█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Vulnerability Management/What is Vulnerability Management?
35 minBeginner

What is Vulnerability Management?

After this lesson, you will be able to: Explain the vulnerability lifecycle (discover → prioritize → remediate → verify) and why it never ends.

Vulnerabilities are weaknesses in software, configuration, or process that an attacker could exploit. Vulnerability management is the continuous discipline of finding them faster than attackers can, and fixing the ones that matter most.

Prerequisites:Intro to Cybersecurity

Vulnerability vs threat vs risk

A vulnerability is a weakness (an unpatched server). A threat is something or someone that could exploit it (a ransomware crew). Risk is the likelihood × impact of a threat exploiting a vulnerability. You manage risk by reducing vulnerabilities, but not all vulnerabilities matter equally.

The lifecycle

Discover (scan systems for known weaknesses), Prioritize (rank by severity and business impact), Remediate (patch, configure, or compensate), Verify (rescan to confirm the fix), Repeat, forever. The lifecycle never ends because new CVEs publish every day.

Discover
scan and inventory
→
Prioritize
by severity + exposure
→
Remediate
patch or mitigate
→
Verify
rescan to confirm
↩loops back to Discover
Vulnerability management is a loop, not a project. New CVEs land constantly and feed straight back into Discover.

💡 Why 'just patch everything' fails

Patches break things. Production systems can't always be patched immediately. Some systems can't be patched at all (vendor-end-of-life, embedded). Real vulnerability management is choosing what to fix first, not racing to fix everything.

Where vulnerabilities come from

Coding mistakes (buffer overflows, injection flaws). Misconfigurations (S3 bucket public, default password). Outdated software (a 2017 OpenSSL with known CVEs). Architecture flaws (a single trust zone with no segmentation). Most real exploits chain two or three of these together.

Quick Check

What's the difference between a vulnerability and a risk?

Pick the cleanest answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
Back to Vulnerability Management
Scanning and Discovery→