For vulnerability management teams who own the find-track-fix-verify loop
In-house vulnerability management teams sit between the scanners that produce findings and the engineering teams that close them. SecPortal pairs scanner output, pentest results, manual reviews, severity scoring, SLA tracking, exceptions, retests, and reporting on one engagement record so the backlog is one queue, the audit trail is reproducible, and leadership reads the same dashboard the operators do.
No credit card required. Free plan available forever.
A vulnerability management platform built around the live finding record
In-house vulnerability management teams sit between the scanners that produce findings and the engineering teams that close them. The work spans scanner consolidation, severity calibration, SLA enforcement, exception management, retest verification, leadership reporting, and the audit support that GRC teams ask for every cycle. Most programmes run this work across a vulnerability scanner, a SAST tool, an SCA tool, a pentest report PDF, a spreadsheet for exceptions, a ticketing tool for engineering handoff, and a separate report deck for leadership, and pay the cost in reconciliation hours every cycle and in residual risk between cycles.
SecPortal gives in-house vulnerability management teams one workspace for findings management, scanner consolidation, severity calibration, SLA tracking, exception management, retest evidence, and AI-assisted reporting. Findings carry CVSS 3.1 scores from the moment they are opened, the SLA queue runs on the same record, and the leadership view regenerates from the same data the operators work against. Whether you run a one-person VM function inside a Series B SaaS company or a dedicated team supporting a regulated enterprise, the platform keeps the find-track-fix-verify loop on one record without adding administrative overhead.
Capabilities VM teams use day to day
One findings database across every source
Nessus, Burp Suite, SAST, SCA, third-party pentest reports, and manually logged findings consolidate into a single repository with CVSS 3.1 vector, severity, evidence, owner, and remediation status. Custom CSV mapping covers any scanner the team adds later, so the backlog is one queue rather than five parallel ones.
Severity recalibrated on the engagement record
Auto-calculated CVSS 3.1 scores import from scanners, then the VM team adjusts the vector for environmental and temporal context. The queue ranks by defensible risk rather than by tool default, so a critical from one scanner does not read identically to a critical from another even when one is unreachable in production.
Severity-driven SLA tracking
Every finding carries a target close date driven by severity. Open findings are ordered by time remaining rather than creation date, breach is a record event with timestamp and rationale, and aging is observable as a programme metric on the same dashboard the operators run on.
Exception register with structured decisions
Risk acceptances and compensating controls are captured as structured exceptions on the same engagement record as the finding they cover. The eight-field decision chain (linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, review cadence) sits on one record so auditors can reconstruct the rationale rather than read a narrative.
Retests paired to the original finding
Retest evidence (screenshot, repro steps, scan re-run output) sits on the same record as the original detection. Closure decisions are auditable rather than asserted from memory, and the verified-close trail survives tester rotation, scanner version changes, and tool migrations.
AI-assisted reporting on the live record
Executive summaries, technical reports, remediation roadmaps, and compliance summaries regenerate from the same engagement data the operators work against. The leadership view does not drift from operational reality between quarters because both regenerate from the same source.
How VM teams operate the programme inside SecPortal
The vulnerability programmes that hold up between assessments operate on a small set of disciplines. SecPortal supports each one rather than a single phase of it.
- Run a single backlog queue across scanner output, third-party pentest results, and internal review findings rather than carrying parallel queues per source.
- Triage scanner output before it lands as work for engineering: validate, deduplicate across tools, recalibrate severity for environmental context, and only then assign an owner and an SLA window.
- Track aging open findings continuously rather than at audit week, so the remediation-gap axis of evidence currency is observable alongside the cadence axis auditors read in parallel.
- Capture exceptions on the same record as the finding with the eight-field decision chain so the same exception does not get re-debated each cycle and so auditors can reconstruct the decision rather than read a narrative.
- Pair retest evidence to the original finding so verified close decisions survive scanner version changes, tester rotation, and tool migrations.
- Use role-based access control to scope analysts to specific engagements while practice leads keep visibility across the full programme, and require multi-factor authentication on every account.
From open finding to verified close, on one record
Closing findings cleanly is the part of the VM programme that drives both risk reduction and audit acceptance. SecPortal runs a single workflow that VM, AppSec, GRC, and engineering can all work against without re-keying the finding into another tool.
1. Import scanner output (Nessus, Burp Suite, custom CSV) or log a manual finding from a third-party pentest report. The finding lands on the engagement record with the source tool, the original detection date, and the raw evidence captured.
2. Triage the finding: validate the detection, deduplicate against the existing backlog, attach environmental context (asset criticality, exposure, compensating controls), and recalibrate the CVSS 3.1 vector if the default does not reflect the real risk.
3. Assign the finding to a named owner with an SLA window driven by severity. The owner sees the finding in their queue ordered by time remaining, with remediation guidance from the 300+ template library and the compliance control mapping pre-populated.
4. Track remediation in real time as engineering teams update fix status. The activity log captures every state change by user and timestamp, so the change-event trail is available for the auditor without a multi-team excavation of chat history.
5. Capture exceptions, compensating controls, and risk acceptances on the same record with the structured eight-field decision chain. Expiry-driven re-review is built into the queue so exceptions do not silently outlive the rationale that opened them.
6. Retest verified items, attach the closure evidence (screenshot, repro steps, scan re-run) to the original finding, and move the finding to verified-closed in one place. The trail shows when the issue was first found, when remediation took effect, and which scan or pentest closed it.
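The record model behind that loop, as an added example that is not SecPortal code: findings carry a severity-driven close date, the queue is ordered by time remaining rather than creation date, an SLA breach is logged once as a timestamped event with a rationale, expired exceptions surface for re-review, and a verified close requires retest evidence attached to the original finding. The SLA windows, field names and sample backlog are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed SLA windows in days per severity; illustrative, not SecPortal defaults.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
@dataclass
class Finding:
    fid: str
    severity: str                    # severity after recalibration on the record
    opened: date                     # original detection date from the source tool
    status: str = "open"             # open | excepted | verified-closed
    exception_expiry: Optional[date] = None
    events: list = field(default_factory=list)  # activity log: (date, event, note)

    def days_remaining(self, today: date) -> int:
        due = self.opened + timedelta(days=SLA_DAYS[self.severity])
        return (due - today).days

def record_breaches(findings, today, rationale="SLA window elapsed"):
    """Breach is a record event with timestamp and rationale, logged once per finding."""
    breached = []
    for f in findings:
        already = any(e[1] == "sla_breach" for e in f.events)
        if f.status == "open" and f.days_remaining(today) < 0 and not already:
            f.events.append((today, "sla_breach", rationale))
            breached.append(f.fid)
    return breached

def queue(findings, today):
    """Open findings ordered by time remaining rather than creation date."""
    open_items = [f for f in findings if f.status == "open"]
    return [f.fid for f in sorted(open_items, key=lambda f: f.days_remaining(today))]

def expired_exceptions(findings, today):
    """Exceptions whose expiry has passed and which are due for re-review."""
    return [f.fid for f in findings if f.status == "excepted"
            and f.exception_expiry is not None and f.exception_expiry <= today]

def verify_close(f, today, evidence):
    """Retest closes the original finding; closure requires evidence on that record."""
    if not evidence:
        raise ValueError("closure requires retest evidence")
    f.events.append((today, "verified_closed", evidence))
    f.status = "verified-closed"

# Constructed sample backlog for illustration only.
TODAY = date(2024, 6, 1)
BACKLOG = [
    Finding("F-1", "medium", date(2024, 3, 1)),     # due 2024-05-30, already breached
    Finding("F-2", "critical", date(2024, 5, 28)),  # due 2024-06-04, 3 days left
    Finding("F-3", "high", date(2024, 5, 10)),      # due 2024-06-09, 8 days left
    Finding("F-4", "low", date(2024, 1, 1), status="excepted",
            exception_expiry=date(2024, 5, 15)),    # exception past its expiry
]
```

Note that F-3 was opened before F-2 but sorts after it: time remaining, not creation date, decides the queue position.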
Where the VM programme connects to the rest of the workspace
Most VM teams adopt the platform in three phases: bring the consolidated finding backlog into one workspace so scanner, pentest, and manual findings stop living in five tools, layer in SLA tracking and the exception register so aging findings and risk acceptances stop hiding in spreadsheets, then consolidate retest evidence and leadership reporting on the same record so the trail does not break between quarters. The relevant feature, workflow, and research pages explain each phase in detail.
- The findings repository, CVSS calibration, and the audit trail are covered on the findings management feature page, with scanner depth on the authenticated scanning feature page and external coverage on the external scanning feature page.
- The risk-ranking discipline lives on the vulnerability prioritisation use case, the SLA discipline on the vulnerability SLA management use case, the exception register on the vulnerability acceptance and exception management use case, and the closure flow on the remediation tracking use case.
- Scanner output triage and import workflows are covered on the scanner result triage use case and the bulk finding import use case, with annual programme orchestration across vendors and asset groups on the security testing programme management use case.
- The compliance mapping for ISO 27001, SOC 2, PCI DSS, and NIST is covered on the compliance tracking feature page, the activity trail on the activity log feature page, and the AI reporting flow on the AI reports feature page.
- The deeper analysis of why vulnerability findings age past their SLA and how risk debt builds up sits on the aging pentest findings research, and the connection between vulnerability remediation and audit evidence currency lives on the audit evidence half-life research.
- For a defensible read of where the VM programme sits across governance, asset coverage, detection, prioritisation, remediation, and verification, score the discipline on the vulnerability management programme scorecard and treat the lowest-scoring domain as the next quarter improvement target.
- Framework-specific control mappings the VM programme has to evidence live on the ISO 27001 framework page, the SOC 2 framework page, the PCI DSS framework page, and the NIST SP 800-53 framework page.
For VM teams evaluating against scanner-led platforms
VM teams evaluating consolidation tend to compare SecPortal against scanner-led platforms with a remediation tab bolted on, against ticketing-led platforms with a vulnerability view, and against general-purpose engagement records. The detailed side-by-side comparisons cover the operational footprint and the evidence model for each model.
- The SecPortal vs Tenable.io comparison covers the scanning-plus-remediation model versus a scanner with a remediation surface.
- The SecPortal vs Vulcan Cyber comparison covers the single-workspace model versus a multi-scanner orchestration layer above existing scanner contracts.
- The SecPortal vs Qualys comparison covers the consolidated-engagement model versus an asset-driven scanner suite.
- The SecPortal vs Rapid7 comparison covers a workflow-led VM programme alongside a detection-led platform.
- The SecPortal vs ServiceNow Vulnerability Response comparison covers the workspace model versus a ticketing platform with a vulnerability application.
- The SecPortal vs Microsoft Defender Vulnerability Management comparison covers the engagement-driven workspace model versus an endpoint-driven Defender module with remediation routed through Microsoft Intune.
- The SecPortal vs spreadsheets comparison covers the move from a tracker spreadsheet to a structured engagement record without jumping to an enterprise scanner suite first.
SecPortal is built for vulnerability management teams that want one platform for the full find-track-fix-verify loop: live findings, severity calibration, SLA tracking, exception management, retest evidence, and the reporting on top. Engineering gets a clearer signal, GRC gets reproducible evidence, leadership reads the same dashboard the operators run on, and the VM team gets back the hours that used to disappear into reconciliation between tools.
If your function spans broader internal security operations rather than a dedicated VM scope, the sister page SecPortal for internal security teams covers vulnerability assessments, incident response, and compliance tracking across business units inside the same workspace.
If the VM team is part of a wider GRC and audit-readiness function, the SecPortal for GRC and compliance teams page covers the exception register, evidence currency, and audit support workflow that sits on top of the VM finding record.
If the VM team co-owns application security with engineering, the SecPortal for application security teams page covers authenticated DAST, SAST, SCA, and the OWASP-tagged remediation flow inside the same platform.
If the VM team works alongside a dedicated product security organisation that runs security review intake and PSIRT-style disclosure on top of the find-track-fix-verify loop, the SecPortal for product security teams page covers the SDLC engagement record, security champion portal, and PSIRT lifecycle that sit alongside the VM finding record.
If the VM team is downstream of an internal security engineering function that builds and operates the scanner fleet, credential vault, schedules, and access model the backlog depends on, the SecPortal for security engineering teams page covers the platform-as-product layer that sits underneath the VM finding record.
If the VM team reports up to a security leader who needs the leadership view on the same record the operators run on, the SecPortal for CISOs and security leaders page covers the program-level reporting workflow that sits on top of the VM finding record without rebuilding a deck every quarter.
If the VM team is part of a wider security operations function led by a head of security operations who carries the recurring SecOps cadence between the operator queue and the leadership view, the SecPortal for security operations leaders page covers the operations-leadership tier that pairs scheduled scanning, severity-driven SLAs, exception governance, and the recurring reporting cadence on the same record the VM team operates against.
For the recurring cadence that turns the VM closure rate, breach rate, MTTR, and exception register into the weekly, monthly, quarterly, and board-cycle leadership view, the security leadership reporting workflow runs on the same engagement record and regenerates each audience view from one source.
For the slice of the find-track-fix-verify loop where remediation requires coordination with an IT or infrastructure team that does not work the security backlog directly, the patch management coordination workflow pairs patch decisions, maintenance windows, pre-patch baselines, and post-patch rescan evidence to the original finding so the security-to-IT handoff stays auditable on the engagement record rather than scattered across change-ticket systems.
The problems you face
And how SecPortal solves each one.
Findings live across Nessus, Burp Suite, SAST, SCA, third-party pentest reports, and engineering ticket comments, so nobody can answer how big the open backlog is in one query
One findings database with CVSS 3.1 scoring, severity, owner, evidence, and remediation status. Nessus and Burp Suite imports, custom CSV mapping, code scan results, and manually logged pentest findings consolidate on the same record so the backlog is one queue rather than five parallel ones.
Severity comes from whichever tool the finding came from, so a critical from one scanner reads the same as a critical from another even when one is exploitable in production and the other is theoretical
Findings carry an auto-calculated CVSS 3.1 vector that the team can adjust for environmental and temporal context. Severity is recalibrated on the engagement record rather than inherited from scanner output, so the queue ranks by defensible risk rather than by tool default.
SLA windows live in policy documents that nobody reads, and aging findings go invisible until the audit or the breach forces a count
The vulnerability SLA management workflow tracks every finding against severity-driven SLA windows. Open findings are ordered by time remaining rather than creation date, so the closest-to-slipping item surfaces first and aging is observable as a programme metric rather than a quarterly surprise.
Risk acceptances and compensating controls live in narrative documents that auditors cannot reconstruct decision chains from, and the same exception gets re-debated each cycle
The vulnerability acceptance and exception management workflow captures the full eight-field decision (linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, review cadence) on the same record as the finding, with expiry-driven re-review built into the queue.
Authenticated scans never actually authenticate, so the queue looks fine on cadence but the depth is shallow and nobody notices until a pentest finds a finding the scanner should have caught
Authenticated scanning supports cookie, bearer token, basic auth, and form login modes with credentials encrypted via AES-256-GCM. The engagement record tracks the authentication state alongside the scan output so the team can defend depth rather than assume it.
Retest evidence sits in chat threads, screenshots, and reissued PDFs, so the same finding gets retested twice or marked closed without verification
Retests pair to the original finding rather than opening a new record. Closure evidence (screenshot, repro steps, scan re-run) sits on the same record as the original detection so the verified-close decision is auditable rather than asserted from memory.
Quarterly leadership reports are a multi-day copy-paste exercise across last quarter docs, scanner exports, and ticket comments
AI-generated reports produce executive summaries, technical reports, remediation roadmaps, and compliance summaries from the live engagement data. The leadership view regenerates from the same record the operators run on, so the dashboard does not drift from operational reality between quarters.
Compliance owners ask for evidence that vulnerability management is operating under ISO 27001 Annex A 8.8, SOC 2 CC7.1, PCI DSS 6.3.3, and NIST SP 800-53 RA-5, and the team has to assemble it manually from three tools
Compliance tracking maps findings and controls to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST frameworks on the same record. CSV export of findings, control status, and the activity trail is available when the auditor wants the trail rather than the document.
Run vulnerability management on one record
Scanner findings, pentest results, severity, SLA, exceptions, retests, and reporting on a single workspace. Free plan to start, no credit card required.