
With 50,000 vulnerabilities published in 2025 by the CVE (Common Vulnerabilities and Exposures) program alone, it has become very difficult to keep track of and prioritize them. Yet vulnerability monitoring is an essential part of a vulnerability management and patching process.
Let’s state the obvious right away: it is impossible to fix all known vulnerabilities instantly. It is therefore essentially a matter of managing your vulnerabilities—that is, controlling the known vulnerabilities that are inevitably present in the information system.
Controlling them involves taking many factors into account, including:
- Maintaining an inventory of the technologies in use, including information such as the business criticality and the exposure of each one;
- Monitoring the technologies identified in this way: vendor information, vulnerability databases, news, etc.;
- Taking action at the right time based on the risk.
Managing your vulnerabilities may seem simple: list everything in the information system and apply a fix each time a new version of a listed item is released. This is an illusion. You need strategies that keep the workload within what your teams can actually absorb.
Choosing Your Battle
A security strategy must be adopted based on the resources at your disposal and the risk model considered by the information systems security governance team.
These two elements stem directly from the nature of the business: a local government, a logistics platform, and a nuclear power plant do not have the same risk model or the same security teams.
This is where you must make your first decision: what to monitor.
Vulnerability management is an iterative process. It is by repeating the cycle that you improve, but above all that you take into account the dynamic nature of the information system.
If we follow this idea, it is not necessary to know everything right from the start. Worse, trying to be exhaustive can lead to premature burnout among your teams.
It is therefore necessary to prioritize monitoring critical assets and those most at risk first. This is how you can achieve a significant initial result with minimal effort.
Exposed assets are generally the easiest to identify. Numerous tools, particularly External Attack Surface Management tools, exist to discover those exposed on the Internet.
However, it can be a bit more challenging to identify critical assets when you’re new to the role and don’t yet have an in-depth understanding of your organization’s business operations. And these assets aren’t necessarily the most exposed ones. An initial discussion with your business teams is therefore important, both from a technical standpoint and to ensure their involvement in the process.
Identifying assets critical to the business, as well as those publicly exposed, provides an initial list of products to monitor. This is the list that will yield the greatest benefits for you at the outset.
Identify information sources
Once key products have been cataloged, it is important to carefully select the right information sources. Not all sources are created equal.
Some are essential, such as the CVE program, but they are not sufficient on their own. It is important to combine them and tailor your monitoring efforts to the organization’s actual needs: industry sector, regulations, and the types of products deployed in the information system.
It is advisable to adopt a differentiated approach depending on the information sources:
- Alerts from incident response teams (national or sector-specific CERTs);
- Vulnerability database feeds: CVE, NVD, EUVD, CISA KEV;
- Specialized or general news sources;
- Vendor alerts: private and public.
Alerts from vendors and CERTs are generally of particular importance because they flag the issues that may require an immediate, crisis-style response. They should be monitored daily, especially for your strategic vendors.
Vulnerability database feeds are more difficult to process: their raw records carry no context about your environment and arrive as a mass of unfiltered information that must be filtered, sorted, and prioritized.
They are nonetheless important for establishing a common language regarding known vulnerabilities. As such, it is worthwhile to consult them regularly (for example, once a week) to identify less critical vulnerabilities that may still impact your information system.
News reports provide you with a pre-screened overview to help you make a decision. They are particularly useful for quickly gaining a comprehensive view of an event related to the disclosure or exploitation of a vulnerability.
Be careful, however, not to get lost in them or place blind trust in them. News reports can be downplayed or exaggerated, and the information may be outdated or simply false.
Make intelligence actionable
Your threat intelligence efforts are useless if your teams aren’t properly informed.
Too many cyber threat intelligence teams send lists of vulnerabilities to their IT or business teams without any context.
Keep in mind that, ultimately, it is always people who will decide whether to take action on a system. Flooding them with information without context (for example, a ticket for every CVE) will overwhelm them and cause them to stop reading, which is exactly how a truly critical vulnerability goes unnoticed.
Take context and business risks into account. Your team will understand much better why it’s necessary to fix a vulnerability if it poses a tangible threat to their operations.
To do this, ask yourself the following questions (and answer them before communicating):
- What are the operational impacts in light of the risk model? Disruption of the supply chain, customer data breach, unavailability of the e-commerce site?
- What is the actual severity of the threat? Is the vulnerability being exploited? Is it exploitable in your situation? Is there interest from malicious actors?
- Are you required by regulation or internal policy to address this quickly?
- How do you implement the fix? Will the action result in downtime?
Consolidate the information. If a single action can resolve 10 or 100 vulnerabilities, your teams will see greater value in it. It is therefore counterproductive to immediately forward every new vulnerability to your teams; instead, consolidate them and monitor the timelines for applying patches.
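The two steps described above, filtering raw feed records against the inventory of key products (the "Identify information sources" section) and then scoring each match against the four triage questions and consolidating the results into a single action per fix, can be written down as a small triage routine. The following is an added example, not code from the original article or from any vendor: the record layout, field names, scoring weights and urgency threshold are all assumptions chosen for illustration, and the inventory and feed entries are constructed sample data with placeholder CVE identifiers.

```python
"""Triage vulnerability feed entries against an asset inventory and
consolidate them into remediation actions. Added example: the schema,
weights and threshold below are assumptions, not a published standard."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

URGENT_THRESHOLD = 70  # assumed cut-off; tune it to your own risk model


@dataclass(frozen=True)
class Asset:
    product: str       # normalized product name, shared with the feed
    version: str
    criticality: str   # "high" / "medium" / "low", agreed with the business teams
    exposed: bool      # reachable from the Internet (e.g. confirmed by EASM)
    regulated: bool    # subject to a regulatory or policy patching deadline


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    affected: tuple[str, ...]   # versions known to be affected
    fixed_in: str               # first version carrying the fix
    exploited: bool             # e.g. present in CISA KEV
    cvss: float


@dataclass
class Action:
    product: str
    fixed_in: str
    cves: list[str]
    score: int
    reasons: list[str]

    @property
    def urgent(self) -> bool:
        return self.score >= URGENT_THRESHOLD


def score(v: Vuln, a: Asset) -> tuple[int, list[str]]:
    """Answer the triage questions for one (vulnerability, asset) pair:
    exploited? exposed? business impact? regulatory pressure? Returns the
    score and the human-readable context to put in the ticket."""
    pts, why = 0, []
    if v.exploited:
        pts += 40; why.append("actively exploited")
    if a.exposed:
        pts += 25; why.append("Internet-exposed")
    if a.criticality == "high":
        pts += 20; why.append("business-critical asset")
    elif a.criticality == "medium":
        pts += 10
    if a.regulated:
        pts += 10; why.append("regulatory deadline applies")
    if v.cvss >= 9.0:
        pts += 10
    elif v.cvss >= 7.0:
        pts += 5
    return pts, why


def triage(inventory: list[Asset], feed: list[Vuln]) -> list[Action]:
    """Keep only feed entries that hit a deployed version, score them, and
    merge everything fixed by the same upgrade into one action."""
    by_product = defaultdict(list)
    for a in inventory:
        by_product[a.product].append(a)
    buckets: dict[tuple[str, str], Action] = {}
    for v in feed:
        for a in by_product.get(v.product, []):
            if a.version not in v.affected:
                continue  # not deployed in an affected version: drop the noise
            pts, why = score(v, a)
            key = (a.product, v.fixed_in)
            act = buckets.setdefault(key, Action(a.product, v.fixed_in, [], 0, []))
            if v.cve not in act.cves:
                act.cves.append(v.cve)
            act.score = max(act.score, pts)  # the action inherits its worst CVE
            act.reasons.extend(r for r in why if r not in act.reasons)
    return sorted(buckets.values(), key=lambda x: x.score, reverse=True)


def describe(act: Action) -> str:
    """One consolidated ticket line: the fix, what it closes, and why it matters."""
    tag = "URGENT" if act.urgent else "batch"
    return (f"[{tag}] Upgrade {act.product} to {act.fixed_in}: closes "
            f"{len(act.cves)} CVE(s) ({', '.join(act.cves)}); "
            f"context: {', '.join(act.reasons) or 'none'}")


# Constructed sample data (not a real inventory or feed). The CVE IDs use a
# placeholder year "XXXX" so they cannot be confused with real records.
INVENTORY = [
    Asset("acme-vpn", "2.3.0", "high", exposed=True, regulated=True),
    Asset("intranet-wiki", "5.1", "medium", exposed=False, regulated=False),
]
FEED = [
    Vuln("CVE-XXXX-0001", "acme-vpn", ("2.3.0", "2.3.1"), "2.4.0", exploited=True, cvss=9.8),
    Vuln("CVE-XXXX-0002", "acme-vpn", ("2.3.0",), "2.4.0", exploited=False, cvss=6.5),
    Vuln("CVE-XXXX-0003", "acme-vpn", ("2.2.0",), "2.3.0", exploited=False, cvss=8.1),   # already fixed
    Vuln("CVE-XXXX-0004", "intranet-wiki", ("5.1",), "5.2", exploited=False, cvss=7.5),
    Vuln("CVE-XXXX-0005", "other-product", ("1.0",), "1.1", exploited=True, cvss=10.0),  # not deployed
]

if __name__ == "__main__":
    for action in triage(INVENTORY, FEED):
        print(describe(action))
```

Run as a script, it prints two lines: one urgent action (upgrade acme-vpn to 2.4.0, closing two CVEs, with the exploitation, exposure, criticality and regulatory context spelled out) and one batch action for the intranet wiki. The already-fixed entry and the product that is not deployed never reach anyone. The point of the `reasons` list is the "context" the article insists on: the ticket says why the fix matters, not just which CVEs it closes.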
When a vulnerability is significant—that is, when it checks several boxes on the list above—don’t hesitate to take a more immediate approach.
It’s up to you to convince your teams that they have a stake in acting quickly. And this is all easier when the stakes are understood and you demonstrate that the security teams are there to provide support, not to issue orders.
Conclusion
Monitoring vulnerabilities and turning that monitoring into actual protection for the information system is less straightforward than it seems.
We have seen that prioritization must be anchored in the regulatory environment, the risk model, and internal policies. Trying to address every known vulnerability immediately is counterproductive.
Implementing such a process cannot happen without the involvement of business teams, who are at the heart of your prioritization and the choices you will make to guide your monitoring.
While it is important to have a minimum variety of sources—especially to adapt to different levels of urgency—you must also avoid getting overwhelmed by the sheer volume of available information. Alert fatigue can set in very quickly.
It is vital to process information to turn it into intelligence: contextualize, consolidate, and control the dissemination to provide the right information at the right time.
Be pragmatic and accept the risk that a vulnerability that is not actively exploited may remain in your information system for a while. And be responsive when necessary.