Vulnerability management: not just for scanning known vulnerabilities