I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing configuration servers, patching gold builds, dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so.


Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be one of the more challenging things to get right in PCI DSS. If you run a small, relatively static environment with only a few servers, you probably don’t understand the problem I’m discussing. For those of you who have to deal with larger environments with multiple teams and stakeholders, getting that scan to a clean state can be like herding cats, especially since the majority of you are trying to manage this process in Microsoft Excel while sharing versions with your team via SharePoint (or marking up long PDF reports or trying to dink around with CSV files). I know not all of you do it that way, but I guarantee there are quite a few of you out there with your lighters in the air right now.

Enter the new Merge.io platform. Offered either cloud-based or on-prem in a virtual appliance, Merge.io takes your vulnerability data and allows you to slice, dice, assign, and validate your scan data automatically. Instead of trying to deal with thousands of rows in a spreadsheet or hundreds of pages in a PDF, you drop your scan data into Merge and it normalizes everything into a unified backend format that you can do tons of things with. You can assign vulnerabilities to individuals to resolve, filter in an almost infinite number of ways, and you get a great dashboard that shows you your progress toward your goal. Your management reporting is now just a click away!

Now, getting those clean scans is really the problem we are trying to solve. Merge.io gives you the ability to keep importing scan data into the same project and automatically validate the vulnerabilities that have been fully resolved. Each vulnerability is then closed and validated using this closed-loop approach.

Do you only care about PCI-related vulnerabilities, or only want to see things related to Apache? No problem! Merge.io can display only those for you to assign and handle through highly customizable filters. Have thousands of vulnerabilities to chase down and validate? DONE! Merge.io handles validation for you to confirm that you have closed out those vulnerabilities through its closed-loop approach. If you are the person managing vulnerabilities for a large infrastructure footprint, this is a tool you need to check out as a way to help automate and scale parts of your job.
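To make the closed-loop validation and filtering described in the last two paragraphs concrete, here is an added example in Python (my own sketch, not Merge.io's code, which this post does not show) of how a project can merge successive scan imports, auto-validate fixes, and expose a filtered view. The hosts, plugin ids and findings are constructed, and the sketch also handles the catch from the opening paragraph: a sleeping instance that was not scanned has not been fixed, so its findings stay open.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample imports (not real scanner output): (host, plugin_id, title).
SCAN_1 = [
    ("10.0.0.5", "12345", "Apache HTTP Server outdated"),
    ("10.0.0.5", "23456", "SSL/TLS weak cipher suites"),
    ("10.0.0.9", "12345", "Apache HTTP Server outdated"),
]
# Second import: the Apache issue on 10.0.0.5 was fixed; 10.0.0.9 was
# powered off and never scanned, so its absence proves nothing.
SCAN_2 = [("10.0.0.5", "23456", "SSL/TLS weak cipher suites")]
SCAN_2_HOSTS = {"10.0.0.5"}

@dataclass
class Finding:
    host: str
    plugin_id: str
    title: str
    status: str = "open"    # "open" or "validated_closed"
    last_seen: int = 1      # import number in which it was last reported

Project = Dict[Tuple[str, str], Finding]

def import_scan(project: Project, rows, scanned_hosts: Set[str], scan_no: int) -> Project:
    """Closed-loop merge of one scan import. A finding is keyed per (host, plugin).
    Reported again: stays open, or is reopened if it had been closed (regression).
    Absent and the host was actually scanned: auto-validated as closed.
    Absent only because the host was not scanned: left open, no evidence of a fix."""
    seen = set()
    for host, pid, title in rows:
        key = (host, pid)
        seen.add(key)
        if key in project:
            project[key].status, project[key].last_seen = "open", scan_no
        else:
            project[key] = Finding(host, pid, title, last_seen=scan_no)
    for key, f in project.items():
        if key not in seen and f.status == "open" and f.host in scanned_hosts:
            f.status = "validated_closed"
    return project

def open_findings(project: Project, keyword: str = "") -> List[Finding]:
    """Filtered view: open findings whose title contains keyword (e.g. 'Apache')."""
    return [f for f in project.values()
            if f.status == "open" and keyword.lower() in f.title.lower()]
```

The scanned-host list is what keeps the loop honest: without it, every host that was offline during the rescan would be reported as remediated.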

Here’s the best part: it’s free to try! When you sign up for Merge.io, you get sixty days to try out the product. Today, they support Nessus and Nexpose engines (with Qualys supported soon), and they can add new ones relatively quickly. If you want to try the product but use a different scan engine (including Qualys, so they can see the demand), ask them to support your vulnerability scanner!

At any rate, give it a shot and leave any comments you have about the tool below!

This post originally appeared on BrandenWilliams.com.