Vulnerability Coverage & Management


Prioritize & Remediate Vulnerabilities


Introduction

Vulnerability coverage and management is one of the cornerstones of cybersecurity. Axonius makes it simple to evaluate your attack surface and focus on the most critical and vulnerable assets.

Audience: SOC Teams, Compliance and Risk Teams, Desktop and Server Teams, CISO & Executive Teams
Difficulty: Intermediate to Advanced
Execution Time: 1 week, ongoing refinement
Duration of Use Case: Perpetual
Value: Policy Compliance, Targeted Remediation, Cost Reduction, Risk Reduction, & Improved Security Posture

What is this use case?

The primary objective of Vulnerability Coverage & Management is ensuring that all systems, applications, and networks within an organization are continuously monitored to identify, assess, prioritize, and remediate vulnerabilities. This involves ensuring that all devices have proper vulnerability tool coverage, which then enables you to understand the overall security posture, mitigate risks associated with potential threats, and maintain compliance with industry standards and regulations.

Use Case in Action:

We’ll use Tenable.io coverage to demonstrate this use case today; however, the same approach applies to a multitude of security tools, including:

  • Qualys

  • Tenable

  • Rapid7

We will then use data from vulnerability scanners, CISA, and EDR tools to demonstrate some of the core starting points for this use case. This use case can be expanded to include metrics as defined by your organization and policies.

Why is it Relevant?

Compliance with Standards: Essential for meeting regulations like ISO/IEC 27001, PCI DSS, GDPR, HIPAA, and more.

Protecting your attack surface: Ensuring assets are hardened against attack through your security tool suite.

Coverage Overview

Scope

How do I build this use case?

The starting point for any use case is always queries. For Vulnerability Management, we begin with vulnerability tool coverage queries, focusing on three core areas: Scoping Queries, Metric Queries, and Combination/Presentation Queries. Each of the queries below is essential in identifying a device's context and in providing insight into the tools appropriate for that context; together they underpin the visualization and automation components of this use case.

  1. Scoping Queries

    1. Establish what assets are in-scope or out-of-scope.

    2. Examples:

      OS Type

      Business Units

      High Priority Assets

  2. Metric Queries (Tenable.io)

    1. Examples: Tool Footprint, Recently scanned or not

  3. Combine Scoping and Metric Queries

    1. Examples:

      In-scope devices not seen by Tenable.io

      In-scope devices with Remote\Network Scan Only
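The three query layers above (scoping, metric, combination) can be hard to picture without data. The following is an added example, not Axonius's query language, API, or any scanner's output: it runs the same logic over a small constructed inventory, where each record stands in for a device as an inventory platform would see it after correlating a CMDB, an EDR adapter and Tenable.io. Every field name, hostname, the 14-day staleness threshold and the "Windows and Linux are in scope" policy are assumptions made for the example.

```python
"""Coverage gap analysis over a constructed asset inventory (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible; a real run would use datetime.now(timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=14)  # assumption: a scan older than this counts as stale

# Constructed inventory. Scoping attributes (os, bu, high_priority) come from the CMDB;
# the "tenable" block is the per-tool metric data (seen?, how scanned?, when?).
INVENTORY = [
    {"hostname": "web-01", "os": "Linux", "bu": "Retail", "high_priority": True,
     "tenable": {"seen": True, "scan_types": ["agent"], "last_scan": NOW - timedelta(days=2)}},
    {"hostname": "db-01", "os": "Linux", "bu": "Retail", "high_priority": True,
     "tenable": {"seen": True, "scan_types": ["remote"], "last_scan": NOW - timedelta(days=5)}},
    {"hostname": "wks-17", "os": "Windows", "bu": "Finance", "high_priority": False,
     "tenable": {"seen": False}},
    {"hostname": "wks-22", "os": "Windows", "bu": "Finance", "high_priority": False,
     "tenable": {"seen": True, "scan_types": ["agent"], "last_scan": NOW - timedelta(days=40)}},
    {"hostname": "printer-03", "os": "Embedded", "bu": "Facilities", "high_priority": False,
     "tenable": {"seen": False}},
]


# --- Scoping query: which devices do we expect Tenable.io to cover? -------------
def in_scope(device):
    """Assumed policy: Windows and Linux are in scope; embedded/appliance OSes are not."""
    return device["os"] in {"Windows", "Linux"}


# --- Metric queries (Tenable.io) -----------------------------------------------
def not_seen(device):
    return not device["tenable"]["seen"]


def remote_scan_only(device):
    """Seen by Tenable.io, but only via a remote/network scan (no agent)."""
    t = device["tenable"]
    return t["seen"] and set(t["scan_types"]) == {"remote"}


def stale_scan(device, now=NOW):
    """Agent or scan data older than the staleness threshold."""
    t = device["tenable"]
    return t["seen"] and now - t["last_scan"] > STALE_AFTER


# --- Combination / presentation queries ----------------------------------------
def coverage_report(inventory=INVENTORY, now=NOW):
    """Apply the metric queries only to the scoped population, then summarise."""
    scoped = [d for d in inventory if in_scope(d)]
    report = {
        "in_scope": len(scoped),
        "not_seen": sorted(d["hostname"] for d in scoped if not_seen(d)),
        "remote_only": sorted(d["hostname"] for d in scoped if remote_scan_only(d)),
        "stale": sorted(d["hostname"] for d in scoped if stale_scan(d, now)),
    }
    covered = len(scoped) - len(report["not_seen"])
    # The single number leadership asks for, computed over the same scoped set
    report["coverage_pct"] = round(100 * covered / len(scoped), 1) if scoped else 0.0

    # Same metric broken down by business unit, so gaps can be assigned to an owner
    seen_by_bu, total_by_bu = defaultdict(int), defaultdict(int)
    for d in scoped:
        total_by_bu[d["bu"]] += 1
        if not not_seen(d):
            seen_by_bu[d["bu"]] += 1
    report["coverage_by_bu"] = {bu: round(100 * seen_by_bu[bu] / n, 1) for bu, n in total_by_bu.items()}
    return report


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

Note that the printer is never counted as a gap: the scoping query removes it before any metric is applied, which is exactly why scoping comes first. Changing the scoping rule (for example, adding a business unit filter) changes the denominator of the coverage percentage, so the rule should be documented alongside the number it produces.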

Visibility

How do I visually explain this use case?

Reporting on vulnerability tool coverage is often expected as a single number: what percentage of my devices are covered (or not covered)? However, visually explaining the use case requires several facets to ensure executives and analysts alike understand the trajectory of each security tool’s coverage.

Recommended Visualizations

There are several key visualizations we recommend when starting this use case, which attempt to answer key questions posed by leadership and executives.

Coverage Measurement – How many of my devices are not seen by this tool?

Coverage State – How many devices seen have a Network\Remote Scan only?

Agent Health – Are all of my agents healthy and up-to-date, and have they recently scanned the devices?

Actionability

How do I automate this use case?
Automation is a key component for the Vulnerability Tool coverage use case, allowing us to immediately take action to resolve the issues we identify. We can break this down into several categories of automation, in increasing order of complexity.

Reporting
Automatically deliver timely, detailed, and accurate reports to stakeholders through emails, report PDFs, and CSV dumps.

Ticketing
Automatically create work tickets for responsible parties directly in your ticketing system of choice, creating seamless workflows.

Update VA Coverage
Automatically deploy agents to endpoints by executing scripts such as PowerShell, or by leveraging repositories such as SentinelOne Remote Script Orchestration.

Automatically configure the vulnerability solution to scan IPs not currently covered, for example with Tenable.io - Add IP Addresses to Scan.

Management Overview

Scope

How do I build this use case?

The prior set of queries determined which devices are and are not covered by our vulnerability tools. This part of the Vulnerability Management use case explores which vulnerabilities are present in our environment. In the queries below we’ll track metrics related to CISA, critical severity vulnerabilities, and assets needing extra attention, following our standard steps: scoping queries (reused from the coverage use case), metric queries, and Combination/Presentation Queries. Each of the queries below is essential in tracking vulnerabilities and underpins the visualization and automation components of this use case. We will also use the Relationship query type for advanced vulnerability tracking.

  1. Scoping Queries (From Tool Coverage)

    1. Establish what assets and vulnerabilities are in-scope or out-of-scope.

    2. Examples:

      OS Type

      High Priority Assets

      Exceptions/Exclusions

  2. Metric Queries

    1. Establish what we want to measure.

      1. Examples:

        Vulnerability Severity

        Vulnerability Exploitability

        Vulnerability Count

  3. Combine Scoping and Metric Queries

    1. Combining scoping and metric queries helps to target your vulnerability management work by identifying and prioritizing vulnerabilities within specific contexts.

      1. Examples:

        Trend of assets with critical vulnerabilities.

        Assets with known-exploited vulnerabilities missing Crowdstrike.

      2. NOTE: Relationship queries allow for greater control over vulnerable devices.
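The combination step is where asset context (priority, exclusions, EDR presence) changes the order in which findings get worked. The following is an added example and is not Axonius's query language, its Relationship query type, or any scanner's API: it joins constructed vulnerability findings to constructed device records the way a relationship-style query would, and computes the two example outputs above (the count of assets with critical findings, and known-exploited findings on assets missing CrowdStrike). The CVE ids are placeholders, and the scoring weights are an assumption chosen for illustration.

```python
"""Vulnerability prioritization over constructed asset and finding records (added example)."""
from collections import Counter, defaultdict

# Constructed device records: scoping attributes plus EDR presence.
# "excluded" marks an approved exception that must leave the metrics entirely.
DEVICES = {
    "web-01": {"os": "Linux", "high_priority": True, "crowdstrike": True},
    "db-01": {"os": "Linux", "high_priority": True, "crowdstrike": False},
    "wks-17": {"os": "Windows", "high_priority": False, "crowdstrike": True},
    "lab-09": {"os": "Windows", "high_priority": False, "crowdstrike": False, "excluded": True},
}

# Constructed findings referencing devices by hostname. "kev" marks a CVE that is on a
# known-exploited list (CISA KEV in the page's terms). Ids are placeholders, not real CVEs.
FINDINGS = [
    {"cve": "CVE-0000-0001", "severity": "critical", "kev": True, "host": "db-01"},
    {"cve": "CVE-0000-0001", "severity": "critical", "kev": True, "host": "web-01"},
    {"cve": "CVE-0000-0002", "severity": "high", "kev": False, "host": "web-01"},
    {"cve": "CVE-0000-0003", "severity": "critical", "kev": False, "host": "wks-17"},
    {"cve": "CVE-0000-0004", "severity": "critical", "kev": True, "host": "lab-09"},
    {"cve": "CVE-0000-0005", "severity": "medium", "kev": False, "host": "wks-17"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


# --- Scoping: drop excluded/exception devices before measuring anything --------
def scoped_findings(findings=FINDINGS, devices=DEVICES):
    return [f for f in findings if not devices[f["host"]].get("excluded", False)]


# --- Metric: one score per finding, combining vulnerability and asset context --
def priority(finding, device):
    """Assumed scoring: severity first, then exploitability, then asset context."""
    score = SEVERITY_RANK[finding["severity"]]
    if finding["kev"]:
        score += 3  # known-exploited outranks an unexploited critical
    if device["high_priority"]:
        score += 2
    if not device["crowdstrike"]:
        score += 2  # no EDR to detect exploitation, so patching is the only control left
    return score


# --- Combination: relationship-style join of findings to their devices ---------
def prioritized_findings(findings=FINDINGS, devices=DEVICES):
    """Worklist ordered highest score first; ties broken by hostname then CVE."""
    rows = [(priority(f, devices[f["host"]]), f["host"], f["cve"])
            for f in scoped_findings(findings, devices)]
    return sorted(rows, reverse=True)


def kev_hosts_missing_edr(findings=FINDINGS, devices=DEVICES):
    """Assets with known-exploited vulnerabilities that are missing the CrowdStrike agent."""
    return sorted({f["host"] for f in scoped_findings(findings, devices)
                   if f["kev"] and not devices[f["host"]]["crowdstrike"]})


def critical_asset_count(findings=FINDINGS, devices=DEVICES):
    """Distinct in-scope assets with at least one critical finding; one point on the trend chart."""
    return len({f["host"] for f in scoped_findings(findings, devices) if f["severity"] == "critical"})


def severity_breakdown(findings=FINDINGS, devices=DEVICES):
    """Findings per severity, grouped by OS type, for the breakdown chart."""
    by_os = defaultdict(Counter)
    for f in scoped_findings(findings, devices):
        by_os[devices[f["host"]]["os"]][f["severity"]] += 1
    return {os_name: dict(counts) for os_name, counts in by_os.items()}


if __name__ == "__main__":
    for score, host, cve in prioritized_findings():
        print(f"{score:2d}  {host:8s}  {cve}")
    print("KEV on hosts missing EDR:", kev_hosts_missing_edr())
    print("Assets with critical findings:", critical_asset_count())
    print("Breakdown by OS:", severity_breakdown())
```

Two points worth noticing in the output. The same CVE on db-01 and web-01 lands at different positions because the asset context (missing EDR) differs, which is what a relationship query gives you over a flat vulnerability list. And lab-09 carries a known-exploited critical but appears nowhere, because the exclusion is applied in the scoping layer; an exception list that is not applied consistently across every metric produces numbers that disagree with each other. Calling critical_asset_count on successive snapshots yields the trend series.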

Visibility

How do I visually explain this use case?

Reporting on vulnerability management is often expected as a set of key metrics, such as the percentage of vulnerabilities identified, assessed, and remediated. Creating visual dashboards that represent these key metrics requires multiple facets to ensure executives and analysts alike understand the overall security posture and the effectiveness of the vulnerability management process.

Recommended Visualizations

We recommend several key visualizations when starting this use case, which attempt to answer key questions posed by leadership and executives.

Vulnerability Coverage – How many assets are being scanned for vulnerabilities?

Vulnerability Trend – Count of vulnerabilities over time.

Vulnerability Breakdown Charts – Breakdown of vulnerability information by attributes such as CISA listing, vendor, OS type, etc.

Actionability

How do I automate this use case?
Automation is a key component for the vulnerability management use case, allowing us to immediately take action to resolve the issues we identify. We can break this down into several categories of automation, in increasing order of complexity.

Reporting
Automatically deliver timely, detailed, and accurate reports to stakeholders through emails, report PDFs, and CSV dumps.

  • Examples Include:

    • Send Email or Send Message, such as to Slack or Microsoft Teams

    • Send CSV to S3 or Azure Storage

    • Reports, or sending reports automatically.

Ticketing
Create work tickets directly in your ticketing system of choice, creating seamless workflows without relying on inbox spelunking or message tracking.

  • Examples Include:

    • ServiceNow, Cherwell – Create Incident

    • Fresh Service, Zendesk, Jira Service Management – Create Ticket

    • ManageEngine ServiceDesk Plus – Create Request