ELI5: What is Remediation vs. Mitigation?
Remediation fixes the actual problem, like patching a hole in the roof. Mitigation reduces the damage without fully fixing it, like putting a bucket under the leak until you can patch it.
Definition
In vulnerability management, remediation completely eliminates a vulnerability by fixing the root cause (typically by applying a patch or reconfiguring the system), while mitigation reduces the likelihood of exploitation or the impact of a successful attack without fully eliminating the vulnerability. Organizations use mitigation when full remediation is not immediately possible.
Key Details
- Remediation: applying the vendor patch, removing the vulnerable software, replacing the affected component
- Mitigation: disabling the affected feature, adding compensating controls (WAF rules, network restrictions), reducing exposure
- Compensating controls: alternative security measures that reduce risk when direct remediation is not feasible
- Risk acceptance: formally documenting the decision not to remediate and accepting the residual risk
- Mitigation is temporary — remediation should be planned and implemented as soon as possible
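As an added worked example (not part of the original glossary entry), the following Python model shows the remediation / mitigation / risk-acceptance decision described above: a finding is remediated when a patch can be applied promptly, otherwise compensating controls lower the residual severity, a low residual on a non-exposed asset may be formally accepted, and every mitigation carries a due date so that it stays temporary. The finding ids, asset names, control effectiveness figures and thresholds are all constructed assumptions for illustration, not values from any standard or advisory.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    REMEDIATE = "remediate"  # fix the root cause: patch, remove or replace
    MITIGATE = "mitigate"    # compensating control until the fix can be applied
    ACCEPT = "accept"        # formally documented decision not to remediate


@dataclass
class Finding:
    asset: str
    vuln_id: str                 # constructed placeholder ids, not real advisories
    severity: float              # CVSS-style base score, 0.0 to 10.0
    patch_available: bool
    patch_window_days: int       # days until the patch could realistically be deployed
    internet_exposed: bool
    controls: List[str] = field(default_factory=list)   # compensating controls in place


@dataclass
class Decision:
    action: Action
    residual: float                  # severity after compensating controls
    remediation_due: Optional[date]  # when the root-cause fix (or a re-review) is due
    rationale: str


# Assumed effectiveness of each compensating control (fraction of exploit
# likelihood removed). Illustrative numbers only, not a standard.
CONTROL_EFFECT = {"waf_rule": 0.5, "network_restriction": 0.6, "feature_disabled": 0.9}
MAX_PATCH_WAIT = 14     # assumed: a patch deployable this soon is simply remediated
ACCEPT_THRESHOLD = 4.0  # assumed: residual below this on a non-exposed asset may be accepted
REVIEW_DAYS = 30        # assumed: a mitigation with no patch is re-reviewed this often


def residual_severity(severity: float, controls: List[str]) -> float:
    """Scale severity by the exploit likelihood that remains after each control."""
    likelihood = 1.0
    for c in controls:
        likelihood *= 1.0 - CONTROL_EFFECT.get(c, 0.0)  # unknown control earns no credit
    return round(severity * likelihood, 1)


def triage(f: Finding, today: date) -> Decision:
    """Choose remediation, mitigation or acceptance for one finding."""
    if f.patch_available and f.patch_window_days <= MAX_PATCH_WAIT:
        return Decision(Action.REMEDIATE, 0.0,
                        today + timedelta(days=f.patch_window_days),
                        "patch available within the patch window; fix the root cause")
    res = residual_severity(f.severity, f.controls)
    if res < ACCEPT_THRESHOLD and not f.internet_exposed:
        return Decision(Action.ACCEPT, res, None,
                        "residual risk within tolerance on a non-exposed asset; "
                        "document acceptance of the residual risk")
    # Mitigation is temporary: record when remediation (or a re-review) is due.
    due = today + timedelta(days=f.patch_window_days if f.patch_available else REVIEW_DAYS)
    return Decision(Action.MITIGATE, res, due,
                    "full remediation not immediately possible; keep compensating "
                    "controls in place and schedule the root-cause fix")


def plan(findings: List[Finding], today: date) -> Dict[str, Decision]:
    """Triage every finding and index the decisions by vulnerability id."""
    return {f.vuln_id: triage(f, today) for f in findings}


def overdue_mitigations(decisions: Dict[str, Decision], today: date) -> List[str]:
    """Mitigations whose remediation date has passed without a root-cause fix."""
    return sorted(v for v, d in decisions.items()
                  if d.action is Action.MITIGATE and d.remediation_due < today)


# Constructed sample findings (asset names, ids and scores are made up).
SAMPLE = [
    Finding("web-01", "VULN-0001", 9.8, True, 3, True),
    Finding("web-02", "VULN-0002", 9.8, False, 0, True, ["waf_rule", "network_restriction"]),
    Finding("erp-01", "VULN-0003", 5.0, True, 60, False, ["feature_disabled"]),
    Finding("db-01", "VULN-0004", 7.5, False, 0, False),
]
TODAY = date(2024, 1, 1)                 # fixed date so the output is reproducible
LATER = TODAY + timedelta(days=45)       # a later check to show expired mitigations

if __name__ == "__main__":
    decisions = plan(SAMPLE, TODAY)
    for vid, d in decisions.items():
        print(f"{vid}: {d.action.value:9} residual={d.residual:<4} "
              f"due={d.remediation_due}  {d.rationale}")
    print("overdue mitigations on", LATER, ":", overdue_mitigations(decisions, LATER))
```

Running the sample shows the three outcomes side by side: VULN-0001 is remediated within its patch window, VULN-0002 is mitigated by WAF and network controls but still carries a review date because it is internet-exposed, VULN-0003 ends in documented risk acceptance, and VULN-0004 is mitigated with no control credit, so the overdue report 45 days later flags both mitigated findings as still needing a root-cause fix.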
Connections
- Parent: vulnerability-management — understanding remediation vs. mitigation options is core to vulnerability management
- See also: patch-management