5.3.3. Response, Remediation, and Validation
💡 First Principle: Finding a vulnerability is only useful if you fix it. The response phase closes the loop by applying fixes, verifying they worked, and documenting the process. Speed matters — the time between vulnerability disclosure and active exploitation is shrinking.
Patching — applying vendor-released fixes. The primary remediation method for software vulnerabilities. The patching workflow follows a disciplined process: vulnerability announced → patch released → testing in non-production → change management approval → staged deployment (pilot group first) → production rollout → validation scan. Critical vulnerabilities with active exploits may justify emergency patching with abbreviated testing.
Remediation SLAs — organizations should define maximum time-to-remediate based on severity: critical vulnerabilities (e.g., 72 hours), high (30 days), medium (90 days), low (next maintenance window). These SLAs create accountability and prevent vulnerability backlogs from growing unchecked.
Insurance — cyber insurance transfers financial risk but doesn't fix the vulnerability. It's risk transference, not risk mitigation.
Segmentation — isolating vulnerable systems behind network boundaries as a compensating control when patching isn't immediately possible.
Compensating controls — applying alternative protections when direct remediation isn't feasible (WAF rules for web application vulnerabilities, IPS signatures for network-exploitable vulnerabilities).
Exceptions and risk acceptance — documenting the decision to accept a vulnerability when remediation cost exceeds risk, with management sign-off and a review date.
Validation of remediation — rescanning after patching to confirm the vulnerability is actually fixed. Critical step that's often skipped, leaving false confidence.
Reporting ā documenting findings, remediation actions, and remaining risk for management and compliance. Trends over time show whether the vulnerability management program is improving. Key metrics include mean time to remediate (by severity), percentage of vulnerabilities remediated within SLA, recurring vulnerability rates, and overall risk score trends.
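The SLA tracking, rescan validation, and reporting metrics described above can be tied together in a small tracker. The following is an added example, not code from the original text: it uses the section's SLA figures (critical 72 hours, high 30 days, medium 90 days, low deferred to the next maintenance window), treats a finding as remediated only once the validation rescan comes back clean, and computes mean time to remediate by severity and the percentage of remediations completed within SLA. The finding record layout, hostnames, and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Hypothetical SLA table using the figures from the text: critical 72 h (3 days),
# high 30 days, medium 90 days; low has no fixed deadline (next maintenance window).
SLA_DAYS = {"critical": 3, "high": 30, "medium": 90, "low": None}


@dataclass
class Finding:
    """One vulnerability finding from a scanner (constructed record layout)."""
    finding_id: str
    host: str
    severity: str
    discovered: date
    patched: Optional[date] = None        # date the fix was deployed, None while open
    rescan_clean: Optional[bool] = None   # validation rescan result, None if not yet rescanned


def sla_deadline(f: Finding) -> Optional[date]:
    """Latest date by which the finding must be remediated, or None for 'next window'."""
    days = SLA_DAYS[f.severity]
    return None if days is None else f.discovered + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """Classify a finding; a patch only counts once the validation rescan comes back clean."""
    if f.patched is not None:
        if f.rescan_clean is True:
            return "remediated"
        if f.rescan_clean is False:
            return "patch_failed"        # rescan still reports it: reopen, do not close
        return "pending_validation"      # patched but not yet rescanned
    deadline = sla_deadline(f)
    if deadline is not None and today > deadline:
        return "overdue"
    return "open"


def within_sla(f: Finding) -> bool:
    """True if a remediated finding was patched on or before its SLA deadline."""
    deadline = sla_deadline(f)
    return deadline is None or f.patched <= deadline


def metrics(findings, today: date) -> dict:
    """Programme metrics named in the text: status counts, MTTR by severity, % within SLA."""
    by_status = {s: 0 for s in ("open", "overdue", "pending_validation", "patch_failed", "remediated")}
    ttr = {}                                  # severity -> list of days-to-remediate
    in_sla = []
    for f in findings:
        st = status(f, today)
        by_status[st] += 1
        if st == "remediated":
            ttr.setdefault(f.severity, []).append((f.patched - f.discovered).days)
            in_sla.append(within_sla(f))
    return {
        "by_status": by_status,
        "mttr_days": {sev: mean(days) for sev, days in ttr.items()},
        "within_sla_pct": round(100.0 * sum(in_sla) / len(in_sla), 1) if in_sla else None,
    }


# Constructed sample findings; hostnames and dates are illustrative only.
TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("F-1", "web-01", "critical", date(2024, 6, 1), patched=date(2024, 6, 2), rescan_clean=True),
    Finding("F-2", "db-01", "critical", date(2024, 6, 20), patched=date(2024, 6, 28), rescan_clean=True),
    Finding("F-3", "app-02", "high", date(2024, 5, 1)),
    Finding("F-4", "app-03", "high", date(2024, 6, 15), patched=date(2024, 6, 20), rescan_clean=False),
    Finding("F-5", "app-03", "medium", date(2024, 6, 10)),
    Finding("F-6", "legacy-01", "low", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id:<4} {f.host:<10} {f.severity:<8} "
              f"deadline={sla_deadline(f)} status={status(f, TODAY)}")
    print(metrics(SAMPLE_FINDINGS, TODAY))
```

In the sample data, F-2 was patched inside a week but still misses the 72-hour critical SLA, F-3 is overdue with no fix deployed, and F-4 was patched yet reappears on the rescan, so it is reopened as a failed patch rather than counted as remediated. That last case is the false confidence the validation step exists to catch.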
⚠️ Exam Trap: Risk acceptance requires documented management approval and a review date. It's not the same as ignoring the vulnerability — it's a deliberate, accountable decision to accept the remaining risk after evaluating alternatives.
