Security
Vulnerability Management Is a Triage Problem, Not a Scanning Problem
Running the scanner is the easy part — the actual work is turning a weekly firehose of findings into a short list of what's genuinely exploitable, while not re-investigating the same accepted risks every single week.
- Security
- Vulnerability Management
- Operations
- Patching
A vulnerability scanner is a firehose pointed at your inbox. It will faithfully tell you about hundreds of “high severity” findings every week, and if you treat that list as a to-do list you will drown, burn out, and — worse — miss the handful of findings that actually matter inside the noise. I spent enough time turning weekly scan exports into something actionable to be sure of one thing: the scan is the easy part. The work is triage. Here’s the system that makes the firehose survivable.
The raw count is meaningless; the shape is everything
A number like “three hundred and some high-severity findings” is designed to alarm and does nothing to direct effort. The first job is to reshape the dump into views that expose structure:
- Per-asset: every machine and what’s on it.
- Per-finding: every vulnerability and every machine that has it — this is the view that reveals the one issue spread across fifty hosts that you fix once.
- By age: what’s brand new versus what’s been open for a year (very different conversations).
- By disposition: what’s already ticketed, already has an accepted risk exception, or has been fixed and just not rescanned yet.
Until you’ve reshaped it, you can’t even see the problem. “Three hundred findings” might be “one kernel update across most of the fleet plus four things that actually need a human.” Those are wildly different weeks, and only the reshaped view tells them apart.
Most of the volume is one boring, repeatable thing
In practice an enormous share of the weekly “high” findings is the same category: a fleet running a kernel that’s a few versions behind, and the vendor bundles dozens of CVEs into each advisory that all close with a single update. The CVE numbers churn every week; the remediation never changes.
When the same fix resolves a different list of CVE numbers every week, you don’t have a research problem. You have a patch-cadence problem wearing a different costume.
The response isn’t to investigate each CVE — it’s to systematize the remediation: snapshot, update the kernel, reboot, request a rescan. Same playbook, different numbers, every cycle. Recognizing that this bucket is mechanical frees your actual attention for the findings that aren’t.
Lead with what’s reachable, not what’s red
Severity scores and “critical” labels are a starting point, not a priority order. The findings that deserve your scarce attention first are the network-facing, remotely exploitable ones — a pre-auth remote code execution on a service that’s actually listening is a different universe of urgency than a local-only issue with a scary score. So I sort the genuinely-urgent to the top by exposure and exploitability, not by the raw severity column.
A trap worth knowing here: “known-exploited” flags often attach at the bundle level, so a single flagged advisory can over-attribute that flag to all the dozens of CVEs inside it, inflating your scary count. Trust the finding-level view over the raw per-CVE tally, or you’ll chase a number that’s an artifact of how the data was tagged.
A scanner that reads the label, not the package
The single most morale-draining category is the false positive, and one pattern dominates: scanners that judge a service by its version banner rather than what’s actually patched. Long-lived distributions backport security fixes while keeping the old version string, so the banner says “old and vulnerable” while the package is fully patched. The scanner flags it; it’s wrong; and it flags it again next week.
The fix isn’t to re-investigate each time — it’s to document the false-positive pattern once so the whole team can recognize and dismiss it on sight, and to verify it properly when in doubt (check the actual installed package and its changelog, not the banner). A false positive you re-litigate weekly is a standing tax; a false positive you documented is a footnote.
The real friction is re-notification, not vulnerabilities
Here’s the insight that reframed the whole exercise for me: in a mature program, most of the “new” findings each week are not new work at all. They’re items that already carry an accepted risk exception, already have a remediation ticket, or were already patched and just haven’t been rescanned. The scanner has no memory of your decisions, so it keeps surfacing things you already dispositioned.
That means the right response to most of the weekly report is not “go fix this” — it’s “point back at the exception ID or the ticket already on file.” And the only way to do that without re-deriving it every week is to track disposition over time: diff this week against last week, carry forward the IDs, and make “already handled” a first-class column. The week-over-week memory is what lets you push back on the volume instead of drowning in it. Without it, you re-triage your own past decisions forever.
Make it a workflow, not a heroics
All of the above only works if it’s repeatable rather than a weekly act of willpower. The reshaping, the age buckets, the disposition cross-reference, the false-positive suppression — that’s mechanical work that should run from one command against the week’s export, idempotently, with the historical diff filling itself in once you’ve kept two weeks of snapshots. The judgment (which RCE is urgent, which exception still holds) is where a human belongs; everything around it should be automated so the human’s attention lands on the judgment and not on reformatting spreadsheets.
Done this way, vulnerability management stops being a weekly panic and becomes a steady process: reshape the dump, mechanize the boring bulk, surface the genuinely exploitable, suppress the known false positives, and remember your own past decisions so you stop re-making them. The scanner finds the problems; triage is what turns finding into fixing. It’s the same security-as-a-practice mindset behind a real cybersecurity checklist and treating security as architecture. If you’re drowning in your own weekly scan, I’m easy to reach.