Proprietary Framework · Optecz Core

The VM3 Score for Your Vulnerability Program

The only scored vulnerability management maturity assessment built for board reporting. 83 controls. 8 domains. One number your board can actually use.

Included in every Core subscription • No add-on required • Universal · All industries

Asset Discovery: 72%
Scanning: 85%
Prioritization: 68%
Remediation: 78%
Exceptions: 62%
Supply Chain: 70%
Metrics: 75%
OT & Legacy: 88%

83 controls across 8 domains
0→100 scored maturity scale
8 domains including OT/Legacy
Core: included in every plan

THE PROBLEM

Why This Exists

Scanners don't equal programs.
Frameworks don't score VM maturity.

Every major security framework touches vulnerability management. None of them produce a scored assessment of your VM program maturity. That gap costs CISOs credibility in the boardroom and costs organizations real money at insurance renewal.

01

“No existing framework produces a VM program score”

NIST CSF covers VM at a function level. PCI-DSS prescribes scanning requirements. ISO 27001 asks if a process exists. None score your program's operational maturity against a 0–100 scale your board can evaluate.

02

“Boards are asking questions security teams can't answer cleanly”

SEC disclosure rules, cyber insurance underwriting, and post-breach litigation all now require evidence of a mature vulnerability program. Most security teams spend weeks assembling data that still doesn't answer the question.

03

“OT environments are ignored by every VM standard”

Active scanning breaks OT equipment. Patch availability is nearly nonexistent. Risk models are inverted. Every VM standard ignores this reality. VM3 doesn't — it scores OT program maturity on what's actually achievable.

THE FRAMEWORK

Eight Domains · 83 Controls

Complete VM program coverage, end to end.

VM3 organizes vulnerability management program maturity into eight operational domains. Each domain produces its own maturity score. All eight roll up to your composite VM3 score.

1. Asset Discovery & Inventory (10 controls)

Authoritative asset truth across IT, cloud, and hybrid estates — the foundation of every VM program.

2. Vulnerability Scanning & Detection (12 controls)

Authenticated coverage, external surface, agents, cloud, and containers — normalized into one backlog.

3. Risk Prioritization & Classification (11 controls)

CVSS, EPSS, KEV, asset criticality, and threat intel — so teams fix what actually matters first.

4. Remediation & Patching (13 controls)

SLAs, ownership, emergency change, and verification — closing the loop from finding to fix.

5. Exception & Acceptance Management (8 controls)

Time-bound risk acceptance with compensating controls and executive visibility — no silent debt.

6. Third-Party & Supply Chain (9 controls)

SBOM, SCA, vendor disclosure, and cloud shared responsibility — vulnerabilities do not stop at the perimeter.

7. Metrics & Reporting (10 controls)

MTTR, backlog age, SLA compliance, and board KPIs — prove improvement, not just activity.

8. OT & Legacy Systems (10 controls, OT Exclusive)

Passive discovery, vendor advisories, safety-aware risk treatment — the gap every enterprise VM program ignores.

Why OT gets its own domain

Active scanning crashes OT equipment. Patches don't exist for most PLCs and HMIs. The CIA triad is inverted — availability comes before confidentiality. VM3-OT scores maturity on what's actually achievable: passive monitoring, ICS-CERT advisory tracking, segmentation as documented compensating controls, and formal legacy risk treatment plans.
HOW IT COMPARES

Framework Comparison

What every other framework misses.

Every major security framework touches vulnerability management. None of them produce a scored VM program maturity assessment.

Framework | VM Coverage | Program Score | OT Domain | Board Report | Dedicated VM Assessment
NIST CSF 2.0 | Functional level only | | | |
NIST 800-53 | SI-2, RA-5 only | | | |
PCI-DSS | Req. 11 scanning | | | |
ISO 27001 | A.12.6 process check | | | |
IEC 62443 | OT architecture only | | Partial | |
VM3 by Optecz (Proprietary) | 8 domains · 83 controls | ✓ 0–100 score | ✓ Dedicated | ✓ One-click | ✓ Purpose-built

YOUR SCORE

VM3 Maturity Scale

Where does your program stand?

VM3 produces a composite score from 0–100 plus per-domain breakdowns. Every score maps to a maturity level with board-ready language built in.

0-34

Initial

Ad hoc. Reactive. Board and exec visibility minimal.

35-49

Developing

Processes exist but inconsistently applied. Significant gaps.

50-64

Defined

Core processes documented. Measurement gaps present.

65-79

Managed

Program measured. Most controls consistently applied.

80-100

Optimizing

Continuously improved. Board reporting is data-driven.

WHO NEEDS THIS

Every Organization With a Board

If someone asks about your VM program, you need a score.

CISO preparing for board presentation

“I need to show the board our vulnerability program maturity — not just that we're running scans, but how mature our entire program is and where we're investing to improve.”

Board prep

GRC lead facing cyber insurance renewal

“Our underwriter is asking specific questions about patch SLAs, MTTR by severity, and exception management processes. I need documented evidence of a mature VM program or our premium goes up 40%.”

GRC / renewal

Security team post-breach remediation

“We need to demonstrate to regulators, legal counsel, and the board that we have materially improved our vulnerability management program since the incident. We need a score to show before and after.”

Post-incident

Manufacturing CISO with OT environment

“Half our environment is OT — PLCs, SCADA, legacy field devices. Standard VM frameworks completely ignore this. I need an assessment that scores our OT program on what's actually possible, not what's theoretically required.”

OT / manufacturing

vCISO managing multiple client programs

“I need a consistent, repeatable methodology to assess VM program maturity across all my clients, benchmark them against each other, and show each client a clear improvement roadmap tied to a score.”

vCISO

CFO or audit committee member

“I'm not a security expert, but I'm being asked to sign off on the cybersecurity program. I need one number that tells me how mature our vulnerability management program is and whether we're moving in the right direction.”

Audit / finance

GET YOUR SCORE TODAY.

Run your first VM3 assessment in under 60 minutes.

Included in every Optecz Core subscription. No add-on required. Score all 83 controls, generate board-ready findings, and get your composite VM3 maturity score the same day.