The Conversation That Kills Programmes
CAXA Technologies Security Operations Series: Vulnerability Management
At a recent client, the vulnerability management programme had everything it was supposed to have: a well-integrated scanner, EPSS enrichment, and tooling that aggregated findings with SLA classifications attached. The MTTR numbers were still poor. Not because the findings were wrong, but because no engineering team owned the SLAs. The security team was chasing fixes across squad boundaries with no escalation path.
Christopher Clarkson
May 19 · 6 min read
The Vulnerability Management Maturity Model: Five Pillars, Four Levels
Most programmes find out where they sit when an auditor names the gap. This model lets you find out first. A per-Pillar maturity assessment across the Five Pillars, rated at one of four levels (reactive, defined, measured, and optimised), grounded in observable security outcomes rather than process documentation. The weakest Pillar sets the effective maturity level for the whole programme.
Christopher Clarkson
May 6 · 7 min read
Compliance as a Side Effect: How a Well-Run VM Programme Satisfies PCI-DSS, ISO 27001, NIS2, DORA, and the UK CSRB
The organisations that fail compliance audits for vulnerability management rarely have bad security intentions. They have compliance-designed programmes, built to satisfy a framework rather than to manage risk. Episode 10 walks through PCI-DSS v4.0.1, ISO 27001 A.8.8, DORA, NIS2, and the UK Cyber Security and Resilience Bill, showing how a Five Pillars programme produces the evidence each framework asks for as a natural by-product of operating well.
Christopher Clarkson
Apr 28 · 12 min read