Compliance as a Side Effect: How a Well-Run VM Programme Satisfies PCI-DSS, ISO 27001, NIS2, DORA, and the UK CSRB
The organisations that fail compliance audits for vulnerability management rarely have bad security intentions. They have compliance-designed programmes, built to satisfy a framework rather than to manage risk. Episode 10 walks through PCI-DSS v4.0.1, ISO 27001 A.8.8, DORA, NIS2, and the UK Cyber Security and Resilience Bill, showing how a Five Pillars programme produces the evidence each framework asks for as a natural by-product of operating well.
Christopher Clarkson
5 days ago · 12 min read
Why Your Vulnerability Backlog Is Lying to You
Your vulnerability backlog is not one number. It is at least nine. Here are the three segmentations that make it a usable security metric.
Christopher Clarkson
Apr 21 · 4 min read