Description
Key Focus Areas:
Hybrid Vulnerability Management
Automated Patch & Remediation Workflows
SOC & SIEM Security Integration
Cloud-Native Security Operations
Azure Arc
Microsoft Sentinel
Executive Summary
Architected a cloud-native vulnerability management platform for hybrid infrastructure environments, integrating continuous vulnerability assessment, centralised visibility, automated remediation workflows, and SOC-driven threat monitoring into a unified operational security lifecycle.
The architecture replaces legacy WSUS-based patch management with a scalable, automation-first security operations model leveraging Microsoft Azure, Azure Arc, Nessus, Microsoft Defender for Cloud, Azure Update Manager, and Microsoft Sentinel.
The design establishes a closed-loop vulnerability management lifecycle — from asset discovery and continuous assessment through automated remediation and SOC-integrated threat correlation — demonstrating how vulnerability management can evolve from periodic scanning into a continuous enterprise security operations capability.
Business Drivers
Organisations operating hybrid infrastructure environments frequently struggle with fragmented vulnerability management processes distributed across multiple disconnected operational and security platforms. Legacy approaches relying on isolated vulnerability scanners, disconnected patching systems, and inconsistent reporting create significant operational and security gaps.
This architecture was designed to address the vulnerability management requirements of organisations where existing approaches result in:
Delayed vulnerability remediation cycles and extended exposure windows for known CVEs
Limited or fragmented visibility across hybrid cloud and on-premises assets
Difficulty correlating vulnerability data with active threat intelligence in SOC operations
High dependency on manual remediation workflows reducing operational scalability
Inconsistent audit and compliance reporting across distributed infrastructure
Legacy WSUS-based patch management unable to scale effectively across hybrid environments
Operational Constraints
The architecture was designed to operate within the following constraints typical of hybrid enterprise environments:
Existing infrastructure spans both Azure cloud and on-premises assets requiring unified management
Legacy WSUS-based patching cannot scale effectively or integrate with modern security operations platforms
Patch deployment workflows must preserve operational stability through controlled maintenance windows
Security teams require centralised vulnerability visibility without managing multiple disconnected consoles
Vulnerability data must be correlated with broader SOC threat intelligence in near real-time
Automation workflows must reduce operational overhead without introducing uncontrolled change risk
Reporting capabilities must support audit and compliance requirements with minimal manual effort
Objectives
Replace legacy WSUS infrastructure with a cloud-native, scalable patching and update management model
Establish a continuous vulnerability management lifecycle replacing periodic point-in-time scanning
Provide unified visibility across all hybrid assets through a single operational control plane
Automate remediation and patch deployment workflows with controlled governance and maintenance scheduling
Integrate vulnerability intelligence directly into SOC operations through Microsoft Sentinel
Define and enforce remediation SLAs by vulnerability severity across the environment
Enable audit-ready compliance reporting and security posture tracking
Reduce manual remediation overhead while improving remediation consistency and speed
Create a reusable hybrid vulnerability management framework applicable across enterprise environments
Remediation SLA Targets
Vulnerability Severity | Target Remediation Window | Escalation Trigger |
|---|---|---|
Critical (CVSS 9.0–10.0) | 24 hours | Immediate SOC alert + change request |
High (CVSS 7.0–8.9) | 7 days | Automated ticket creation + weekly review |
Medium (CVSS 4.0–6.9) | 30 days | Scheduled maintenance window |
Low (CVSS 0.1–3.9) | 90 days | Standard patch cycle |
These SLA targets represent design objectives for the architecture scenario. Production remediation windows would be defined in alignment with organisational risk appetite, change management processes, and regulatory requirements.
Architecture Principles
Continuous vulnerability assessment replacing periodic point-in-time scanning
Unified hybrid asset visibility through a single operational control plane
Automation-first remediation workflows reducing manual operational overhead
Centralised operational telemetry enabling cross-domain security correlation
Security operations integration elevating vulnerability data into active SOC workflows
Policy-driven patch governance preserving operational stability during remediation
Data-driven remediation prioritisation based on severity, exposure, and asset criticality
Continuous security posture improvement measured through Secure Score and compliance tracking
Architecture Overview
The solution is structured as a six-layer closed-loop vulnerability management platform integrating asset discovery, continuous assessment, centralised analytics, automated remediation, SOC detection, and operational reporting.
1. Asset & Visibility Layer
The visibility layer leverages Azure Arc to onboard on-premises systems into Azure management services, establishing a unified hybrid asset inventory across cloud and on-premises infrastructure.
Capabilities:
Azure Arc agent deployment across on-premises Windows and Linux servers, extending Azure management capabilities to non-Azure infrastructure
Unified hybrid asset inventory providing consistent visibility across cloud and on-premises resources in a single Azure portal view
Azure-native management integration enabling consistent policy application, tagging, and governance across all onboarded assets
Foundation for centralised vulnerability assessment, update management, and compliance monitoring across the full hybrid estate
Azure Arc is the architectural keystone of this design — without unified asset visibility, vulnerability management across hybrid environments degenerates into fragmented, tool-specific reporting with significant coverage gaps.
2. Vulnerability Assessment Layer
The assessment layer combines third-party scanning depth with Azure-native security intelligence through a dual-scanner model.
Nessus Professional / Nessus Manager
Agent-based and agentless scanning across onboarded hybrid assets
Deep network and host-based CVE detection with comprehensive plugin coverage
Vulnerability severity analysis mapped to CVSS scoring
Credentialed scanning for in-depth configuration and patch state assessment
Scheduled and on-demand scan orchestration across the hybrid estate
Microsoft Defender for Cloud
Native Azure vulnerability assessments integrated with Azure resource management
Secure Score recommendations providing continuous security posture evaluation
Cloud workload protection coverage across Azure VMs, containers, and PaaS services
Integration with Azure Arc-managed on-premises assets for unified Defender coverage
The dual-scanning model addresses a genuine coverage gap — Nessus provides deep, credentialed vulnerability assessment depth while Defender for Cloud provides native Azure integration and continuous posture monitoring that Nessus alone cannot replicate.
3. Data & Analytics Layer
Centralised analytics and telemetry ingestion are implemented through Azure Log Analytics, creating a unified data platform for vulnerability, compliance, and remediation correlation.
Capabilities:
Aggregation of Nessus scan results through API export and Log Analytics ingestion
Defender for Cloud recommendations and alert data centralised within Log Analytics
Azure Update Manager patch compliance data consolidated for cross-domain correlation
Unified vulnerability dataset enabling reporting, trend analysis, and remediation tracking
Foundation for Sentinel-based threat correlation and SOC integration
4. Remediation Layer
Automated remediation workflows are implemented through Azure-native automation services with controlled governance and maintenance window scheduling.
Azure Update Manager
Policy-driven patch deployment replacing legacy WSUS infrastructure
Scheduled maintenance windows defining controlled update deployment periods
Patch compliance reporting across hybrid assets through Azure Arc integration
Deferred and emergency patching workflows supporting both planned and critical remediation scenarios
Azure Automation
Custom PowerShell-based remediation scripting for configuration drift correction
Advanced patch orchestration for complex multi-system update dependencies
Automated corrective actions triggered by Defender for Cloud recommendations
Runbook-based remediation workflows reducing manual intervention requirements
5. Detection & Alerting Layer
Security operations integration is implemented through Microsoft Sentinel, elevating vulnerability management from isolated scanning into active SOC workflow participation.
Capabilities:
Correlation of vulnerability scan data, Defender for Cloud alerts, and threat intelligence within Sentinel analytics rules
Alert generation for critical vulnerability discovery, non-compliant systems, and high-risk exposure conditions exceeding SLA thresholds
SOC-driven operational visibility enabling analyst triage of vulnerability-related security events
Custom Sentinel workbooks for vulnerability exposure dashboards aligned to SOC operational requirements
Automated playbook triggering for critical CVE alerts requiring immediate escalation
6. Visualisation & Reporting Layer
Operational dashboards and compliance reporting are implemented through Azure Workbooks and Defender for Cloud reporting capabilities.
Capabilities:
Custom Azure Workbooks dashboards providing real-time vulnerability exposure visibility by asset, severity, and remediation status
Compliance tracking dashboards monitoring remediation SLA adherence across vulnerability severity tiers
Defender Secure Score monitoring providing continuous security posture measurement and improvement tracking
Operational KPI reporting covering mean time to remediate (MTTR), patch compliance rates, and open vulnerability trends
Audit-ready reporting exports supporting compliance review and governance reporting requirements
Architecture Diagram
Technologies Used
Category | Technologies |
|---|---|
Hybrid Asset Management | Azure Arc |
Vulnerability Assessment | Nessus Professional / Nessus Manager, Microsoft Defender for Cloud |
Patch & Update Management | Azure Update Manager |
Automation & Orchestration | Azure Automation, PowerShell |
SIEM & Threat Monitoring | Microsoft Sentinel |
Data & Analytics Platform | Azure Log Analytics |
Visualisation & Reporting | Azure Workbooks, Defender Secure Score |
Compliance Frameworks | CIS Controls v8, NIST SP 800-40, ISO 27001 |
Key Challenges Addressed
Replacing legacy WSUS infrastructure without losing governance control — addressed through Azure Update Manager's policy-driven maintenance window configuration, preserving controlled patch deployment governance while eliminating on-premises WSUS infrastructure dependencies.
Achieving unified visibility across hybrid environments — addressed through Azure Arc onboarding, which extends Azure management and monitoring capabilities to on-premises systems without requiring full cloud migration.
Correlating third-party scanner data with cloud-native security telemetry — addressed through Log Analytics as a centralised data platform, ingesting Nessus scan results alongside Defender for Cloud data and enabling cross-domain correlation within Sentinel.
Automating remediation while preserving operational stability — addressed through Azure Update Manager maintenance window scheduling and Azure Automation runbook governance, ensuring automated patch deployment operates within defined change control boundaries.
Integrating vulnerability intelligence into SOC workflows — addressed through Sentinel analytics rules correlating vulnerability data with threat intelligence, generating actionable SOC alerts for high-risk exposure conditions rather than leaving vulnerability data isolated in a separate scanning platform.
Providing centralised audit and compliance reporting — addressed through Azure Workbooks custom dashboards and Defender for Cloud compliance reporting, producing audit-ready visibility without manual report compilation.
Design Decisions & Rationale
Azure Update Manager over WSUS : Legacy WSUS infrastructure requires on-premises server management, manual configuration, and cannot natively extend to Azure-hosted or Arc-managed cloud workloads. Azure Update Manager provides cloud-native patch governance with native Arc integration, eliminating on-premises dependency while improving scalability and operational flexibility across hybrid environments.
Dual Vulnerability Assessment — Nessus and Defender for Cloud : Neither tool alone provides complete coverage for hybrid environments. Nessus delivers deep credentialed scanning, comprehensive CVE coverage, and network-level vulnerability detection beyond Azure's native scope. Defender for Cloud provides continuous cloud-native posture assessment, Azure resource integration, and Secure Score tracking that Nessus cannot replicate. The combination addresses coverage gaps that a single-tool approach would leave open.
Azure Arc as the Unified Hybrid Control Plane : Without Arc, on-premises assets require separate management tooling, creating operational silos and reporting gaps between cloud and on-premises vulnerability data. Azure Arc extends the Azure management plane to on-premises infrastructure, enabling consistent policy enforcement, update management, and security monitoring across the full hybrid estate through a single operational interface.
Centralised Security Telemetry Through Log Analytics : Vulnerability data isolated within individual scanning tools cannot be correlated with broader security telemetry. Log Analytics provides a unified data platform where Nessus results, Defender recommendations, and patch compliance data can be correlated, queried, and fed into Sentinel for SOC-level analysis.
SOC Integration Through Microsoft Sentinel : Vulnerability management platforms that operate independently of SOC workflows create an operational disconnect between known exposure and active threat response. Sentinel integration transforms vulnerability data into SOC-actionable intelligence — generating alerts when critical CVEs are discovered, when systems exceed remediation SLA windows, or when vulnerability exposure correlates with active threat indicators.
Automation-First Remediation Strategy : Manual patch deployment at enterprise scale is operationally unsustainable and introduces inconsistency. Azure Automation and Update Manager enable policy-governed, scheduled remediation that reduces manual effort, improves deployment consistency, and accelerates vulnerability response timelines while preserving change control governance through maintenance window enforcement.
Trade-offs & Design Constraints
Nessus Licensing Cost at Hybrid Scale : Nessus Professional or Nessus Manager licensing at enterprise scale introduces significant cost, particularly when combined with Defender for Cloud plan costs. In a production deployment, the dual-scanner model must be cost-justified against the coverage improvement achieved. Organisations with primarily Azure workloads may find Defender for Cloud sufficient without Nessus; hybrid-heavy environments with complex on-premises infrastructure benefit most from the combined approach.
Azure Arc Agent Deployment Complexity : Onboarding large numbers of on-premises servers through Azure Arc requires coordinated agent deployment across potentially heterogeneous infrastructure. In complex environments with legacy operating systems, strict network segmentation, or limited outbound connectivity, Arc agent deployment may require significant pre-work before unified visibility is achieved.
Sentinel Cost at High Telemetry Volume : Microsoft Sentinel pricing is ingestion-based. Centralising Nessus scan results, Defender alerts, and Update Manager compliance data at enterprise scale can generate significant Log Analytics ingestion volumes. Data collection rules and ingestion filtering should be designed to prioritise security-relevant telemetry while managing cost — retaining full fidelity for vulnerability alerts and compliance events while applying sampling or filtering to routine scan telemetry.
Maintenance Window Constraints for Critical Patching : Policy-driven maintenance window scheduling improves operational governance but creates tension with critical vulnerability remediation SLAs. A Critical CVE requiring 24-hour remediation cannot wait for the next scheduled maintenance window. The architecture must include an emergency patching workflow — outside standard maintenance windows with appropriate change control approval — to meet critical remediation SLA targets without compromising operational governance.
Nessus to Log Analytics Integration Complexity : Nessus does not natively export scan results to Azure Log Analytics. Integration requires custom PowerShell or API-based export pipelines to transform and ingest Nessus scan data into Log Analytics. This integration adds architectural complexity and requires ongoing maintenance to handle Nessus API changes or Log Analytics schema updates.
Projected Outcomes
The architecture is designed to deliver the following operational and security outcomes in a production hybrid enterprise environment:
Elimination of legacy WSUS infrastructure dependencies through cloud-native Azure Update Manager adoption
Significant reduction in patch deployment timelines through automation-first remediation workflows and defined SLA governance
Unified visibility across all hybrid infrastructure vulnerabilities through a single Azure-native operational control plane
Continuous vulnerability monitoring replacing periodic point-in-time scanning cycles
Improved correlation between vulnerability exposure and active threat intelligence through Sentinel SOC integration
Reduced manual remediation overhead through Azure Automation policy-driven patch orchestration
Centralised audit-ready compliance reporting and security posture visibility through Azure Workbooks and Defender Secure Score
Enhanced SOC operational awareness of high-risk vulnerability exposure conditions
Future Evolution
Risk-based vulnerability prioritisation integrating threat intelligence feeds for exposure-weighted remediation sequencing
Automated remediation approval workflows through ITSM integration (ServiceNow, Jira Service Management)
SOAR playbook integration for automated response to critical CVE discovery and SLA breach events
AI-assisted vulnerability analytics and remediation prioritisation using Microsoft Security Copilot
Infrastructure as Code remediation orchestration through Terraform and Bicep for consistent environment baseline enforcement
Advanced exposure management dashboards incorporating asset criticality weighting in vulnerability risk scoring
Cross-cloud vulnerability management expansion to AWS and GCP environments through multi-cloud Arc integration
External threat intelligence feed integration for proactive CVE prioritisation ahead of active exploitation
Key Takeaways
Vulnerability management must evolve into a continuous operational security lifecycle — periodic scanning is insufficient for modern hybrid environments
Unified hybrid asset visibility through Azure Arc is the architectural prerequisite for effective cross-environment vulnerability governance
Dual-scanner models combining deep third-party scanning with cloud-native assessment provide coverage that neither tool achieves independently
SOC integration transforms vulnerability data from isolated reports into actionable security intelligence — a critical operational maturity step
Automation-first remediation significantly improves speed and consistency but requires carefully governed maintenance windows to preserve operational stability
Defined remediation SLAs by severity tier are essential — vulnerability management without SLA governance produces inconsistent prioritisation and extended exposure windows
Legacy WSUS infrastructure creates scalability and integration constraints that cloud-native update management resolves effectively