BastionSec

Vulnerability assessment: the broad, recurring picture of your vulnerabilities.

Systematic identification of vulnerabilities with automated scanning and manual verification. CVSS severity, false positives filtered, prioritised inventory. No active exploitation: it's for when you want to see the surface, not break it.

  • Automated scanning + manual verification: we filter out the false positives.
  • Vulnerability inventory with CVSS severity and prioritised remediation.
  • No active exploitation: it's a broad picture, ideal as a recurring check.

When you need a VA

Quick self-qualification: do you recognise yourself in one of these?

You want a surface baseline

You've never mapped what's exposed: you need a broad picture of vulnerabilities before deciding where to dig deeper.


A recurring, low-friction check

You want a periodic check that feeds your Trust Center and tells you if new known vulnerabilities appeared.


Preparing for a pentest

You want to clean up the 'easy' flaws before the penetration test, so the test digs where it really matters.


What a vulnerability assessment is (and isn't)

A vulnerability assessment is the systematic identification of vulnerabilities: automated scanning of the surface plus manual verification to filter out false positives. The output is an inventory of weaknesses with CVSS severity: a broad, repeatable, low-friction picture.

It isn't a penetration test: a VA doesn't actively exploit flaws to prove their impact, it detects and rates them. And it isn't a red team: no adversary simulation, no testing of detection and response. If you need to prove real impact or see how far an attacker could get, you need a pentest, and we say so plainly.

VA ≠ pentest ≠ red team. A VA identifies and rates; a pentest exploits to prove impact; a red team simulates a real adversary. You often start from the VA.

What we cover

External surface (Internet-exposed hosts and services), internal network, web applications and APIs, and cloud configurations. We define the scope together based on what's genuinely relevant to your risk.

Every detected vulnerability is manually verified to rule out false positives and put in context: a high-scoring CVE on an unreachable system weighs differently from one on an exposed service. This human work is what separates a useful report from a scanner dump.

What you get: the report

  • Inventory of vulnerabilities with an identifier (CVE where applicable) and a clear description.
  • Severity scored in CVSS (v3.1 / v4.0), with context: exposure, reachability, affected asset.
  • False positives filtered through manual verification: no raw-scanner noise.
  • Remediation prioritised by risk: what to fix first, and why.
  • Executive summary readable by non-technical stakeholders.
  • Comparison with the previous assessment (for recurring checks), to see what improved.
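The verification, contextualisation, prioritisation and previous-assessment comparison described above can be made concrete in a few lines. The script below is an added example written for this page, not BastionSec's own tooling or report format: it takes raw scanner findings, drops the ones manual verification marked as false positives, keeps the CVSS base score untouched for the severity band, derives a separate remediation priority from exposure and reachability, and diffs the result against the previous assessment. The exposure weights, the host names and the CVE-style identifiers are constructed placeholders and illustrative assumptions, not a standard.

```python
"""Added example: from raw scanner findings to a verified, contextualised,
prioritised VA inventory, plus a diff against the previous assessment.
Not BastionSec's tooling; every host name, CVE-style id and weight below is a
constructed placeholder or an illustrative assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    asset: str
    check_id: str          # the scanner's own check/plugin id
    cve: Optional[str]     # CVE id where one applies, else None
    cvss: float            # CVSS base score as reported by the scanner (0.0-10.0)
    exposure: str          # "internet" | "internal" | "isolated" (from scoping/discovery)
    reachable: bool        # manually verified: is the vulnerable service actually reachable?
    verified: str          # "confirmed" | "false_positive" | "unverified" (manual verification)


# Illustrative exposure weights in percent (an assumption of this example, not part of CVSS).
EXPOSURE_WEIGHT = {"internet": 100, "internal": 70, "isolated": 40}


def to_tenths(score: float) -> int:
    """CVSS scores carry one decimal; work in integer tenths to avoid float drift."""
    return int(round(score * 10))


def severity_band(score: float) -> str:
    """CVSS v3.1 / v4.0 qualitative severity rating scale."""
    t = to_tenths(score)
    if t == 0:
        return "None"
    if t < 40:
        return "Low"
    if t < 70:
        return "Medium"
    if t < 90:
        return "High"
    return "Critical"


def priority_tenths(f: Finding) -> int:
    """Remediation priority: base score scaled by exposure, halved if unreachable.
    The CVSS base score itself is never altered; this only orders the fix list."""
    p = to_tenths(f.cvss) * EXPOSURE_WEIGHT[f.exposure] // 100
    if not f.reachable:
        p //= 2
    return p


def build_inventory(findings):
    """Drop verified false positives, keep unverified ones flagged, sort by priority."""
    rows = []
    for f in findings:
        if f.verified == "false_positive":
            continue  # filtered by manual verification: never reaches the report
        rows.append({
            "asset": f.asset,
            "id": f.cve or f"check:{f.check_id}",
            "cvss": f.cvss,
            "severity": severity_band(f.cvss),
            "priority": priority_tenths(f) / 10,
            "needs_verification": f.verified == "unverified",
        })
    rows.sort(key=lambda r: (-r["priority"], -r["cvss"], r["asset"], r["id"]))
    return rows


def compare(previous_rows, current_rows):
    """New / fixed / persisting (asset, id) pairs between two assessments."""
    prev = {(r["asset"], r["id"]) for r in previous_rows}
    cur = {(r["asset"], r["id"]) for r in current_rows}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "persisting": sorted(cur & prev)}


# Constructed sample data (placeholder hosts and placeholder CVE-style ids).
PREVIOUS_FINDINGS = [
    Finding("app.example.test", "10001", "CVE-0000-0001", 9.8, "internet", True, "confirmed"),
    Finding("fs.internal.test", "10005", "CVE-0000-0005", 5.3, "internal", True, "confirmed"),
]
CURRENT_FINDINGS = [
    Finding("app.example.test", "10001", "CVE-0000-0001", 9.8, "internet", True, "confirmed"),
    Finding("db.internal.test", "10002", "CVE-0000-0002", 9.8, "isolated", False, "confirmed"),
    Finding("app.example.test", "10003", None, 5.3, "internet", True, "false_positive"),
    Finding("vpn.example.test", "10004", "CVE-0000-0003", 7.5, "internet", True, "unverified"),
    Finding("fs.internal.test", "10006", "CVE-0000-0004", 6.5, "internal", True, "confirmed"),
]


if __name__ == "__main__":
    inventory = build_inventory(CURRENT_FINDINGS)
    for r in inventory:
        flag = "  [needs verification]" if r["needs_verification"] else ""
        print(f'{r["priority"]:>4}  {r["severity"]:<8} {r["cvss"]:>4}  {r["asset"]:<18} {r["id"]}{flag}')
    print(compare(build_inventory(PREVIOUS_FINDINGS), inventory))
```

Note the point the page makes about context: the two 9.8 findings keep the same CVSS band (Critical) in the inventory, but the one on an isolated, unreachable host sorts to the bottom of the fix list, while the unverified finding stays in the report with a flag rather than being silently dropped or silently trusted.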

How it works, step by step

A transparent process. Automation does the scanning at scale; verification and prioritisation are done by a person: that's where a VA becomes useful instead of noisy.

  1. Scoping: we define perimeter, assets, scan windows and authorisation.
  2. Discovery: mapping the surface (hosts, services, applications and exposed configurations).
  3. Scanning: automated vulnerability scanning across the whole agreed perimeter.
  4. Manual verification: we filter false positives and contextualise each finding against your environment.
  5. Reporting: inventory with CVSS severity, context and prioritised remediation.

Stack & methodologies

Recognised references: NIST SP 800-115 for the security testing methodology, OWASP (Top 10 and WSTG) for the web portion, OSSTMM as a testing framework. Severity follows CVSS (v3.1 / v4.0) and known-vulnerability identifiers follow the CVE scheme.

The goal is a shared, defensible scale: a serious vulnerability assessment isn't 'the output of a scanner', it's a verified, contextualised evaluation that a technical buyer can take seriously.

Model and timing

  1. Project model: 'from' price + range. A VA is a project with a defined perimeter; it typically costs less than a pentest because it doesn't include exploitation. Price after scoping. See the pricing page.
  2. Execution: typically a few days. Depends on the breadth of the perimeter. Defined during scoping, no sight-unseen promises.
  3. Recurring (optional): at a defined cadence. In the continuous-security retainer the VA becomes periodic and feeds your Trust Center.

Many clients combine a recurring VA with a periodic pentest: continuous breadth, plus depth where it matters.

A VA tells you what's vulnerable, not how far an attacker could get: for that you need a penetration test. And 'no findings' doesn't mean 'zero risk': it means that within scope and at the time of the test, no known vulnerabilities surfaced.

Frequently asked

Vulnerability assessment or penetration test: which do I need?

A VA gives you the broad picture of known vulnerabilities, with CVSS severity and no exploitation: ideal as a baseline or recurring check. A pentest exploits flaws to demonstrate their real impact: you need it when you must prove what an attacker could do, or when clients, ISO or SOC 2 ask for it. Often it makes sense to do both.

Is a VA just the output of an automated scanner?

No. Automated scanning finds the candidates, but the value is in the manual verification: we filter false positives and contextualise each finding against your environment. A report that's just a scanner dump won't hold up in front of a technical buyer.

How often should I repeat it?

It depends on your rate of change. The surface shifts and new CVEs come out constantly: a recurring VA (monthly or quarterly) keeps the picture alive. We structure it in the continuous-security retainer.

What do I get at the end?

A report with a vulnerability inventory, CVSS severity, context, false positives already filtered and prioritised remediation, plus an executive summary. For recurring checks we add the comparison with the previous assessment.

Is a VA enough for ISO 27001 or SOC 2?

Vulnerability management is a required control and a recurring VA is great evidence. For enterprise security questionnaires, however, a penetration test is often specifically requested: write to us and we'll figure out what you need.

Go deeper

Penetration Testing

When you need to exploit flaws to demonstrate their real impact, not just identify them.


Audit & Pentest (hub)

Our testing line: VA, penetration testing and red team explained together, with the delivery model.


Sample report

An anonymised report showing how we present CVSS severity, context and evidence: see it before you decide.

Want to know what's exposed, for real?

Tell us the perimeter: we'll give you a verified picture of your vulnerabilities and a 'from' price.