows defined in your patching policy, with tracking to ensure nothing slips through.

Report — produce concise, non-technical summaries for business owners and leadership that show the trend over time: are we improving?

What You Get

By the end of the engagement, you have a running vulnerability management program: scanning deployed, findings triaged, patching policy documented, and a reporting cadence in place. Your team knows what to do each month without needing to call a consultant.

Frequently asked questions

What is the difference between authenticated and unauthenticated scanning?

An unauthenticated scan checks what is visible from the network — open ports, running services, and publicly exposed vulnerabilities. An authenticated scan logs into each system with credentials and can see the full patch state, installed software versions, and configuration weaknesses from the inside. Authenticated scanning finds significantly more vulnerabilities and produces far fewer false positives. We always recommend authenticated scanning for production environments.

How often should we scan?

For most SMEs, monthly scanning is the right cadence — often enough to catch newly disclosed vulnerabilities before they are exploited, infrequent enough not to overwhelm your team with noise. Environments with higher risk profiles — fintech, healthcare, high-volume payment processing — should scan more frequently. We will recommend a cadence as part of the program setup.

What if we cannot patch everything immediately?

Patching everything immediately is rarely realistic. The program is designed around risk-based prioritisation: critical and high vulnerabilities on internet-facing systems get patched first, on a short cycle. Medium and low vulnerabilities on internal systems follow a longer schedule. We document compensating controls for cases where patching is not immediately possible — isolating a system, disabling a service, or applying a configuration workaround while the patch is scheduled.
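As an added illustration of the prioritisation and patch-window logic described in the methodology and in this answer (example code written for this page, not a tool or script from the engagement), the script below assigns each finding a priority tier from exposure and exploitability rather than CVSS alone, derives its patch deadline from a tiered window table, and lists findings whose window has closed. The tier rules, window lengths and sample findings are all constructed assumptions; a real policy sets its own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch windows in days per priority tier. Constructed values for illustration;
# the actual windows are set in the patching policy for each environment.
PATCH_WINDOWS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float            # base score reported by the scanner
    exploit_public: bool   # a working exploit is publicly available
    internet_facing: bool  # reachable from the internet
    business_critical: bool
    first_seen: date       # date the scanner first reported it


def prioritise(f: Finding) -> str:
    """Assign a tier from exposure and exploitability, not CVSS alone.

    Mirrors the page's policy: severe or exploitable findings on internet-facing
    systems go first; medium/low findings on internal systems wait longest.
    """
    severe = f.cvss >= 7.0  # CVSS high/critical
    if f.internet_facing and (severe or f.exploit_public):
        return "P1"
    if severe and (f.business_critical or f.exploit_public):
        return "P2"
    if severe or f.internet_facing:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    """Deadline = first-seen date plus the window for the finding's tier."""
    return f.first_seen + timedelta(days=PATCH_WINDOWS[prioritise(f)])


def overdue(findings, today_iso: str):
    """Findings whose patch window closed before the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if due_date(f) < today]


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("portal01", "Outdated TLS library", 6.5, True, True, True, date(2024, 5, 1)),
    Finding("db01", "Missing OS security update", 9.8, False, False, True, date(2024, 5, 1)),
    Finding("printer02", "Default SNMP community string", 5.3, False, False, False, date(2024, 5, 1)),
    Finding("fileshare01", "Kernel privilege escalation", 7.8, False, False, False, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:12} {prioritise(f)} due {due_date(f)}  {f.title}")
    print("overdue on 2024-06-15:", [f.host for f in overdue(SAMPLE, "2024-06-15")])
```

Note that portal01 lands in P1 despite a medium CVSS score because it is internet-facing with a public exploit, while the CVSS 9.8 finding on the internal database gets a longer window.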

Do we need to buy Tenable Nessus?

Not necessarily. Tenable Nessus is industry-standard and the tool we have used extensively in enterprise environments. For SMEs with tighter budgets, we can implement an equivalent program using OpenVAS or similar open-source tooling. We will recommend the right tool based on your environment size, budget, and technical capacity.

Will the scanning disrupt our systems?

Vulnerability scanning can put some load on systems. We schedule scans during low-traffic windows and start with a lighter scan profile on critical systems. In the baseline engagement, we will test scanning against non-production systems first if available. The goal is to find vulnerabilities, not create incidents.

Ready to get started?

All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.