6 top vulnerability management tools and how they help prioritize threats

Organizations handle vulnerability management in various ways, from training and best-practice implementations to filtering out all but the most dangerous threats. Here's a look at some of today's more innovative solutions.

Unlocked circuit board / security threat

The science and technology behind vulnerability management has changed a lot in a short time. When originally deployed, vulnerability management companies acted almost like antivirus vendors in that they tried to get their scanners to uncover as many potential threats as possible. They would even brag about being able to detect more vulnerabilities hiding in testbeds than their competitors.

The trouble with that logic is that unlike viruses and other types of malware, vulnerabilities are only potentially a problem. For a vulnerability to be truly dangerous, it must be accessible to an attacker and relatively easy to exploit. So, a vulnerability sitting on an internal resource isn’t much of a potential threat, nor is one that requires additional components like secure access to other network services. Knowing what is truly dangerous is important so that you can plan what to fix now, and what to put off until later or even ignore.

It’s also helpful to categorize vulnerabilities based on their potential impacts should they be exploited. This includes the potential severity of the exploit like wiping out an entire database versus locking out a single user and the value of the resources affected. Having your public-facing website defaced is embarrassing, but having confidential data stolen can be critical.

The best vulnerability management programs should add context to scans. Some even offer automatic fixes, training or preventative assistance using artificial intelligence (AI). Understanding compliance standards, legal mandates and best practices that apply to the organization launching the scan is also important. With potentially thousands of vulnerabilities hiding in any large enterprise network, it’s the only way that fixes can be reliably prioritized.

The following six products push the envelope for at least one aspect of vulnerability management.

Kenna Security Vulnerability Management

The Kenna Security Vulnerability Management platform was one of the first to incorporate real-time threat data into vulnerability management several years ago. Since then, the platform has been expanding to include more threat feeds including one that the company manages specifically based on its client’s networks. It has also added support for more vulnerability scanners and today works with just about everyone on the market.

Kenna does not do any scans itself. Instead, it provides connector programs that allow it to ingest data from almost any vulnerability scanner including those made by Tripwire, Qualys, McAfee and CheckMarx. The platform itself is deployed as a service, with customers logging into a cloud portal to check their information and to give Kenna permission to learn about the network that it’s protecting.

The idea behind Kenna is that it collects the many vulnerability alerts sent in by scanners, and then compares that with threat data in real time. It can tie a discovered vulnerability back to an active threat campaign that is exploiting it and prioritize a quick fix. Any vulnerabilities being exploited out in the world are automatically elevated in priority, so defenders can fix the most dangerous problems before attackers discover and exploit them.

The platform does a good job of explaining why vulnerabilities exist in a protected network and gives tips on how to fix them. It can prioritize discovered flaws based on what assets they could affect and the severity of the problem. That is a good feature to have, but the prioritization of vulnerabilities based on active threat campaigns is the ace in the hole that makes Kenna’s platform one of the best at highlighting critical issues that must absolutely be fixed first.

Flexera Vulnerability Manager

While many vulnerability managers concentrate on apps and code that a company develops itself, the Flexera platform is more concerned with third-party software programs that almost every enterprise uses to conduct business. In most cases, fixing a vulnerability in bought or licensed software is done by applying a patch. For an enterprise, that can become a huge deal, especially if they have to take thousands of systems or critical services offline to apply the patch. It’s even possible that because of how tightly software is integrated these days, that fixing one problem could create quite a few others.

The Flexera Software Vulnerability Management software helps with this problem by creating a secure patch management process across an entire enterprise. It can find vulnerabilities in third-party software and advise administrators about the severity of the potential threat. There may be little to gain in putting out a massive patch to thousands of users to fix a minor vulnerability, or to patch a feature that isn’t installed or used by the protected organization. Flexera can help make those decisions by providing context and then deploying the patch when it becomes necessary.

It can also be used to anchor an automated patch management system by fixing vulnerabilities when needed in ways that don’t hurt operations. Finally, it can generate customized reports about vulnerability and patch management, and also on how an organization is complying with relevant frameworks, laws and best practices.


Tenable is well known in the industry for creating security dashboards for any environment. They bring that same diagnostic technology to their vulnerability management program, Tenable.io. This platform is managed in the cloud, so it has a small footprint inside a protected organization. It uses a combination of active scanning agents, passive monitoring and cloud connectors to search for vulnerabilities. Tenable.io then applies machine learning, data science and AI to predict which fixes need to be made first before an attacker can exploit them.

One of the biggest strengths of Tenable.io is the fact that it uses both the dashboard and its customized reports to show vulnerabilities in a way that anyone can understand. Whether someone is a developer, part of the operations team or a member of IT security, they can easily comprehend the warnings generated by Tenable.io. In a way, Tenable.io provides vulnerability management to everyone with no specialized training or expertise required.


Including ZeroNorth in a roundup of vulnerability management programs might seem a little odd, since the platform doesn’t actually scan anything itself. Instead, it was designed to consolidate other vulnerability scanners and help make up for their shortfalls. Given the impossible number of vulnerabilities that most large enterprises face, it’s a tool that will quickly demonstrate its usefulness.

ZeroNorth is deployed as a service, with users logging into a secure web platform to monitor their environment. Connecting various scanners in our test network to the ZeroNorth platform was easy, and we were up and running in no time. Of course, you need to have vulnerability scanners in your environment to start getting data with ZeroNorth, but it can handle data coming from any part of the network, from the development environment to production. If you don’t have any scanners, the platform offers an easy way to add open-source or commercial scanners to your environment, which are then automatically connected with the platform.

The ZeroNorth platform does a lot of work consolidating and analyzing data coming from scanners. One nice feature is that it can show how vulnerabilities are related and even dependent on one another. For example, while a raw scan might reveal 20 new vulnerabilities, most of the time it won’t tell you that 19 of them exist because of the first flaw. ZeroNorth will. Then by fixing just one vulnerability, you can remove 20 others from your network. In our test network, each vulnerability that ZeroNorth recommended we fix eliminated an average of 14 others.

It also does a great job of tracking who created vulnerable resources and who is managing them. It can, of course, report all of its findings to administrators and its central console but can also send alerts and recommended fixes to application owners. That way, the people most responsible for a vulnerable application, and likely the most concerned with correcting any problems, can immediately start working on a fix.

It also does a nice job of monitoring the vulnerability scanners themselves. For example, it will tell you if a scanner is missing a critical vulnerability that others are discovering. That way, you can tell if your investment in specific vulnerability scanners is paying off. As such, ZeroNorth would be a highly valuable addition for any organization trying to tame the deluge of scanner sprawl alerts or improve their scanning accuracy with either new policies or tools.


One of the most well-known vulnerability management platforms, ThreadFix centralizes test data from a variety of sources in one place and with one dashboard. It can ingest scan results in formats such as SAST, DAST, IAST and Software Composition Analysis (SCA).

Not only can it collect and collate results, it also breaks them down and provides help with analyzing vulnerabilities and prioritizing fixes. It does this in advanced ways that are rare for vulnerability managers. For example, it can de-dupe and correlate between application-level vulnerabilities and security weaknesses that are ingrained in the infrastructure itself. Being able to separate critical distinctions like that can help IT teams to tailor specific vulnerability fixes without breaking anything new in the process.

Besides balancing and coordinating the results from multiple commercial and open-source vulnerability scanners, ThreadFix can also help to automate the process of scanning and fixing vulnerabilities by streamlining the backend flow between security and development teams. The fact that it can act in real time makes it a perfect tool to implement in a DevSecOps environment, where developers can take responsibility for creating secure code from the start. ThreadFix can find vulnerabilities as they are being generated, and help developers to fix them before they make it anywhere near a production environment.

ThreadFix also can quantify vulnerability resolution activities and the time it is taking to fix discovered errors. Armed with this data, security teams can get a better idea of their true vulnerability windows, while management can see if and how the situation is improving over time.

Infection Monkey

The Infection Monkey program from Guardicore might be considered another odd choice for a vulnerability roundup, but the level of detail that it provides regarding security flaws and vulnerabilities makes it valuable for almost any organization. It’s also free, with modifiable source code, so you have nothing to lose by trying it.

Infection Monkey is a great tool because it not only identifies vulnerabilities but shows exactly how an attacker could potentially exploit them. You can employ the program to check for security holes in Windows, Linux, OpenStack, vSphere, Amazon Web Services, Azure, OpenStack and Google Cloud Platform environments. Because the Python-based source code is also provided, users can configure it to work in any proprietary or unique environment, too.

The program uses real attacks and techniques that are constantly upgraded and updated by Guardicore. In fact, it’s not technically a simulation because it’s actually attacking a network. It just doesn’t have a malicious payload. If your existing security tools can stop Infection Monkey, so much the better, because it means that any vulnerability hiding behind that defense could be considered a low priority.

The real value comes when Infection Monkey successfully breaks in, which can take anywhere from a few minutes to many hours depending on the complexity of the attacked network. Once it finds a weakness and exploits it, the program records every step that it took along the way including what vulnerabilities it exploited and which defenses were bypassed or tricked.

If you are staring at a list of thousands of vulnerabilities, use Infection Monkey to find out which ones are exploitable by attackers. Then patch those first and deploy the monkey once again to check your work.

Copyright © 2020 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022