Vulnerability Exceptions, Risk Acceptance, and Compensating Controls
RCCE students will learn how organizations handle vulnerabilities that cannot be remediated immediately by using exception workflows, risk acceptance decisions, temporary safeguards, and governance oversight. RCCE students will learn to document justification, select compensating controls, set expiration criteria, involve the right approvers, and prevent exception processes from becoming permanent risk accumulation. The course covers practical scenarios ranging from exception requests to governance review, monitoring, and retirement. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Vulnerability Exceptions, Risk Acceptance, and Compensating Controls
- Execute hands-on tasks for vulnerability exceptions, risk acceptance,
- Execute hands-on tasks for and compensating controls
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn — covering Exception workflow design.
- Execute hands-on tasks for course context — covering Maps to DCWF Vulnerability Management.
- Execute hands-on tasks for why vulnerability exceptions exist
- Execute hands-on tasks for legacy systems
- Execute hands-on tasks for business conflicts
- Execute hands-on tasks for technical barriers — covering Cannot be patched without, Patch window clashes with, No vendor patch available.
- Execute hands-on tasks for third-party sla constraints — covering No vendor patch available.
- Execute hands-on tasks for vulnerability exception
- Execute hands-on tasks for risk acceptance
| Module 01 | Vulnerability Exceptions, Risk Acceptance, |
| Module 02 | and Compensating Controls |
| Module 03 | Course Overview |
| Module 04 | What You Will Learn |
| Module 05 | Course Context |
| Module 06 | Why Vulnerability Exceptions Exist |
| Module 07 | Legacy Systems |
| Module 08 | Business Conflicts |
| Module 09 | Technical Barriers |
| Module 10 | Third-party SLA constraints |
| Module 11 | Vulnerability Exception |
| Module 12 | Risk Acceptance |
| Module 13 | Compensating Control |
| Module 14 | Exception Lifecycle Overview |
All hands-on labs run on Rocheston Rose X OS. Students practice vulnerability exceptions, risk acceptance, and compensating controls by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for vulnerability exceptions, risk acceptance,
- Lab 2: Execute hands-on tasks for and compensating controls
- Lab 3: Explain Course Overview fundamentals
- Lab 4: Execute hands-on tasks for what you will learn
- Lab 5: Execute hands-on tasks for course context
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Vulnerability Exceptions, Risk Acceptance, and Compensating Controls, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI