Managing Vulnerabilities

Track, triage, and remediate security vulnerabilities — before they turn into risks.

Written by Upendra Varma
Updated over a week ago

Why Vulnerability Management Matters

Frameworks like SOC 2, ISO 27001, and others require that your company has a formal vulnerability management program in place. You’re expected to:

  • Continuously track vulnerabilities across code, infrastructure, and endpoints

  • Define and follow remediation SLAs

  • Document fixes or risk acceptances

  • Stay ahead of threats before auditors catch up

ComplyJet helps you automate this by integrating with your existing vulnerability scanners and providing a central place to monitor and manage them.

Step 1: Enable Scanning at the Source

Start by identifying where you want to track vulnerabilities:

  • Code-level: Enable tools like GitHub Dependabot or Snyk

  • Infrastructure: Use AWS Inspector, Microsoft Defender, or GCP Security Command Center

  • Container/Images: Integrate relevant tools

Make sure these tools are active and scanning regularly. Then, go to the Integrations page in ComplyJet and connect them.

Once integrated, ComplyJet will begin pulling in vulnerability data automatically.

Step 2: Set SLA Policies

Before diving into specific issues, define your Vulnerability Remediation SLAs — timelines based on severity (e.g., Critical = 7 days, High = 14 days).

These SLAs will be used to calculate due dates for each vulnerability. That way, you always know what needs to be fixed by when — and you can demonstrate this discipline during an audit.

Step 3: Review and Remediate Vulnerabilities

Head over to the Vulnerability Management page. Here, you’ll see:

  • All pulled vulnerabilities

  • Their severity, discovery date, and SLA due date

  • Whether they’re open, fixed, or overdue

For each open issue, your goal is simple: fix it before the SLA deadline.

Click on any vulnerability to see more details — including links to the affected resource, suggested fixes (if available), and the original detection source.

Step 4: Dismiss or Accept Risk (If Needed)

Sometimes, a vulnerability can’t be fixed — either because there’s no patch available, or the risk is acceptable in your context.

In these cases, you can:

  1. Open the vulnerability

  2. Click “Dismiss”

  3. Provide a reason (e.g., “no known exploit,” “low impact,” or “fix scheduled post-deployment”)

This action is tracked and visible to auditors, so it’s important to keep the notes accurate and thoughtful.
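As an added illustration of Steps 2 through 4 (this is not ComplyJet's code, and the platform's actual due-date and alert logic is not described beyond the SLA example above), the Python model below takes an SLA policy keyed by severity, derives each finding's due date from its discovery date, classifies it as open, fixed, overdue or dismissed, flags open items approaching their deadline, and records a dismissal only when a readable justification is supplied. The Medium and Low SLA values, the three-day warning window, the `VULN-n` identifiers and the sample findings are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA policy in days per severity. Critical and High use the article's example
# values; Medium and Low are constructed placeholders for this illustration.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed warning window: flag open items due within this many days.
WARN_DAYS = 3


@dataclass
class Vulnerability:
    vuln_id: str                 # hypothetical identifier (scanner finding id)
    severity: str
    discovered: date
    fixed_on: Optional[date] = None
    dismissed_reason: Optional[str] = None

    def due_date(self, sla_days: dict = SLA_DAYS) -> date:
        """Discovery date plus the SLA allowance for this severity."""
        try:
            allowance = sla_days[self.severity.lower()]
        except KeyError:
            raise ValueError(f"no SLA defined for severity {self.severity!r}")
        return self.discovered + timedelta(days=allowance)


def status(v: Vulnerability, today: date, sla_days: dict = SLA_DAYS) -> str:
    """Classify a finding as dismissed, fixed, fixed-late, overdue or open."""
    if v.dismissed_reason:
        return "dismissed"
    due = v.due_date(sla_days)
    if v.fixed_on is not None:
        # A fix landed after the deadline is still a missed SLA for audit purposes.
        return "fixed" if v.fixed_on <= due else "fixed-late"
    return "overdue" if today > due else "open"


def approaching_deadline(v: Vulnerability, today: date,
                         warn_days: int = WARN_DAYS,
                         sla_days: dict = SLA_DAYS) -> bool:
    """True for open findings whose SLA due date is within warn_days."""
    if status(v, today, sla_days) != "open":
        return False
    return (v.due_date(sla_days) - today).days <= warn_days


def dismiss(v: Vulnerability, reason: str) -> Vulnerability:
    """Record a risk acceptance; refuse empty or one-word justifications."""
    reason = reason.strip()
    if len(reason.split()) < 3:
        raise ValueError("dismissal reason must be a justification an auditor can read")
    v.dismissed_reason = reason
    return v


def sla_report(vulns, today: date, sla_days: dict = SLA_DAYS) -> list:
    """One row per finding, soonest due date first."""
    rows = []
    for v in sorted(vulns, key=lambda x: x.due_date(sla_days)):
        rows.append({
            "id": v.vuln_id,
            "severity": v.severity,
            "due": v.due_date(sla_days).isoformat(),
            "status": status(v, today, sla_days),
            "alert": approaching_deadline(v, today, sla_days=sla_days),
        })
    return rows


# Constructed sample data evaluated against a fixed "today".
TODAY = date(2024, 6, 20)
SAMPLE = [
    Vulnerability("VULN-1", "Critical", date(2024, 6, 10)),   # due 06-17: overdue
    Vulnerability("VULN-2", "High", date(2024, 6, 8)),        # due 06-22: open, alert
    Vulnerability("VULN-3", "Critical", date(2024, 6, 15),
                  fixed_on=date(2024, 6, 18)),                # due 06-22: fixed on time
    dismiss(Vulnerability("VULN-4", "Low", date(2024, 6, 1)),
            "no vendor patch available; host is isolated, fix scheduled post-deployment"),
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE, TODAY):
        print(row)
```

The report sorts by due date rather than by severity, which is what a remediation queue needs: a High finding discovered two weeks ago can be due sooner than a Critical one discovered yesterday. The dismissal check is deliberately strict about the reason text because, as the article notes, that note is what an auditor will read.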

Final Goal

To stay secure and compliant:

  • Integrate with your scanners

  • Set SLAs and monitor due dates

  • Fix vulnerabilities before they expire

  • Dismiss responsibly, with clear justification

  • Keep your list clean and in a closed or reviewed state

ComplyJet also sends alerts when vulnerabilities are approaching SLA deadlines — helping you stay ahead of risks, and ahead of your audit.