The firehose problem
A modern scanner will hand a 20-person company tens of thousands of findings. Treating them as a flat to-do list guarantees failure: the team burns out, nothing gets prioritized, and the genuinely dangerous vulnerabilities hide in the noise.
Prioritize by exploitability, not just severity
CVSS scores are a starting point, not an answer. A "critical" on an internal box with no network path is less urgent than a "medium" on an internet-facing service with a known exploit.
- Is it reachable? Internet-facing beats internal beats air-gapped.
- Is it being exploited? Cross-reference CISA's KEV catalog and EPSS scores.
- What does it protect? A vuln on the database with customer PII outranks one on the marketing CMS.
Set SLAs and mean them
- Actively exploited, internet-facing: 72 hours.
- Critical, reachable: 7 days.
- High: 30 days.
- Everything else: quarterly batch.
Publish the SLAs, track aging, and report breaches up the chain. An SLA nobody measures is a wish.
Close the loop
Patching isn't done until you've re-scanned and confirmed. Track three numbers: open count, mean time to remediate, and SLA-breach rate. If MTTR is climbing, you have a capacity problem, not a tooling problem.
The goal isn't zero vulnerabilities — that's impossible. It's a predictable, shrinking backlog with the dangerous ones always at the top.