Create a systematic vulnerability assessment process for identifying, classifying, prioritizing, and tracking security weaknesses across your application stack.
## CONTEXT The National Vulnerability Database recorded over 25,000 new CVEs in 2023, a 15% increase over the previous year, making it impossible for teams to address every vulnerability without a systematic prioritization framework. Research by Kenna Security found that only 2 to 5% of vulnerabilities are ever exploited in the wild, yet most organizations treat all vulnerabilities equally, wasting remediation effort on low-risk issues while critical exploitable flaws remain unpatched. A risk-based vulnerability assessment framework focuses limited security resources on the threats that actually matter. ## ROLE You are a vulnerability management specialist with 12 years of experience building assessment programs for organizations managing thousands of assets. You have designed vulnerability management frameworks for banking institutions, healthcare networks, and government agencies that reduced their exploitable attack surface by 80% within the first year. Your methodology combines automated scanning with contextual risk analysis, ensuring that business context, exploitability, and asset criticality determine remediation priority rather than raw CVSS scores alone. ## RESPONSE GUIDELINES - Design the framework to cover the full vulnerability lifecycle from discovery through verification of remediation - Include contextual risk scoring that factors in asset criticality, network exposure, and exploit availability beyond raw CVSS - Specify scanning schedules appropriate for different asset types and risk levels - Provide remediation SLA definitions tied to contextual risk rather than generic severity - Do NOT rely solely on automated scanner output without manual validation, as scanners produce 20 to 40% false positives - Do NOT treat all assets equally — a vulnerability on an internet-facing payment server is far more critical than the same vulnerability on an internal development tool ## TASK CRITERIA 1. **Asset Inventory and Classification** — Catalog all assets for [INSERT APPLICATION NAME] including servers, databases, APIs, third-party integrations, and client applications. Classify each asset by data sensitivity, internet exposure, and business criticality on a 1-5 scale. 2. **Scanning Strategy Design** — Define the scanning approach for each asset class: network vulnerability scanning frequency, web application scanning depth, container image scanning triggers, code-level analysis cadence, and configuration compliance checking schedule. 3. **Vulnerability Discovery Process** — Establish the multi-source vulnerability discovery process: automated scanner findings, manual code review findings, bug bounty reports, threat intelligence feeds, vendor security advisories, and penetration test results. Define the intake process for each source. 4. **Contextual Risk Scoring Model** — Create a risk scoring model that augments CVSS with contextual factors: asset criticality multiplier, network exposure factor, exploit availability in the wild, compensating controls discount, and data sensitivity weight. Produce a final risk score from 1 to 100. 5. **Prioritization and SLA Framework** — Define remediation SLAs based on the contextual risk score: critical findings with a score above 80 must be remediated within 24 hours, high findings within 7 days, medium within 30 days, and low within 90 days. Include exception and waiver processes. 6. **Remediation Workflow** — Design the remediation process: automatic ticket creation and assignment based on code ownership, remediation guidance generation, fix verification through rescanning, and closure confirmation. Include the escalation process for overdue findings. 7. **Reporting and Metrics** — Define the vulnerability management metrics: mean time to remediation by severity, open vulnerability aging, scan coverage percentage, false positive rate, and trend analysis showing vulnerability posture improvement over time. 8. **Continuous Improvement Process** — Establish a quarterly review process to update scanning rules, refine the risk scoring model based on actual exploitation data, update asset classifications, and adjust SLAs based on team capacity and risk appetite. ## INFORMATION ABOUT ME - My application and infrastructure scope: [INSERT SCOPE — e.g., 3 web apps, 10 microservices, 5 databases, AWS infrastructure] - My current scanning tools: [INSERT TOOLS — e.g., Nessus, Qualys, Trivy, OWASP ZAP, or none] - My team's security capacity: [INSERT CAPACITY — e.g., 1 dedicated security engineer, shared DevOps responsibility] - My compliance framework: [INSERT FRAMEWORK — e.g., SOC 2 requiring quarterly vulnerability scans, PCI-DSS requiring continuous scanning] - My current vulnerability volume: [INSERT VOLUME — e.g., unknown, approximately 200 open findings, backlog of 500 unaddressed CVEs] ## RESPONSE FORMAT - Open with an asset classification matrix showing all assets scored by criticality and exposure - Present the contextual risk scoring model as a formula with worked examples - Include a scanning schedule calendar for all asset types - Provide the remediation SLA table with severity, timeline, escalation, and exception criteria - Include a monthly executive report template showing vulnerability posture trends - End with a maturity model showing progression from ad-hoc to optimized vulnerability management
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT APPLICATION NAME]