Vulnerability Management: A how-to

In this talk I will help you identify what a vulnerability management program is and what separates the good ones from the bad ones. I will go over how policies, procedures, culture, and even organizational structure play a pivotal role in this: how this isn't about any specific tool or periodic pen test, and how vulnerability scanning and pen tests are actually the last thing you want to do. I will explain how asset and configuration management (CMDB) along with risk and threat modeling are way more important than any scanning tool, and how you can have a way stronger security posture with a solid CMDB and no scanning tool than you can with a scanning tool and a crappy or no CMDB. I will go over how to catalog your vulnerabilities with just a solid CMDB and some homegrown scripting. Most importantly, I will discuss why the CVSS base numeric score isn't always a good indicator of what is critical to your organization and how to figure out what is important to your org. I will also explain why doing a pen test when you haven't fully cataloged your vulnerabilities and remedied what is important to your organization is actually counterproductive.
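As an added illustration of the "solid CMDB plus homegrown scripting" approach the abstract describes (example code, not the speaker's), the script below ranks scanner findings by organizational context taken from a CMDB extract rather than by CVSS base score alone; the asset fields, weights, asset names and CVE placeholders are all constructed assumptions.

```python
# Added example, not the speaker's code: rank findings by organizational
# context from the CMDB instead of by CVSS base score alone. Asset fields,
# weights and findings are constructed assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool       # network zone recorded in the CMDB
    business_tier: int          # 1 = crown jewel ... 3 = disposable/dev
    handles_pii: bool           # data classification from the CMDB
    compensating_control: bool  # e.g. WAF or host isolation on record

@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifiers below, not real CVEs
    asset: str
    cvss_base: float

# Constructed CMDB extract; a real one is exported from the CMDB itself.
CMDB = {a.name: a for a in (
    Asset("pay-api-01", True, 1, True, False),
    Asset("dev-jenkins", False, 3, False, True),
    Asset("hr-db-02", False, 1, True, False),
)}

# Constructed scanner output keyed to CMDB asset names.
FINDINGS = (
    Finding("CVE-XXXX-0001", "dev-jenkins", 9.8),
    Finding("CVE-XXXX-0002", "pay-api-01", 6.5),
    Finding("CVE-XXXX-0003", "hr-db-02", 7.5),
    Finding("CVE-XXXX-0004", "unknown-host", 9.0),  # not in the CMDB
)

def org_score(f: Finding, cmdb: dict) -> float:
    """CVSS base scaled by exposure, tier, data sensitivity and controls."""
    a = cmdb.get(f.asset)
    if a is None:
        return -1.0  # CMDB gap: fix the inventory, don't guess a priority
    score = f.cvss_base * (1.5 if a.internet_facing else 0.75)
    score *= {1: 1.5, 2: 1.0, 3: 0.5}[a.business_tier]
    score *= 1.25 if a.handles_pii else 1.0
    score *= 0.5 if a.compensating_control else 1.0
    return score

def prioritize(findings, cmdb) -> list:
    """(cve, asset, org_score) tuples, highest organizational risk first."""
    ranked = [(f.cve, f.asset, org_score(f, cmdb)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

With these weights the 9.8 on the isolated dev box ranks below the 6.5 on the internet-facing payment API, and the host missing from the CMDB is flagged as an inventory gap rather than silently scored.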

Siggi Bjarnason

Cybersecurity Specialist

Garðabær, Iceland
