Is your vulnerability management ready for AI-era threats?
Forty questions across five domains — about ten minutes. A fast, indicative read that flags where a foundation is missing. Not the per-function deep-dive, and nothing here is measured, but it tells you where to dig first.
—
Answer below
indicative quick read · self-assessed · 0/40
A fast read across the five vulnerability-management domains. The per-function deep-dive is where the full surface and higher tiers are earned.
Infrastructure & application security0/11
Can your scanners find novel weaknesses beyond known-signature lists, including in your custom and legacy apps?
verify · Ask what share of detections come from behavioural/AI analysis vs signatures, and whether legacy apps appear in recent scans.
Do you continuously simulate attacks year-round, and have you run an AI-assisted penetration test on critical systems?
verify · Check the testing calendar: last pentest date/method, and whether breach-and-attack simulation runs continuously or on request.
How much of your fix backlog remediates automatically, and can you deploy a compensating control within hours of a critical exploit going public?
verify · From the patch platform, compute % of patches auto-deployed last quarter; ask for a tested virtual-patching playbook.
Do you scan code with AI assistance at commit time, blocking critical findings before they reach production?
verify · Ask which AI scanning tools sit in the dev workflow and whether critical findings block a merge or deploy.
Is your network blast radius documented and within policy, and does outbound filtering block command-and-control and data exfiltration?
verify · Run a lateral-movement simulation from a standard workstation and count reachable production systems; review egress/DNS/TLS filtering.
Are systems hardened to a defined baseline, with compliance continuously monitored and enforced?
verify · Ask for the hardening standard (e.g. CIS benchmark) and whether deviations trigger a remediation workflow, not just a report.
Are containers and their orchestration scanned before deployment and watched at runtime as part of your program?
verify · Ask whether images are scanned pre-deploy with blocking, and whether clusters appear in the asset inventory.
Are all your interfaces — internal, external, and partner — inventoried and in scope for scanning, with controls for interface-specific attacks?
verify · Compare the published interface list against scanning scope; ask about monitoring for abuse patterns like excessive data exposure.
Are infrastructure-as-code templates scanned for misconfiguration before deployment, so flaws are not provisioned into your environment?
verify · Ask whether infrastructure-as-code scanners run in the deploy pipeline and whether critical findings block or only warn.
Is there a tested process to deploy critical patches fast and roll them back safely without service disruption?
verify · Walk the steps from approval to production for a critical patch and check the rollback was tested in the last 12 months.
Do you keep a bill of materials for critical apps and continuously watch third-party components for new vulnerabilities, with automatic alerts?
verify · Ask whether a component bill of materials exists and is current, and whether a newly-vulnerable production component auto-creates a ticket.
Data sovereignty0/6
Can you produce a complete, business-context inventory of every internet-facing asset — including anything stood up in the last day — within minutes?
verify · Ask the team to produce the list now and time it; check it includes owner, criticality, data classification, dependencies.
Does your program watch the exposure and security posture of your key suppliers and partners, not just your own systems?
verify · Check whether the program scope names third parties and whether supplier contracts carry security requirements.
Does your program have formal executive ownership with defined accountability and regular board-level reporting on maturity?
verify · Ask for the program charter and check the last board report included maturity metrics with a named accountable owner.
Is there a governance framework covering where your AI models come from, how identity data is protected, hardened run environments, and full auditability for AI making security decisions?
verify · Ask for the AI governance policy and confirm it covers model provenance, identity-data protection, hardened execution, and decision logging.
Are your most critical data assets formally identified and classified, with tighter fix timelines and continuous monitoring?
verify · Ask for the classification register and whether top-tier assets carry a tighter patch timeline than standard ones.
Are cloud data stores — buckets, databases, data lakes — continuously scanned for misconfiguration and exposure?
verify · Check the cloud posture dashboard for how many stores are in scope and whether misconfiguration alerts are automatic.
Threat intelligence0/7
How fast do you detect a newly-exploitable vulnerability across every asset tier, including cloud and third-party?
verify · Ask for detection-time data by asset tier from last quarter; if it is not tracked, that itself is the weakest answer.
Does your prioritisation go beyond severity scores to use real-time exploit intelligence like exploit-prediction scores and the known-exploited catalogue?
verify · Check whether exploit-prediction scores and known-exploited status show on findings and actually change work order.
Do you analyse how several smaller weaknesses could be chained together to reach critical access?
verify · Ask whether any attack-path analysis ran in the last 12 months and whether findings feed the program or sit in a separate report.
How much of your backlog is over 90 days old, and is each aged item formally risk-accepted with a documented approver and expiry?
verify · Pull a backlog age report over 90 days; sample 10 and check each has an approver and expiry date.
When new exploit intelligence emerges for a risk you previously accepted, does something automatically trigger a re-look?
verify · Ask what happens when an accepted vulnerability lands on the known-exploited catalogue; look for automated matching.
Do all your security tools feed one program view, with exploit intelligence and vendor advisories processed promptly into tracked findings?
verify · Map which tools need manual export; check enrichment latency and how vendor advisories become tracked findings.
Are identity risk signals — odd logins, privilege abuse, impossible travel — correlated with your vulnerability findings to re-rank fixes in near real time?
verify · Ask whether a confirmed identity attack alert automatically escalates the priority of related open findings.
Identity & access0/8
Is privileged access managed for the service accounts your security tools use, and do identity risks become prioritised findings automatically?
verify · Check privileged-access coverage against the tool service-account list; ask whether over-privileged/stale accounts create tickets.
Do you catch joiner-mover-leaver risks, conflicting access combinations, and multi-step privilege-escalation paths?
verify · Ask how role changes and departures trigger reviews and whether the governance tool flags separation-of-duties conflicts.
Are orphaned and service accounts and credential hygiene issues caught as findings with timelines, and are secrets centrally managed and rotated?
verify · Check whether orphaned-account findings flow into ticketing and whether secrets live in a vault with automated rotation.
Does every finding, including identity issues, have a named owner and arrive in a form the owner can act on without security hand-holding?
verify · Check for unassigned critical findings; ask an app owner to show a recent finding and whether they could act on it alone.
If you run defensive AI agents, is there a documented decision-authority matrix that includes identity context for what they may do on their own?
verify · Ask for the documented decision-authority matrix and whether it specifies identity context in the logic for autonomous actions.
Is there a formal framework deciding which automated identity actions can run on their own and which need a human to approve?
verify · Ask for the list of automated identity actions and whether each is classified autonomous or human-approved, formally signed off.
Are your defensive AI tools themselves patched and tested against adversarial manipulation and prompt injection?
verify · Check whether AI security tools appear in the asset inventory and patch schedule, and whether injection testing has been done.
Is strong authentication enforced on every privileged and high-risk path, with sign-in logs watched for anomalies?
verify · Try to reach a privileged console and confirm strong auth is enforced; check sign-in logs are ingested with anomaly rules.
Operational resilience0/8
How well-defined and measured is your service-level target for assigning and tracking critical findings from detection to fix?
verify · Ask for the target policy, then pull last quarter and check what share of critical findings were assigned within it.
Does your critical patch target aim for within a day, with a tested emergency fast-track for zero-days and a mandatory re-scan before closing the ticket?
verify · Ask the critical patch target, the Friday-night zero-day process, and whether post-patch re-scan is mandatory before closure.
Do leadership and the board see near-real-time metrics, including how many open findings could be weaponised by AI today?
verify · Check the last board report date/freshness and whether any metric counts findings with public exploits or high exploit-prediction scores.
Is vulnerability management a dedicated function with named people, runbooks, escalation procedures, and active training on AI-era threats?
verify · Ask for the team org chart, the runbook library, and when AI-era threat training was last delivered.
Are findings from identity, infrastructure, and applications all integrated into your operations and detection tooling with consistent risk scoring?
verify · Ask whether identity, infrastructure, and application findings appear in one operations view with comparable risk scores.
Is your mean time to detect critical incidents under a few hours, with automated playbooks containing and preserving evidence before an analyst is free?
verify · Pull last quarter mean-time-to-detect for critical incidents; ask how many incident types have automated containment playbooks.
Do you have tested procedures and behavioural analytics for AI-powered attacks that leave no traditional malware signature?
verify · Ask for detection rules targeting AI-powered attack patterns and when they were last exercised in a simulation.
Is there a tracked AI-readiness improvement program with regular leadership reporting and a business case quantifying the cost of not being ready?
verify · Ask whether a named AI-readiness workstream exists and whether the business case quantifies breach probability and regulatory exposure.