The term “vulnerability management” conjures images of scanning tools and penetration tests. To be effective at reducing and remediating flaws, organizations must implement an ongoing vulnerability remediation life cycle (VRLC). It’s important to go beyond the initial scan into penetration analysis and attack path discovery to get a more complete picture of the possible exposures to business data. After performing scans, penetration-testing analysis, and validation, an organization should match exposures and vulnerabilities to the required compliance activities. After compliance, risk management is often the next step in the VRLC.

