Ebook

The Modern Vulnerability Management Lifecycle

3 min read

About this ebook

Intake to verified closure, run as a program: how findings are correlated, governed through a state machine, tracked against SLA, and closed under a four-eyes audit trail.

Most security teams own more scanners than they own outcomes. Tools find vulnerabilities by the hundred thousand, yet the work that actually reduces risk happens after the scan: deciding what is real, who owns it, how long it may stay open, and who signs off on closing it. This ebook treats the vulnerability management lifecycle as that program of work. It follows a single finding from scanner intake through correlation, governed triage, SLA enforcement, and verified closure, and it shows how PMAP makes each stage fast for the analyst yet fully reconstructable for an auditor.

What you will learn

  • Why the finding, not the scan, is the true unit of vulnerability work.
  • How the correlation engine deduplicates scanner results through a four-case pipeline so you triage each real issue once.
  • How severity governance preserves the scanner value while letting analysts and rules set an effective value.
  • How the status state machine turns triage into a set of legal, audit-logged transitions rather than free text.
  • How SLA deadlines resolve through a project, company, and global precedence chain, with pause, resume, and escalation.
  • How verified closure works through re-test and a four-eyes approval gate that prevents unilateral risk acceptance.

Inside this ebook

  • Chapter 1. The Finding Is the Unit of Work. Scanners produce results. Programs produce closed findings. The distance between those two sentences is the whole discipline of vulnerability management, and it is where PMAP lives.
  • Chapter 2. Intake and Correlation. Before a human ever looks at a result, the correlation engine has already answered one question for it: have we seen this before? That single decision, made well, is what keeps a queue honest.
  • Chapter 3. Triage as a Governed State Machine. Triage is where judgment enters the lifecycle. PMAP constrains that judgment just enough to keep it legal, auditable, and fast, without getting in the analyst’s way.
  • Chapter 4. Making Time a First-Class Citizen. A vulnerability without a deadline is a vulnerability without urgency. SLA is how a program turns severity into a clock, and PMAP resolves that clock through a clear chain of precedence.
  • Chapter 5. Verified Closure. Anyone can mark a finding closed. A program proves it. Closure in PMAP runs through re-test and, for sensitive decisions, a four-eyes approval that no single person can shortcut.
  • Chapter 6. Running It as a Program. A lifecycle that works for one finding has to work for a hundred thousand. Bulk operations, events, and a dual audit trail are what turn the per-finding mechanics into an operating model.
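To make the mechanics named in the two lists above concrete (a scanner severity kept beside an analyst-set effective value, status transitions that are whitelisted and audit-logged, an SLA resolved through a project, company, global precedence chain with pause and resume, and a four-eyes gate on risk acceptance), here is an added Python sketch. It is illustrative code written for this page, not PMAP's implementation and not taken from the ebook; every status name, SLA number, company key and project key in it is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed status vocabulary and legal transitions; a hypothetical state machine, not PMAP's.
TRANSITIONS = {
    "new": {"triaged", "false_positive"},
    "triaged": {"in_remediation", "risk_accepted"},
    "in_remediation": {"retest_pending"},
    "retest_pending": {"closed", "in_remediation"},  # re-test passes, or fails and goes back
    "risk_accepted": {"closed"},
    "false_positive": set(),
    "closed": set(),
}

# Assumed SLA tables in days per severity; a level that omits a severity defers to the next one.
GLOBAL_SLA = {"critical": 7, "high": 30, "medium": 90, "low": 180}
COMPANY_SLA = {"acme": {"critical": 3}}
PROJECT_SLA = {"acme/payments": {"critical": 1, "high": 14}}

@dataclass
class Finding:
    key: str
    scanner_severity: str                      # what the scanner said; never overwritten
    company: str
    project: str
    opened_at: datetime
    effective_severity: Optional[str] = None   # analyst- or rule-set value, if any
    status: str = "new"
    paused_at: Optional[datetime] = None
    paused_total: timedelta = timedelta(0)
    audit: list = field(default_factory=list)

    def severity(self) -> str:
        return self.effective_severity or self.scanner_severity

    def log(self, actor: str, action: str, **detail):
        self.audit.append({"actor": actor, "action": action, **detail})

def set_effective_severity(f: Finding, actor: str, value: str, reason: str):
    f.log(actor, "severity", old=f.severity(), new=value, reason=reason)
    f.effective_severity = value

def transition(f: Finding, actor: str, new_status: str, approver: Optional[str] = None):
    """Apply a whitelisted transition; risk acceptance needs a second, distinct approver."""
    if new_status not in TRANSITIONS[f.status]:
        raise ValueError(f"illegal transition {f.status} -> {new_status}")
    if new_status == "risk_accepted" and (approver is None or approver == actor):
        raise PermissionError("four-eyes: risk acceptance requires a distinct approver")
    f.log(actor, "status", old=f.status, new=new_status, approver=approver)
    f.status = new_status

def resolve_sla_days(f: Finding) -> int:
    """Precedence chain: project, then company, then global; the first level defining the severity wins."""
    sev = f.severity()
    for table in (PROJECT_SLA.get(f.project, {}), COMPANY_SLA.get(f.company, {}), GLOBAL_SLA):
        if sev in table:
            return table[sev]
    raise KeyError(f"no SLA defined for severity {sev}")

def pause(f: Finding, actor: str, at: datetime):
    f.paused_at = at
    f.log(actor, "sla_pause", at=at.isoformat())

def resume(f: Finding, actor: str, at: datetime):
    f.paused_total += at - f.paused_at   # paused time does not count against the clock
    f.paused_at = None
    f.log(actor, "sla_resume", at=at.isoformat())

def deadline(f: Finding) -> datetime:
    return f.opened_at + timedelta(days=resolve_sla_days(f)) + f.paused_total

def escalation(f: Finding, now: datetime) -> str:
    """Queue signal: 'overdue', 'on_track', or 'none' when the clock is not running."""
    if f.status in ("closed", "false_positive") or f.paused_at is not None:
        return "none"
    return "overdue" if now > deadline(f) else "on_track"

def demo() -> dict:
    """Walk one constructed finding through the lifecycle and return what each mechanism produced."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    f = Finding("F-1", "high", "acme", "acme/web", opened_at=t0)  # constructed sample finding
    out = {"sla_global_high": resolve_sla_days(f)}                 # 30: nothing more specific set
    set_effective_severity(f, "alice", "critical", "exploit observed in the wild")
    out["sla_company_critical"] = resolve_sla_days(f)              # 3: company override
    out["scanner_severity_kept"] = f.scanner_severity              # still "high"
    f.project = "acme/payments"
    out["sla_project_critical"] = resolve_sla_days(f)              # 1: project override
    try:
        transition(f, "alice", "closed")                           # new -> closed is not legal
    except ValueError:
        out["illegal_blocked"] = True
    transition(f, "alice", "triaged")
    try:
        transition(f, "alice", "risk_accepted", approver="alice")  # self-approval is refused
    except PermissionError:
        out["self_approval_blocked"] = True
    pause(f, "alice", t0 + timedelta(hours=12))
    resume(f, "alice", t0 + timedelta(hours=36))                   # one day on pause
    out["deadline"] = deadline(f).isoformat()                      # 2026-01-03T00:00:00+00:00
    out["escalation"] = escalation(f, t0 + timedelta(days=3, hours=1))  # overdue
    transition(f, "alice", "risk_accepted", approver="bob")
    out["audit_actions"] = [e["action"] for e in f.audit]
    return out
```

Two design points carry the weight here: rejected transitions and rejected approvals raise before anything is logged, so the audit trail records only state that actually happened, and the SLA clock is derived from `opened_at` plus accumulated pause time rather than stored, so re-severitising a finding moves its deadline without any manual bookkeeping.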

PMAP design principle: At enterprise scale, triage must be fast, governed, and auditable at the same time. Speed without governance creates risk. Governance without speed creates a backlog. The lifecycle has to deliver both.

At a glance

  • Series: PMAP Ebook
  • Discipline: Vulnerability Management
  • Audience: CISO, VM lead, SOC lead
  • Reading time: About 45 minutes
  • Platform: PMAP by Privia Security
  • Applies to: PMAP v2026.06

See it live

Ready to see PMAP in action?

Talk to our team or jump straight into a guided tour of the platform.