What is a vulnerability assessment?
A vulnerability assessment identifies known weaknesses in systems, software, or configurations, typically by combining automated scanning with manual review of settings and patch levels.
Simple example
A business scans its external services and internal network to find missing patches and risky configurations.
Why it matters
It helps prioritise fixes, but finding a weakness is not the same as proving it can be exploited; that is what a penetration test does.
Common warning signs
- The activity is unexpected or unusual for the business context.
- The request or system behaviour creates pressure to act quickly.
- Normal approval, verification, or security processes are bypassed.
- There are signs of unauthorised access, data exposure, or system change.
- Staff are unsure whether the request, message, or system behaviour is legitimate.
Cyber Doc view
This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.
What to do
Proactive steps
- Run assessments regularly.
- Prioritise internet-facing and critical systems.
- Track findings to closure.
- Combine scans with configuration review.
- Validate important fixes.
Reactive steps
- Address critical exposed weaknesses quickly.
- Check whether vulnerable systems were accessed.
- Document exceptions and compensating controls.
- Retest after remediation.
- Use findings to update risk priorities.
Related terms
- Penetration testing
- Vulnerability
- Patch management