What Is Vulnerability management? Security Definition
On This Page
What do you want to do?
Quick Definition
Vulnerability management is a cycle that helps organizations find and fix security holes before attackers can exploit them. It involves scanning systems for weaknesses, evaluating which ones pose the greatest risk, and then applying patches or other fixes. This process repeats regularly because new vulnerabilities are discovered all the time. By doing vulnerability management consistently, companies reduce their chances of a data breach or system compromise.
Common Commands & Configuration
wmic qfe list brief /format:tableLists all installed Windows updates (Quick Fix Engineering) on a local system. Useful for manual vulnerability verification after patching.
Appears in Security+ and MD-102 exams to demonstrate how to check installed patches without GUI. Often compared against known patch requirements for specific CVEs.
Get-HotFix | Where-Object {$_.InstalledOn -ge '2025-01-01'}PowerShell command to list all security patches installed after a specific date. Used for compliance reporting and vulnerability scan validation.
MS-102 and MD-102 exams test knowledge of PowerShell cmdlets for patch management and reporting. This is faster than GUI methods.
sudo apt-get update && sudo apt-get upgrade -yUpdates all packages on a Debian/Ubuntu Linux system. Applies security patches non-interactively. Commonly used in Linux server vulnerability remediation.
Appears on Security+ and CySA+ exams when discussing Linux patching workflows. The -y flag auto-approves, which is important to remember in scripts.
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,ImageId,State.Name]' --output tableLists all EC2 instances with their AMI IDs and state. Use this to identify instances that may be running outdated or vulnerable AMIs as part of vulnerability management in AWS.
AWS SAA exam tests knowledge of EC2 inventory and AMI management. This command helps identify unpatched instances for vulnerability scanning.
Get-AzVM | Where-Object {$_.ProvisioningState -eq 'Succeeded'} | Select-Object Name, ResourceGroupNameLists all Azure VMs that have successfully provisioned. Useful for inventory purposes before scheduling vulnerability scans with Microsoft Defender for Cloud.
AZ-104 exam may ask about using Azure PowerShell to inventory resources for vulnerability assessment. Combine with Update Management for patching.
msiexec /p 'patch.msp' /quiet /norestartSilently installs a Windows Installer patch (.msp) without user interaction and without restarting. Used for deploying security patches to managed endpoints.
MD-102 and MS-102 exams test silent installation parameters. The /quiet and /norestart options are key for automated deployments without disrupting users.
curl -s https://api.github.com/repos/octocat/Hello-World/releases/latest | jq '.tag_name'Retrieves the latest release tag from a public GitHub repository. Used to check if a deployed software version is outdated compared to the latest release, aiding in vulnerability detection.
CySA+ and CISSP exams may present scenarios where open-source component versions must be verified. This command simulates checking for known vulnerable versions.
sconfigOpens the Server Configuration tool on Windows Server Core. Used to check for updates and configure Windows Update settings on minimal interface servers.
Security+ and MD-102 exams mention sconfig as a method to manage updates and network settings on Windows Server Core, especially in a headless environment.
Vulnerability management appears directly in 28exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Vulnerability management is a fundamental concept that appears across multiple certification exams. For CompTIA Security+, it is covered under Domain 3 (Implementation) and Domain 4 (Operations and Incident Response). You will see questions about the phases of the vulnerability management lifecycle, the difference between vulnerability scanning and penetration testing, and the use of CVSS scores to prioritize remediation. The exam expects you to know that vulnerability management is a continuous process, not a one-time event, and that it must include asset inventory, scanning, analysis, remediation, and verification.
For CompTIA CySA+, vulnerability management is even more central. The entire exam focuses on threat and vulnerability management. You will be asked to interpret scan results, identify false positives, prioritize findings based on risk context, and determine appropriate remediation actions. You must understand concepts like credentialed scanning vs. non-credentialed scanning, the role of SCAP, and how to handle vulnerabilities that cannot be immediately patched (e.g., risk acceptance or compensation controls).
For (ISC)² CISSP, vulnerability management falls under Domain 7 (Security Operations) and Domain 3 (Security Architecture and Engineering). The exam emphasizes the management and governance side. You need to understand how vulnerability management fits into a broader risk management program, including policy creation, reporting to management, and integrating with change management. CISSP questions often focus on the difference between vulnerability assessment, vulnerability management, and penetration testing, as well as the importance of SLAs for remediation.
For AWS SAA, vulnerability management appears in the context of the shared responsibility model. You are expected to know that AWS manages the security of the cloud (e.g., patching the hypervisor), but you are responsible for security in the cloud (e.g., patching your AMIs, scanning your containers, and using AWS Inspector). Exam questions may ask about how to automatically remediate vulnerabilities found by AWS Inspector using AWS Systems Manager or AWS Lambda.
For Azure-related exams such as AZ-104, MD-102, MS-102, and SC-900, vulnerability management is covered through Microsoft Defender for Cloud and Microsoft Defender Vulnerability Management. You need to know how to enable vulnerability scanning, interpret security recommendations, prioritize by severity, and implement just-in-time access or adaptive application controls. Questions may present a scenario where a critical vulnerability is found on a virtual machine and ask you to select the best remediation approach, such as applying a patch, implementing a WAF rule, or isolating the VM.
In all these exams, you are expected to think critically about prioritization. Not all vulnerabilities are equal, and not all systems are equal. A critical vulnerability on an internet-facing web server is more urgent than a medium vulnerability on an internal file server. You must also understand that vulnerability management is a cycle, and that verification scanning after remediation is a required step.
Simple Meaning
Imagine you own a house with many doors and windows. Some doors might have weak locks, some windows might not close properly, and maybe there is a hidden entrance you forgot about. If a burglar finds one of these weak spots, they could get inside and steal your valuables.
Vulnerability management is like having a security guard who walks around your house every week checking every door, every window, every lock, and every possible entry point. When the guard finds a problem, such as a broken lock, they note it down and decide how urgently it needs to be fixed. A broken lock on the back door is a big problem because it lets anyone in, so that gets fixed right away.
A small crack in a window on the second floor might be less urgent because it is harder to reach, but it still gets scheduled for repair. The guard also keeps a list of all known weak spots from other houses in the neighborhood and checks if your house has the same issues. Over time, the guard comes back every week because new problems can appear.
Perhaps a lock gets rusty, or a new type of burglar tool is invented that can open a certain kind of lock. The guard updates the checklist and keeps working. In the IT world, vulnerability management works exactly the same way.
Computer systems, networks, and applications all have weaknesses. Some are known publicly, like a software bug that allows an attacker to take control. Others are discovered by security researchers or even by attackers themselves.
A vulnerability management program uses special tools to scan all the computers, servers, and devices on a network, looking for these known weaknesses. It then creates a report that lists every vulnerability found, along with a severity score. The most critical vulnerabilities, such as one that allows remote code execution without a password, are fixed immediately.
Less critical ones, like a minor information disclosure, might be scheduled for the next maintenance window. The key idea is that this is not a one-time thing. New vulnerabilities are announced every day, sometimes by the software vendors themselves.
So the scanning and fixing must happen continuously. That is why vulnerability management is called a cycle. It goes around and around: identify, analyze, remediate, and repeat. This constant attention helps organizations stay ahead of attackers who are always looking for the next open door.
Full Technical Definition
Vulnerability management is a structured, cyclical process that encompasses the identification, classification, prioritization, remediation, and verification of security vulnerabilities across an organization's information technology assets. It is a foundational component of an enterprise security program and is prescribed by numerous frameworks, including NIST SP 800-40, ISO 27001, and the CIS Controls. The process is typically implemented using a combination of automated scanning tools, manual assessment techniques, and a formalized policy that defines frequency, scope, and response procedures.
The vulnerability management lifecycle consists of several distinct phases. The first phase is asset discovery and inventory. Before any scanning can occur, an organization must have a complete and accurate inventory of all devices, servers, applications, and network components. Without this, scanning may miss critical systems, leaving them unprotected. Asset discovery tools use active scanning, passive listening, and integration with configuration management databases (CMDB) or cloud provider APIs to build this inventory. This phase often includes identifying the operating system, version, installed applications, open ports, and running services for each asset.
The second phase is vulnerability scanning. Automated scanners, such as Nessus, Qualys, OpenVAS, or Microsoft Defender Vulnerability Management, probe each asset for known vulnerabilities. These scanners reference databases of Common Vulnerabilities and Exposures (CVEs) maintained by the MITRE Corporation. Each CVE is assigned a severity score using the Common Vulnerability Scoring System (CVSS), which considers factors like attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. Scans can be authenticated or unauthenticated. Authenticated scans use credentials to log into the system and perform a deeper inspection of configuration settings, missing patches, and registry values, yielding more accurate results. Unauthenticated scans operate from the network side and may detect fewer issues but provide an attacker's perspective.
The third phase is analysis and prioritization. Raw scan results often contain hundreds or thousands of vulnerabilities, many of which may be low risk or false positives. Security analysts must triage the findings. This involves validating each vulnerability, correlating it with the organization's risk appetite, considering the criticality of the affected asset (e.g., a public-facing web server vs. an internal development workstation), and factoring in the presence of compensating controls such as firewalls or intrusion prevention systems. Vulnerability prioritization is often guided by the CVSS score, but many organizations also incorporate threat intelligence feeds that indicate which vulnerabilities are currently being exploited in the wild. This allows teams to focus on zero-day vulnerabilities or actively exploited flaws first, rather than simply patching in order of CVSS severity.
The fourth phase is remediation. Remediation strategies include applying patches or updates from the vendor, implementing configuration changes, applying workarounds such as disabling a vulnerable service, or deploying virtual patches via a web application firewall (WAF) or intrusion prevention system (IPS). For vulnerabilities that cannot be immediately patched due to operational constraints, formal risk acceptance or a mitigation plan must be documented and approved by management. Remediation is typically tracked through a ticketing system, with assigned owners and target completion dates based on severity. Typical SLA targets for critical vulnerabilities range from 24 hours to 7 days, while low-severity issues may have 90 days or longer.
The fifth phase is verification and reporting. After remediation actions have been applied, the organization rescan the affected assets to confirm that the vulnerability has been successfully eliminated. This step also includes generating reports for stakeholders, such as IT management, compliance officers, and auditors. Reports typically show metrics like mean time to remediate (MTTR), patch compliance percentage, vulnerability trends over time, and risk score improvement. These reports are essential for demonstrating due diligence to regulators and for justifying additional security investments.
The final phase is continuous improvement. Vulnerability management is not a point-in-time activity. The cycle repeats on a defined schedule, which may be weekly, monthly, or quarterly depending on the organization's risk profile and regulatory requirements. Continuous improvement involves refining scanning configurations, updating asset inventories, integrating new threat intelligence sources, and adjusting prioritization criteria based on lessons learned from past incidents.
From a technical implementation perspective, vulnerability management relies on several standards and protocols. The Security Content Automation Protocol (SCAP) is used to automate the exchange of vulnerability data between scanners and management platforms. SCAP includes the Common Platform Enumeration (CPE) for naming software, the Common Configuration Enumeration (CCE) for configuration issues, and the Open Vulnerability and Assessment Language (OVAL) for describing checks. The Extensible Configuration Checklist Description Format (XCCDF) is used for benchmark checklists.
In cloud environments such as AWS and Azure, vulnerability management includes scanning of virtual machine images in the cloud, container images, serverless functions, and Infrastructure as Code (IaC) templates. Cloud-native tools like Amazon Inspector and Microsoft Defender for Cloud provide integrated vulnerability scanning that aligns with the shared responsibility model. For on-premises environments, vulnerability scanners are often deployed as virtual appliances within the network, and agents may be installed on endpoints that leave the corporate network, such as laptops.
Vulnerability management is distinct from vulnerability assessment, which is a point-in-time evaluation, and from penetration testing, which is a goal-oriented attack simulation. Vulnerability management is the ongoing operational process that ensures the organization's security posture is continually maintained and improved.
Real-Life Example
Think of vulnerability management like taking your car for regular maintenance. When you own a car, you know that over time things will wear out. The tires will lose tread, the brake pads will get thin, and the oil will become dirty. If you ignore these issues, eventually something will fail, possibly causing an accident or expensive damage. To prevent that, you follow a maintenance schedule. Every few months, you check the oil, inspect the tires, and look at the brake pads. You also pay attention to recall notices from the manufacturer. If the car company discovers a defect in the braking system and issues a recall, you take the car to the shop immediately to get it fixed, even if your brakes feel fine. That is because the defect is a known vulnerability that could lead to a serious crash.
Now map this to vulnerability management. The car represents your organization's entire IT environment: servers, laptops, network devices, cloud instances, and applications. The scheduled maintenance checks are your regular vulnerability scans. You run them on a recurring basis, maybe weekly or monthly, to look for known weaknesses. The recall notices are like CVE alerts from software vendors. When Microsoft issues a patch for a critical remote code execution vulnerability in Windows, that is like a recall. You need to apply that patch as soon as possible, because attackers already know about the flaw and may be exploiting it.
But there is a deeper layer. Not all issues are equal. A slow oil leak that leaves a small stain on your driveway is a problem, but it is not going to cause a crash tomorrow. However, a brake line that is about to rupture is an immediate danger. In vulnerability management, you assign a severity score to each finding. A vulnerability that allows an attacker to take over a server without a password is a critical issue, like the brake line. An information disclosure vulnerability that reveals the server's operating system version is a low severity issue, like a slow oil leak. You prioritize the brake line fix first.
You also have to consider the context of your car. If you only drive your car around the neighborhood at low speed, worn tires might be less urgent than if you drive on the highway at high speed every day. Similarly, a vulnerability on a public-facing web server is much more critical than the same vulnerability on an isolated internal test machine. The risk is higher because the exposure is greater.
Finally, after you fix a problem, you don't just assume it is done. You drive the car around the block and check that the brake pedal feels right again. In vulnerability management, you rescan the system to verify the patch was applied correctly and the vulnerability is gone. This whole cycle repeats because new issues will arise. New software versions will have new bugs, new attack techniques will emerge, and the car will continue to age. Vulnerability management is not a one-time fix; it is an ongoing discipline that keeps your systems running safely.
Why This Term Matters
Vulnerability management matters because it is the primary proactive defense against cyberattacks. Most data breaches and ransomware incidents are caused by attackers exploiting known vulnerabilities that the organization had not patched. According to industry reports, over 90% of successful cyberattacks exploit vulnerabilities that have a known patch available. This means that if a company had simply applied the available patches, the attack would have failed. Vulnerability management directly reduces this attack surface by systematically identifying and fixing those weaknesses before an attacker finds them.
For IT professionals, vulnerability management is not optional. Regulatory frameworks like PCI DSS, HIPAA, and GDPR require organizations to implement a vulnerability management program. Auditors will ask for scan reports, remediation records, and proof that the process is ongoing. Failure to have a proper program can result in fines, loss of certification, or legal liability. Vulnerability management helps prioritize security spending. With thousands of potential vulnerabilities to address, you need a data-driven way to decide which ones to fix first. Vulnerability management provides that prioritization, ensuring that the most dangerous issues get attention immediately.
From a career perspective, understanding vulnerability management is essential for roles such as security analyst, security engineer, SOC operator, and compliance officer. It is a core skill that appears in many certification exams, including Security+, CySA+, CISSP, and cloud-specific certifications like AWS SAA and Azure AZ-104. Knowing how to design, implement, and report on a vulnerability management program demonstrates a mature understanding of risk management and operational security.
How It Appears in Exam Questions
Exam questions about vulnerability management typically fall into three categories: scenario-based, configuration-based, and troubleshooting-based.
Scenario-based questions present a real-world situation and ask you to decide the best course of action. For example: A security analyst receives a vulnerability scan report showing a critical remote code execution vulnerability on a public-facing web server. The server cannot be patched immediately because the application vendor has not yet released a fix. What should the analyst do next? The correct answer might be to implement a virtual patch using a web application firewall while awaiting the vendor patch. Other options might include taking the server offline, which is too disruptive, or ignoring the vulnerability, which is unacceptable. These questions test your understanding of compensating controls and risk management.
Configuration-based questions ask about the tools and settings involved in vulnerability scanning. For instance: An administrator wants to perform a vulnerability scan on a set of servers to get the most accurate results. Which type of scan should be used? The answer is an authenticated scan because it has credentials and can check for missing patches and configuration issues that an unauthenticated scan would miss. Or: Which protocol is used to automate the exchange of vulnerability data between a scanner and a management platform? The answer is SCAP (Security Content Automation Protocol).
Troubleshooting-based questions focus on why a vulnerability might not have been detected or why a remediation failed. For example: After applying a critical security patch, a system still appears in the vulnerability scan report as vulnerable. What could be the cause? Possible answers include: the system was not rebooted after patching, the patch was not installed correctly, the vulnerability is actually a different but similar CVE that was not patched, or the scan was using an outdated plugin database. Another troubleshooting scenario: A vulnerability scanner reports a critical vulnerability on a server, but a manual review shows the server does not have the affected software. This is a false positive. The correct action is to mark the finding as a false positive and adjust the scanner configuration to exclude it in future scans.
Multiple-choice questions also test your knowledge of the vulnerability management lifecycle stages. You might be asked: Which phase of the vulnerability management process involves ranking vulnerabilities based on their criticality and the asset value? The answer is the prioritization phase. Or: What is the final step in the vulnerability management cycle after remediation has been applied? The answer is verification scanning or rescanning to confirm the vulnerability is fixed.
Some questions integrate vulnerability management with broader incident response. For instance: During a security incident, the incident response team finds evidence that an attacker used a known vulnerability on an unpatched server. What should the organization do after the incident? The best answer is to treat the root cause as a gap in the vulnerability management program and improve the scanning and patching schedule for similar assets. This tests your ability to see vulnerability management not just as a tool but as a process that feeds into continuous improvement.
Practise Vulnerability management Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a security analyst at a mid-sized company that runs a customer-facing e-commerce website and an internal network with file servers and workstations. Your manager asks you to run a vulnerability scan on the entire network. You use a commercial scanner to perform an authenticated scan on all servers and workstations. The scan completes after two hours and generates a report with 450 findings.
Upon reviewing the report, you notice three critical vulnerabilities on the e-commerce web server. One is a remote code execution vulnerability in the web server software that allows an attacker to execute commands on the server without authentication. Another is a SQL injection vulnerability in a custom web application that could allow an attacker to extract customer credit card data. The third critical finding is an outdated SSL/TLS configuration that uses weak ciphers, which could allow a man-in-the-middle attack.
You also find several medium-severity vulnerabilities on the internal file server, including a missing patch for a privilege escalation vulnerability and a weak password policy that allows users to set short passwords. On the workstations, there are low-severity issues such as outdated software versions and missing security updates for media players.
Using the vulnerability management process, you prioritize the critical vulnerabilities on the public-facing web server because they have the highest potential impact and the greatest exposure. You immediately contact the web server administrator and request that the remote code execution vulnerability be patched within 24 hours. For the SQL injection vulnerability, you inform the development team that a code fix is needed and suggest implementing a web application firewall rule as a temporary mitigation. The weak SSL/TLS configuration is addressed by disabling outdated ciphers and forcing TLS 1.2 or higher.
The medium vulnerabilities on the internal file server are scheduled for the next scheduled monthly patching cycle, but you note the privilege escalation patch should be applied earlier because it could allow an attacker with user access to gain admin rights. The low-severity workstation issues are assigned to the desktop support team with a 60-day remediation deadline.
After the patches are applied, you schedule a verification scan on the web server to confirm the critical vulnerabilities are resolved. The scan shows that the remote code execution and SSL issues are fixed, but the SQL injection vulnerability still appears because the development team only implemented the WAF rule and has not yet pushed the code change. You update the report to show the compensating control in place and set a follow-up scan for two weeks later.
This scenario illustrates how vulnerability management works in practice: continuous scanning, prioritization based on risk, remediation with appropriate urgency, verification, and tracking of outstanding issues until closure.
Common Mistakes
Treating vulnerability management as a one-time project instead of a continuous process
New vulnerabilities are discovered daily. A single scan only provides a snapshot of that moment. Without repeating the process, new weaknesses will go unnoticed and unpatched.
Implement a recurring scan schedule, such as weekly or monthly, and integrate vulnerability management into ongoing operations, not just at project milestones.
Relying solely on unauthenticated scans to save time or avoid system impact
Unauthenticated scans cannot see inside the operating system and miss missing patches, misconfigured registry settings, and other deep issues. This gives a false sense of security.
Use authenticated scans with appropriate credentials and permissions, even if it requires more setup and coordination with system owners.
Fixing vulnerabilities in order of CVSS score without considering business context
A critical vulnerability on an isolated internal dev machine may be less urgent than a medium vulnerability on an internet-facing production server. Context matters for risk.
Factor in asset criticality, exposure, and the presence of compensating controls when prioritizing. Use a risk-based approach, not just a CVSS score alone.
Not verifying that remediation was successful by scanning again
Patches can fail to apply, systems may not reboot, or the wrong patch might have been installed. Without verification, you cannot be sure the vulnerability is resolved.
After any remediation action, schedule a follow-up scan of the same system to confirm the vulnerability no longer appears. Document the verification result.
Ignoring false positives or assuming all scan findings are accurate without manual validation
Scanners are imperfect and can flag vulnerabilities that do not actually exist due to outdated plugin data or incorrect detection logic. Chasing false positives wastes time and diverts resources from real issues.
Manually validate critical and high-severity findings before escalating. Use a ticketing system to track and mark false positives so they are not rescanned repeatedly.
Failing to keep the vulnerability scanner itself updated with the latest plugins and signatures
A scanner that is out of date will not detect newly published CVEs. This leaves the organization blind to the most current threats.
Configure the scanner to automatically update its vulnerability database daily or before each scan run. Verify that updates are applied successfully.
Scanning production systems without proper change management or notification, causing performance degradation
Intensive scans can consume CPU, memory, or network bandwidth, potentially causing outages or slowdowns on critical systems.
Schedule scans during maintenance windows, use throttling options, and communicate scanning plans with system owners. For critical systems, consider agent-based scanning that has less impact.
Exam Trap — Don't Get Fooled
{"trap":"You are presented with a scenario where a vulnerability scan finds several critical vulnerabilities on a server. The question asks for the 'first step' in the vulnerability management process for these findings. A tempting wrong answer is 'immediately patch all critical vulnerabilities.'
","why_learners_choose_it":"Learners often jump to the action of patching because it seems like the most direct way to fix the problem. They overlook the necessary steps before remediation, such as validation, prioritization, and risk analysis.","how_to_avoid_it":"Remember that the vulnerability management cycle has a specific order.
After scanning, you must first analyze and validate the findings, then prioritize them based on risk context, then plan remediation. Patching without validation can lead to wasted effort on false positives or breaking critical systems. Always think: validate, prioritize, then remediate."
Commonly Confused With
A vulnerability assessment is a point-in-time evaluation that identifies vulnerabilities. Vulnerability management is the ongoing, cyclical process that includes assessment, but also prioritization, remediation, verification, and continuous improvement. An assessment is a snapshot; management is a program.
Running a vulnerability scan once a year is a vulnerability assessment. Running scans every week, fixing issues, and tracking progress is vulnerability management.
Penetration testing is a goal-oriented, simulated attack designed to exploit vulnerabilities to gain unauthorized access. Vulnerability management is broader and focuses on identifying and fixing weaknesses, not on exploiting them. Penetration testing is often done after a vulnerability management program is in place to test its effectiveness.
Vulnerability management finds the unlocked door. Penetration testing sends someone to try to open that door and see what is inside.
Patch management is a subset of vulnerability management. It focuses specifically on applying software updates from vendors to fix known bugs. Vulnerability management includes scanning for missing patches, but also includes configuration changes, compensating controls, and other remediation methods. Patch management is one tool in the larger vulnerability management toolbox.
If a vulnerability can be fixed by changing a configuration setting and not by applying a patch, that is still part of vulnerability management but not patch management.
Risk management is a high-level business process that evaluates and treats all types of risk, including security, financial, and operational. Vulnerability management is a technical process that specifically addresses security vulnerabilities. Vulnerability management feeds into risk management by providing data on technical weaknesses, but risk management considers broader factors like business impact and insurance.
Vulnerability management finds a critical SQL injection bug. Risk management decides whether to fix it immediately or accept the risk because the application is retiring in two months.
Step-by-Step Breakdown
Asset Discovery and Inventory
First, you must know what systems you have. This step identifies all hardware, software, cloud instances, virtual machines, containers, and network devices in the environment. Without a complete inventory, you may miss scanning critical assets, leaving them vulnerable. Tools like network scanners, CMDB integrations, and cloud provider APIs are used here.
Vulnerability Scanning
Using an automated scanner, you probe each asset for known vulnerabilities, missing patches, weak configurations, and insecure protocols. Scans can be authenticated or unauthenticated. Authenticated scans provide deeper insight because they log into the system and check settings from inside. Scanners reference CVE databases and use CVSS scores to rate severity.
Result Analysis and Validation
Raw scan results are reviewed by security analysts. Each finding is checked to confirm it is a real vulnerability and not a false positive. Analysts also look at the context, such as which asset is affected and whether there are any existing controls that reduce the risk. This step prevents wasted effort on invalid issues.
Prioritization and Risk Scoring
Not all vulnerabilities are equally dangerous. You prioritize based on CVSS score, asset criticality, exposure level, and any threat intelligence showing active exploitation. A critical vulnerability on a public web server gets top priority, while a low-severity issue on an internal test machine may be deprioritized. This ensures resources are used effectively.
Remediation Planning
For each prioritized vulnerability, a remediation plan is created. This may involve applying a patch, changing a configuration, disabling a service, implementing a workaround, or using a virtual patch via a WAF. If a vulnerability cannot be fixed immediately, a risk acceptance or mitigation plan is documented. Timelines are set based on severity SLAs.
Remediation Execution
The plan is executed by the appropriate team, such as system administrators, network engineers, or application developers. Patches are applied, configurations are changed, and compensating controls are deployed. All changes should follow the organization's change management process to avoid unintended disruptions.
Verification Rescan
After remediation is completed, the same assets are scanned again to confirm that the vulnerability has been successfully eliminated. If the vulnerability still appears, the team investigates whether the patch failed, needs a reboot, or if the fix was applied to the wrong system. Verification closes the loop.
Reporting and Continuous Improvement
Reports are generated for management, auditors, and stakeholders. They show metrics like remediation rates, mean time to remediate, and vulnerability trends. The team reviews lessons learned, adjusts scanning configurations, updates asset inventories, and refines prioritization criteria. The cycle then repeats on the next scheduled scan date.
Practical Mini-Lesson
In practice, vulnerability management is not just about running a scanner and applying patches. It requires coordination across many teams, a clear policy, and a culture that accepts that security is everyone's responsibility. As a security professional, you will likely be the person who runs the scans, but you will also need to communicate findings to system administrators who may be overloaded with other work. You must learn to present risk in business terms so that managers understand why a critical vulnerability needs immediate attention even if it means delaying a feature release.
One common challenge is handling vulnerabilities on legacy systems that cannot be patched because the vendor no longer supports them, or because the application running on them requires a specific operating system version. In such cases, you cannot simply apply the patch, so you must implement compensating controls. These might include isolating the system on a separate network segment, placing it behind a firewall with strict access control lists, deploying an intrusion prevention system that blocks exploit attempts, or using application whitelisting to prevent unauthorized executables. Every compensating control must be documented and its effectiveness tested regularly.
Another practical aspect is the integration of vulnerability management with configuration management and change management. When a vulnerability is found due to a configuration error, such as an open SMB port that should be closed, the fix is not a patch but a configuration change. That change must go through the change management process to ensure it does not break connectivity or applications. Configuration drift can occur after a system is initially hardened, so regular scanning helps detect when settings revert to insecure defaults.
From an architectural perspective, large organizations often deploy vulnerability scanners in a distributed fashion. A management console centralizes policies and results, while remote scanners are placed in different network segments to reduce firewall congestion. Firewall rules must allow scanner traffic to all target systems on the necessary ports. For cloud environments, agent-based scanning is often preferred because it does not require opening inbound ports. Agents are installed on virtual machines and send scan results to the cloud provider's management platform.
A critical success factor is obtaining the right credentials for authenticated scans. Windows systems need domain accounts with appropriate privileges, Linux systems need root or sudo access, and database servers need database credentials. Storing these credentials securely is a challenge; many scanners integrate with privileged access management solutions to retrieve credentials on demand rather than storing them permanently.
Finally, vulnerability management programs must adapt to the speed of modern development. DevOps and agile practices mean new code is deployed multiple times per day. Traditional weekly or monthly scanning may not catch vulnerabilities introduced between scans. This has led to the rise of continuous vulnerability management, where scanning is integrated into CI/CD pipelines. Containers are scanned at build time, and running containers are scanned periodically. Infrastructure as Code (IaC) templates are analyzed for misconfigurations before deployment. This shift left approach catches vulnerabilities earlier, reducing remediation cost and effort.
The Vulnerability Management Lifecycle and Its Exam-Relevant Phases
The vulnerability management lifecycle is the structured, continuous process that organizations use to identify, classify, prioritize, remediate, and mitigate vulnerabilities in their systems and applications. This lifecycle is central to many security certifications, including the CompTIA Security+, CySA+, ISC2 CISSP, and AWS SAA. Understanding each phase in depth is critical for exam success and real-world implementation.
The first phase is discovery and inventory. Before any vulnerability can be managed, an organization must have a complete and accurate inventory of all assets, including hardware, software, cloud instances, and network devices. This phase involves asset discovery tools, configuration management databases (CMDB), and cloud inventory services like AWS Config or Azure Resource Graph. Without a full asset inventory, vulnerability scans will miss critical systems, leaving gaps in the security posture. Exam questions often test whether candidates understand that asset discovery must precede scanning.
The second phase is vulnerability scanning and assessment. This involves using tools like Nessus, Qualys, OpenVAS, or cloud-native solutions such as Amazon Inspector or Microsoft Defender for Cloud to scan systems for known vulnerabilities. Scans can be authenticated or unauthenticated, internal or external, and can target specific operating systems, applications, or network protocols. It is crucial to understand the difference between credential-based (authenticated) scans, which provide deeper insight, and unauthenticated scans, which simulate an external attacker's view. In exams, you may be asked to choose the appropriate scan type based on a scenario.
The third phase is prioritization and risk scoring. Not all vulnerabilities pose the same level of risk. Frameworks like CVSS (Common Vulnerability Scoring System) provide a base score, but real-world risk also depends on asset criticality, exploit availability, and threat intelligence. For example, a CVSS 9.0 vulnerability on an internet-facing web server might be prioritized higher than a CVSS 10.0 vulnerability on an isolated internal printer. The CySA+ and CISSP exams emphasize the need to combine CVSS with business context. Prioritization techniques include using the EPSS (Exploit Prediction Scoring System) and integrating threat feeds.
The fourth phase is remediation and mitigation. Remediation involves applying patches, updating software, or reconfiguring systems to eliminate the vulnerability. Mitigation is used when a patch is not immediately available, and may involve compensating controls such as firewall rules, intrusion prevention signatures, or disabling vulnerable services. It is important to distinguish between remediation (fixing the root cause) and mitigation (reducing risk without fixing). In incident response and vulnerability management workflows, SLAs are often defined for critical vulnerabilities, and automated patch management tools like WSUS or AWS Systems Manager Patch Manager are used.
The fifth phase is verification and reporting. After remediation, a rescan is performed to confirm that the vulnerability has been successfully addressed. Reports are generated for stakeholders, including technical teams, management, and auditors. These reports often include metrics such as mean time to remediate (MTTR), vulnerability density, and risk score trends. For the Security+ and MS-102 exams, understanding how to interpret vulnerability scan results and generate meaningful reports is a key objective.
The final phase is continuous improvement. Vulnerability management is not a one-time project; it is a cyclical process. Lessons learned from past incidents, scan results, and threat intelligence are used to refine the scanning schedule, update asset inventories, and improve prioritization criteria. This aligns with the Deming cycle (Plan-Do-Check-Act) often referenced in CISSP and ISO 27001 contexts.
the vulnerability management lifecycle provides a structured approach to reduce organizational risk. Exam questions frequently test the order of phases, the purpose of each step, and the tools associated with them. Candidates who master this lifecycle will be well-prepared for both exams and their careers.
Authenticated vs. Unauthenticated Scans in Vulnerability Management
A critical distinction in vulnerability management is between authenticated and unauthenticated scans. Both scan types serve different purposes and provide different levels of insight. Understanding when to use each is a frequent objective in exams like Security+, CySA+, and AZ-104. This section explains the technical differences, use cases, and exam scenarios.
An unauthenticated scan, also known as an external scan, does not provide any credentials to the target system. The scanner attempts to discover vulnerabilities by probing open ports, analyzing banners, and attempting to interact with services from a remote perspective. This simulates what an external attacker would see without any privileged access. Unauthenticated scans are faster, require less configuration, and are often used for external perimeter assessments or internet-facing systems. However, they are limited because they cannot access file systems, registry settings, or configuration details that require authentication. Many vulnerabilities, especially those related to missing patches or misconfigured registry keys, are only detectable via authenticated scans. In exams, you may be presented with a scenario where an unauthenticated scan missed critical vulnerabilities, and you need to recommend authenticated scanning.
An authenticated scan, or credential-based scan, uses valid user credentials (often domain administrator or local administrator) to log into the target system. This allows the scanner to perform a deep inspection of the operating system, installed software, registry, file permissions, and configuration settings. For example, an authenticated scan can check whether a specific security update is installed by querying the Windows Update history or by checking file versions directly. It can also detect vulnerabilities in service accounts, weak local passwords, or insecure registry keys that would be invisible to an unauthenticated scan. However, authenticated scans require careful management of credentials, increased network traffic, and potentially elevated privileges that must be stored securely. In cloud environments, such as AWS, authenticated scans of EC2 instances require the Systems Manager agent and appropriate IAM roles. The AZ-104 exam may ask about using Azure Update Management or Microsoft Defender for Cloud with credential-based scanning.
When choosing between the two, consider the scope and objectives. For a comprehensive internal vulnerability assessment, authenticated scans are strongly recommended because they reduce false negatives and provide a more accurate picture of the security posture. For external penetration tests or firewall audits, unauthenticated scans may suffice. In SIEM and SOAR workflows, both scan results are often ingested and correlated to prioritize findings.
Exam trick: Questions often describe a scenario where an organization only runs unauthenticated scans and discovers that many vulnerabilities are not being detected. The correct answer is usually to implement authenticated scanning with appropriate credentials and least-privilege permissions. Another trick is to recognize that authenticated scans require network access to the target, so if a system is isolated or has host-based firewalls blocking the scanner, authenticated scans may fail. Understanding these nuances is critical for passing vulnerability management questions.
authenticated scans provide depth, while unauthenticated scans provide breadth from an external attacker's perspective. The best vulnerability management programs use both in combination, with authenticated scans running monthly or weekly and unauthenticated scans running continuously for external assets. This dual approach ensures comprehensive coverage and is a theme across multiple certification domains.
CVSS Scoring and Prioritization in Vulnerability Management
CVSS, or the Common Vulnerability Scoring System, is the industry standard for assigning a numerical score to vulnerabilities based on their severity. However, on its own, CVSS is insufficient for effective prioritization in a real-world vulnerability management program. Exams such as the CISSP, CySA+, and Security+ test not only the mechanics of CVSS scoring but also its limitations and how to combine it with other factors.
CVSS version 3.1 scores vulnerabilities from 0.0 to 10.0, with 10.0 being the most severe. The base score is calculated from three metric groups: the Base metrics (exploitability and impact), Temporal metrics (current exploit status and patch availability), and Environmental metrics (specific to the organization's environment). The Base metrics are the most commonly cited, and include Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality (C), Integrity (I), and Availability (A). For example, a vulnerability with AV:N (network), AC:L (low), PR:N (none), UI:N (none) and high impact on all CIA triad components would receive a high base score, possibly 9.0 or 10.0.
While CVSS provides a standardized severity rating, exam questions often highlight its weaknesses. First, CVSS does not account for the specific business context. A CVSS 7.5 vulnerability on an internet-facing web server handling payment data is far more critical than a CVSS 9.0 vulnerability on a printer used only internally. Second, CVSS does not consider exploit maturity. A vulnerability that has a documented proof-of-concept exploit and is being actively used in the wild should be prioritized much higher than one that is only theoretical. Third, CVSS does not factor in the value of the affected asset. High-value servers, domain controllers, and databases should receive higher priority regardless of CVSS score.
To address these limitations, modern vulnerability management programs use risk-based vulnerability management (RBVM) frameworks. RBVM combines CVSS with threat intelligence feeds (e.g., CISA KEV, Exploit-DB), asset criticality ratings (tier 1, tier 2, etc.), and exposure factors (e.g., internet-facing vs. internal). The result is a prioritized list that answers the question, Which vulnerabilities should we fix first? Tools like Qualys VMDR, Tenable.io, and Rapid7 InsightVM incorporate these techniques. In the CISSP exam, you may be asked to describe how to create a risk-based prioritization policy that aligns with business objectives.
EPSS (Exploit Prediction Scoring System) is becoming increasingly important. EPSS uses machine learning to predict the likelihood that a vulnerability will be exploited in the next 30 days. A vulnerability with a high EPSS score (e.g., >0.9) indicates a high probability of exploitation and should be remediated urgently, even if its CVSS score is moderate. The CySA+ exam may include questions about using EPSS alongside CVSS.
In practice, a common prioritization workflow is: first, filter for vulnerabilities that have known exploits (CISA KEV or EPSS >0.5). Second, apply asset criticality – assign higher priority to systems that handle sensitive data or are critical to business operations. Third, consider the network exposure – internet-facing systems are higher risk. Fourth, use CVSS score to fine-tune within that subset. This multi-step approach is more effective than relying solely on CVSS.
Exam clue: A question may present a list of vulnerabilities with CVSS scores and ask which should be patched first. The correct answer is not always the highest CVSS score; it is the one that combines a high CVSS score with a known exploit and a critical asset. Understanding that CVSS is just one input in a broader decision-making process is key.
mastering CVSS and its integration with other prioritization factors is essential for vulnerability management professionals. The ability to articulate why a CVSS 7.5 vulnerability might be more urgent than a CVSS 10.0 vulnerability is exactly the kind of analytical thinking that exams and real-world roles require.
Remediation, Mitigation, and Acceptance Strategies for Vulnerabilities
Once vulnerabilities have been identified and prioritized, organizations must decide how to respond. The three primary strategies are remediation, mitigation, and acceptance. Each has its own place in a vulnerability management program, and exam questions from Security+ through CISSP frequently test the differences and appropriate applications.
Remediation means completely eliminating the vulnerability. The most common form of remediation is applying a software patch or security update. For example, if a critical vulnerability exists in a Windows Server version, installing the latest cumulative update from Microsoft would be remediation. Remediation can also involve upgrading the software to a newer, non-vulnerable version, or replacing the hardware entirely. In cloud environments, remediation might mean updating an Amazon Machine Image (AMI) or redeploying an Azure VM with the latest configuration. From an exam perspective, remediation is always the preferred option when feasible because it removes the root cause. However, it may not be immediately possible due to operational constraints, compatibility issues, or scheduled maintenance windows.
Mitigation refers to reducing the risk of a vulnerability without actually fixing the underlying flaw. This is often used when a patch is unavailable or cannot be applied quickly. Common mitigation measures include applying a firewall rule to block the vulnerable port, implementing an intrusion prevention system (IPS) signature to block exploit traffic, disabling vulnerable services or features, or using network segmentation to isolate the vulnerable system. For example, if a vulnerability exists in the RDP service, mitigation could involve disabling RDP or restricting access to specific IP addresses. Another example is enabling Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) to make exploitation more difficult. Mitigation is temporary and should be followed by full remediation as soon as possible. In the CISSP exam, you will be asked to identify appropriate compensating controls when a patch cannot be applied.
Acceptance is a risk management decision where the organization acknowledges the vulnerability but decides not to take any action. This is only valid when the risk is deemed low or the cost of remediation exceeds the potential impact. Acceptance must be formally documented, typically through a risk acceptance form signed by an authorized manager or risk owner. The vulnerability management team should track accepted risks and periodically review them to see if conditions have changed (e.g., a new exploit is released). In regulated environments, acceptance may be limited or require additional approvals. The CySA+ exam may present a scenario where an administrator must decide whether to accept a risk based on business impact.
A fourth, less common strategy is remediation through configuration change. Sometimes a vulnerability is not caused by missing patches but by misconfiguration. For example, a server with default credentials, open permissions, or unnecessary services running. Fixing these is a form of remediation that does not involve patching. Hardening baselines like CIS Benchmarks or Microsoft Security Baselines are excellent references for such fixes.
Important exam concepts: SLA-driven remediation – many organizations have Service Level Agreements that dictate how quickly vulnerabilities must be fixed based on severity. For example, critical vulnerabilities must be patched within 24 hours, high within 72 hours, and medium within 30 days. Also, understanding patch management cycles – not all patches can be deployed immediately due to testing requirements. In the MS-102 exam, you might manage update rings for Windows 10/11 devices using Windows Update for Business, ensuring patches are tested in a pilot group before broad deployment.
Finally, verification after remediation is crucial. A rescan must confirm that the vulnerability no longer exists. False positives can occur if a patch was applied incorrectly or the scanner misidentified the issue. The vulnerability management team should have a process for marking findings as fixed only after successful verification.
the choice between remediation, mitigation, and acceptance depends on factors like patch availability, operational impact, and risk appetite. Security professionals must be able to recommend the most appropriate strategy based on a given scenario, and exams will test this decision-making ability thoroughly.
Troubleshooting Clues
Authenticated Scan Fails with 'Access Denied'
Symptom: Vulnerability scanner returns 'Access Denied' or 'Unable to log in' for multiple Windows systems during authenticated scan.
The scanner's credentials are incorrect, expired, or lack necessary privileges (e.g., not a local admin). Alternatively, the scanner's IP might not be in the Windows Firewall allow list, or WinRM is disabled.
Exam clue: Exam questions often present this scenario and require enabling WinRM and adding the scanner to the local Administrators group. Also check UAC remote restrictions.
Vulnerability Scan Shows False Positives for Missing Patches
Symptom: The scanner reports a missing patch, but manual inspection confirms the patch is installed. Scan results are inaccurate.
This can happen if the scanner uses file version detection but the file was updated by a later patch. Or the patch was installed but the scanner's database is outdated. Also, the scan may have used unauthenticated checks that cannot see installed patches.
Exam clue: CySA+ and Security+ exams test the concept of false positives and recommend running authenticated scans and keeping the scanner's plugin database updated.
Network Scanner Misses Internal Devices on a Separate VLAN
Symptom: The vulnerability scan does not detect devices on a specific internal VLAN, even though the scanner has network access to other VLANs.
The scanner is likely not on the same broadcast domain or the VLAN has ACLs blocking the scanner's IP. Alternatively, the target devices have host-based firewalls that block scan traffic on common ports.
Exam clue: Questions on network segmentation and scanning coverage appear in Security+ and CISSP. The fix is to deploy a scan appliance inside the VLAN or configure firewall rules to allow scanner traffic.
High Severity Vulnerabilities Remain Unpatched Past SLA
Symptom: Critical vulnerabilities are still unpatched after 30 days, exceeding the organization's 72-hour SLA.
Possible reasons: patch testing cycle is too slow, change management blockers, lack of owner accountability, or the patch is incompatible with critical applications. The organization may need a risk acceptance or emergency change process.
Exam clue: CISSP and CySA+ exams test knowledge of patch management policies and exceptions. The correct answer often involves implementing a risk acceptance form or emergency change advisory board (ECAB).
Vulnerability Scanner Performance Impact on Production Systems
Symptom: During scans, production servers experience high CPU usage, slow response times, or service disruptions.
Authenticated scans use significant resources, especially when checking all file versions and registry keys. The scanner may be running too many concurrent checks, or the scan schedule overlaps with peak business hours.
Exam clue: Security+ and MS-102 exams ask about scheduling scans during maintenance windows and using network-based throttling. Also consider using agent-based scanning that performs low-impact scans continuously.
Virtual Machine Snapshots Cause Inconsistent Scan Results
Symptom: Scanning a VM that was reverted to a previous snapshot shows old vulnerabilities that were already patched.
The VM was rolled back to a pre-patch state, so vulnerabilities reappear. The vulnerability management system may not be aware of the snapshot or the change in state.
Exam clue: AZ-104 and AWS SAA exams test the impact of snapshots and AMI management on vulnerability posture. The solution is to trigger a fresh scan after any VM restoration.
Third-Party Software Not Detected by Scanner
Symptom: The vulnerability scanner does not detect known CVEs in custom or third-party applications installed on endpoints.
The scanner's software database may not include that specific application. Custom applications may require manual integration or custom plugins. Also, the scanner may not have deep inspection capabilities for non-standard file paths.
Exam clue: CySA+ exam mentions the need for custom scanning profiles or script-based assessments for proprietary software. The exam may ask to use SBOM (Software Bill of Materials) feeds for accuracy.
Memory Tip
Vulnerability management is a cycle, not a point in time. Remember the six phases: Identify, Analyze, Prioritize, Remediate, Verify, Repeat. The acronym IAPRVR can help: I Am Protecting Real Vulnerabilities Repeatedly.
Learn This Topic Fully
This glossary page explains what Vulnerability management means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →PT0-003CompTIA PenTest+ →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
Quick Knowledge Check
1.A security analyst runs an unauthenticated vulnerability scan on an internal network and receives no critical findings. However, a subsequent authenticated scan reveals several critical missing patches. What is the most likely reason for the discrepancy?
2.An organization has identified a critical vulnerability with a CVSS score of 9.8 on a web server that is part of a DMZ. The server cannot be patched immediately because it runs a legacy application that is incompatible with the patch. Which of the following is the BEST initial course of action?
3.A vulnerability scanner reports a 'missing patch' for a Windows server, but an administrator verifies the patch is installed and shows in the installed updates list. What is the most likely cause of this false positive?
4.Which of the following would be the best approach to prioritize vulnerabilities in a risk-based vulnerability management program?
5.An Azure administrator needs to inventory all VMs in a subscription to prepare for a vulnerability assessment. Which command should they use?
Frequently Asked Questions
How often should vulnerability scans be performed?
Most frameworks recommend at least monthly scans for internal assets and weekly or continuous scans for public-facing systems. The exact frequency depends on your organization's risk profile, regulatory requirements, and rate of change. Some environments scan daily or integrate scanning into their CI/CD pipeline.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an automated process that checks for known vulnerabilities and produces a list of findings. A penetration test is a manual or semi-manual simulation of an attack that attempts to exploit vulnerabilities to determine actual risk. Vulnerability scans are broader and more frequent; penetration tests are deeper and usually occur less often.
What should I do if a vulnerability cannot be patched immediately?
If a patch is not available or cannot be applied due to operational constraints, implement compensating controls. This could include isolating the system, applying firewall rules, using a virtual patch via a WAF, or disabling the vulnerable feature. Document the risk acceptance and set a timeline for when a permanent fix will be applied.
What is a false positive in vulnerability scanning?
A false positive is a finding that a vulnerability scanner reports as present, but when manually checked, the vulnerability does not actually exist. False positives can occur due to outdated scanner plugins, incorrect detection logic, or misconfigurations in the scan. It is important to manually validate critical findings before taking action.
What is the role of CVSS in vulnerability management?
CVSS (Common Vulnerability Scoring System) provides a standardized numerical score for each vulnerability based on its characteristics, such as attack vector, complexity, and impact. CVSS scores help prioritize which vulnerabilities to fix first, but they should be supplemented with business context and threat intelligence.
Do I need to scan all assets, including personal devices?
You should scan all assets that connect to your corporate network or that handle corporate data. Personal devices that are not managed by the organization fall outside the scope of your vulnerability management program, but you may implement policies like requiring VPN access that enables scanning.
How do I get started with vulnerability management?
Start by creating an asset inventory, then choose a vulnerability scanner that fits your environment. Begin with a baseline scan to understand the current state. Establish a policy that defines scan frequency, severity thresholds, and remediation SLAs. Then set up a recurring scan schedule and a process for handling findings.