VM Program Phases
Click a phase to explore scope, goals, and common failure modes.
1. Discover
Asset inventory & continuous discovery
2. Scan
Credentialed + uncredentialed scans
3. Assess
CVSS scoring, KEV correlation, context
4. Prioritize
Risk-based ranking vs. raw CVSS sort
5. Remediate
Patch, mitigate, or accept with SLA
6. Verify
Rescan, close tickets, track compliance
7. Report
Metrics, trends, and board-level rollup
← Select a phase to see details
VM Lifecycle — Instructor Notes
VM program maturity varies enormously between organizations. The key mental shift for students: VM is not about finding vulnerabilities — it is about reducing the window of exploitability faster than attackers can discover and weaponize CVEs. In 2024, the average time from CVE publication to active exploitation dropped below 5 days for high-profile vulnerabilities. A VM program with monthly scan cycles is structurally incapable of meeting that threat. Emphasize the lifecycle as a continuous loop, not a waterfall project. Discussion prompt: which phase is weakest at Ficsit? Guide students toward two answers: Verify (no automated rescan after patching) and Discover (incomplete asset inventory — WIN-LEGACY-01 was missing for 14 months).
Asset Criticality Tiers
Select a tier to see asset examples and patch SLA.
Tier 1 — Critical
Domain controllers, prod databases, internet-facing
Tier 2 — High
Application servers, VPN gateways, CI/CD pipelines
Tier 3 — Medium
Internal workstations, file servers, dev environments
Tier 4 — Low
Test systems, isolated lab hosts, decommission queue
← Select a tier to view details
Asset Inventory — Instructor Notes
Asset criticality tiering is a business conversation, not a technical one. The security team proposes tiers, but the business defines what "critical" means — a database storing PII is Tier 1 for a healthcare company but potentially Tier 3 for a manufacturing firm. At Ficsit, DC01 and PORTAL-EXT are Tier 1 not because of their technical role alone but because their compromise has immediate material business consequences. Discussion exercise: ask students what tier WIN-LEGACY-01 (the PLC controller) should receive. Most will say Tier 4. The correct answer may be Tier 1 — if that PLC controls physical manufacturing equipment, its availability directly impacts production revenue and potentially worker safety. Context determines criticality, not the IT team's opinion.
Ficsit Inc. — Latest Scan Results
Analyst Context
You are reviewing Ficsit's weekly credentialed scan results from June 17, 2026 — two weeks after the IRON CHIMNEY breach was contained. This is the first full-scope scan following the incident. Three hosts have Critical findings: PORTAL-EXT (3 criticals, 8 highs), DC01 (2 criticals, 5 highs), and GITLAB-01 (2 criticals, 4 highs). Your task: triage this list and determine which hosts demand immediate action. Note that WIN-MCHEN-WS01 — the initial breach vector — has zero Critical findings. The attacker exploited a phishing email and macro execution, not a known CVE. VM programs protect against exploitation of known flaws; they do not protect against social engineering.
| Host | IP | OS | Critical | High | Medium | Low | Last Scan |
|---|
Analyst Tip
A zero-Critical result on a host does not mean that host is secure — it means no known CVEs with a Critical CVSS score are present. WIN-MCHEN-WS01 shows zero criticals but was the initial breach vector. VM programs complement, not replace, EDR telemetry, email security, and configuration benchmarks (CIS Baselines). Always ask: what attack paths does this scan not cover? Zero-days, misconfigurations without CVE assignments, and social engineering attacks all fall outside the scope of vulnerability scanning.
Exercise
Using the scan results table: (1) PORTAL-EXT has 3 Critical findings and is internet-facing (Tier 1). DC01 has 2 Criticals but is internal-only. If you could only action one host this week, which do you choose? Justify your reasoning. (2) GITLAB-01 runs the CI/CD pipeline — all production deployments pass through it. Does that context change its priority ranking relative to the other hosts? (3) FILE-SHARE-01 shows zero Criticals but 11 Lows. Should this influence your remediation plan, and why or why not?
Vulnerability Scanning — Instructor Notes
Use this section to break the false equivalence between "the scan ran" and "we're secure." Key teaching points: (1) Credentialed vs. uncredentialed — most enterprise scanners default to credentialed, but students entering immature organizations will encounter uncredentialed scans that miss 30–40% of vulnerabilities. Always ask: were these scans credentialed? (2) Coverage gap — a vulnerability on an unscanned host is worse than no scanner at all, because it creates false confidence. (3) False positives — Nessus and similar tools have false positive rates of 5–15%. Teach students not to auto-ticket every finding without verification. (4) Scan timing — weekly scans mean a vulnerability can exist for up to 6 days before it's detected. Continuous agent-based monitoring (EDR telemetry, software inventory agents) fills this gap.
CVSS v3.1 Calculator
Adjust base metric values to compute a CVSS score.
Base Metrics
Attack Vector (AV)
Attack Complexity (AC)
Privileges Required (PR)
User Interaction (UI)
Scope (S)
Confidentiality
Integrity
Availability
CVSS v3.1 Score
9.8
CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability3.9
Impact5.9
Key Concept — CVSS vs. Risk
CVSS measures technical severity, not business risk. A CVSS 9.8 on an air-gapped test machine poses less real-world risk than a CVSS 7.5 on your customer-facing authentication service. Three things CVSS does not account for: (1) Asset criticality — the base score is identical regardless of what the host does. (2) Threat intelligence — a 9.8 with no public exploit is lower priority than a 7.5 being mass-exploited in the wild. (3) Compensating controls — a vulnerability behind a WAF blocking the relevant attack vector has a lower effective risk than its base score implies. Use CVSS as a starting signal, not a final answer.
Exercise — Score Ficsit CVEs
Use the CVSS calculator to score these Ficsit vulnerabilities, then compare to NVD: (1) CVE-2024-21762 (FortiOS) — AV:Network, AC:Low, PR:None, UI:None, Scope:Unchanged, C:High, I:High, A:High. What do you get? (2) CVE-2023-23397 (Outlook NTLM) — AV:Network, AC:Low, PR:None, UI:None, Scope:Unchanged, C:High, I:None, A:None. Score it — then explain why zero Integrity and Availability impact still makes this critical in practice. (3) Change CVE-2024-21762 to AV:Local. How does the score change, and under what real-world scenario would Local be the correct attack vector classification?
CVE & CVSS — Instructor Notes
The CVSS calculator uses the official v3.1 formula. Use the scoring exercise to build intuition about which metrics drive the score most: Attack Vector (Network vs. Local) and CIA impact are the two biggest drivers — AV:Network with High CIA across all three hits 9.8 with no Scope change. Students should understand why Scope:Changed pushes scores above 9.0 even when CIA is not all-High: a scope-changed vulnerability compromises resources beyond the vulnerable component itself. Common student error: confusing Privileges Required (PR) with the privilege level required on the target system after exploitation. PR:None means the attacker needs no credentials to trigger the exploit — it does not describe what access they gain once it succeeds.
CISA KEV — Ficsit Asset Matches
Analyst Context
You are cross-referencing Ficsit's asset inventory against the CISA Known Exploited Vulnerabilities catalog as of June 2026. CISA KEV lists CVEs with confirmed active exploitation in the wild — not theoretically exploitable, but observed in real attacks. Federal agencies must remediate KEV entries within CISA's mandated timeframes. For private organizations, KEV is the single highest-signal prioritization input available: if a CVE is on the list, attackers have working exploits and are using them today. Three entries below are past their CISA-mandated remediation deadline. Nation-state actors, ransomware operators, and opportunistic scanners are actively attempting to exploit these exact CVEs on internet-facing infrastructure right now.
| CVE ID | Vulnerability Name | Vendor / Product | Ficsit Host | CVSS | Due Date | Status |
|---|
Key Concept — KEV vs. CVSS Priority
CVSS measures theoretical severity. KEV measures observed exploitation. A CVE with CVSS 7.5 on the KEV list is more urgent than a CVSS 9.8 not on the list — because the KEV entry proves a real attacker built and used a working exploit. CISA's analysis found that only about 4% of all published CVEs are ever exploited in the wild. KEV is your signal that you're in that 4%. For internet-facing assets, treat KEV + exposed service as your absolute highest urgency tier regardless of CVSS. For internal assets, weight KEV + asset criticality tier together. Never let a moderate CVSS score override a KEV listing when setting remediation priority.
Exercise
1. Triage conflict: DC01 carries CVE-2020-1472 (CVSS 10.0, KEV-listed) and CVE-2023-28252 (CVSS 7.8, KEV-listed). A colleague argues you should patch the 7.8 first because it has a newer KEV add date. Do you agree? What additional information would you request before deciding?2. Scope creep check: PORTAL-EXT appears in both the KEV table and the prioritized queue as two separate CVEs — CVE-2021-44228 and CVE-2024-3400. One is In Progress. Walk through whether having one patch in flight changes your urgency assessment for the other. What's the risk if you assume they'll both be fixed by the same maintenance window?
3. Compensating controls: VPN-GW-01 has CVE-2024-21762 (KEV-listed, CVSS 9.6) but engineering says the interface is only reachable from trusted partner IPs. Does that move it off your immediate action list? What would you need to verify about that network restriction before accepting it as a real control?
CISA KEV — Instructor Notes
The KEV table is the fastest way to show students why CVSS alone is an unreliable prioritization signal. All six KEV entries for Ficsit are CVSS 9.0+, which might make it seem like KEV and CVSS agree — they don't always. In real environments you will encounter KEV entries with CVSS 6–7 that outrank CVSS 9s in practice because active exploitation was observed at scale. Use Exercise 3 to drive home the compensating controls discussion: students will often accept "trusted IPs only" at face value. Push them to ask: Is that ACL on the firewall or just the application config? Is it tested? Does it cover all interfaces on the device? Who owns verifying it? A compensating control that hasn't been tested under adversarial conditions is a paper control.
Ficsit — Prioritized Vuln Queue
Click a vulnerability to see its full risk score breakdown.
← Select a vulnerability to see risk breakdown
Risk Prioritization — Instructor Notes
The prioritization queue uses a composite score that weights KEV status, CVSS, asset tier, and age. Students should understand that the score is a decision-support tool, not a substitute for analyst judgment. Two teaching points: First, PORTAL-EXT appears twice in the queue (CVE-2021-44228 and CVE-2024-3400) — one In Progress, one Open. Ask students whether the In Progress patch for one changes their sense of urgency for the other. Answer: No. They are separate vulnerabilities requiring separate fixes; an in-flight patch for Log4Shell does not reduce your exposure to PAN-OS command injection. Second, EXCHANGE-01's CVE-2023-23397 (Outlook NTLM relay, no click required) sits at score 91 despite being on an internal asset — because the preview-pane trigger means every email received is a potential exploit attempt, even from a user who never opens it. Use this to challenge the assumption that internal-only assets are lower urgency.
Ficsit Patch Pipeline
Patch Lifecycle Stages
Every patch moves through five stages before it's complete: Identified (CVE detected in scan, ticket opened, SLA clock starts) → Approved (change control board or security team approves the patch for the environment; for critical/KEV entries this may be expedited) → Testing (patch validated in staging or lab environment; skipping this stage is how patches break production) → Deployed (patch applied to production asset; confirmation that the binary/config change is in place) → Verified (rescan or authenticated check confirms the vulnerability no longer registers; SLA clock stops here, not at deployment). A patch that is Deployed but not Verified is still open on your SLA. Ficsit has a systemic gap: patches are marked complete at deployment. The verification step is manual and inconsistent, meaning the program has false-closed tickets across all tiers.
| # | CVE | Asset | Tier | Patch | Stage | SLA | Owner |
|---|
Analyst Tip
Watch for SLA age vs. patch stage mismatch. If a ticket shows Stage: Testing but was opened 28 days ago for a Tier 1 critical (7-day SLA), the SLA has already breached — the stage label doesn't pause the clock. Always anchor your status report to discovered date, not current stage. Also watch for patch rollback events that reset the stage from Deployed back to Approved or Testing: the original SLA clock doesn't restart, so rollbacks extend your breach window silently unless you catch them in the patch table.
Exercise
1. SLA breach hunt: Scan the patch table for tickets where the SLA column shows Breached. For each: identify the asset tier, calculate how many days past SLA deadline the ticket is, and determine who the escalation owner should be per the tiering policy.2. Patch ordering: DC01 has two patches pending — KB5034441 (Zerologon) and KB5004442 (Print Spooler). Change control will only approve one maintenance window this week. Which patch do you push through first and why? Would your answer change if DC01 were Tier 2 instead of Tier 1?
3. Verification gap: EXCHANGE-01's patch for CVE-2023-23397 is listed as Deployed. Write the verification steps you would run to confirm the vulnerability is actually remediated before closing the ticket. What scan type would you use and what would a clean result look like?
Patch Management — Instructor Notes
Ficsit's patch table intentionally includes a Breached entry (CVE-2020-1472 on DC01) and an In Testing entry that is approaching its deadline. Students often focus on the Breached entry; redirect them to also ask why a Tier 1 critical is still in Testing after 19 days when the SLA is 7. The answer: change control approval delays and no expedited lane for KEV-listed CVEs. This is a program design failure, not just a ticket delay. Exercise 3 (verification steps) is frequently skipped in real programs. Push students to name concrete verification actions: run a credentialed scan targeting the specific CVE plugin, review the KB number in the Windows Update history, confirm with the asset owner that no rollback occurred. "Check that it's fixed" is not a verification step.
Ficsit — Open Exceptions
Click an exception to review the business justification and compensating controls.
← Select an exception to review
Risk Acceptance — Instructor Notes
Risk acceptance is one of the most common real-world VM activities and one of the least taught. Students should understand three things: (1) Risk acceptance is a business decision, not a security team decision — the security team documents the risk, but the approving executive owns it. (2) Every exception must have a hard expiry — open-ended exceptions are how "temporary" workarounds become permanent. Ficsit's WIN-LEGACY-01 exception expires December 2026 but has no committed decommission date; this is the failure mode to watch for. (3) Compensating controls on an exception are meaningless unless they are tested and monitored. Ask students: what happens to the WIN-LEGACY-01 exception if the network isolation VLAN is misconfigured in a firewall rule change? Is there a detection? The honest answer is no — and that gap should be documented in the exception or rejected as a compensating control. Also note CVE-2018-13379 on VPN-BACKUP-01: FortiOS credential exposure with no external access is a believable control, but only if the device is confirmed off the routing table. Students should ask whether "no external access" has been audited recently.
Ficsit — SLA Dashboard
SLA Tiers — Ficsit Policy
Ficsit SLA windows are defined per asset tier and vulnerability severity. The SLA clock starts at discovery date — when the vulnerability first appeared in a credentialed scan — not the date the ticket was opened or assigned. Tier 1 (Critical assets): Critical vulns 7 days / High 14 days / Medium 30 days. Tier 2 (High assets): Critical 14 days / High 30 days / Medium 60 days. Tier 3 (Medium assets): Critical 30 days / High 60 days / Medium 90 days. Tier 4 (Low assets): Critical 60 days / High 90 days / Medium 180 days. Breached SLAs require documented escalation to the asset owner's management chain. Ficsit currently has no automated breach notification — analysts must manually audit the SLA table to identify overdue items, which means breaches are often discovered days after they occur.
| CVE | Host | Severity | Discovered | SLA Due | Days Remaining | Status |
|---|
Exercise
1. Breach identification: Review the SLA table. For every row where the deadline has passed, write: (a) asset tier, (b) days breached, (c) who receives the escalation notification under Ficsit policy, and (d) whether the root cause is a process, resource, or prioritization failure.2. Discovery date dispute: An asset owner for FILE-SHARE-01 argues the SLA clock should start from when they were notified, not when the scan detected the vulnerability. Detection: June 3. Owner notified: June 6. SLA deadline based on discovery: June 17 (Tier 3, Critical). How do you respond? What policy language would prevent this dispute in future cycles?
3. SLA automation gap: Ficsit has no automated breach alerts. Design the minimum viable notification system: what data fields would you query, what threshold triggers the alert, who receives it, and how do you prevent alert fatigue if 30 items breach simultaneously?
Remediation Tracking — Instructor Notes
The SLA dashboard surfaces two structural gaps: no automated breach notification, and no escalation chain below CISO level. Exercise 2 (discovery date dispute) is drawn from a real enterprise pattern — asset owners frequently push back on SLA clocks that started before they were notified. The correct answer is that discovery date is the clock start regardless of notification lag, because the vulnerability was exploitable from that date. If you accept the owner's argument, ask: what prevents every owner from delaying acknowledgment by 3–5 days as a de facto SLA extension? The policy fix is explicit language: "SLA commences at scan detection date as recorded in the vulnerability management platform." Exercise 3 should produce varied answers — accept any design that queries days-to-deadline, sets a warning threshold before breach (e.g., T-2 days), and routes to asset owner plus their manager rather than just the VM team alone.
Ficsit — VM Program Metrics
Key Metrics — What to Track and Why
Four metrics define a mature VM program: Patch Compliance Rate (PCR) — percentage of vulnerabilities remediated within SLA, by tier. Ficsit target: 95% Tier 1, 90% Tier 2. Current: 62% Tier 1 critical. The gap between target and actual is your program's primary risk signal. Mean Time to Remediate (MTTR) — average calendar days from discovery to verified closure, segmented by severity. Ficsit post-breach MTTR for critical vulns was 34 days; target is under 7 for Tier 1. KEV Exposure Time — how long KEV-listed CVEs remain open on any asset. This is the metric CISA and cyber insurers focus on. Every day a KEV is open on an internet-facing system is measurable risk the board should see. Vulnerability Density — critical/high vulns per asset, trended monthly. Rising density signals that scan cadence or patch bandwidth has not kept up with the threat environment. Report all four monthly; trend data over 90 days is more meaningful than any single snapshot.
Analyst Tip — Board Reporting
Boards do not respond to raw CVE counts. They respond to business risk expressed in operational terms. Translate your metrics: instead of "we have 6 KEV-listed vulnerabilities," say "three systems that process customer payment data have unpatched vulnerabilities currently being exploited in the wild — two are past their remediation deadline." Quantify exposure time: "CVE-2020-1472 on our primary domain controller has been exploitable for 3 days; a successful attack would give an attacker administrative control over every Windows system in the environment." For positive reporting: show trend improvement, not just current state. A PCR that moved from 48% to 62% in 30 days tells a story of program progress even if the number is still below target.
Exercise — Build the Executive Summary
Using only the data visible in this section's metrics dashboard, write a 3-paragraph executive summary suitable for the Ficsit board of directors. Paragraph 1: Current state — what is the program's overall health and where are the critical gaps? Paragraph 2: Highest-priority risks — name the two or three specific vulnerabilities or systems that represent the most immediate business risk, and why in non-technical terms. Paragraph 3: 30-day remediation target — what will you commit to closing, what resource or process changes are needed, and what does success look like? Aim for under 200 words total. Avoid CVSS scores, CVE IDs, and technical acronyms in the first draft.
VM Metrics & Reporting — Instructor Notes
The metrics section is where the lab connects technical VM work to business communication — a skill gap that is consistently cited in enterprise security hiring. Ficsit's numbers are intentionally unflattering: 62% PCR on Tier 1 criticals, 34-day average MTTR against a 7-day SLA, and 6 KEV entries open. Students will want to soften the board summary; push them not to. The board needs the honest picture because they are the ones who approve the headcount, tooling, and process changes required to fix it. The exercise's "no CVE IDs" constraint is intentional — it forces translation. A student who writes "CVE-2020-1472 with CVSS 10.0 on DC01 requires immediate remediation" has not completed the translation. A student who writes "a three-year-old vulnerability in our domain controller authentication system can be exploited without a password, giving an attacker control of every Windows computer in the building" has understood the communication task. Accept both versions but discuss which one moves a board to act.