The Vulnerability Management Programme Schematic
A completable programme design document: ownership RACI, SLA structure, exception framework, and escalation paths for an audit-defensible VM programme.
Christopher Clarkson
Jun 2 · 5 min read
Blueprints: Example Vulnerability Management Tooling Architecture From Reactive to Optimised
The technology stack at each of the four VM maturity levels: what to deploy, what it integrates with, and what compliance evidence it produces as a natural consequence of the tooling decisions, not as a selection criterion.
Christopher Clarkson
May 12 · 11 min read
The CI/CD Pipeline Is the Attack Surface
Adding a SAST scanner to your CI/CD pipeline is not the same as securing it. Three documented incidents from the past 13 months — tj-actions, Trivy, and Axios — show how the pipeline execution layer, dependency installation, and runner credentials are all being targeted at scale. Episode 9 builds the threat model your shift-left programme is missing.
Christopher Clarkson
Apr 7 · 12 min read
Vulnerability Management at Scale: When 60,000 CVEs Per Year Breaks Your Triage Model
FIRST is projecting a median of 59,427 CVEs for 2026. At that volume, a process that requires a human to review each inbound finding is not a triage model — it is a queue that will never clear. Episode 8 covers vulnerability management at scale: the composite scoring model that handles automated classification, why KEV is a hard floor and not a scoring input, and where the asset inventory is still the bottleneck.
Christopher Clarkson
Mar 319 min read