More assets, more vulnerabilities, but no more headcount. As founding engineers (now leaders) of our org’s vulnerability management (Cloud Security, Infrastructure Security and Application Security) program, we share the mistakes we made, the lessons that we learned, and how we scaled to meet modern risks without extra headcount but replacing noisy “triage everything” with targeted risk-based triage, embedded remediation, and automation that actually works.