A vulnerability program the team can run on Monday. Not a 400-page scan dump.
A structured gap analysis of how vulnerabilities are governed, discovered, prioritized, remediated, and reported on today. A risk-based remediation plan with severity-tied SLAs. And the platform configuration and backlog reduction that turn the plan into a sustainable program the security and IT teams can operate after we leave.
Why This Matters
The scanner is not the program. And the backlog isn't going down on its own.
Most organizations don't have a vulnerability problem. They have a vulnerability management problem. The scanner is licensed, the dashboards are lit, the weekly export goes to a SharePoint folder, and the backlog gets larger every quarter. The findings live in spreadsheets, the ownership is unclear, the SLAs are aspirational, and nobody can answer the auditor's question: "What's your process when a Critical lands at 4 p.m. on a Friday?"
Vulnerability Assessment & Program Uplift fixes the program, not just the findings. A senior team conducts a gap analysis across the six domains a real program runs on, builds the risk-based prioritization framework, configures the ITSM and scanner integrations that automate the work, and runs the backlog reduction sprint that proves the new process at scale. The deliverable is a program the client owns and operates, with the option to roll the run-state directly into Managed Security.
66
gaps identified across six vulnerability program domains in a recent uplift engagement for a regional payer: administrative controls, asset management, identification, prioritization, mitigation, and reporting.
Fortellar · Vulnerability Management Uplift SOW (Stella / BCBSMN, 2024)
By The Numbers
24–72 hrs
remediation deadline for Critical vulnerabilities under the Fortellar Vulnerability and Patch Management Policy, with High at 30 days, Medium at 90, and Low at 365; the SLAs the uplift program operationalizes end to end.
Fortellar · Vulnerability and Patch Management Policy
30%
of organizations cite vulnerability backlog as the single largest unresolved security risk on the books — patches identified, owners unclear, SLAs missed, exceptions never re-evaluated.
Industry benchmark · vulnerability operations surveys
Three situations where the program, not the scan, is the gap.
Who This Is For
Situation 1
An audit finding or regulator has named the program
An auditor wrote up vulnerability management. A regulator has the team on a remediation timeline. A customer is asking for the SLAs and the evidence behind them. Buying another scanner won't answer the finding.
Situation 2
The backlog is large and growing every quarter
Critical and High findings are stacking up. Tickets sit unassigned. The same hosts appear scan after scan. The team can't tell leadership whether the trend line is improving or getting worse, because the prioritization is ad hoc.
Situation 3
Tooling is licensed but the workflow doesn't work
ServiceNow VR is on the contract. Tenable is scanning. Prisma Cloud is wired to the registry. But the findings don't flow to the right owner, the assignment rules don't fire, and remediation lives in spreadsheets next to the platform that was supposed to replace them.
Best Outcome
A documented program (governance, SLAs, ownership, evidence) built to close the finding and stand up under the re-review.
Best Outcome
A risk-based prioritization framework, a remediation sprint that clears Critical and High in the agreed window, and the operating cadence that keeps the backlog flat after we leave.
Best Outcome
Integrations configured end to end (scanner ingest, asset mapping, automated assignment, exception workflow, dashboards) so the platform actually runs the program.
Six domains. One method. The program reads against the way the team actually works.
The assessment is structured against the six domains a vulnerability program operates on, with the gap counts from a recent payer engagement shown for context. Every domain is read against governance ownership, control coverage, evidence as it operates today, and the residual risk the current state leaves on the table.
How It Works
Domain 1
Administrative Controls
Policy, standards, roles and responsibilities, executive ownership, exception process, risk acceptance, and the governance forum behind the program. The layer auditors test first, and the layer most programs document last.
Domain 2
Asset Management
CMDB completeness and currency, asset ownership tied to business service, scan-target coverage for endpoints, servers, network devices, cloud workloads, containers, and the reconciliation cadence that keeps the inventory honest.
Domain 3
Identification & Discovery
Scanner coverage, scan frequency, authenticated vs. unauthenticated scope, container and cloud-native scanning, code SAST / DAST, third-party penetration testing intake, and threat intelligence feeds that flag the next zero-day.
Domain 4
Prioritization
CVSS plus business context. Asset criticality, exposure, exploitability, compensating controls, and the risk scoring logic that decides which Critical actually gets remediated this week and which one waits behind a documented exception.
Domain 5
Mitigation & Remediation
Assignment rules, SLAs by severity, change and patch windows, deferral workflow with CISO approval, compensating-control declaration, and the integration with change management that keeps the audit trail intact.
Domain 6
Reporting
Operational dashboards for the team, executive dashboards for the CIO and CISO, board-level KPIs, compliance evidence packages, and the trend lines that prove the program is closing risk faster than the environment is producing it.
Risk-based deadlines. Documented exceptions. CISO-approved acceptances.
The remediation schedule is set at scoping and operated as policy. Critical lands inside 72 hours or it lands inside a formal exception, signed by the CISO, with compensating controls declared. The schedule is the contract between the security team and the rest of the technology organization, and it's the document the auditor reads first.
The SLA Model the Program Operates On
Critical
24–72 hours
Active exploitation, imminent risk to confidentiality, integrity, or availability. Extension to 14 days only with a documented exception, compensating controls, and CISO approval on file.
High
30 days
Severe vulnerability, no active exploitation observed. Assignment, change window, and validation tracked in ITSM end to end.
Medium
90 days
Material risk, scoped against asset criticality and exposure. Grouped where appropriate, sequenced behind Critical and High in the operating cadence.
Low
365 days
Hygiene-level findings. Tracked, batched, and remediated against the normal patch window. Aged-out exceptions reviewed annually.
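The prioritization logic (Domain 4: CVSS plus asset criticality, exposure, exploitability and compensating controls) and the SLA model above, as an added example and not Fortellar's own scoring model: the SLA windows and the rule that a Critical extends to 14 days only with a documented, CISO-approved exception and a declared compensating control come from the page; the weights, the 1..3 criticality scale and the `Finding` fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Severity-tied SLA windows from the page: Critical 24-72 h, High 30 d, Medium 90 d, Low 365 d.
SLA = {"Critical": timedelta(hours=72), "High": timedelta(days=30),
       "Medium": timedelta(days=90), "Low": timedelta(days=365)}
CRITICAL_EXCEPTION_CAP = timedelta(days=14)   # the only extension a Critical may receive

@dataclass
class Finding:
    host: str
    cve: str                    # identifier as reported by the scanner
    cvss: float                 # scanner base score, the starting point for prioritization
    asset_criticality: int      # assumed 1..3 scale from the CMDB; 3 = business-critical service
    internet_exposed: bool
    exploit_observed: bool      # active exploitation reported by threat intelligence
    compensating_control: bool  # declared control (e.g. network isolation) on file
    exception_approved_by: Optional[str] = None   # "CISO" once a signed exception exists

def risk_score(f: Finding) -> float:
    """CVSS plus business context. The weights are an illustrative assumption, not a published model."""
    score = f.cvss + 0.5 * (f.asset_criticality - 1)   # +0 / +0.5 / +1.0 for criticality
    score += 1.0 if f.internet_exposed else 0.0
    score += 1.5 if f.exploit_observed else 0.0
    score -= 1.5 if f.compensating_control else 0.0    # a declared control buys down the score
    return max(0.0, min(score, 10.0))

def severity(f: Finding) -> str:
    """Band the score; active exploitation of a severe base score is Critical regardless of context."""
    s = risk_score(f)
    if s >= 9.0 or (f.exploit_observed and f.cvss >= 7.0):
        return "Critical"
    return "High" if s >= 7.0 else "Medium" if s >= 4.0 else "Low"

def sla_window(f: Finding) -> timedelta:
    """Policy window by severity; a Critical stretches to 14 days only if all three exception conditions hold."""
    sev = severity(f)
    if sev == "Critical" and f.exception_approved_by is not None:
        if f.exception_approved_by != "CISO" or not f.compensating_control:
            raise ValueError(f"{f.host}/{f.cve}: Critical exception needs CISO approval and a compensating control")
        return CRITICAL_EXCEPTION_CAP
    return SLA[sev]

def remediation_deadline(f: Finding, discovered: datetime) -> datetime:
    return discovered + sla_window(f)

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Sequence the backlog: Critical and High first, then highest risk score within each band."""
    return sorted(findings, key=lambda f: (list(SLA).index(severity(f)), -risk_score(f)))
```

A Critical with an exception signed by anyone other than the CISO, or without a compensating control on file, is rejected rather than silently given the 14-day window.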
An automated, risk-based remediation engine.
What's Included
After this engagement, you will have:
A vulnerability program gap report
Six-domain gap analysis with the findings, the evidence, and the per-domain rating behind each one. Written so the auditor and the regulator can read it, not just the security team.
After this engagement, you will have:
A risk-based prioritization framework
Severity plus business context. Asset criticality, exposure, exploitability, and compensating-control logic, codified into a scoring model the team can run by hand and the platform can run automatically.
After this engagement, you will have:
A configured ITSM and scanner stack
ServiceNow VR (or equivalent) integrated with Tenable, Prisma Cloud, and any third-party penetration testing intake. Assignment rules, deferral workflow, exception process, and notification escalation wired end to end.
After this engagement, you will have:
A CMDB and asset-inventory reconciliation
Asset data certified against the CMDB. Owners assigned. Scan-target coverage validated. The single source of truth that prioritization and assignment depend on, made trustworthy.
After this engagement, you will have:
A backlog reduction sprint
Critical and High findings remediated within the agreed window. Medium and Low handed off with sequencing. The proof point that the new program runs at scale, not just on paper.
After this engagement, you will have:
Operational and executive dashboards
Real-time dashboards for the team. KPIs for the CISO, the CIO, and the audit committee. Trend lines, response times, compliance status, and the metrics behind the next board readout.
How program uplift differs from the scan-and-report engagement you've seen before.
"Vulnerability assessment" is one of the most overloaded terms in security. These are the specific patterns we don't ship, and the patterns we don't substitute for the real work.
What This Isn't
A scan-and-report engagement
An external scan, a PDF, a list of CVEs by host, and an invoice. Useful only as a snapshot. We don't substitute a finding list for a program. The findings are the input; the operating model is the deliverable.
A tool implementation project
Implementing ServiceNow VR or Tenable without the governance, prioritization, and ownership underneath produces a more expensive backlog. The platform configuration is part of the work; it isn't the whole work.
A penetration test
Pen testing is a defined, scoped, adversarial engagement that produces a different artifact for a different question. It's a separate Fortellar service. The two are designed to complement each other, not substitute.
Ongoing managed scanning
Running the scanner every week on the client's behalf, without the program scaffolding, drops the same backlog into the same spreadsheet faster. If managed run-state is the right next step, it picks up after this engagement, not in place of it.
A one-time backlog cleanup
Burning the backlog down without changing the inflow guarantees the next quarter looks like the last one. The reduction sprint runs alongside the program build, so the new inflow is governed by the new model.
An open-ended consulting engagement
No discovery sprint that meters into a six-month bill. The engagement is time-boxed and fixed against milestone deliverables. The closing date and the handover artifacts are agreed in writing at kickoff.
Four phases. Milestone-billed. The handover artifact is on the contract before kickoff.
How It Works
Phase 1
Gap analysis & program design
Documentation review, interviews, and platform walkthroughs across the six program domains. Findings consolidated into a gap register tied to evidence. The risk-based prioritization framework and the SLA schedule are drafted, reviewed, and approved before any platform work begins.
Phase 2
Asset & data foundation
CMDB and asset inventory reconciled against scanner output. Owners assigned at the service tier, not the host. Scan-target coverage validated for endpoints, servers, network devices, cloud workloads, and containers. The inventory that prioritization and assignment depend on is made trustworthy before automation is layered on top.
Phase 3
Platform configuration & automation
Scanner integrations wired into the ITSM. Assignment rules, severity-tied SLAs, deferral and exception workflow, notifications, and escalations configured. CVSS plus business-context scoring applied per finding. Container and cloud-native paths wired alongside infrastructure findings, so the program is unified, not siloed by tool.
Phase 4
Backlog reduction & handover
Reduction sprint targets Critical and High findings under the new model. Medium and Low handed off with sequencing. Post-event retrospectives codify the lessons. The program is operated by the client team with Fortellar shadowing, then handed over with the option to roll directly into Managed Security.
You Walk Away With:
Six-domain gap register with per-domain rating.
Risk-based prioritization framework and SLA schedule.
A scoping memo and closing-date schedule, in writing.
You Walk Away With:
Reconciled asset inventory with declared owners.
Validated scan-target coverage by environment.
A data-quality dashboard for ongoing certification.
You Walk Away With:
ServiceNow VR (or equivalent) configured end to end.
Integrations to Tenable, Prisma Cloud, and pen test intake.
Operational and executive dashboards published.
You Walk Away With:
Critical and High backlog cleared in the agreed window.
A run-state operations cadence the client team owns.
A defined next step: Managed Security or self-run.
Differentiator: XXXX
A governance framework grounded in regulated-industry research — not a consulting template.
Our framework is built from active research with clinicians, compliance officers, and AI practitioners in the industries that can't afford to get it wrong — health systems, financial services, insurance. It's anchored to NIST AI RMF and ISO 42001, and it's the same framework we operate behind every Fortellar Secure AI engagement.
Operating Posture
76%
Engineer-led coverage
Expertise This Work Draws On
The components behind a Vulnerability Assessment & Program Uplift engagement.
Cybersecurity & Compliance
Vulnerability & Patch Management
The governance backbone behind the program: the published Vulnerability and Patch Management Policy, the severity-tied SLA schedule, the risk acceptance and exception workflow, and the post-event retrospective cadence that keeps the program improving instead of drifting.
Technology & Security Operations
Tabletop & Exercise Design
Hands-on configuration of ServiceNow Vulnerability Response and Data Certification — scanner integrations, assignment rules, CVSS-plus-business-context scoring, deferral and exception workflow, change management hooks, and the dashboards the operations team runs the program from.
Cybersecurity & Compliance
GRC Program Design
The control mapping that makes the program defensible: cross-mapped to HIPAA, SOC 2, NIST, PCI DSS, and the state and sectoral rules that reach the mid-market, with the evidence trail wired to satisfy them at audit time, not at scramble time.
Cloud & Technology Infrastructure
Cloud Security & Governance
Container and cloud-native vulnerability paths unified with the infrastructure findings: Prisma Cloud, AWS Inspector, Azure Defender for Cloud — wired into the same intake, the same prioritization, the same SLAs.
Where To Next
A vulnerability program the team can run, an SLA schedule the auditor can read, and a backlog cleared at scale.
Thirty minutes with a senior partner. Bring the most recent audit finding, the scanner stack on contract today, and the backlog count by severity, and we'll scope the uplift on the call.
© 2025 Fortellar. All rights reserved.