Vulnerability Management & Threat Intelligence
Defender Vulnerability Management finds what's wrong inside your environment. Defender Threat Intelligence tells you what threats are coming from outside. Together, they help you prioritise and respond.
Part 1: Microsoft Defender Vulnerability Management
What is it?
Think of Defender Vulnerability Management as a building inspector who constantly checks your property for weak spots.
The inspector walks through every room (every device), checks every lock (every piece of software), and writes a report: “The back door lock is broken (critical vulnerability), the kitchen window doesn’t close properly (misconfiguration), and the fire escape is blocked (outdated software).”
But this inspector is smart — they don’t just list everything alphabetically. They tell you: “Fix the back door FIRST because burglars are actively targeting that exact lock model in your neighbourhood.” That’s risk-based prioritisation.
Continuous vulnerability assessment
Unlike traditional vulnerability scanners that run periodic scans (weekly or monthly), Defender Vulnerability Management assesses devices continuously:
- Uses data already collected by Defender for Endpoint sensors — no additional agents needed
- Discovers new vulnerabilities as soon as they’re published
- Updates risk scores in real time as the threat landscape changes
Risk-based prioritisation
This is the key differentiator you need to understand for the exam.
Traditional approach: Sort vulnerabilities by CVSS score (a severity rating from 0 to 10). Fix all the 10s first, then the 9s, then the 8s.
The problem: A vulnerability with a CVSS score of 7.5 that has a working exploit actively used by ransomware gangs is far more dangerous than a score-10 vulnerability that nobody knows how to exploit yet.
Defender’s approach: Risk-based prioritisation considers:
- CVSS score — yes, severity still matters
- Active exploitability — is there a working exploit in the wild?
- Threat context — are threat actors actively using this vulnerability?
- Business impact — is the vulnerable device a critical server or a test laptop?
- Exposure level — is the device internet-facing or isolated?
This gives security teams a prioritised remediation list that reflects actual risk, not just theoretical severity.
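The ranking below is an added illustration, not Microsoft's scoring formula: it applies the five factors listed above to three constructed vulnerabilities (placeholder ids, not real CVEs) and shows how the risk order differs from a plain CVSS sort.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vuln_id: str              # constructed placeholder id, not a real CVE
    cvss: float               # severity 0-10
    exploit_in_wild: bool     # active exploitability
    used_by_actors: bool      # threat context
    critical_device: bool     # business impact
    internet_facing: bool     # exposure level

# Illustrative weights (assumed for this example): CVSS is the base score and
# each contextual factor multiplies it, so threat context dominates severity.
WEIGHTS = {"exploit_in_wild": 2.0, "used_by_actors": 1.5,
           "critical_device": 1.3, "internet_facing": 1.2}

def risk_score(v: Vuln) -> float:
    score = v.cvss
    for factor, weight in WEIGHTS.items():
        if getattr(v, factor):
            score *= weight
    return round(score, 2)

def prioritise(vulns):
    """Risk-based order: highest contextual risk first."""
    return [v.vuln_id for v in sorted(vulns, key=risk_score, reverse=True)]

def cvss_order(vulns):
    """Traditional order: highest CVSS first."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

# Constructed sample mirroring the text: a 7.5 with a live exploit on a
# critical server versus a 9.8 and a 10.0 with no known exploit.
SAMPLE = [
    Vuln("VULN-A", 9.8, False, False, False, False),   # test laptop, no exploit
    Vuln("VULN-B", 7.5, True, True, True, False),      # ransomware-exploited, mortgage server
    Vuln("VULN-C", 10.0, False, False, True, True),    # internet-facing server, no exploit
]

if __name__ == "__main__":
    print("CVSS order:", cvss_order(SAMPLE))
    print("Risk order:", prioritise(SAMPLE))
```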
Software inventory
Defender Vulnerability Management maintains a complete inventory of every piece of software installed across your organisation:
- What software is installed and what version
- Which installations are outdated or end-of-life
- Which software has known vulnerabilities
- Which devices are running that software
This inventory is invaluable when a new critical vulnerability is announced — Alex can instantly see how many SecureBank devices are affected.
Security baselines and configuration assessment
Beyond software vulnerabilities, Defender Vulnerability Management also checks for misconfigurations:
- Is the firewall enabled on all devices?
- Are unused services running?
- Are security features like Credential Guard and BitLocker enabled?
- Does the configuration match recommended security baselines (like CIS benchmarks)?
Remediation tracking
Finding vulnerabilities is only useful if you fix them. Defender Vulnerability Management provides:
- Remediation requests — security teams can create tickets to track fixes
- Integration with Intune — push configuration changes and software updates
- Progress tracking — see how remediation is progressing over time
- Exception handling — if a vulnerability can’t be fixed immediately (a legacy application requires the old version), it can be documented with a risk acceptance
Scenario: Alex handles a zero-day at SecureBank
A critical zero-day vulnerability in a popular PDF reader is announced. Ransomware gangs are already exploiting it.
Alex opens Defender Vulnerability Management and immediately sees:
- 342 devices at SecureBank have the vulnerable version installed
- The vulnerability is flagged as top priority — active exploit + high business impact
- 83 of the 342 devices are in the mortgage department (handling sensitive financial data)
Alex’s response:
- Creates a remediation request targeting all 342 devices
- Prioritises the 83 mortgage department devices — pushes an emergency update through Intune
- For 12 devices that can’t update immediately (running a legacy integration), creates a risk exception with compensating controls (restricted network access)
- Reports to Director Reyes: “342 affected, 330 patched within 4 hours, 12 exceptions documented with mitigations”
Without Defender Vulnerability Management: Alex would need to manually check every device, cross-reference software inventory spreadsheets, and track fixes in a separate system. Hours of work compressed into minutes.
Part 2: Microsoft Defender Threat Intelligence (Defender TI)
What is it?
Think of Defender TI as an intelligence briefing from a spy network.
Vulnerability Management tells you: “Your back door lock is broken.” Threat Intelligence tells you: “A gang called Midnight Blizzard is currently targeting banks in the Asia-Pacific region, and they specifically look for broken back door locks.”
It gives you the outside view — who’s attacking, what they’re after, how they operate, and what digital fingerprints (indicators of compromise) they leave behind.
What does Defender TI provide?
Threat articles: Written analysis of current threat campaigns, newly discovered vulnerabilities, and emerging attack techniques. Security teams read these to stay informed — think of them as intelligence briefings.
Intel profiles: Detailed profiles of known threat actors and threat groups. Each profile includes:
- Who they are (nation-state, cybercrime group, hacktivist)
- What industries and regions they target
- What tools and techniques they use (mapped to the MITRE ATT&CK framework)
- Recent activity and campaigns
Indicators of compromise (IoCs): The digital fingerprints of threats:
- IP addresses used by attackers for command-and-control
- Domain names used for phishing or malware delivery
- File hashes of known malware samples
- URLs associated with malicious activity
Security teams use these IoCs to check if any of these indicators appear in their own environment — a practice called threat hunting.
How TI enriches Defender XDR
Defender TI doesn’t just sit in a separate portal. It actively enriches the Defender XDR experience:
- When an alert fires in Defender XDR, threat intelligence context is automatically attached — “This IP address is associated with the threat group Storm-0978”
- Analysts can pivot from an alert directly into TI to understand the broader campaign
- IoCs from Defender TI can be used to proactively search for threats before they trigger alerts
- Vulnerability data in TI helps prioritise which vulnerabilities to fix first based on active threat actor targeting
Scenario: Alex uses Defender TI after an alert
Defender for Endpoint alerts Alex about a suspicious outbound connection from a SecureBank device to an unusual IP address.
Alex pivots to Defender TI and discovers:
- The IP is flagged as a command-and-control server for a threat group called “Aqua Blizzard”
- Aqua Blizzard has been targeting financial institutions in the Pacific region for the past 3 months
- Their typical attack chain: spear-phishing email, credential harvesting, lateral movement, data exfiltration
- TI provides a list of 47 additional IoCs associated with this group — IP addresses, domains, and file hashes
Alex’s response:
- Searches Defender XDR for all 47 IoCs across SecureBank’s environment
- Finds 2 more devices communicating with related domains
- Isolates all 3 devices and begins a full investigation
- Blocks all 47 IoCs at the firewall level
- Briefs Director Reyes with the full TI profile of Aqua Blizzard
Defender TI turned a single alert into a comprehensive threat response — Alex didn’t just fix one device, he found and stopped the entire campaign.
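The IoC sweep Alex performs in this scenario, and the threat-hunting practice described under "Indicators of compromise" above, look like this in code. This is an added example, not Defender's own hunting engine: the log format, device names and indicators (documentation-range IPs, reserved test domains, a dummy hash) are all constructed.

```python
import re

# Constructed indicator set standing in for the IoCs a TI actor profile supplies.
IOCS = {
    "203.0.113.10",
    "198.51.100.7",
    "updates.example.invalid",
    "cdn.example.test",
    "c" * 64,                      # dummy SHA-256, not a real malware hash
}

# Constructed endpoint telemetry in a simple key=value form.
LOG_LINES = [
    "device=WS-MORT-021 event=net dest=203.0.113.10 dport=443",
    "device=WS-MORT-033 event=dns dest=UPDATES.EXAMPLE.INVALID",
    "device=WS-HR-002 event=net dest=10.0.0.5 dport=445",
    "device=SRV-INTEG-01 event=file sha256=" + "c" * 64,
    "device=WS-HR-002 event=dns dest=intranet.securebank.local",
]

# Fields that can carry an indicator: destination IP/domain or a file hash.
INDICATOR_RE = re.compile(r"(?:dest|sha256)=([A-Za-z0-9.-]+)")
DEVICE_RE = re.compile(r"device=(\S+)")

def hunt(lines, iocs):
    """Return {device: sorted matched indicators} for every line touching a known IoC.
    Matching is case-insensitive so mixed-case domains and hashes still hit."""
    wanted = {i.lower() for i in iocs}
    hits = {}
    for line in lines:
        dev = DEVICE_RE.search(line)
        if not dev:
            continue
        matched = {v.lower() for v in INDICATOR_RE.findall(line) if v.lower() in wanted}
        if matched:
            hits.setdefault(dev.group(1), set()).update(matched)
    return {d: sorted(v) for d, v in hits.items()}

def affected_devices(lines, iocs):
    """Devices to isolate and investigate, in stable order."""
    return sorted(hunt(lines, iocs))

if __name__ == "__main__":
    for device, indicators in hunt(LOG_LINES, IOCS).items():
        print(f"{device}: {indicators}")
```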
Comparison: Inside vs outside
| Feature | Defender Vulnerability Management | Defender Threat Intelligence |
|---|---|---|
| Focus | What's wrong INSIDE your environment | What threats exist OUTSIDE your environment |
| Key question | What vulnerabilities do we have? | Who's attacking and how? |
| Data sources | Endpoint sensors, software inventory, configuration scans | Microsoft's global threat intelligence, dark web, open-source feeds |
| Output | Prioritised list of vulnerabilities and misconfigurations to fix | Threat articles, actor profiles, indicators of compromise (IoCs) |
| Action | Patch, update, reconfigure, accept risk | Hunt, block IoCs, proactively defend, inform strategy |
| Analogy | Building inspector — checks YOUR building for weaknesses | Intelligence agency — tells you who's planning to break in and how |
Exam shortcut: If the question asks about finding and fixing weaknesses in your environment = Vulnerability Management. If the question asks about understanding threat actors, campaigns, or IoCs = Threat Intelligence.
Vulnerability Management and Threat Intelligence — SC-900 Module 9
Knowledge Check
A new critical vulnerability is announced in a widely-used web server software. Alex needs to quickly find out how many SecureBank devices are running the vulnerable version and prioritise which to patch first. Which tool should Alex use?
Defender for Endpoint alerts Alex about a suspicious file on a SecureBank device. Alex wants to know if the file hash is associated with any known threat groups and understand their typical attack patterns. Where should Alex look?
Two vulnerabilities are discovered on SecureBank devices. Vulnerability A has a CVSS score of 9.8 but no known exploits. Vulnerability B has a CVSS score of 7.5 but is actively exploited by ransomware gangs targeting financial institutions. Using risk-based prioritisation, which should Alex fix first?
Well done! You’ve now covered the full Defender XDR family — from email protection (Office 365) and device security (Endpoint) to cloud app monitoring (Cloud Apps), identity threat detection (Identity), vulnerability management, and threat intelligence. All of these feed signals into the unified Defender XDR portal, giving security teams like Alex’s a complete picture of their organisation’s security posture.