Vulnerability Management Program

A comprehensive vulnerability management program implementation simulating real-world enterprise security operations, from policy creation to full remediation cycles.

Tenable
PowerShell
Azure VMs
Bash

Project Overview

Inception State

The organization has no existing policy or vulnerability management practices in place. No formal scanning, assessment, or remediation processes exist.

Completion State

A formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.

Program Phases

Phase 1: Policy Development

  • Drafted comprehensive Vulnerability Management Policy
  • Defined scope, responsibilities, and remediation timelines
  • Adjusted timelines based on stakeholder feedback (critical remediation window extended from 48h to 1 week)

Phase 2: Stakeholder Engagement

  • Conducted mock meetings with server team for policy buy-in
  • Negotiated scan permissions and credential management
  • Implemented just-in-time AD credentials for secure scanning

Phase 3: Scanning & Assessment

  • Provisioned insecure Windows Server to simulate environment
  • Performed authenticated Tenable scans
  • Prioritized vulnerabilities by ease of remediation and impact

Phase 4: Remediation Cycles

  • Round 1: Outdated Wireshark removal via PowerShell
  • Round 2: Insecure protocols & cipher suites remediation
  • Round 3: Guest account group membership fix
  • Round 4: Windows OS updates applied
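
One way Round 2 could be carried out on a Windows Server, shown as an added example and not the project's own script: it audits the SCHANNEL registry settings and disables legacy protocols that are not already turned off. The protocol list (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) is an assumption, since the page does not name the protocols or cipher suites that the scans flagged.

```powershell
# Added example (not the project's script): audit and disable legacy SCHANNEL protocols.
# Assumption: the protocol list below; adjust it to match the scanner's findings.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$report = foreach ($proto in $Protocols) {
    foreach ($role in 'Server', 'Client') {
        $key     = Join-Path $base "$proto\$role"
        $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # A missing key means the OS default applies, so only an explicit
        # Enabled=0 / DisabledByDefault=1 pair counts as disabled here.
        $disabled = ($null -ne $current) -and
                    ($current.Enabled -eq 0) -and
                    ($current.DisabledByDefault -eq 1)

        if (-not $disabled -and $PSCmdlet.ShouldProcess($key, 'Disable protocol')) {
            if (-not (Test-Path $key)) {
                # -Force creates any missing parent keys
                New-Item -Path $key -Force | Out-Null
            }
            New-ItemProperty -Path $key -Name Enabled -Value 0 `
                -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 `
                -PropertyType DWord -Force | Out-Null
            $disabled = $true
        }

        [pscustomobject]@{
            Protocol = $proto
            Role     = $role
            Disabled = $disabled
        }
    }
}

# Summary of the state after the run (or the current state under -WhatIf)
$report | Format-Table -AutoSize
```

Running it with -WhatIf first reports the current state without changing anything. SCHANNEL changes take effect after a reboot, after which a follow-up authenticated scan confirms the finding is closed.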

Results

  • Total vulnerability reduction: 80%
  • Critical vulnerabilities resolved: 100%
  • High vulnerabilities reduced: 90%
  • Medium vulnerabilities reduced: 76%

Ongoing Maintenance Mode

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures vulnerabilities continue to be managed proactively.

Scheduled Scans

Weekly/monthly scans to detect new vulnerabilities as systems evolve

Patch Management

Continuous application of security patches so that no critical vulnerabilities remain

Remediation Follow-ups

Address newly identified vulnerabilities promptly based on risk

Policy Reviews

Periodic review to align with latest security best practices

Audit & Compliance

Internal audits ensuring compliance with policy and regulations

Stakeholder Communication

Maintain open coordination with remediation teams