Why do I need a Vulnerability Assessment?

Vulnerability scanning has become a cybersecurity staple. Using one or more scanning tools, you can scan your entire infrastructure for technical vulnerabilities. There are many reasons to do this:

  1. To match up critical vulnerabilities with critical assets
  2. To generate a list of the patches or other remediations that need to be applied
  3. To identify (through the assessment process) all of the false positives and false negatives that exist
  4. To satisfy PCI, HIPAA and NERC CIP regulatory requirements

What if I need more than scanning?

We at GreyCastle Security give you the option of taking several additional steps, including:

  • Assessing the risk of individual applications, servers and networks based on standards and recommended practices
  • Defining standard configurations, called "baselines", for applications, servers and networks
  • Comparing standard configurations to what exists today
  • Applying changes to applications, servers and networks

How is this different from a Penetration Test?

There are important differences between a Vulnerability Assessment and a Penetration Test. Put simply:

[Figure: Vulnerability Assessment vs Penetration Test]

Which one should you do? The answer is probably "both", depending on the problem you're trying to solve, the maturity of your cybersecurity controls and your regulatory requirements.