ai · security · skills
← Assessments

Quick scan · vulnerability management

Is your vulnerability management ready for AI-era threats?

Forty questions across five domains — about ten minutes. A fast, indicative read that flags where a foundation is missing. Not the per-function deep-dive, and nothing here is measured, but it tells you where to dig first.

Answer below

indicative quick read · self-assessed · 0/40

A fast read across the five vulnerability-management domains. The per-function deep-dive is where the full surface and higher tiers are earned.

Infrastructure & application security0/11
Can your scanners find novel weaknesses beyond known-signature lists, including in your custom and legacy apps?

verify · Ask what share of detections come from behavioural/AI analysis vs signatures, and whether legacy apps appear in recent scans.

Do you continuously simulate attacks year-round, and have you run an AI-assisted penetration test on critical systems?

verify · Check the testing calendar: last pentest date/method, and whether breach-and-attack simulation runs continuously or on request.

How much of your fix backlog remediates automatically, and can you deploy a compensating control within hours of a critical exploit going public?

verify · From the patch platform, compute % of patches auto-deployed last quarter; ask for a tested virtual-patching playbook.

Do you scan code with AI assistance at commit time, blocking critical findings before they reach production?

verify · Ask which AI scanning tools sit in the dev workflow and whether critical findings block a merge or deploy.

Is your network blast radius documented and within policy, and does outbound filtering block command-and-control and data exfiltration?

verify · Run a lateral-movement simulation from a standard workstation and count reachable production systems; review egress/DNS/TLS filtering.

Are systems hardened to a defined baseline, with compliance continuously monitored and enforced?

verify · Ask for the hardening standard (e.g. CIS benchmark) and whether deviations trigger a remediation workflow, not just a report.

Are containers and their orchestration scanned before deployment and watched at runtime as part of your program?

verify · Ask whether images are scanned pre-deploy with blocking, and whether clusters appear in the asset inventory.

Are all your interfaces — internal, external, and partner — inventoried and in scope for scanning, with controls for interface-specific attacks?

verify · Compare the published interface list against scanning scope; ask about monitoring for abuse patterns like excessive data exposure.

Are infrastructure-as-code templates scanned for misconfiguration before deployment, so flaws are not provisioned into your environment?

verify · Ask whether infrastructure-as-code scanners run in the deploy pipeline and whether critical findings block or only warn.

Is there a tested process to deploy critical patches fast and roll them back safely without service disruption?

verify · Walk the steps from approval to production for a critical patch and check the rollback was tested in the last 12 months.

Do you keep a bill of materials for critical apps and continuously watch third-party components for new vulnerabilities, with automatic alerts?

verify · Ask whether a component bill of materials exists and is current, and whether a newly-vulnerable production component auto-creates a ticket.

Data sovereignty0/6
Can you produce a complete, business-context inventory of every internet-facing asset — including anything stood up in the last day — within minutes?

verify · Ask the team to produce the list now and time it; check it includes owner, criticality, data classification, dependencies.

Does your program watch the exposure and security posture of your key suppliers and partners, not just your own systems?

verify · Check whether the program scope names third parties and whether supplier contracts carry security requirements.

Does your program have formal executive ownership with defined accountability and regular board-level reporting on maturity?

verify · Ask for the program charter and check the last board report included maturity metrics with a named accountable owner.

Is there a governance framework covering where your AI models come from, how identity data is protected, hardened run environments, and full auditability for AI making security decisions?

verify · Ask for the AI governance policy and confirm it covers model provenance, identity-data protection, hardened execution, and decision logging.

Are your most critical data assets formally identified and classified, with tighter fix timelines and continuous monitoring?

verify · Ask for the classification register and whether top-tier assets carry a tighter patch timeline than standard ones.

Are cloud data stores — buckets, databases, data lakes — continuously scanned for misconfiguration and exposure?

verify · Check the cloud posture dashboard for how many stores are in scope and whether misconfiguration alerts are automatic.

Threat intelligence0/7
How fast do you detect a newly-exploitable vulnerability across every asset tier, including cloud and third-party?

verify · Ask for detection-time data by asset tier from last quarter; if it is not tracked, that itself is the weakest answer.

Does your prioritisation go beyond severity scores to use real-time exploit intelligence like exploit-prediction scores and the known-exploited catalogue?

verify · Check whether exploit-prediction scores and known-exploited status show on findings and actually change work order.

Do you analyse how several smaller weaknesses could be chained together to reach critical access?

verify · Ask whether any attack-path analysis ran in the last 12 months and whether findings feed the program or sit in a separate report.

How much of your backlog is over 90 days old, and is each aged item formally risk-accepted with a documented approver and expiry?

verify · Pull a backlog age report over 90 days; sample 10 and check each has an approver and expiry date.

When new exploit intelligence emerges for a risk you previously accepted, does something automatically trigger a re-look?

verify · Ask what happens when an accepted vulnerability lands on the known-exploited catalogue; look for automated matching.

Do all your security tools feed one program view, with exploit intelligence and vendor advisories processed promptly into tracked findings?

verify · Map which tools need manual export; check enrichment latency and how vendor advisories become tracked findings.

Are identity risk signals — odd logins, privilege abuse, impossible travel — correlated with your vulnerability findings to re-rank fixes in near real time?

verify · Ask whether a confirmed identity attack alert automatically escalates the priority of related open findings.

Identity & access0/8
Is privileged access managed for the service accounts your security tools use, and do identity risks become prioritised findings automatically?

verify · Check privileged-access coverage against the tool service-account list; ask whether over-privileged/stale accounts create tickets.

Do you catch joiner-mover-leaver risks, conflicting access combinations, and multi-step privilege-escalation paths?

verify · Ask how role changes and departures trigger reviews and whether the governance tool flags separation-of-duties conflicts.

Are orphaned and service accounts and credential hygiene issues caught as findings with timelines, and are secrets centrally managed and rotated?

verify · Check whether orphaned-account findings flow into ticketing and whether secrets live in a vault with automated rotation.

Does every finding, including identity issues, have a named owner and arrive in a form the owner can act on without security hand-holding?

verify · Check for unassigned critical findings; ask an app owner to show a recent finding and whether they could act on it alone.

If you run defensive AI agents, is there a documented decision-authority matrix that includes identity context for what they may do on their own?

verify · Ask for the documented decision-authority matrix and whether it specifies identity context in the logic for autonomous actions.

Is there a formal framework deciding which automated identity actions can run on their own and which need a human to approve?

verify · Ask for the list of automated identity actions and whether each is classified autonomous or human-approved, formally signed off.

Are your defensive AI tools themselves patched and tested against adversarial manipulation and prompt injection?

verify · Check whether AI security tools appear in the asset inventory and patch schedule, and whether injection testing has been done.

Is strong authentication enforced on every privileged and high-risk path, with sign-in logs watched for anomalies?

verify · Try to reach a privileged console and confirm strong auth is enforced; check sign-in logs are ingested with anomaly rules.

Operational resilience0/8
How well-defined and measured is your service-level target for assigning and tracking critical findings from detection to fix?

verify · Ask for the target policy, then pull last quarter and check what share of critical findings were assigned within it.

Does your critical patch target aim for within a day, with a tested emergency fast-track for zero-days and a mandatory re-scan before closing the ticket?

verify · Ask the critical patch target, the Friday-night zero-day process, and whether post-patch re-scan is mandatory before closure.

Do leadership and the board see near-real-time metrics, including how many open findings could be weaponised by AI today?

verify · Check the last board report date/freshness and whether any metric counts findings with public exploits or high exploit-prediction scores.

Is vulnerability management a dedicated function with named people, runbooks, escalation procedures, and active training on AI-era threats?

verify · Ask for the team org chart, the runbook library, and when AI-era threat training was last delivered.

Are findings from identity, infrastructure, and applications all integrated into your operations and detection tooling with consistent risk scoring?

verify · Ask whether identity, infrastructure, and application findings appear in one operations view with comparable risk scores.

Is your mean time to detect critical incidents under a few hours, with automated playbooks containing and preserving evidence before an analyst is free?

verify · Pull last quarter mean-time-to-detect for critical incidents; ask how many incident types have automated containment playbooks.

Do you have tested procedures and behavioural analytics for AI-powered attacks that leave no traditional malware signature?

verify · Ask for detection rules targeting AI-powered attack patterns and when they were last exercised in a simulation.

Is there a tracked AI-readiness improvement program with regular leadership reporting and a business case quantifying the cost of not being ready?

verify · Ask whether a named AI-readiness workstream exists and whether the business case quantifies breach probability and regulatory exposure.