Security Operations


The Vulnerability Management Programme Schematic
A completable programme design document: ownership RACI, SLA structure, exception framework, and escalation paths for an audit-defensible VM programme.
Christopher Clarkson
Jun 2, 5 min read


The Conversation That Kills Programmes
CAXA Technologies Security Operations Series: Vulnerability Management. At a recent client, the vulnerability management programme had everything it was supposed to have: a well-integrated scanner, EPSS enrichment, and tooling that aggregated findings with SLA classifications attached. The MTTR numbers were still poor. Not because the findings were wrong, but because no engineering team owned the SLAs. The security team was chasing fixes across squad boundaries with no escalation path.
Christopher Clarkson
May 19, 6 min read
Blueprints: Example Vulnerability Management Tooling Architecture From Reactive to Optimised
The technology stack at each of the four VM maturity levels: what to deploy, what it integrates with, and what compliance evidence it produces as a natural consequence of the tooling decisions, not as a selection criterion.
Christopher Clarkson
May 12, 11 min read
The Vulnerability Management Maturity Model: Five Pillars, Four Levels
Most programmes find out where they sit when an auditor names the gap. This model lets you find out first. A per-Pillar maturity assessment across the Five Pillars and four levels (reactive, defined, measured, and optimised), grounded in observable security outcomes rather than process documentation. The weakest Pillar sets the effective maturity level for the whole programme.
Christopher Clarkson
May 6, 7 min read
Compliance as a Side Effect: How a Well-Run VM Programme Satisfies PCI-DSS, ISO 27001, NIS2, DORA, and the UK CSRB
The organisations that fail compliance audits for vulnerability management rarely have bad security intentions. They have compliance-designed programmes, built to satisfy a framework rather than to manage risk. Episode 10 walks through PCI-DSS v4.0.1, ISO 27001 A.8.8, DORA, NIS2, and the UK Cyber Security and Resilience Bill, showing how a Five Pillars programme produces the evidence each framework asks for as a natural by-product of operating well.
Christopher Clarkson
Apr 28, 12 min read
Why Your Vulnerability Backlog Is Lying to You
Your vulnerability backlog is not one number. It is at least nine. Here are the three segmentations that make it a usable security metric.
Christopher Clarkson
Apr 21, 4 min read
The CI/CD Pipeline Is the Attack Surface
Adding a SAST scanner to your CI/CD pipeline is not the same as securing it. Three documented incidents from the past 13 months — tj-actions, Trivy, and Axios — show how the pipeline execution layer, dependency installation, and runner credentials are all being targeted at scale. Episode 9 builds the threat model your shift-left programme is missing.
Christopher Clarkson
Apr 7, 12 min read
Vulnerability Management at Scale: When 60,000 CVEs Per Year Breaks Your Triage Model
FIRST is projecting a median of 59,427 CVEs for 2026. At that volume, a process that requires a human to review each inbound finding is not a triage model — it is a queue that will never clear. Episode 8 covers vulnerability management at scale: the composite scoring model that handles automated classification, why KEV is a hard floor and not a scoring input, and where the asset inventory is still the bottleneck.
Christopher Clarkson
Mar 31, 9 min read
VM at the Speed of Cloud: Cloud Native Vulnerability Management When the Estate Won't Stay Still
Episode 7 of the CAXA Technologies Security Operations Series. If a container lives for 60 seconds and your scanner runs on a schedule, you do not have a cloud VM programme. You have a cloud visibility gap with a reporting cadence attached to it. That framing sounds extreme until you look at the data. Sysdig's 2025 Cloud-Native Security and Usage Report found that 60% of containers now live for 60 seconds or less. In 2019, half of containers lasted at least five minutes. The t
Christopher Clarkson
Mar 24, 12 min read
Vulnerability Prioritisation in Practice: CVSS, EPSS, KEV and SSVC
88% of published CVEs carry an exploitation probability below 10%. If your backlog is ordered by CVSS score, most of the effort it consumes is aimed at vulnerabilities attackers are ignoring. This episode delivers a working alternative: EPSS, the CISA KEV catalogue, and SSVC applied to real CVEs.
Christopher Clarkson
Mar 10, 11 min read
Vulnerability Management Metrics That Matter: Measuring What Moves the Needle
Most organisations track vulnerability management metrics. Far fewer track metrics that change anything. This episode examines what to measure, where each metric delivers the most value, and why programmes that solve for security have no difficulty during audits while those that solve for compliance struggle to demonstrate whether they are reducing risk at all.
Christopher Clarkson
Feb 23, 15 min read
When Every Component Works and Your Vulnerability Management Programme Doesn't
Vulnerability Management programmes rarely fail because individual components are weak. They fail because the people, processes, and technology were designed independently and have drifted apart under operational pressure. Episode 4 of the CAXA Technologies Security Operations Series examines the operating model that turns pillar capabilities into operational reality, and provides a diagnostic framework for identifying where misalignment is constraining your programme.
Christopher Clarkson
Feb 16, 28 min read
The Five Pillars of a Vulnerability Management Programme
Buying a better scanner doesn't help if your asset inventory has significant gaps. This episode examines the five pillars every VM programme depends on, maps how they interact as a dependency chain, and explains why the visible symptom is often far from the actual constraint.
Christopher Clarkson
Feb 9, 10 min read
The Vulnerability Management Lifecycle: Seven Stages from Introduction to Closure
Every vulnerability takes a journey through your organisation. This episode examines the seven stages of that lifecycle and reveals where programmes typically stall. Understanding this journey is the first step to making it shorter.
Christopher Clarkson
Feb 2, 7 min read
Vulnerability Management Fundamentals: Scope, Structure, and the Prioritisation Problem
Vulnerability management extends beyond patching, but most programmes plateau before becoming truly risk-informed. This opening episode examines why the fundamentals of asset visibility, prioritisation rigour, and remediation ownership determine programme effectiveness far more than tooling investments.
Christopher Clarkson
Jan 26, 8 min read
