Vulnerability assessment

What is a vulnerability assessment?

During a vulnerability assessment (sometimes wrongly equated with a penetration test), one or more IT systems, for example a web application or a web service, are examined for security vulnerabilities.

The goal is to identify vulnerabilities that an attacker could exploit as early as possible. To do this, we draw on our toolchain and experience from penetration tests and attack simulations.

In contrast to a penetration test, the target system is examined mainly with automated tools in order to uncover as many problem areas as possible in the available time. Vulnerabilities are identified, but usually no attempt is made to exploit them further (so-called “escalation”, e.g. chaining a finding into access to other systems), as this is time-consuming and costly.

Besides the automated vulnerability scan, an additional manual analysis of the various scan results is performed, to clean up false positives and to allow an initial risk assessment.

Why is a vulnerability assessment useful?

Vulnerability assessments are particularly suitable as a recurring check of a specific asset, so that its security is reviewed regularly and improved over time.

If the systems to be tested are prioritized sensibly (for example by exposure and business criticality), this not only hardens the individual application but also raises the security level of your entire company in the long term.

Vulnerability assessments are an efficient tool to sustainably increase the security of assets, especially as an accompanying measure during the development process.


Course of a vulnerability assessment

  • Kickoff

    During the kickoff, we learn about the asset (e.g. a web application) and discuss together what information we need from you.

  • Setup

    Depending on the type and technology of the asset to be tested, we develop a comprehensive scan setup.

  • Automated scans

    We use automated scans to check the application for common problems and misconfigurations.

  • Manual evaluation

    The most complex part of the test is the evaluation. Our testers use their experience to clean up the raw results (removing false positives and duplicate reports of the same issue) and to prepare them for the risk assessment.

  • Analysis & reporting

    The weak points and identified misconfigurations are analyzed, documented and appropriate recommendations for action are created.

Follow-up and closure

Following the vulnerability assessment, you will receive a report with all the security risks found. Each finding is assigned a corresponding risk rating, so you can prioritize fixing the most important issues.

If you have any questions about the report or individual findings afterwards, we will be happy to have a remediation meeting to discuss results and possible solutions.

  • Predominantly automated security assessment of your application/IT system
  • Efficient and cost-effective, but lower test coverage
  • Particularly useful as a complementary measure

Because they are less expensive than full penetration tests, vulnerability assessments are a useful addition for monitoring the security level of your IT systems, including in the period between two penetration tests.

The PCI Data Security Standard (PCI DSS), for example, requires penetration tests at least once every 12 months (and after significant changes) and, in addition, internal and external vulnerability scans at least every three months, with the external scans performed by a PCI-approved scanning vendor (ASV).

In contrast to a penetration test, a vulnerability assessment is predominantly automated.

In this way, an overview of existing issues and the security level of the system in question can be obtained efficiently and cost-effectively.

However, some types of vulnerabilities cannot be detected well (if at all) by automated scanners, for example flaws in business logic, authorization and multi-step workflows, which is why a full penetration test is recommended at regular intervals.
