Compensating controls are the measures taken to reduce the risk posed by vulnerabilities that can't be patched immediately. They can be used to mitigate the likelihood or impact of a successful exploit.

Note: The compensating controls feature is available for host vulnerabilities only.

Applying compensating controls helps reduce the risk associated with a vulnerability while a permanent fix is pending.

The following table shows the use cases for compensating controls:

Table 1. Use cases for compensating controls

| Use case | Compensating control |
|---|---|
| A vulnerability in a web server that enables attackers to execute arbitrary code. | Implement a web application firewall (WAF) to block malicious requests to the web server. |
| A vulnerability in an operating system that enables attackers to escalate privileges to root. | Implement application control to restrict the execution of applications on the host system. |
| A vulnerability in a database server that enables attackers to access sensitive data. | Implement network segmentation to isolate the database server from other hosts and critical systems. |

For more information on how compensating controls affect the risk score of a vulnerable item and its remediation task, see "Impact of the compensating controls on risk score and expiration date".