# Best Practices for Managing Vulnerabilities in the Cloud

By [Mohit Bhasin](https://www.paloaltonetworks.com/blog/author/mohit-bhasin/?ts=markdown "Posts by Mohit Bhasin") and [Alexandre Cezar](https://www.paloaltonetworks.com/blog/author/alexandre-cezar/?ts=markdown "Posts by Alexandre Cezar")

May 02, 2024 · 6 minutes

[Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) · [Code to Cloud](https://www.paloaltonetworks.com/blog/cloud-security/category/code-to-cloud/?ts=markdown) · [Vulnerability Management](https://www.paloaltonetworks.com/blog/tag/vulnerability-management/?ts=markdown)

If you've ever questioned the importance of vulnerability management, consider these facts:

* [26,447 vulnerabilities](https://www.cvedetails.com/browse-by-date.php) were disclosed in 2023, 1,500 more than in 2022.
* Three new vulnerabilities are discovered every 3 hours.
* 7,000 vulnerabilities had proof-of-concept exploit code.

To make matters worse, attackers are wasting no time in taking advantage of this wave, exploiting vulnerabilities [within 15 minutes](https://start.paloaltonetworks.com/asm-report) of publication. Does your team have a plan to effectively manage vulnerabilities in the cloud?

## Challenges of Vulnerability Management in the Cloud

Coordinating [vulnerability management](https://www.paloaltonetworks.ca/cyberpedia/vulnerability-management) across diverse systems and applications, including cloud-based infrastructure and third-party software, is inherently complex and time-consuming. Traditional vulnerability management tools struggle to keep pace with the dynamic and ephemeral nature of cloud environments, leading to gaps in visibility and coverage. This is especially true given the lack of integration between security tools and development pipelines, which often results in delays in [patch management](https://www.paloaltonetworks.com/cyberpedia/patch-management?ts=markdown) and a longer window of exposure.

These challenges can be overcome with four simple best practices:

1. Gain visibility across the application lifecycle
2. Identify the most impactful vulnerabilities
3. Take action and remediate vulnerabilities
4. Monitor and report risk burndown

This post will focus on the first two best practices. Let's get started...

## Vulnerability Best Practice #1: Gain Visibility Across the Application Lifecycle

Visibility is the most logical first step for most cybersecurity practices because it provides essential insights into an organization's digital environment. Understanding what assets exist, and the vulnerabilities associated with them across the application's lifecycle, serves as the foundation for informed decision-making and proactive security measures.
Additionally, visibility into cloud vulnerabilities fosters transparency and accountability, enabling stakeholders to make informed decisions about risk management and mitigation strategies. It also enhances collaboration between security, development and other stakeholders by providing a common understanding of the vulnerability landscape.

By implementing robust scanning and assessment mechanisms, users can systematically identify vulnerabilities within their systems, ensuring that no workload is invisible or hidden from the program. This can be achieved with a range of techniques, such as agentless and agent-based scanning and ingesting data from third-party platforms. An ideal solution should support both scanning methods, especially if you have cloud applications and workloads hosted on public and private cloud environments. Each approach offers benefits that, when combined, provide the most complete coverage.

[**Agentless vulnerability management**](https://www.paloaltonetworks.com/blog/prisma-cloud/agent-vs-agentless-cwp/?ts=markdown) reduces the operational overhead associated with deploying and managing agents on numerous workloads, simplifying the management process. It also enables organizations to assess and monitor assets that cannot support traditional agents, such as legacy systems or network devices.

[**Agent-based scanning solutions**](https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-agent-based-and-agentless-security?ts=markdown) provide continuous monitoring and real-time visibility into vulnerabilities and threats. They can also collect additional data and metrics from applications, enabling more accurate risk assessment and prioritization of vulnerabilities.

## Prisma Cloud's Approach to Identifying Vulnerabilities

The Prisma Cloud Code to Cloud™ platform enables users to gain visibility into how a vulnerability affects their entire application lifecycle.
This view gives visibility into [vulnerabilities from code to cloud](https://www.paloaltonetworks.com/blog/prisma-cloud/vulnerability-management-innovation/?ts=markdown). In the code stage the system identifies all packages, Dockerfiles and IaC templates. In the deploy stage it scans VM images and container images in registries. Then, at runtime, it identifies vulnerabilities in VM instances, deployed container images and serverless functions, giving organizations a complete picture of all vulnerabilities as well as how they're connected. Users have the flexibility to choose from both agentless and agent-based scanning methods, so they can customize their protection based on their specific needs.

![Figure 1: Visibility in Vulnerabilities Across the Application Lifecycle](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-319752-1-1.png)

Figure 1: Visibility in Vulnerabilities Across the Application Lifecycle

## Best Practice #2: Identify the Most Impactful Vulnerabilities

With comprehensive visibility across the application lifecycle established, it's time to prioritize the issues that pose the biggest threat. The reality is, not all vulnerabilities are created equal: some pose a significantly higher risk to our applications, systems and data than others. That being said, there's no single and absolute truth to vulnerability prioritization, since it's affected by specific vulnerability, risk, business and environmental factors. This makes it imperative to prioritize remediation efforts based on the potential impact of a vulnerability on your unique environment. Here are some key considerations:

1. **Severity:** Critical and high severity vulnerabilities should be prioritized over low severity vulnerabilities.
2. **Exploitability:** Consider the likelihood that a vulnerability will be exploited. Vulnerabilities with known exploits readily available in the wild should be prioritized with urgency.
3. **Potential Damage:** Workloads exposed to the Internet have a higher likelihood of being targeted for an attack and should be prioritized accordingly.
4. **Affected Assets:** Assess the number of workloads affected by the vulnerability. Focus on fixing vulnerabilities that will have the greatest impact.

By focusing their attention where it matters the most, organizations can enhance their security posture and reduce the risk of cyber incidents. But how can we implement this practice effectively within the context of our newfound visibility across the application lifecycle?

## Prisma Cloud's Approach to Prioritizing Vulnerabilities

Prisma Cloud makes it easy to identify and prioritize the most critical vulnerabilities so that you can address the highest risks to your environment first. The Code to Cloud platform provides a funnel view that first filters vulnerabilities down to only the most critical CVEs. It then narrows the set even further to only those that are exploitable. With insight into which ones can be exploited, it's possible to identify those that can be patched or fixed by your team. The system also highlights the details of vulnerabilities that are actively being used by packages in your environment, including threat intelligence and known exploits, so you can start taking action.

![Figure 2: How Prisma Cloud determines which vulnerabilities are the most impactful](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/05/word-image-319752-2-1.png)

Figure 2: How Prisma Cloud determines which vulnerabilities are the most impactful

Use the insights gained from comprehensive visibility to prioritize vulnerabilities based on their potential impact. It's also important to collaborate closely with stakeholders, including security and development teams and business leaders, to align on prioritization criteria and ensure that remediation efforts are focused on addressing the most critical vulnerabilities first.
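The four considerations above, and the funnel narrowing that follows them (all findings, then critical/high, then exploitable, then fixable by your team), can be written down as a small triage routine. The block below is an added example and is not Prisma Cloud's code or output; the `Finding` schema, the field names, the lexicographic ordering of the criteria and the sample inventory (with placeholder identifiers, not real CVEs) are all assumptions made for illustration.

```python
"""Triage funnel for the four prioritization criteria above.

Added example, not Prisma Cloud code. The Finding schema, the ordering of the
criteria and the sample findings are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity ladder; anything unknown ranks below "low".
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One vulnerable package as a scanner might report it (hypothetical schema)."""
    vuln_id: str             # placeholder identifiers below, not real CVEs
    package: str
    severity: str            # "critical" | "high" | "medium" | "low"
    known_exploit: bool      # exploit code is public or exploitation is reported
    internet_exposed: bool   # the workload is reachable from the Internet
    affected_workloads: int  # running workloads that carry this package
    fix_available: bool      # a patched package version exists


def severity_rank(f: Finding) -> int:
    return SEVERITY_RANK.get(f.severity.lower(), 0)


def sort_key(f: Finding) -> Tuple[int, bool, bool, int]:
    """Lexicographic key in the order the post lists the criteria:
    severity, then exploitability, then exposure, then blast radius."""
    return (severity_rank(f), f.known_exploit, f.internet_exposed, f.affected_workloads)


def rank(findings: List[Finding]) -> List[Finding]:
    """Most urgent first."""
    return sorted(findings, key=sort_key, reverse=True)


def funnel(findings: List[Finding]) -> Tuple[Dict[str, int], List[Finding]]:
    """Narrow the set the way the funnel view does:
    all -> critical/high -> with a known exploit -> fixable by your team.
    Returns the count surviving each stage plus the ranked fixable worklist."""
    crit_high = [f for f in findings if severity_rank(f) >= SEVERITY_RANK["high"]]
    exploitable = [f for f in crit_high if f.known_exploit]
    fixable = [f for f in exploitable if f.fix_available]
    counts = {
        "all": len(findings),
        "critical_high": len(crit_high),
        "exploitable": len(exploitable),
        "fixable": len(fixable),
    }
    return counts, rank(fixable)


def dropped_at_fix_stage(findings: List[Finding]) -> List[Finding]:
    """Exploitable critical/high findings with no patch yet. They leave the
    funnel but still need tracking (compensating controls, vendor follow-up)."""
    return [f for f in rank(findings)
            if severity_rank(f) >= SEVERITY_RANK["high"]
            and f.known_exploit and not f.fix_available]


# Constructed sample inventory; identifiers are placeholders, not real CVEs.
SAMPLE: List[Finding] = [
    Finding("EXAMPLE-1", "libexample", "critical", True, True, 12, True),
    Finding("EXAMPLE-2", "demo-parser", "critical", False, True, 40, True),
    Finding("EXAMPLE-3", "toolkit", "high", True, False, 3, False),
    Finding("EXAMPLE-4", "util-lib", "high", True, True, 7, True),
    Finding("EXAMPLE-5", "legacy-agent", "medium", True, True, 25, True),
    Finding("EXAMPLE-6", "logger", "low", False, False, 100, True),
]


if __name__ == "__main__":
    counts, worklist = funnel(SAMPLE)
    for stage, n in counts.items():
        print(f"{stage:>14}: {n}")
    print("fix first :", [f.vuln_id for f in worklist])
    print("no fix yet:", [f.vuln_id for f in dropped_at_fix_stage(SAMPLE)])
```

The sort key encodes the post's list order as a strict precedence, so a critical finding with no known exploit still outranks an exploitable high. Teams that want exploit availability to dominate can simply reorder the tuple; what matters is that the order is explicit and agreed with the stakeholders the post mentions. Returning the per-stage counts makes the funnel auditable: the difference between `exploitable` and `fixable` is exactly the set that needs compensating controls rather than a patch.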
## Learn More

Achieving comprehensive visibility and prioritization are just the first steps in building an [effective foundation for vulnerability management](https://www.paloaltonetworks.com/prisma/cloud/vulnerability-management?ts=markdown). To learn more about how Prisma Cloud can help your organization manage vulnerabilities from code to cloud, see how we can [help you find and fix the XZ Utils vulnerability](https://www.paloaltonetworks.com/blog/prisma-cloud/find-fix-zero-day-cves/?ts=markdown).