Consolidate scanner output, prioritise by exploit likelihood, and track remediation.
The challenge
Multiple scanners produce conflicting data. Severity-only prioritisation misses actively exploited CVEs. Manual remediation tracking breaks under scale.
How Fig helps
Vulnerabilities scored using Exploit Prediction Scoring System (EPSS) and CISA Known Exploited Vulnerabilities (KEV) data, not just CVSS severity. All decisions remain auditable.
Normalise output from multiple scanner sources into one consolidated portfolio view.
Fig includes a built-in vulnerability scanner for external-facing assets. Each scan generates a structured report suitable for client delivery, audit submissions, or stakeholder review.
Every accepted risk records who approved it, why, what conditions apply, the scheduled review date, and links to the risk register. Revocation tracked automatically.
Structured packs linking findings, remediation actions, ownership chains, and verification outcomes.
Audit-ready workflow
Vulnerability Scanning should not be treated as a standalone tool surface. In Fig it is part of a governed workflow: a signal is captured, an owner is assigned, a control or risk is updated, and evidence is retained so the organisation can prove what happened later.
Lifecycle
The Protect phase is where this capability sits in the wider Fig operating model. Multiple scanners produce conflicting data. Severity-only prioritisation misses actively exploited CVEs. Manual remediation tracking breaks under scale. Fig turns that problem into a repeatable lifecycle so MSPs, risk teams, and auditors are not relying on static spreadsheets or ad hoc screenshots when a buyer asks for proof.
Evidence captured
For vulnerability scanning, useful evidence normally includes the triggering record, the affected asset or supplier, the control requirement, the assigned owner, the decision made, the timestamp, and the outcome. That evidence is mapped back to frameworks such as Cyber Essentials, ISO 27001, NIS2, DORA, GDPR, CMMC, and internal policy requirements where relevant.
Implementation checks
Useful references
The exact evidence required still depends on your scope, risk profile, sector, and framework obligations.
Built for you
Multi-client, multi-scanner management with consistent workflows across CMMC, Cyber Essentials, and CS&R frameworks.
Learn moreOperational vulnerability work converts directly into compliance outputs. No duplicate effort.
Learn moreProgramme effectiveness reporting linked to controls and risk registers.
Learn moreProtect
Common questions
Fig normalises data from Tenable, Qualys, Rapid7, Nessus, Microsoft Defender, and others. New scanner integrations are added monthly.
Fig overlays exploit intelligence and asset context on top of CVSS scores to prioritise vulnerabilities that are actively being exploited in the wild.
Fig correlates scanner output with asset context, exploit intelligence, and configuration data to reduce false positives. Findings can be marked as accepted risk with documented justification, approval chains, and scheduled review dates.
Yes. Remediation SLAs are configurable per client, asset criticality, and vulnerability severity. Fig tracks SLA compliance and escalates overdue items automatically to the assigned owner and their manager.
No. Fig sits on top of your current scanners and normalises their output into one view. You keep running the scanners you already have, and Fig handles consolidation, prioritisation, and evidence packaging.
Fig manages vulnerabilities through a 9-state lifecycle: Reported, Triaged, Remediation, Remediated, Verified, Disclosed, and Closed. Each state transition is logged with a tamper-evident audit trail. This separates Fig from tools that just show scan results.
Next step
Book a walkthrough tailored to your frameworks and tooling.
We only load non-essential analytics and advertising tags after explicit consent. You can review our cookie register in the cookie policy section and update your choice at any time via “Cookie settings” in the footer.