Vulnerability management is a critical, albeit tedious, aspect of maintaining security compliance in modern technical stacks, involving the continuous process of scanning for, prioritizing, and patching software vulnerabilities. CircleCI's journey through FedRAMP certification and SOC 2 Type II compliance revealed the necessity of automating vulnerability management, particularly with their Docker-based infrastructure, where patching means rebuilding and redeploying images rather than patching servers in place. This shift in responsibility from SREs to development teams necessitated educating both internal teams and auditors unfamiliar with Docker's implications for security practices. Initial steps involved manually assessing vulnerabilities using spreadsheets, which later evolved into an automated ticketing system integrated with CI/CD pipelines, enabling vulnerability patching to happen as part of regular workflows. CircleCI's strategy emphasized feedback loops, collaboration with engineering teams, and automation to streamline processes, despite initial resistance and challenges, ultimately leading to a system where vulnerability management is an ongoing, integrated part of software deployment rather than a disruptive event.
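As an added illustration of the scan-prioritize-ticket loop described above, the following example (written for this summary, not CircleCI's own tooling) collapses container scan findings into one ticket per image, since the image rebuild is the unit of remediation, and turns the result into a CI gate. The scanner record shape, image tags and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass, field
# Severity ordering used for prioritisation and for the CI gate.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample findings shaped like a container-image scan report
# (not real scanner output; image tags and CVE ids are placeholders).
SAMPLE_FINDINGS = [
    {"image": "api:1.4.2", "cve": "CVE-0000-0001", "severity": "CRITICAL",
     "package": "openssl", "fixed_version": "1.1.1k"},
    {"image": "api:1.4.2", "cve": "CVE-0000-0002", "severity": "LOW",
     "package": "bash", "fixed_version": None},
    {"image": "worker:2.0.0", "cve": "CVE-0000-0001", "severity": "CRITICAL",
     "package": "openssl", "fixed_version": "1.1.1k"},
    {"image": "docs:3.1.0", "cve": "CVE-0000-0004", "severity": "MEDIUM",
     "package": "zlib", "fixed_version": None},
]

@dataclass
class Ticket:
    image: str                      # one ticket per image: the rebuild is the fix
    severity: str = "LOW"           # worst severity seen in this image
    cves: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    fixable: bool = False           # at least one finding has a fixed version

def triage(findings, gate_threshold="HIGH"):
    """Group findings per image, rank tickets by worst severity, and select the
    ones that should fail the pipeline: at/above threshold AND fixable today.
    Unfixable findings still get a ticket for tracking but do not block."""
    tickets = {}
    for f in findings:
        t = tickets.setdefault(f["image"], Ticket(image=f["image"]))
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[t.severity]:
            t.severity = f["severity"]
        if f["cve"] not in t.cves:
            t.cves.append(f["cve"])
        if f["fixed_version"]:
            t.fixable = True
            t.actions.append(f"bump {f['package']} to {f['fixed_version']} and rebuild")
        else:
            t.actions.append(f"no fix yet for {f['package']} ({f['cve']}); re-scan next build")
    ordered = sorted(tickets.values(), key=lambda t: -SEVERITY_RANK[t.severity])
    blocking = [t for t in ordered
                if t.fixable and SEVERITY_RANK[t.severity] >= SEVERITY_RANK[gate_threshold]]
    return ordered, blocking

if __name__ == "__main__":
    _, blocking = triage(SAMPLE_FINDINGS)
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

Run as a pipeline step, a non-zero exit fails the job only when a fixable finding at or above the threshold exists; everything else is still recorded as a ticket.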