What Is a Vulnerability Assessment? A Plain English Guide

by Rebecca Sutton

A vulnerability assessment is a systematic scan of your IT systems, networks and applications to find known security weaknesses. It identifies what is exposed, scores each finding by severity, and produces a prioritised list of what to fix first. Most assessments rely on automated scanning tools. A qualified analyst then interprets the results, removes false positives, and turns the output into something actionable.

Unlike a penetration test, a vulnerability assessment does not try to exploit what it finds. Instead, think of it as a health check rather than a stress test: repeatable, affordable, and well-suited to keeping track of a changing attack surface.

How a Vulnerability Assessment Works

The process follows five stages. Most organisations run them on a rolling basis rather than as a one-off exercise.

1. Define the scope

First, decide which assets are in scope. Options include internal servers, cloud workloads, Wi-Fi infrastructure, web applications, or the full environment. A clear scope prevents gaps and keeps costs predictable.

2. Scan for vulnerabilities

Automated scanners probe each in-scope asset and compare what they see against databases of known vulnerabilities, checking software versions, open ports, misconfigurations, and unpatched components. Unauthenticated scans infer versions from service banners and behaviour over the network; authenticated (credentialed or agent-based) scans read installed package and patch data directly, so they find more and raise fewer false positives. Scanning takes minutes to hours, depending on the size of the environment.

3. Analyse and prioritise

Raw scanner output typically contains thousands of findings. An analyst removes false positives and rates each genuine issue by severity, business impact, and exploitability. Most organisations use the Common Vulnerability Scoring System (CVSS) as a baseline. Scores run from 0 to 10; on the CVSS v3 qualitative scale, 4.0 to 6.9 is medium, 7.0 to 8.9 is high, and 9.0 or above is critical. The base score rates the technical severity of the flaw, not the likelihood that it is exploited in your environment, which is why analysts layer on exposure (is the host internet-facing?), evidence of active exploitation, and asset criticality before fixing the order of work.

4. Report

The output is a structured report listing each vulnerability, its severity score, the affected systems, and recommended fixes. A well-written report separates critical issues from background noise. It gives the team something actionable rather than a raw data export.

5. Remediate and rescan

Patching and configuration changes address the findings. A follow-up scan then confirms fixes worked and checks for newly discovered vulnerabilities. Many organisations skip this step and later wonder why the same findings reappear next quarter.
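The analysis, reporting and rescan stages above are mechanical enough to script. What follows is an added example, not code from the original article or from any scanner vendor: it takes a simplified, constructed set of scan records (real tools such as Nessus, OpenVAS and Qualys each have their own export format, so the parsing would need adapting), drops analyst-confirmed false positives, bands each finding with the CVSS v3 qualitative scale, applies the Cyber Essentials rule that a fix for a CVSS 7.0+ issue must be applied within 14 days of the vendor releasing it, and then diffs the previous scan against the current one to show what was fixed, what is new and what persists. The two CVE identifiers and their base scores are real, well-known ones used as labels; hosts, check IDs and dates are constructed for the example.

```python
"""Scanner-output triage and rescan comparison (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str              # the scanner's check identifier (field name assumed)
    cve: str | None             # None for configuration findings with no CVE
    cvss: float                 # CVSS v3.x base score, 0.0 to 10.0
    fix_released: date | None   # vendor fix release date; None if no patch exists


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def patch_deadline(finding: Finding) -> date | None:
    """Cyber Essentials: CVSS 7.0+ fixes applied within 14 days of release.

    The clock runs from the vendor's release date, not from the scan date.
    Lower severities and findings with no vendor fix (e.g. default
    credentials) get no hard deadline here; those are set by internal policy.
    """
    if finding.cvss < 7.0 or finding.fix_released is None:
        return None
    return finding.fix_released + timedelta(days=14)


def triage(findings: list[Finding], false_positives: set[tuple[str, str]]) -> list[Finding]:
    """Drop analyst-confirmed false positives, then order by CVSS descending."""
    genuine = [f for f in findings if (f.host, f.plugin_id) not in false_positives]
    return sorted(genuine, key=lambda f: f.cvss, reverse=True)


def report(findings: list[Finding], scan_date: date,
           false_positives: set[tuple[str, str]]) -> list[dict]:
    """One row per genuine finding with its band, deadline and overdue flag."""
    rows = []
    for f in triage(findings, false_positives):
        deadline = patch_deadline(f)
        rows.append({
            "host": f.host, "plugin": f.plugin_id, "cve": f.cve, "cvss": f.cvss,
            "severity": severity(f.cvss), "deadline": deadline,
            "overdue": deadline is not None and deadline < scan_date,
        })
    return rows


def compare_scans(previous: list[Finding], current: list[Finding],
                  false_positives: set[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Rescan check: what was fixed, what is new, what persists, keyed on (host, check)."""
    prev = {(f.host, f.plugin_id) for f in triage(previous, false_positives)}
    cur = {(f.host, f.plugin_id) for f in triage(current, false_positives)}
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev), "persisting": sorted(prev & cur)}


# Constructed sample scans. Hosts, check IDs and dates are invented for the example.
PREVIOUS_SCAN_DATE = date(2024, 2, 1)
PREVIOUS_SCAN = [
    Finding("web01", "10001", "CVE-2023-44487", 7.5, date(2023, 10, 10)),   # HTTP/2 Rapid Reset
    Finding("web01", "10002", None, 5.3, None),                             # TLS 1.0 still enabled
    Finding("db01",  "10003", None, 9.8, None),                             # default admin credentials
    Finding("fs01",  "10004", "CVE-2021-44228", 10.0, date(2021, 12, 10)),  # Log4Shell
    Finding("web01", "10005", None, 7.2, date(2024, 1, 15)),                # confirmed false positive
]
CURRENT_SCAN_DATE = date(2024, 3, 1)
CURRENT_SCAN = [
    Finding("web01", "10002", None, 5.3, None),                 # persists
    Finding("db01",  "10003", None, 9.8, None),                 # persists
    Finding("web01", "10005", None, 7.2, date(2024, 1, 15)),    # the false positive comes back every scan
    Finding("app02", "10006", None, 8.1, date(2024, 2, 20)),    # new: unpatched component
]
FALSE_POSITIVES = {("web01", "10005")}


if __name__ == "__main__":
    for row in report(CURRENT_SCAN, CURRENT_SCAN_DATE, FALSE_POSITIVES):
        print(f"{row['host']:<6} {row['severity']:<8} {row['cvss']:>4}  "
              f"deadline={row['deadline']}  overdue={row['overdue']}")
    for label, keys in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, FALSE_POSITIVES).items():
        print(f"{label}: {keys}")
```

Keeping the false-positive list as data rather than editing scanner output is deliberate: the same suppression is applied to every scan, so the diff between months reflects real change and the recurring false positive stops inflating the numbers. Findings with no vendor fix date still surface at the top by score; the script refuses to guess a deadline for them because that is a policy decision, not a calculation.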

Types of Vulnerability Assessment

Assessments target different layers of an organisation’s environment. Most businesses need a combination, though the right mix depends on what they run and where those systems sit.

  • Network assessment: Scans wired and wireless networks for exposed services, weak protocols, and misconfigured devices.
  • Host-based assessment: Runs directly on servers and workstations, usually via a deployed agent, checking patch levels, user permissions, and service configurations.
  • Web application assessment: Tests sites and web apps for flaws such as injection vulnerabilities and broken authentication. This differs from a penetration test, which actively tries to exploit those flaws.
  • Database assessment: Checks for default credentials, excessive privileges, and unpatched database software.
  • Cloud configuration assessment: Reviews AWS, Azure, or GCP environments for exposed storage buckets, overly permissive access policies, and missing audit logging.

What Does a Vulnerability Assessment Find?

Common findings include software with known CVEs that have not been patched, services running on default credentials, and open ports with no business justification. Weak encryption configurations and accounts with excessive permissions are also frequent. Patching alone does not catch all of these, since misconfigurations and permission creep require a separate review pass.

The Cyber Essentials scheme sets a clear threshold: updates that fix vulnerabilities rated CVSS v3 7.0 or above (or described by the vendor as high or critical) must be applied within 14 days of the vendor releasing the fix. Note that the clock runs from the release date, not from the date your scan finds the issue, so a monthly scan can surface findings that are already overdue. Critical findings (9.0 and above) need immediate attention. Lower-severity issues can slot into normal change windows.

A good vulnerability assessment also surfaces problems that a raw scan alone does not: accounts that are technically valid but belong to staff who left months ago, backup systems excluded from patching cycles, and configuration drift that accumulates quietly between review cycles. So the exercise is not just confirming what you know about, but revealing what you do not.

Vulnerability Assessment vs Penetration Testing

This is the question most IT managers ask first. The short answer is that they do different jobs. Most organisations need both.

A vulnerability assessment tells you what weaknesses exist. A penetration test tells you which weaknesses a real attacker could exploit, how far they could get, and what data or systems they could reach. We covered the distinction in our penetration testing vs vulnerability scanning guide.

The practical rule is this: run a vulnerability assessment regularly to keep your patch posture in check. When you need to validate that your defences hold under realistic attack conditions, commission a penetration test. Also, if an assessment turns up a cluster of critical findings, a scoped penetration test is often the right follow-up.

How Often Should You Run One?

The NCSC’s vulnerability management guidance sets monthly as a sensible minimum for most organisations. Businesses with frequent infrastructure changes or cloud environments should scan more often. Each change can introduce new exposure.

However, compliance frameworks vary in their specific requirements. Cyber Essentials requires high and critical vulnerabilities to be patched within 14 days of a fix being released. PCI DSS mandates quarterly internal scans and quarterly external scans by an Approved Scanning Vendor (ASV), with rescans after significant changes. GDPR requires appropriate technical and organisational measures to protect personal data, and regular assessments are clear evidence of meeting that requirement.

For most UK small and mid-sized businesses: monthly is good practice, quarterly is the floor, and after any significant infrastructure change is non-negotiable.

What Happens After the Assessment?

The report is only useful if someone acts on it. A workable remediation process has three parts: assign ownership for each finding, set a deadline based on severity, and verify fixes with a follow-up scan.

Senior leadership needs to be involved when a finding requires significant change. Taking a system offline or reworking a critical configuration needs an accountable decision-maker. The NCSC is clear on this point: decisions to defer updates should not be buried in a ticket queue.

Tracking progress over time also matters. Comparing this month’s results to last month’s shows whether your patch process is working or whether the same categories of finding keep recurring. That trend data is useful for board reporting, cyber insurance conversations, and demonstrating security maturity to prospective clients or auditors.

If you want professional help scoping and running a vulnerability assessment, our vulnerability scanning service can cover networks, hosts, and web applications with a clear remediation report.

Frequently Asked Questions

Do I need a vulnerability assessment if I already have antivirus and a firewall?

Yes. Antivirus detects known malicious code. A firewall controls traffic at the perimeter. Neither covers unpatched software, misconfigured services, or excessive internal permissions. A vulnerability assessment looks across all of these, including the parts perimeter tools cannot see.

Can we run a vulnerability assessment in-house?

Tools such as OpenVAS, Nessus Essentials (free, but capped at 16 IP addresses), and Qualys are accessible to in-house teams. Running the scan is not technically demanding. However, interpreting the results, removing false positives, and turning findings into clear actions is harder. Many organisations run internal scans monthly and bring in a third party for an independent view once or twice a year.

How is a vulnerability assessment different from a security audit?

A security audit checks whether policies and controls exist and are documented. A vulnerability assessment tests whether those controls actually work in practice by looking for real weaknesses in your systems. Both are useful: audit for governance, assessment for technical assurance.

Is a vulnerability assessment required for Cyber Essentials?

Cyber Essentials does not formally require a vulnerability assessment. But its patching controls demand visibility into patch status across all devices in scope. Cyber Essentials Plus, the independently verified tier, includes a technical audit of patch levels and configuration. So the coverage overlaps significantly with what a host-based vulnerability scan provides.

How much does a vulnerability assessment cost?

Costs vary with scope and depth. A scoped assessment covering networks, hosts, and web applications at a UK SME typically runs from a few hundred to a few thousand pounds. If you want to discuss what is right for your environment, get in touch with our team.
