Vulnerability Management - Risk Registry? - How to stop repeating resolution and repetitive work related to mitigated vulnerabilities that appear on every scan run?

Hi,


What do folks use to track external vulnerabilities through to resolution? Our SOC2 Auditing partner suggests using a "risk registry" which can be created in Jira or something similar. This seems like a very manual process to me as some vulnerabilities will continue to appear by scans even though they have been mitigated.


We are currently using Alert Logic's PCI scanning functionality to scan our Internet facing surface but I don't see a way to track vulnerabilities in their …

auditing cybersecurity external jira management partner registry resolution risk run scan soc2 vulnerabilities vulnerability vulnerability management work