Closed-loop Vulnerability Remediation_Final

BackBox is the first and only network automation platform to help network superheroes both track and remediate network and security device vulnerabilities (CVEs and more) in a way that especially designed for network teams.

NVM gives administrators the tools to protect their networks by tying together device inventory with a threat and vulnerability intelligence feed. Bringing threat and vulnerability intelligence to the exact network inventory allows for risk scoring — meaning administrators can know where they are most vulnerable. Gartner calls this “evidence-based security”.

Through 2026, more than 60% of threat detection, investigation, and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today. (Gartner, December ’22)

Building NVM on top of a network automation platform means that we don’t just point out where you’re vulnerable, but we automate the fix to keep you protected.

Now administrators can step away from their email, put down their spreadsheet trackers, and trust that the CVE and vulnerability information they’re presented with in BackBox relates to their network.

Let’s get into how it works.

The Closed Loop

There are three key elements in the NVM closed-loop remediation of vulnerabilities:

  1. Dynamic device inventory – inventory that’s kept up to date automatically.
  2. Device modeling and risk scoring – a threat and vulnerability intelligence database that’s kept up to date automatically.
  3. Remediation – taking inventory together with vulnerabilities and automating vulnerability patches so that networks are kept secure.

Dynamic Device Inventory

There’s an automation job built-into BackBox to collect inventory. Each time this is run, the inventory in NVM is updated to reflect any adds, moves, and changes that occurred in the network since the last inventory.

This means that your actual network inventory is used and that the CVEs and other vulnerability risks presented relate exactly to your network. You’re not wasting time chasing down security alerts that aren’t relevant to your inventory.

Any remediation that’s been done is automatically reflected in the next inventory, and propagated to NVM as a result minimizing manual tracking (and the potential for manual errors).

Device Modeling and Risk Scoring

CVEs and other vulnerability intelligence is collected, normalized, and modeled so that it can be consistently applied against the inventory collected in the previous step.

Pause for a second. Often, I hear our teams talking about “CVEs” as a synonym for “threat intelligence”. Let’s be clear. Other solutions will use the NIST NVD to gather CVE information and bring it into their product. That can be useful, though, not necessarily complete. With BackBox, we’re bringing in the CVE information AND other critical information from CISA, vendor websites, trade publications, and more. All of this is ingested and scored to help you understand the true vulnerability state of your network.

Gartner suggests that security and risk management leaders responsible for vulnerability management apply quantification principles to allow for vulnerability management prioritization (Gartner subscription required). That’s what NVM does for network security administration.

Risk scoring provides a method for quantifying the vulnerability state, while modeling the information helps us understand when vulnerabilities apply to a specific configuration.


Most vulnerability management systems are informational only. They tell you where you might be exposed. They lack the ability to do anything with the information presented.

Until now.

Because NVM is built on our automation platform, we can remediate the fix as well as inform. And, with the BackBox approach to automation — where our Automation Library has over 3,000 automations built in — we have the breadth of expertise to automate the OS updates or configuration changes required to patch known vulnerabilities.


NVM has been designed to make it easier to tackle OS Updates and vulnerability patching. I’m personally amazed at how simple it is to get NVM setup and running. It’s shockingly easy.

Simple to Get Started

There’s a prebuilt automation job that collects all the information you need to pass to the NVM engine.

The NVM engine does all the “hard work” taking the dynamic inventory and mapping it against the vulnerability database to determine risk scoring and relevance. All of that mapping work is done behind the scenes and doesn’t require any manual intervention by the user.

The job is location in the Jobs menu, under the ‘vulnerability manager’ tab. Simply create a new Vulnerability Manager job by hitting the ‘+’, fill out the required fields, and when you hit save, you’ll be given the option of selecting what information to share.

Once the job is configured, run the job and see your vulnerability state. It’s that simple.

Simple to Use

Using NVM is simple too. Under the Devices menu item, you’ll see a new tab called “Vulnerability Management”. If you’ve already run the NVM job to collect inventory, your inventory will show up in this tab.

In this tab you’ll see your devices listed with risk scoring, CVE information, recommended updates, and product end-of-life information if available. Devices can be added to remediation jobs directly from this tab to mitigate vulnerabilities.

No Scripting Required

As with all the other automations in BackBox, there’s no scripting required. Meaning, if you have external scripts you want to leverage, you can, but you don’t have to script anything to take use BackBox.

If an automation you need is not available, it’s easy to modify an existing one or create what you need from scratch. All you need are the commands (API or CLI) that you’d want to run, BackBox does the rest.

Why does this matter? When it comes to upgrades, you may have custom test scripts that you want to run as pre- or post-checks. You can easily do this as part of the NVM remediation sequences.

Device Lifecycle Management

There’s one last thing I’d be remiss if I didn’t highlight.

NVM also includes end-of-life (EOL) data, where available, to help administrators manage the hardware replacement lifecycle.

This EOL information is important since vulnerabilities are present in devices that no longer receive OS updates. Meaning, devices that are vulnerable need configuration changes to patch them, if that’s even possible. And the only way to shut down vulnerabilities on these devices if their configurations can’t be patched is to replace the hardware.

Seeing is Believing

Customer or not, we’d love for you to try this new capability out so you can see how simple, yet powerful, a tool it can be to help keep your networks secure.

If you’re a customer, update to version 7.5, look for the Vulnerability Manager tab under devices, and hit contact support.


See for yourself how consistent and reliable your device backups and upgrades can be