The firehose problem

A modern scanner will hand a 20-person company tens of thousands of findings. Treating them as a flat to-do list guarantees failure: the team burns out, nothing gets prioritized, and the genuinely dangerous vulnerabilities hide in the noise.

Prioritize by exploitability, not just severity

CVSS scores are a starting point, not an answer. A "critical" on an internal box with no network path is less urgent than a "medium" on an internet-facing service with a known exploit.

  1. Is it reachable? Internet-facing beats internal beats air-gapped.
  2. Is it being exploited? Cross-reference CISA's KEV catalog and EPSS scores.
  3. What does it protect? A vuln on the database with customer PII outranks one on the marketing CMS.

Set SLAs and mean them

  • Actively exploited, internet-facing: 72 hours.
  • Critical, reachable: 7 days.
  • High: 30 days.
  • Everything else: quarterly batch.

Publish the SLAs, track aging, and report breaches up the chain. An SLA nobody measures is a wish.

Close the loop

Patching isn't done until you've re-scanned and confirmed. Track three numbers: open count, mean time to remediate, and SLA-breach rate. If MTTR is climbing, you have a capacity problem, not a tooling problem.

The goal isn't zero vulnerabilities — that's impossible. It's a predictable, shrinking backlog with the dangerous ones always at the top.