There Are Many Reasons to Do This
- Correlate critical vulnerabilities with critical assets
- Generate a list of the patches or other remediations that need to be applied
- Identify (through the assessment process) existing false positives, false negatives, and exceptions
- Satisfy NIST, HIPAA, CMMC, PCI and other regulatory requirements
- Prioritize risk mitigation and build a road map