Case Study

Toward Programmatic Management of Vulnerability Risk

  • Implement a consolidated risk-driven model
  • Minimize detection tool noise
  • Improve findings fidelity
  • Automate ticket assignment
  • Standardize reporting of remediation activity
  • Track and measure impact
  • Freed security team from manual processes
  • Improved focus on highest risk findings
  • Reversed alert backlog
  • Enhanced collaboration with engineering, product teams
  • Alignment across stakeholders on risk management


As the security team for a technology solutions provider dealing with the energy data of millions of customers, the team’s focus is on two primary objectives: build more security into the Uplight platforms and applications, and meet the responsibility of keeping customer data secure.

Uplight’s security team recognized that the vulnerability management lifecycle is key to achieve these platform and application integrity objectives - but to be more effective, would need to:

  • Implement a consolidated, risk-driven model across Uplight technology operations
  • Improve security efficiency by minimizing detection tool noise, and improving findings fidelity
  • Incorporate business context for focused risk identification and prioritization
  • Automate ticket assignment to risk finding owners in relevant downstream systems
  • Standardize reporting of remediation activity for dev, engineering, and product teams
  • Track and measure impact of security team for managing risk for key stakeholders


The Uplight team deployed the Silk platform, with integrations for: ingestion of data from vulnerability, cloud, and AppSec security tools; mapping of asset ownership via code repo integration, consumed asset tags, and custom asset labels; and, automation of ticketing workflows based on asset ownership.

With Silk in place, the security team set out to achieve:

  • Holistic, application-tier insight into security findings, asset linkings, and asset owner
  • Streamlined risk assessment with findings consolidation, asset context, and severity scoring
  • Automated ownership assignment via asset-based rules, and ongoing asset coverage tracking
  • Focus on high-impact fixes via root cause analysis and application-tier context
  • Automated ticket assignment using organizational, asset ownership rules
  • Shift to programmatic and formalized security strategy across the business


Consolidated visibility across products and infrastructure, with root cause analysis for risk prioritization and ownership assignment for efficiency

Cut time spent on identifying owners and assigning tickets by 90%, with custom ticketing rules

Increased the number of closed findings by 7x over three months, reducing overall threat debt

Halved the time for resolution of critical findings, with ongoing improvements in reduction of response times anticipated

Halved the time for resolution of critical findings, with ongoing improvements in reduction of response times anticipated

Want to read the full case study?