All Covered has introduced a managed Vulnerability Remediation service that turns vulnerability closure into an ongoing operational process instead of a periodic project. The service brings identification, prioritization, and hands-on fixes into one workflow, with the provider responsible for resolving issues rather than stopping at scan results or patch guidance. The move addresses a common problem: vulnerabilities are found in one system, assigned to another, and often left to separate IT processes to fix. That disconnect leads to delays, duplicated work, and no clear owner. By making remediation a managed, accountable function, the focus shifts from reporting risk to actually reducing it.
The operational gap between managed IT and managed security
In most organizations, vulnerability management falls between MSP and MSSP responsibilities. IT teams have control over systems and patching, while security teams see the risk. When different providers handle those roles, remediation turns into ticket-based project work that gets pushed behind daily operational tasks.
A unified service removes those handoffs. The same team that finds the risk also fixes it, which speeds up remediation and cuts the back-and-forth that usually causes delays.
Tara Swart, Director, Defensive Security & Compliance at All Covered, told MSSP Alert, “What we see in the market is that typically the MSP is providing patching and third-party patching, while the MSSP is providing vulnerability scanning and calling it vulnerability management. When customers realize there are vulnerabilities not being routinely patched - or after a third-party vulnerability assessment - an MSP will often do a one-time project to address the findings, revisit the following year, and in the interim take only sporadic, uncoordinated action on critical vulnerabilities.”
She added that this fragmented approach often leads to activity that does not materially reduce exposure. “In many cases, there is no prioritization beyond the CVSS score, and IT teams are simply trying to get to zero on remediation, an approach that rarely moves the needle on the actual attack surface.”
Measuring success through remediation outcomes
The company is framing the service around outcome-based metrics rather than scan coverage. The model starts with endpoint hardening and time-bound patch deployment, then ties those activities to risk-informed prioritization that reflects the customer’s environment and threat reality.
“Our unified team and end-to-end, outcome-driven approach delivers significant impact on customer attack surface exposure,” Swart said. “With most models we see in the market, a risk-based prioritization methodology with measurable outcomes is largely missing.”
The prioritization process combines multiple inputs instead of relying on severity scores alone. “We help them identify a strategic prioritization method that goes beyond the CVSS score alone - combining it with EPSS scoring, their specific assets, and the KEV catalog to identify the highest-priority items,” she said.
That workflow is tied to defined remediation targets. “From there, we provide a manageable list of remediation items aligned with the company's risk appetite. Our Vulnerability Remediation Engineers then quickly remediate those risks to ensure high efficacy in lowering overall exposure.”
According to Swart, the ability to define and operate against risk-aligned KPIs is a key part of the model. “Our consulting ability is a key differentiator, as we help companies determine the proper metrics and KPIs that align with their risk appetite.”
What is actually being remediated
The scope extends beyond routine operating system patching. The service targets the issues that commonly remain open because they fall outside standard update cycles or require cross-team coordination. These include hardening gaps, incomplete patch deployment, unsupported software, unmanaged internet-facing assets, expired certificates, firmware and BIOS updates, and shadow IT.
Treating these items as part of a managed workflow addresses a persistent blind spot. Many of the exposures most frequently used in attacks are not missing patches but misconfigurations, neglected assets, or systems that are outside formal lifecycle management.
The company is aligning this approach with a continuous exposure management model. “Gartner's framework for Continuous Threat Exposure Management is what we strive for,” Swart said. “It is why we designed and are launching Vulnerability Remediation as a Service - so that it can be ongoing and risk-informed, operating continuously alongside the patching and scanning activities already in place.”
Delivery model built around accountability
Putting monitoring, prioritization, and remediation with one provider moves vulnerability management from reporting to fixing. Internal teams spend less time coordinating across different owners, and there is a clear point of accountability for reducing risk.
The structure is built to be repeatable rather than project-based. “We differentiate by treating the entire discipline as one workflow with one team across the full spectrum of activities,” Swart said. “We are time-bound and understand that this process must be repeated regularly to defend clients against real threats.”
She also pointed to the role of offensive testing in validating remediation impact. “We have an independently functioning Offensive Security Services division staffed with ethical hackers whose capabilities are aligned with advanced threat actors.”
Scalability across regulated and midmarket environments
The service is being delivered as a scoped, adjustable program so it can be aligned with both regulatory requirements and budget constraints. That allows remediation to be treated as a recurring operational cost instead of a periodic capital project.
“We've designed the Vulnerability Remediation Service to be scalable across midmarket and regulated customers,” Swart said. “The service is individually scoped based on an initial scan, and hours can be adjusted to fit any size environment - aligning the monetary implications with both regulatory requirements and budgetary considerations.”
The reporting model is also structured for audit use. “Our reporting and documentation standards are built to withstand regulatory scrutiny, as this service was first adopted within our Finance vertical.”
Where this fits in the broader security strategy
All Covered is positioning the service as a core part of a prevention-first, defense-in-depth model that brings managed IT and managed security together. Continuous remediation lowers the number of exploitable weaknesses before they ever reach detection and response. This also changes how managed security is measured. The value is no longer just in monitoring and alerts, but in how consistently known risks are closed. As exposure management becomes a key resilience metric, the differentiator is execution, not visibility alone.