Exposure Management vs. Vulnerability Management: What’s the difference?

Wiz Experts Team
Main takeaways from this article:
  • Vulnerability management (VM) identifies window cracks or weak locks in your systems, such as outdated software and misconfigurations.

  • Exposure management (EM) uncovers exposures (similar to misplaced keys) in your stack. In other words, this strategy finds security weaknesses that provide attackers with the leverage they need to exploit vulnerabilities in your systems.

  • The two approaches are distinct, but they function as complementary cybersecurity frameworks for managing threats and vulnerabilities in modern IT systems. Together, EM and VM are essential for minimizing your attack surface, ensuring regulatory compliance, and preventing breaches.

  • Beyond generalized VM, two refinements matter: cloud vulnerability management (CVM) helps enterprises keep up with ephemeral cloud assets, and risk-based vulnerability management (RBVM) streamlines remediation by ranking vulnerabilities on real-world risk rather than raw severity.

  • Continuous threat exposure management (CTEM) enhances exposure management with real-time threat intelligence.

What is vulnerability management and how does it work?

Vulnerability management (VM) is the process of finding, assessing, prioritizing, and remediating known security weaknesses in enterprise IT systems, chiefly Common Vulnerabilities and Exposures (CVEs) in software, but also misconfigurations and end-of-life components. 

VM is especially critical in the cloud because configuring cloud assets is a complex process that often results in misconfigurations and other vulnerabilities. Here’s a quick look at how VM works: 

Discovery

The VM cycle begins with discovery, a foundational phase where comprehensive asset inventorying happens. This step involves cataloging all components within an organization’s environment: cloud resources, on-premises servers, containerized applications, APIs, and networked devices. Modern solutions employ automated tools such as cloud service provider APIs, network scanners, and agent-based technologies to identify these assets and eliminate gaps caused by shadow IT or ephemeral assets. 

Continuous vulnerability scanning

Following discovery, continuous vulnerability scanning provides persistent oversight. Automated scanners, integrated with cloud-native platforms and runtime environments, detect vulnerabilities as they emerge—from unpatched software in development pipelines to publicly exposed storage buckets. This phase prioritizes immediacy, ensuring risks are identified in near real-time rather than through periodic manual audits. 

Prioritization

Prioritization follows scanning, transforming raw vulnerability data into actionable insights. Frameworks like CVSS, EPSS, and CISA’s Known Exploited Vulnerabilities (KEV) catalog help evaluate severity, exploitability, and threat activity. A risk-based vulnerability management approach takes it further by adding business context, such as asset criticality, blast radius, and exposure to the internet—helping teams focus on vulnerabilities that pose the highest real-world risk.

Remediation

Remediation involves addressing identified vulnerabilities through patching, mitigation, or risk acceptance. While automated tools like infrastructure-as-code (IaC) platforms and configuration management systems enable rapid patch deployment at scale, exceptions such as legacy systems may require compensatory controls—think network segmentation, web application firewalls (WAFs), or runtime protection mechanisms.

Validation

Validation ensures remediation efficacy. Re-scanning assets confirms successful mitigation, while advanced techniques like penetration testing or runtime behavior analysis provide deeper assurance. This phase also serves as a critical checkpoint for compliance with standards such as SOC 2 and ISO 27001, offering auditable evidence of risk reduction.

Reporting and feedback

The VM cycle concludes with reporting and feedback, which synthesizes processed data into actionable intelligence. Detailed reports highlight recurring vulnerabilities, team performance metrics, and systemic weaknesses, enabling organizations to refine workflows, update service-level agreements (SLAs), and sunset obsolete technologies.

What is exposure management and how does it work?

Exposure management (EM) is the process of finding, prioritizing, and mitigating potential vulnerabilities and security risks in organizations’ exposed assets like cloud-native applications, APIs, and networks. 

Exposure management identifies conditions in externally-facing assets that make vulnerabilities exploitable—like misconfigurations, risky identities, and overly permissive access.

Like the VM workflow, the EM workflow is an ongoing process. Let’s take a closer look at each phase.

Asset discovery

The workflow begins with asset discovery, a foundational step focused on cataloging all external-facing resources. This includes cloud instances, APIs, SaaS applications, and shadow IT infrastructure that may otherwise escape notice. 

Risk assessment

Following asset discovery, risk assessment evaluates which assets are susceptible to exploitation. This phase goes beyond identifying vulnerabilities—it maps interconnected assets to potential attack paths and overlays risk data such as CVSS, EPSS, and KEV status to determine real-world exploitability.

For example, a misconfigured public-facing server with access to sensitive internal databases presents a higher risk than an isolated system. Tools such as attack surface management platforms and graph-based analysis solutions help visualize these relationships. 
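The graph-based reasoning described above can be shown with a small script. The following is an added example, not code from the original article or from any vendor's product: it models a constructed asset inventory (hypothetical host names, placeholder vulnerability labels rather than real CVE identifiers) as a directed graph, where an edge A -> B means an attacker who controls A can reach B through a network route, an assumed role, or a shared credential. It then enumerates attack paths from internet-facing assets to sensitive ones and sorts every known vulnerability by whether an external attacker could actually use it.

```python
"""Added example: a toy attack-path analysis over a constructed asset graph.

Assumptions: assets are nodes; a directed edge A -> B means an attacker who
controls A can reach B (network route, assumed role, shared credential, ...).
Asset names and vulnerability labels are constructed placeholders, not real
infrastructure or real CVE identifiers.
"""
from collections import deque

# Constructed sample inventory (hypothetical): one internet-facing web tier,
# an app tier, a sensitive database, a bastion, and an internal batch host.
ASSETS = {
    "web-01":   {"internet_exposed": True,  "sensitive": False,
                 "reaches": ["app-01", "bastion"], "vulns": ["web-rce"]},
    "app-01":   {"internet_exposed": False, "sensitive": False,
                 "reaches": ["db-01"], "vulns": ["app-deser"]},
    "db-01":    {"internet_exposed": False, "sensitive": True,
                 "reaches": [], "vulns": ["db-authbypass"]},
    "bastion":  {"internet_exposed": False, "sensitive": False,
                 "reaches": [], "vulns": ["bastion-weak-cipher"]},
    "batch-07": {"internet_exposed": False, "sensitive": False,
                 "reaches": ["db-01"], "vulns": ["batch-priv-esc"]},
}


def internet_facing(assets):
    """Entry points an external attacker can touch directly."""
    return sorted(name for name, a in assets.items() if a["internet_exposed"])


def reachable_from(assets, start):
    """Every asset an attacker could pivot to after compromising `start` (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in assets[node]["reaches"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_paths(assets):
    """All simple paths from an internet-exposed asset to a sensitive asset."""
    paths = []

    def dfs(node, path):
        if assets[node]["sensitive"]:
            paths.append(list(path))
        for nxt in assets[node]["reaches"]:
            if nxt not in path:          # keep paths simple (no cycles)
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for start in internet_facing(assets):
        dfs(start, [start])
    return paths


def classify_vulns(assets):
    """Bucket every known vulnerability by how an external attacker could use it.

    on_attack_path:     sits on a route from the internet to sensitive data
    internet_reachable: attacker-reachable, but a dead end in this graph
    isolated:           only reachable with an existing internal foothold
    """
    on_path = set()
    for path in attack_paths(assets):
        for node in path:
            on_path.update(assets[node]["vulns"])

    reachable = set()
    for start in internet_facing(assets):
        for node in reachable_from(assets, start):
            reachable.update(assets[node]["vulns"])

    every = {v for a in assets.values() for v in a["vulns"]}
    return {
        "on_attack_path": sorted(on_path),
        "internet_reachable": sorted(reachable - on_path),
        "isolated": sorted(every - reachable),
    }


if __name__ == "__main__":
    for path in attack_paths(ASSETS):
        print("attack path:", " -> ".join(path))
    for bucket, vulns in classify_vulns(ASSETS).items():
        print(f"{bucket}: {vulns}")
```

On this sample graph the only attack path is web-01 -> app-01 -> db-01, so the database's own weakness lands in the top bucket even though db-01 is not internet-facing, while the batch host's privilege-escalation bug is isolated: exposure management would deprioritize it, and a VM program would still patch it because an attacker with an internal foothold could reach db-01 from there.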

Intelligence gathering

Intelligence gathering brings external threat data into the workflow. By monitoring sources like CVE databases, exploit marketplaces, and dark web forums, organizations gain context about active exploits targeting specific vulnerabilities.

Risk prioritization

Risk prioritization is the process of ranking vulnerabilities by severity, exploitability, and potential business impact. It ensures that teams focus on risks with observable exploitation activity rather than theoretical threats. Frameworks such as CVSS and EPSS provide standardized scoring, but contextual factors—such as an asset’s role in critical business functions or its exposure to the internet—further refine priorities. 

Mitigation

Mitigation involves addressing identified risks through patching, configuration adjustments, or compensating controls. 

CTEM

Continuous threat exposure management (CTEM) closes the loop by persistently monitoring for new risks and emerging threats. The focus of this phase is to detect anomalies by fusing two techniques: attack surface monitoring and behavioral analytics.

So how do EM and VM compare?

Exposure management vs. vulnerability management: Overlaps and differences

Here's a high-level view of how EM and VM stack up:

| Metric | EM | VM |
|---|---|---|
| Scope | External-facing systems; vulnerabilities that are visible to attackers | External- and internal-facing systems |
| Focus | CVEs, KEVs, EOL systems, cloud risks, user risks, third-party risks, and other risks inherent in exposed assets | CVEs, KEVs, cloud vulnerabilities (misconfigurations, third-party vulnerabilities, etc.) |
| Goal | Reduce the attack surface | Harden IT systems to reduce the attack surface |
| Prioritization technique | CVSS, EPSS, KEV status, threat activity, internet exposure, asset criticality, and attack paths | CVSS, EPSS, KEV status, exploitability, business context, and blast radius |
| Integration | Incorporates threat intel | Traditionally runs as a siloed process |
| Method | Continuous monitoring; risk elimination/reduction | Continuous scanning; in-depth analysis of vulnerabilities and their causes; patching; config fixes |
| Example frameworks | MITRE ATT&CK, STRIDE | CVE, KEV |
| Strength | Focuses on low-hanging risks in the most exploitable assets, such as public-facing resources | Works on the premise that exploits can come from within and without; assesses and prioritizes both internal and external vulnerabilities for robust remediation |
| Weakness | Traditionally focuses on external risks (CTEM extends EM to the internal paths attackers might exploit post-breach) | Traditional VM focuses on vulnerability severity without always incorporating real-time exploit activity or attacker context |
| Ideal use case | Securing public-facing assets, prioritizing real-world exploitability, and reducing the external attack surface | Systematically hardening internal and external systems by identifying and remediating known vulnerabilities |
| Best practices | Continuously monitor for threats; prioritize risks with threat intelligence and contextual information; improve security controls | Continuously scan for vulnerabilities; prioritize risks with business context; patch promptly |

EM vs. VM 

The most important similarity between EM and VM is that they both involve continuously mitigating risks and vulnerabilities to reduce the attack surface. But to do so, they employ contrasting approaches.

For example, while VM focuses on patching CVEs across all systems, exposure management adds attacker context by identifying and prioritizing exposed assets, non-CVE risks, and reachable attack paths that make those CVEs exploitable.

Case in point, EM would consider how outdated software in exposed end-of-life (EOL) systems can lead to breaches or data loss and determine if compensating controls can address the risks or if replacing the system is the best course of action.

On the other hand, VM covers internal systems as well as exposed assets, on the premise that an attacker who already has a foothold (or a malicious insider) can exploit vulnerabilities that are invisible from the internet.

Still, both EM and VM have limitations like poor risk prioritization and a lack of real-time threat data. These limitations are addressed through cloud vulnerability management, risk-based vulnerability management, and continuous threat exposure management.

Cloud vulnerability management 

Cloud vulnerability management considers exposures and vulnerabilities in cloud assets. Unlike traditional vulnerability management, which takes a static approach to asset discovery and vulnerability assessment, cloud vulnerability management dynamically discovers the cloud's ephemeral resources, uncovering risks in real time as new assets and configurations emerge.

And with most enterprise IT environments now hosted primarily in the cloud, CVM has become indispensable.

Risk-based vulnerability management 

While traditional vulnerability management relies solely on scoring systems, ignoring context and potential impact, risk-based vulnerability management (RBVM) combines CVSS/EPSS scores with business context, incorporating crucial insights like:

  • How critical is this vulnerability? 

  • Can it really be exploited? 

  • Has it ever been exploited? 

  • Is it currently being exploited? 

  • How exposed are the vulnerable systems? 

  • Will any other critical system be impacted if the vulnerability is exploited?

This way, RBVM cuts alert fatigue and wasted effort, focusing remediation on the vulnerabilities that pose the greatest risk to the organization.
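The prioritization described in the VM workflow above and in this RBVM section can be made concrete. The following is an added example, not code from the original article or from any vendor's product. It combines CVSS (severity), EPSS (exploit probability), and CISA KEV membership (observed exploitation) with business context (internet exposure, asset criticality, blast radius); the weighting formula and SLA thresholds are illustrative assumptions, not a standard, and the findings are constructed sample data with placeholder labels rather than real CVE identifiers.

```python
"""Added example: risk-based vulnerability prioritization.

Combines CVSS (severity), EPSS (exploit probability) and CISA KEV membership
(observed exploitation) with business context (internet exposure, asset
criticality, blast radius). The weighting is an illustrative assumption, not
a standard; the findings below are constructed sample data, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder label, not a real CVE identifier
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0  ("how critical is it?")
    epss: float             # EPSS probability, 0.0-1.0 ("can it really be exploited?")
    in_kev: bool            # in CISA KEV ("has it been / is it being exploited?")
    internet_exposed: bool  # ("how exposed are the vulnerable systems?")
    asset_criticality: int  # 1 = low, 2 = important, 3 = crown jewel
    blast_radius: int       # critical assets reachable from this one ("what else is impacted?")


def risk_score(f: Finding) -> float:
    """Severity x exploit likelihood x exposure x business context (assumed model)."""
    # KEV membership is evidence of active exploitation; treat it as certain.
    # Otherwise use EPSS, floored so a 0.0 score never zeroes out a finding.
    likelihood = 1.0 if f.in_kev else max(f.epss, 0.01)
    exposure = 2.0 if f.internet_exposed else 1.0
    context = f.asset_criticality * (1 + f.blast_radius / 10)
    return round(f.cvss * likelihood * exposure * context, 2)


def sla_tier(score: float) -> str:
    """Map a risk score to a remediation SLA bucket (thresholds are assumptions)."""
    if score >= 30:
        return "critical"   # e.g. fix within days
    if score >= 10:
        return "high"
    if score >= 3:
        return "medium"
    return "low"            # candidate for risk acceptance / scheduled patching


def prioritize(findings):
    """Return (finding, score, tier) tuples ranked highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f, risk_score(f), sla_tier(risk_score(f))) for f in ranked]


# Constructed sample findings: the highest CVSS score is deliberately not the top risk.
SAMPLE_FINDINGS = [
    Finding("ph-critical-isolated", "build-agent-3", cvss=9.8, epss=0.02,
            in_kev=False, internet_exposed=False, asset_criticality=1, blast_radius=0),
    Finding("ph-kev-public", "payments-api", cvss=7.5, epss=0.60,
            in_kev=True, internet_exposed=True, asset_criticality=3, blast_radius=2),
    Finding("ph-high-epss-public", "marketing-site", cvss=9.8, epss=0.90,
            in_kev=False, internet_exposed=True, asset_criticality=2, blast_radius=0),
    Finding("ph-medium-internal-hub", "identity-broker", cvss=5.3, epss=0.30,
            in_kev=False, internet_exposed=False, asset_criticality=3, blast_radius=4),
]


if __name__ == "__main__":
    for f, score, tier in prioritize(SAMPLE_FINDINGS):
        print(f"{tier:8} {score:6.2f}  {f.vuln_id} on {f.asset}")
```

Run as-is, the CVSS 7.5 finding that is in KEV on an internet-facing crown-jewel service ranks first, while the CVSS 9.8 finding on an isolated, low-value build agent with negligible EPSS ranks last and falls into the low tier; a pure CVSS sort would have produced the opposite order. The KEV override also reflects how CISA attaches remediation due dates to KEV entries, which many teams treat as a hard SLA regardless of score.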

Continuous threat exposure management

Gartner introduced continuous threat exposure management (CTEM), a framework that monitors enterprises' entire threat landscape. (Remember: Traditional EM only considers external threats!)

CTEM is a proactive framework that simulates attacker behavior across your environment. It combines exposure discovery, attack path analysis, real-time threat intelligence, and exploit simulation to continuously identify which risks are truly exploitable—and how attackers could use them to move laterally or reach critical assets.

Choosing between exposure management and vulnerability management 

Because EM and VM are both aimed at securing enterprise systems from breaches and compliance violations, it can be tempting to simply pick one.

The better approach is to see EM and VM as complementary strategies: VM addresses security vulnerabilities to prevent attackers from exploiting them, while EM addresses exposures and attack paths that could lead attackers to security vulnerabilities. 

Considering that it’s nearly impossible to fix all vulnerabilities in a system, addressing the most critical while also mitigating all exposures and attack paths to the vulnerabilities is your best bet.

TL;DR? Enterprises should consolidate risk-based vulnerability management and cloud vulnerability management with continuous threat exposure management.

Wrapping up

Exposure management finds exposed resources, digs into how the exposure occurred, finds out if it can be exploited, and mitigates the risk. On the other hand, vulnerability management uncovers security weaknesses like CVEs and misconfigurations and hardens the security of vulnerable system components.

Both help to reduce organizations' attack surfaces and should be implemented together. To do this right, you need Wiz. 

Why Wiz?

Wiz consolidates exposure management and vulnerability management as part of its cloud native application protection platform (CNAPP) capabilities. Here’s how Wiz turbocharges your EM and VM efforts.

Exposure management with Wiz

  • Attack path analysis: Wiz continuously analyzes cloud environments to identify attack paths that could be exploited by attackers, considering factors like misconfigurations, excessive permissions, and exploitable vulnerabilities. Wiz blocks the attacker’s path before they even know it exists. 

  • Contextual risk prioritization: Wiz brings CTEM principles to life by mapping exposures, misconfigurations, and vulnerabilities to real attack paths. Instead of treating every issue the same, Wiz evaluates how risks intersect—such as when a public-facing VM has exploitable CVEs and overly permissive access—so you can act on what actually matters.

  • Identity and access risk management: Wiz automatically detects over-permissioned identities, unintended network access, and configuration drift—then correlates them to highlight lateral movement paths and cloud exposure risks before attackers can exploit them.

Vulnerability management with Wiz

  • Agentless vulnerability scanning: Wiz provides agentless vulnerability scanning for virtual machines, containers, and serverless functions, detecting vulnerabilities without requiring software installation. VM just got easier with Wiz!

  • Software bill of materials (SBOM) and software supply chain security: Wiz analyzes software dependencies and identifies vulnerabilities in third-party packages to mitigate supply chain risks.

  • Zero-day detection and threat intelligence: Wiz incorporates real-time threat intelligence and flags zero-day vulnerabilities based on patterns observed in global cloud environments.

Ready to start fixing vulnerabilities and exposures in your stack? Get a demo today to see Wiz in action.