Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Risk-Based Vulnerability Management Principles

Section 1. Risk-Based Vulnerability Management Overview

What is risk-based vulnerability management?

Risk-based vulnerability management (RBVM) is a subset of Cyber Exposure and helps you identify and manage risks that threaten your organization.

Risk-based vulnerability management uses machine-learning analytics to associate vulnerability severity and threat actor activity with asset criticality so you can prioritize and remediate the ones that cause the greatest risk to your organization and then deprioritize those that create lesser risk.

RBVM, which has a foundation in legacy vulnerability management practices, helps you reduce your vulnerability overload by about 97% by identifying the top 3% that pose most risk to your enterprise.

How are risk-based vulnerability management and legacy vulnerability management different?

Legacy vulnerability management tools give you a theoretical view of risks to your enterprise. They show you which threats a vulnerability could introduce into your environment, without showing you which threats pose real risk. This can lead your security team down a rabbit hole trying to remediate vulnerabilities that aren’t a real risk for your organization, meaning they can miss critical vulnerabilities that are more likely to impact your business.

Risk-based vulnerability management, on the other hand, does more than just discover vulnerabilities. It also helps you understand risks, along with threat context, and gives you insight into potential business impact of those risks.

Legacy vulnerability management also returns mountains of vulnerability data with no real insight into which ones you should fix first. Risk-based vulnerability management eliminates that guesswork.

And while it’s true that legacy vulnerability management helps you discover risks, it doesn’t do a good job helping you adequately prioritize which threats are actual risks for your organization, and it can’t handle a modern attack surface with increasing threats.

Because of the complexity of your attack surface, legacy vulnerability management can’t give you complete insight into all of the devices that traverse your network and all of the risks that come with them. That’s because your modern attack surface is no longer just traditional IT assets. Today’s attack surface includes web apps, cloud infrastructure, mobile devices, containers, internet of things (IoT devices), industrial internet of things (IIoT) devices, and operational technologies (OT) that converge and connect with your IT infrastructure.

Legacy vulnerability management leaves you with blind spots that risk-based vulnerability management can better shine a light on so you can see where you may have weaknesses in your existing security programs.

With a risk-based approach to vulnerability management, your team can focus on vulnerabilities and assets that matter most and address your organization’s true business risk instead of wasting valuable time on vulnerabilities attackers may not likely exploit.

Here are some other ways RBVM and legacy VM are different:

Legacy vulnerability management

  • Assesses traditional on-premises IT assets such as:
    • Desktop computers
    • Servers
    • Devices on your network
  • Ignores modern devices on your attack surface such as:
    • Web apps
    • Mobile devices
    • 클라우드 인프라
    • IoT
    • IIoT
    • 컨테이너
    • OT
  • Creates blind spots and puts your organization at risk
  • Meets minimum compliance requirements
  • Provides static, point-in-time snapshots of your vulnerability data
  • Is reactive

Risk-based vulnerability management

  • Enables assessment of both traditional and modern assets
  • Uses machine learning to combine vulnerability data with asset criticality, threat intelligence and exploit intelligence to predict a vulnerability’s impact on your organization
  • Uses best practices to reduce risk
  • Facilitates continuous and dynamic visibility into your assets and vulnerabilities
  • Is proactive and focused

Section 2: Risk-Based VM Processes

Implementing a risk-based approach to your vulnerability management program

To better protect your modern attack surface from threats, it’s time to implement a risk-based approach to your existing vulnerability management program. This approach can help your organization move from being IT- and infrastructure-focused to having the tools and resources you need to more efficiently protect your entire attack surface.

A good starting point is to understand how a risk-based vulnerability management process aligns with your Cyber Exposure lifecycle. It looks like this:

  • Discover: First, identify and map all of your assets for complete visibility into your computing environments
  • Assess: Assses all assets across all of your environments seeking out vulnerabilities, misconfigurations and other security health concerns
  • Prioritize: With an understanding of the context of your exposures, you can prioritize remediation based on asset criticality, vulnerability severity, and threat context
  • Remediate: Prioritize which vulnerabilities need your attention first and then apply appropriate remediation or mitigation techniques
  • Measure: To make better security and business decisions, understand your Cyber Exposure so you can calculate, communicate and compare cyber risks internally and against peer organizations

Risk-based vulnerability management best practices

Blind spots within your attack surface put your organization at risk. If you can’t see a device on your network or know which vulnerabilities exist for your assets, you can’t accurately secure your attack surface.

Today, you’re no longer protecting just traditional assets. You need complete visibility into your enterprise so you can see every endpoint and all traffic—no matter how infrequent or how short-lived—that connects to your network.

Because legacy vulnerability management tends to be reactive, you can better secure your organization with a more proactive security approach that you get from adopting a risk-based approach to vulnerability management.

Here are a few best-practice recommendations:

  • Continually gather and analyze data across your entire attack surface.
  • Go beyond traditional IT and include all of your endpoints, your cloud environments, mobile devices, web apps, containers, IoT, IIoT and OT.
  • Use process automation to streamline your processes such as configuration management, asset management, incident response, and change management.
  • Adopt a risk-based vulnerability management solution with easy-to-understand analytics and customizable reports. Be sure these reports meet your organizational needs and are scalable as your company changes and grows.
  • Use reports and analytics to communicate your program’s successes and gaps with your key stakeholders. Role-specific insights will help you communicate technical data in a way that everyone understands, regardless of cybersecurity expertise. For example, when talking about security with your executives, align those reports with company goals and objectives.
  • Use analytics and data to determine how well your teams inventory assets and collect assessment information. Don’t forget to include success metrics to determine how well your team successfully remediates prioritized vulnerabilities, including processes uses and time to remediate.

Section 3. Scanning and Discovery

What’s a security vulnerability?

A security vulnerability is a software flaw or programming mistake that creates a security risk. When talking about your vulnerability management program, these vulnerabilities are considered weaknesses that make your enterprise vulnerable to attacks.

What is active scanning?

Active scanning is a vulnerability management process that gives you detailed information about all of your assets, such as if you have open ports, if malware exists on your devices, which software is installed where and if you have any security configuration issues.

Uncredentialed scans (also known as unauthenticated scans), credentialed scans (also known as authenticated scans) and agent-based scans are all variants of active scanning.

Section 4: Prioritization

What is What Predictive Prioritization and what’s its role in risk-based vulnerability management?

Legacy vulnerability management returns a mountain of vulnerability data that makes it difficult—if not impossible—for your security teams to dig out and know which vulnerabilities are priorities for remediation.

Risk-based vulnerability management, on the other hand, uses tools that help you prioritize your actual risks and reduce your vulnerability overload by 97%.

One effective way to prioritize your vulnerabilities is through Tenable’s Predictive Prioritization. Predictive prioritization strengthens your vulnerability management processes because it reduces the number of vulnerabilities that need your immediate attention and pinpoints the 3% you should focus on first.

Predictive prioritization relies on machine learning to identify the few vulnerabilities that pose the greatest risk to your organization. It gives you ongoing and complete insight into your modern attack surface.

Predictive Prioritization uses Tenable’s vulnerability data and combines that with third-party vulnerability and threat data. It then analyzes them together with an advanced data science algorithm Tenable Research developed.

By taking a risk-based approach to comprehensive vulnerability analysis, Predictive prioritization determines the likelihood an attacker could leverage a weakness against your organization.

Predictive prioritization updates nightly, analyzing 109,000 distinct vulnerabilities. It then

predicts if an attacker might exploit a vulnerability in the near future.

Unlike the Common Vulnerability Scoring System (CVSS) traditionally used in legacy vulnerability management—which rates more than 60% of vulnerabilities as critical or high—Predictive Prioritization assigns each vulnerability a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR) to help determine prioritization for remediation.

CVSS, VPR, and ACR are discussed in more detail below.

What is a Vulnerability Priority Rating (VPR)?

In legacy vulnerability management, the Common Vulnerability Scoring System (CVSS) takes a theoretical view of the risk a vulnerability could potentially introduce.

CVSS starts with 0 as the lowest priority and goes up to 10—the most critical. Unfortunately, CVSS assesses about 60% of all vulnerabilities with a high or critical CVSS score, even though they may pose little risk to your organization.

CVSS is unaware of real-world risk and doesn’t take into account the criticality of each asset within your environment. These are critical pieces of information you need to prioritize remediation effectively.

In risk-based vulnerability management, Tenable’s Predictive Prioritization builds on CVSS and anticipates the likelihood a threat actor may exploit a vulnerability. It also differentiates between real and theoretical risks. Tenable supplements CVSS with a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR).

A VPR gives you more insight into risks by including threat and attack scope, vulnerability impact and threat score, whereas an (ACR) represents the criticality of each asset on your network based on several key factors.

Tenable calculates a VPR for most vulnerabilities, which is updated regularly to reflect the current threat landscape.

VPR uses a machine learning algorithm and threat intelligence to analyze every vulnerability ever published in the National Vulnerability Database (NVD). To date, there are almost 144,000 vulnerabilities published in the NVD. Vulnerabilities that are not listed in NVD do not get a VPR; however, you can still remediate those vulnerabilities based on a CVSS score.

VPR Range

VPRs range from 0.1-10.0, where higher values represent higher likelihood of exploits.

  • Critical: 9.0 to 10.0
  • High: 7.0 to 8.9
  • Medium: 4.0 to 6.9
  • Low: 0.1 to 3.9

Calculating VPRs

Here are some of the key drivers used to calculate VPRs:

  • Vulnerability age: Number of days since NVD published the vulnerability
  • CVSS Impact Score: NVD-provided CVSSv3 impact score (if there is no NVD score,, Tenable.io displays a Tenable-predicted score)
  • Exploit code maturity: Relative maturity of a possible exploit based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources
  • Product coverage: Relative number of unique products affected by the vulnerability
  • Threat sources: All sources where related threat events occurred
  • Threat intensity: Relative intensity based on the number and frequency of recently observed threat events related to this vulnerability
  • Threat recency: Number of days (0-730) since a threat event occurred
  • Threat event examples:
    • Exploit of vulnerability
    • Posting vulnerability exploit code in a public repository
    • Discussion of vulnerability in mainstream media
    • Security research
    • Discussion of vulnerability on social media
    • Discussion of vulnerability on dark web and underground
    • Discussion of vulnerability on hacker forums

VPRs supplement the Common Vulnerability Scoring System (CVSS) used in legacy vulnerability management. CVSS scores often rank many vulnerabilities as high or critical, even if there aren’t exploits active in real world scenarios, so VPRs help you better understand actual risk.

What is a Common Vulnerability Scoring System (CVSS) score?

The Common Vulnerability Scoring System (CVSS) is a theoretical view of vulnerability risk.

Like VPRs, CVSS starts with 0 as the lowest priority and goes up to 10—the most critical; however, CVSS rates about 60% of all vulnerabilities as high or critical, even though they may pose little risk to your organization.

CVSS doesn’t account for real-world risk or asset criticality within your environment. You need these critical pieces of information, which are included in VPRs, to effectively prioritize remediation.

An article in Security Week highlighted one report that indicated that if a security team focuses on remediating vulnerabilities exclusively based off of a high CVSS score, it’s akin to randomly picking a vulnerability to fix.

In other words, a CVSS assessment doesn’t correlate the reasonable likelihood of an exploit or even if an attacker has ever successfully exploited the threat in the wild.

What is an Asset Criticality Rating (ACR)?

An Asset Criticality Rating (ACR) represents asset criticality for every asset on your network. It’s based on several key metrics such as business purpose, asset type, location, connectivity, capabilities and third-party data.

ACRs range from 0 to 10. If an asset has a low ACR, it is not considered business critical. If it’s high, it is.

ACR Range

  • Critical: 9 to 10
  • High: 7 to 8
  • Medium: 4 to 6
  • Low: 1 to 3

Tenable provides an ACR value when you scan an asset on your network for the first time. After that, Tenable will automatically generate an ACR, which is updated daily.

You can customize ACR values to reflect your organizational needs.

Calculating ACRs

Here are some of the key drivers used to calculate VPRs:

  • Device type
    • For example: hypervisor (the device is a Type-1 hypervisor that hosts a virtual machine) or printer (the device is a networked printer or a printing server)
  • Device capability
    • The device's business purpose. For example: it’s a file server or a mail server
  • Internet exposure
    • The device's location on your network and proximity to the internet. For example: it’s internal and within your local area network (LAN), possibly behind a firewall or it’s external and it’s outside your LAN and not behind a firewall.

What is an Asset Exposure Score (AES)?

In addition to VPRs and ACRs, Tenable also issues an Asset Exposure Score (AES) that can further support your risk-based vulnerability management approach.

Tenable calculates AES based on the current ACR and VPRs associated with an asset. It accounts for each asset’s vulnerability threat, criticality, and scanning behavior to quantify its vulnerability landscape.

An AES represents each asset's relative exposure ranging between 0 and 1000. A higher AES indicates higher exposure.

What is a Cyber Exposure Score?

A Cyber Exposure Score (CES) represents your organization’s cyber risk and combines your VPR with your ACR.

A CES ranges between 0 (minimal risk) and 1,000 (highest risk) and represents the average of AESs in your organization.

CES helps you prioritize remediation by:

  • Examining asset criticality
  • Analyzing your business goals
  • Reviewing the severity of each potential threat within your attack surface
  • Determining how likely an attacker may exploit the threat in the next 28 days
  • Understanding threat context related to how prevalent the exploitation risk is in the real world

CES also helps benchmark your risk-based vulnerability management success internally and against peer organizations.

Tenable calculates your CES as a number between 0 and 1000, based on the AES values for all assets scanned in the last 90 days. The higher the CES, the higher risk.

Cyber Exposure Scores are available for:

  • Your entire organization
  • Assets in a specific business context

Section 5: Choosing a Solution

Choosing a risk-based vulnerability management solution

If you’re interested in applying a risk-based approach to your existing vulnerability management program or you’re starting a new program from scratch, a risk-based vulnerability management solution can help you identify risks, prioritize and plan for remediation and give you unprecedented visibility into your organization’s cyber risks.

The right risk-based vulnerability management tool can even help you align your cybersecurity program with business goals and objectives so you can more effectively communicate your cyber risks to your teams and key stakeholders.

Here are a few recommendations to help you select which risk-based vulnerability management solution may be right for you:

First, it’s important to note that not all risk-based vulnerability management solutions are the same. You should have a good understanding of which features and capabilities are most important for your organization and how you will use them to keep your enterprise safe.

From there, you can align your information gathering process with the risk-based vulnerability management process to understand how a solution works in these phases.


  • How does the solution identify all the assets across your attack surface?
  • How does the solution discover vulnerabilities, weaknesses, misconfigurations, and other security health issues within your enterprise?
  • What strategy/approach does the solution use when discovering vulnerabilities and assets?
  • When it comes to asset and vulnerability discovery, what does this solution do well and where does it fall short?
  • Does the solution support regular and frequent scanning of your attack surface? If yes, how does this process work?
  • Can the solution identify and map all asset types, not just traditional IT, such as OT, IoT, IIoT, cloud, serverless, mobile devices, and containers?
  • Can the solution immediately discover new assets as soon as they connect to your network?


  • How does the solution assess all the assets across your attack surface?
  • How does the solution assess vulnerabilities, weaknesses, misconfigurations, and other security health issues within your enterprise?
  • What strategy/approach does the solution use when assessing vulnerabilities and assets?
  • Does the solution support immediate and ongoing assessments? If yes, how does this process work?
  • Can the solution correlate and analyze vulnerability data with other contextual elements such as asset criticality and assessment of current and possible attacker activities?
  • Is the solution supported by continuous, in-depth research from a focused vulnerability research team?
  • Can the solution deliver deep insight into every vulnerability discovered on your extended network?

우선 순위 지정

  • Does the solution offer vulnerability prioritization tools?
  • If yes, how does the solution prioritize vulnerabilities in your attack surface?
  • What strategy/approach does the solution use when prioritizing vulnerabilities?
  • Is the solution’s approach to vulnerability prioritization proactive or reactive?
  • Does the solution continuously update priority ratings for each vulnerability based on changes in the current threat landscape?
  • Does the solution use machine learning to analyze petabytes of data and assign a priority rating within seconds?
  • Can the solution determine vulnerability severity, threat actor activity, and asset criticality to accurately quantify true risk?
  • Does the solution use a data science model to predict which vulnerabilities are most likely to be exploited in the near future?


  • Does the solution have tools to help you remediate vulnerabilities? If yes, what are they? If not, you will likely have to do manual remediation processes.
  • Does the solution integrate with other security solutions, for example your SIEM, ticketing system or patch management tools?
  • Does the solution support a range of remediation actions such as remediate, mitigate or accept?
  • Does the solution automatically modify, or allow manual modification of, risk scores based on factors such as compensating controls?


  • How does the solution measure your risk-based vulnerability management program effectiveness?
  • Can the solution calculate key security and maturity metrics for risk reduction?
  • Does the solution effectively communicate your security team’s effectiveness (both within teams and beyond, for example to executives and other key decision-makers)?


  • Does the solution have tools to help you benchmark your program performance internally and against industry peers?
  • If yes, what does this process look like?
  • How large of a sample size does the solution need for benchmarking?
  • Do you already benchmark your program? If yes, can the solution offer similar or improved metrics for better benchmarking?


  • Does the vendor’s team do on-going research to support and enhance the solution?
  • How large is the vendor’s research team?
  • Is the research team known for rapid response for significant issues?
  • What’s the research team’s median response time?
  • On average, how many plugins does the research team develop per year?
  • On average, how many vulnerabilities does the research team discover and disclose each year?

Professional Services

  • How many people are part of the vendor’s professional services team?
  • What types of professional services does the vendor offer?
  • Does the vendor offer training for new users? If yes, what does that training look like?
  • Does the vendor have 24-7 customer support? If yes, what does that look like?
  • Does the vendor offer a dedicated team or advisor to help you when issues arise?

관련 제품

모든 것을 탐지하고
무엇이 중요한지 예측합니다.
클라우드에서 관리.
모든 것을 탐지하고
무엇이 중요한지 예측합니다.
온프레미스에서 관리.
위험을 관리하는 동시에 Cyber Exposure를 계산, 커뮤니케이션 및 비교합니다.
자세히 보기

Risk-Based Vulnerability Management Resources

5 Tips for Prioritizing Vulnerabilities Based on Risk

Vulnerabilities in Cybersecurity: How to Reduce Your Risk

Tenable Community for Risk-Based Vulnerability Management

Lumin: Manage Cyber Risk Across Your Entire Organization


비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Nessus Professional 무료로 사용해 보기

7일간 무료

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

Nessus Professional 구매

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

여러 해 라이선스를 구매하여 절감하십시오. 연중무휴 전화, 커뮤니티 및 채팅 지원에 액세스하려면 Advanced 지원을 추가하십시오.

라이선스 선택

여러 해 라이선스를 구매하여 절감하십시오.

지원 및 교육 추가


비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Tenable.io Web Application Scanning 사용해 보기

Tenable.io 플랫폼의 일부로 최신 애플리케이션을 위해 설계된 최신 웹 애플리케이션 스캐닝 서비스에 대한 전체 액세스 권한을 누리십시오. 많은 수작업이나 중요한 웹 애플리케이션 중단 없이, 높은 정확도로 전체 온라인 포트폴리오의 취약성을 안전하게 스캔합니다. 지금 등록하십시오.

Tenable Web Application Scanning 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io Web Application Scanning 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.



지금 구매

Tenable.io Container Security 사용해 보기

취약성 관리 플랫폼에 통합된 유일한 컨테이너 보안 서비스에 대한 전체 액세스 권한을 누리십시오. 컨테이너 이미지에서 취약성, 맬웨어 및 정책 위반을 모니터링합니다. 지속적 통합 및 지속적 배포(CI/CD) 시스템과 통합하여 DevOps 실무를 지원하고 보안을 강화하고 기업 정책 컴플라이언스를 지원합니다.

Tenable.io Container Security 구매

Tenable.io Container Security는 빌드 프로세스와의 통합을 통해 취약성, 맬웨어, 정책 위반 등 컨테이너 이미지의 보안에 대한 가시성을 제공하여 DevOps 프로세스를 원활하고 안전하게 지원합니다.

Tenable Lumin 사용해 보기

Tenable Lumin을 사용하여 Cyber Exposure를 시각화 및 탐색하고 시간 경과에 따른 위험 감소를 추적하고 유사한 조직을 벤치마크하십시오.

Tenable Lumin 평가판에는 Tenable.io Vulnerability Management, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable Lumin 구매

조직 전체에서 인사이트를 얻고 사이버 위험을 관리하는 데 Lumin이 어떻게 도움이 되는지 알아보려면 영업 담당자에게 문의하십시오.

Tenable.cs 사용해 보기

클라우드 인프라 구성 오류를 감지 및 수정하고 런타임 취약성을 볼 수 있는 전체 액세스 권한을 누리십시오. 지금 무료 평가판에 등록하십시오.

Tenable.cs Cloud Security 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.io Web Application Scanning도 포함되어 있습니다.

영업 담당자에게 연락하여 Tenable.cs 구매

영업 담당자에게 연락하여 Tenable.cs 클라우드 보안에 대해 자세히 알아보고, 클라우드 계정을 온보딩하는 것이 얼마나 쉬운지 확인하고, 몇 분 내에 클라우드 구성 오류와 취약성에 대한 가시성을 얻으십시오.

Nessus Expert 무료로 사용해 보기

7일간 무료

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

Nessus Professional이 이미 있습니까?
7일간 Nessus Expert로 무료 업그레이드하십시오.

Nessus Expert 구매

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

라이선스 선택

프로모션 가격은 12월 31일까지 연장되었습니다.
여러 해 라이선스를 구매하여 비용을 더 절감하십시오.

지원 및 교육 추가