How we run the vulnerability program for new customers in Tenable One
Here is the weekly, monthly, and quarterly cadence FM CyberSecurity runs on Tenable One for Norwegian SMB customers, with the people, the meetings, and the evidence trail your auditor will ask for.
This article is about what happens after the platform is live. The initial onboarding scan and asset discovery, the first two weeks of work, is covered in a separate piece on the first vulnerability assessment in Tenable One. The piece you are reading is the ongoing program: who looks at what, on which day, and what gets written down.

1. Weekly scan and triage
The weekly job is to scan, look at the new findings, and decide which ones break the queue.
FM CyberSecurity runs authenticated scans against the customer estate on a weekly schedule (daily for internet-facing assets). On Tuesday morning a named FM CyberSecurity analyst opens Tenable Vulnerability Management, filters by Vulnerability Priority Rating (VPR), and writes a one-page triage note: new criticals on tagged business-critical assets, exploited-in-the-wild items per CISA Known Exploited Vulnerabilities, and anything that crossed a board-agreed threshold. The customer’s IT lead gets the note by lunchtime. If nothing needs action, the note still goes out. The cadence is the evidence.
2. Business-context tagging review (monthly)
Every month we revisit the asset tags, because the business has moved since last time.
Tenable Vulnerability Management lets you tag assets with Category:Value pairs (Contract:LargestCustomer, System:Payroll, Owner:FinanceLead, SLA:Tight) and apply them manually or through dynamic tag rules. The tagging is what turns a generic CVE list into a list ranked by what your firm has contractually promised to protect. In one composite Tenable One engagement this quarter, the monthly tagging review picked up 14 newly provisioned cloud assets that were not yet labelled against the contract they served. Without the review they would have sat in the long tail.
The monthly meeting is 45 minutes with the customer’s IT lead and, where the contract count is high, a representative from sales or legal. We do not tag in a vacuum.
3. Exception and escalation workflow
When a critical finding lands on a contract-bearing system, the workflow is documented, not improvised.
The route is short. The FM CyberSecurity analyst opens a ticket in the customer’s existing ticketing system (Jira, ServiceNow, Halo, whatever is already there) via the Tenable connector, names the asset, names the contract tag, and assigns the customer’s IT lead as the owner. The customer fixes it or accepts the risk in writing. If the item is exploited-in-the-wild and the customer cannot patch within the agreed window, FM CyberSecurity escalates to a named board contact. Three people see every critical: the FM CyberSecurity analyst, the customer IT lead, and the customer’s executive escalation contact. No fourth name is added without a reason.
4. Monthly exposure trend report
The monthly report is short on purpose. Two pages, sent on the first working day of the month.
It names four numbers: open critical findings on tagged business-critical assets, mean time to remediate critical findings closed that month, the count of new exploited-in-the-wild items that hit the estate, and the trend against the prior three months. No CVE list. No CVSS chart. The IT lead forwards the report to the CFO or the operations director with one line of context. If the trend is flat or improving, that is the message. If it is moving the wrong way, the report says why and what FM CyberSecurity proposes next.
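The Tuesday triage selection from section 1 and the four monthly numbers from section 4, as an added Python example. This is illustrative code written for this article, not FM CyberSecurity's runbook and not the Tenable API; the findings, the VPR floor of 9.0 and the open-count threshold of 2 are constructed assumptions standing in for the board-agreed values.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass
class Finding:                      # constructed shape, not the Tenable API's finding object
    plugin: str
    asset: str
    tags: dict                      # Category:Value pairs, e.g. {"Contract": "LargestCustomer"}
    vpr: float                      # Vulnerability Priority Rating, 0-10
    kev: bool                       # listed in CISA Known Exploited Vulnerabilities
    first_seen: date
    closed: date = None             # None while the finding is still open

CRITICAL_VPR = 9.0                  # assumed board-agreed VPR floor for "critical"
MAX_OPEN_CRIT_ON_CONTRACT = 2       # assumed board-agreed count threshold

def crit_on_contract(f):
    return f.closed is None and f.vpr >= CRITICAL_VPR and "Contract" in f.tags

def weekly_triage(findings, week_start):
    """Tuesday note: new criticals on contract-tagged assets, new KEV items, threshold check."""
    new = [f for f in findings if f.closed is None and f.first_seen >= week_start]
    return {
        "new_critical_on_contract": sorted(f.plugin for f in new if crit_on_contract(f)),
        "new_kev": sorted(f.plugin for f in new if f.kev),
        "threshold_crossed": sum(map(crit_on_contract, findings)) > MAX_OPEN_CRIT_ON_CONTRACT,
    }

def monthly_numbers(findings, month_start, month_end, prior_open_counts):
    """The four monthly numbers; prior_open_counts are the previous three months' open-critical counts."""
    closed_crit = [f for f in findings if f.closed and month_start <= f.closed <= month_end
                   and f.vpr >= CRITICAL_VPR]
    open_now = sum(map(crit_on_contract, findings))
    baseline = mean(prior_open_counts)
    return {
        "open_critical_on_contract": open_now,
        "mttr_days": mean((f.closed - f.first_seen).days for f in closed_crit) if closed_crit else None,
        "new_kev": sum(1 for f in findings if f.kev and month_start <= f.first_seen <= month_end),
        "trend": "worse" if open_now > baseline else "flat" if open_now == baseline else "improving",
    }

# Constructed sample findings for one customer estate.
SAMPLE = [
    Finding("P1", "payroll-01", {"System": "Payroll", "Contract": "LargestCustomer"}, 9.4, True, date(2026, 3, 2)),
    Finding("P2", "web-edge", {"Owner": "ITLead"}, 9.1, True, date(2026, 3, 3)),
    Finding("P3", "fileshare", {"Contract": "LargestCustomer"}, 6.2, False, date(2026, 2, 10)),
    Finding("P4", "erp-db", {"Contract": "Municipality"}, 9.8, False, date(2026, 2, 12), closed=date(2026, 2, 20)),
    Finding("P5", "erp-db", {"Contract": "Municipality"}, 9.0, False, date(2026, 2, 25)),
]
```

Note that P2 is a new KEV item but not on a contract-tagged asset, so it appears in the KEV line of the note and not in the contract line; that is exactly the distinction the tagging review exists to keep accurate.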
5. Quarterly board-facing review
Every quarter FM CyberSecurity sits down with the customer for 60 to 90 minutes and writes the board paper.
The agenda is the same each time: what changed in the estate (new systems, new contracts, new suppliers); what changed in the threat picture (new exploited-in-the-wild items relevant to your stack); what the program shipped (findings closed, mean time to remediate, exception count); what we are recommending for next quarter. The output is a 10 to 12 page document the board can read on the way into the meeting. It is also the document Finanstilsynet or an ISO 27001 auditor will ask for if they ask anything.
6. Evidence pack for audits
The audit-ready pack is built throughout the year, not at audit time.
For ISO 27001 (Annex A.8.8 Management of technical vulnerabilities) and DORA Article 24 (testing) the auditor will ask: scope of the program, scan policy, asset inventory with tags, vulnerability register, mean time to remediate, exception register, board reporting trail. Every artefact lives in one shared workspace, time-stamped, version-controlled. FM CyberSecurity hands the customer an evidence index so the auditor can find each artefact in under two minutes. The technical work is usually fine. The paper trail is what gets queried.
7. Automation versus human review
We let Tenable One’s ExposureAI and VPR do what they are good at. We do not let them do the meeting.
ExposureAI summarises new findings, surfaces patterns across the exposure graph, and answers natural-language queries about asset risk. VPR ranks the list by predicted exploit likelihood, not raw CVSS. Both of those reduce the noise the analyst wades through on a Tuesday morning. Neither replaces the human call on whether a finding is genuinely on a contract-bearing system, whether the customer can patch this week or needs a compensating control, or whether the trend warrants a board escalation. The model ranks. The named FM CyberSecurity analyst decides. That split is written into the runbook.
If the customer’s stack includes hosted AI services, the Tenable One AI Exposure module (generally available since January 2026) extends the same program to SaaS AI tools and agents. It is the same cadence applied to a new asset class, not a separate program.
8. What changes year over year
The program is not a frozen runbook. We update it when the inputs change.
Each year the scope expands (new business systems, new cloud accounts, new acquisitions), the threshold tightens (the board agrees a lower critical-on-contract count as the program matures), and the report gets shorter (fewer pages, sharper numbers). Tenable’s product names and modules also move (Tenable.io became Tenable Vulnerability Management, AI Exposure went GA in 2026). FM CyberSecurity tracks the platform changes and updates the customer runbook in writing. We do not assume the program from year three works in year four without a review.
Next action
Talk to Anders in our exposure management practice for a 30-minute view on how the cadence above would fit your estate, your contracts, and your existing ticketing. We do not start with a scan. We start with the tags.
For background on why we chose Tenable, see why we picked Tenable for exposure management. For the boundary between vulnerability scanning and exposure management as concepts, see exposure management vs vulnerability management.
FAQ
How is this different from a one-off scan?
A one-off scan gives you a snapshot. A program gives you a trend, an owner, and an evidence trail. The auditor difference is direct: a single PDF dated last year does not satisfy ISO 27001 Annex A.8.8 or DORA Article 24, but a year of weekly triage notes, monthly reports, and a quarterly board paper does. The board difference is also direct: a snapshot raises the question “what did you do about it”; a program answers the question every month.
What happens when a critical CVE drops mid-week?
The weekly cadence is the floor, not the ceiling. When a high-VPR or exploited-in-the-wild item hits Tenable’s feed, the FM CyberSecurity analyst checks the customer estate the same day, opens a ticket if any tagged asset is affected, and flags the customer IT lead by message, not email. The runbook names the trigger thresholds in writing so the analyst does not have to invent the call.
How does it integrate with our existing ticketing?
Tenable One connectors push findings into the customer’s ticketing system (Jira, ServiceNow, Halo, and others through the API). The work item lives where the customer’s IT team already works. FM CyberSecurity does not ask the customer to log into a new console to fix tickets. We do ask the IT lead to have read access to Tenable One for the monthly review and the quarterly board paper.
What does the customer need to do?
Three things, week to week: keep the asset tags accurate as the business changes (we run the monthly review with you, you confirm the changes); close the tickets we open against your IT team, or write a one-line risk acceptance; turn up to the quarterly board paper review. Everything else, the scanning, the triage, the report writing, the audit pack, is on FM CyberSecurity.
Can we see what FM CyberSecurity does inside the platform?
Yes. The customer’s IT lead and a named executive have read access to Tenable One. The runbook, the scan policies, the tag taxonomy, the report templates, and the escalation thresholds are all in a shared workspace the customer owns. If you part ways with FM CyberSecurity, the program does not leave with us.