# Vulnerability Management Lifecycle

One-sentence definition: Continuous process to discover, assess, remediate, and verify vulnerabilities.

## Key Facts

- Steps: asset inventory → scan → analyze → prioritize → remediate/mitigate → verify → report.
- Account for compensating controls and exceptions with deadlines.
- Track SLAs by severity/asset criticality; report aging and risk.
- Validate fixes with rescans and regression tests.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose lifecycle approach vs. ad hoc patching.

**Mnemonic:** “**Find → Fix → Verify → Report**.”

## Mini Scenario

Q: Critical vuln remains after “patched”—why?

A: No verification; rescans/regression missing.

## Revision Checklist

- List core steps.
- Exception handling rule.
- Verification method.

## Related

[[Risk-Based Prioritization (CVSS EPSS Business Impact)]] · [[Network Vulnerability Scanning (Internal External)]] · [[Configuration Review and Benchmarks]] · [[Remediation Verification and Regression Testing]] · [[Security Metrics for Testing Programs]] · [[Domain 6 - Index]]