Project case study

Vulnerability Management Program Implementation

A simulated end-to-end vulnerability management program covering policy creation, stakeholder buy-in, authenticated scanning, prioritization, remediation, and verification.

Full remediation cycle

  • Total Vulnerabilities: 32 to 4
  • Critical Reduction: 100%
  • High Reduction: 92%
  • Medium Reduction: 88%

Problem

The simulated organization began without an established vulnerability management policy or operating process. The project needed to move from an unmanaged baseline to a repeatable program with governance, scanning permission, prioritized remediation, and verification.

Approach

  • Drafted a vulnerability management policy that defined scope, responsibilities, remediation timelines, and a stakeholder review path.
  • Simulated stakeholder and server-team meetings to secure buy-in, adjust remediation expectations, and authorize credentialed scanning.
  • Provisioned an intentionally vulnerable Windows Server environment in Azure and performed authenticated vulnerability scans with Tenable Nessus.
  • Prioritized remediation work by impact and ease of remediation, including third-party software removal, insecure protocol and cipher hardening, guest account group membership, Windows updates, WinVerifyTrust validation, and outdated software cleanup.
  • Packaged remediation scripts and scan reports for remediation teams, then validated each remediation round through follow-up scans.
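
One way to carry out the follow-up validation step, shown as an added example that is not code from the project's repositories: it diffs a baseline scan export against a follow-up export and reports which findings were fixed, which remain, and which are new. It assumes CSV exports with `Plugin ID`, `Risk`, `Host`, `Port` and `Name` columns; the sample rows, host address, plugin IDs and function names are constructed for illustration.

```python
import csv
import io
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed sample exports (not project data); plugin IDs and names are placeholders.
BASELINE_CSV = """Plugin ID,Risk,Host,Port,Name
900001,Critical,10.0.0.4,0,Placeholder outdated software
900002,High,10.0.0.4,3389,Placeholder deprecated TLS protocol
900003,High,10.0.0.4,0,Placeholder third-party package
900004,Medium,10.0.0.4,3389,Placeholder weak cipher suite
900005,None,10.0.0.4,0,Placeholder informational scan note
"""
FOLLOWUP_CSV = """Plugin ID,Risk,Host,Port,Name
900002,High,10.0.0.4,3389,Placeholder deprecated TLS protocol
900006,Medium,10.0.0.4,445,Placeholder newly detected finding
900005,None,10.0.0.4,0,Placeholder informational scan note
"""

def load_findings(csv_text):
    """Map (host, port, plugin id) -> severity, skipping informational rows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] in SEVERITIES:
            findings[(row["Host"], row["Port"], row["Plugin ID"])] = row["Risk"]
    return findings

def compare_scans(before_text, after_text):
    """Classify findings as fixed, remaining or new; compute reduction per severity."""
    before, after = load_findings(before_text), load_findings(after_text)
    fixed = sorted(before.keys() - after.keys())
    remaining = sorted(before.keys() & after.keys())
    new = sorted(after.keys() - before.keys())
    b_counts, a_counts = Counter(before.values()), Counter(after.values())
    reduction = {}
    for sev in SEVERITIES:
        if b_counts[sev]:  # no baseline findings means no meaningful percentage
            reduction[sev] = round(100 * (b_counts[sev] - a_counts[sev]) / b_counts[sev])
    return {"fixed": fixed, "remaining": remaining, "new": new,
            "totals": (len(before), len(after)), "reduction_pct": reduction}

if __name__ == "__main__":
    report = compare_scans(BASELINE_CSV, FOLLOWUP_CSV)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample data the Medium count stays at one because a fixed finding is offset by a new one, so the per-finding lists show churn that a count-based reduction percentage hides.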

Evidence

  • The project repository documents policy drafting, stakeholder buy-in, initial scan permission, authenticated scan results, remediation emails, CAB review, and seven scan exports.
  • The remediation workflow includes generating PowerShell scripts for Wireshark removal, insecure protocol and cipher remediation, guest account cleanup, Windows updates, WinVerifyTrust validation, and outdated software removal or updates.
  • The supporting CVE remediation mapping repository connects findings to Tenable plugin IDs, CVEs, CVE descriptions, remediation method, and script locations.
  • The scripts repository provides the remediation scripts referenced by the vulnerability-to-remediation mapping.

Outcome

The full remediation cycle reduced total vulnerabilities from 32 to 4 across seven scans. Critical vulnerabilities were eliminated, high vulnerabilities decreased from 12 to 1, and medium vulnerabilities decreased from 17 to 2.

What I learned

  • Vulnerability reduction depends as much on governance and stakeholder coordination as it does on technical scanning.
  • Authenticated scanning and follow-up validation provide the evidence needed to show whether remediation actually worked.
  • Prioritizing fixes by operational impact and remediation effort creates a practical path from baseline discovery to maintenance mode.