
Security Threat Modeling & Simulation

Internal Vulnerability Assessment


Vulnerability scans are security assessments that use automated tools to identify known network, operating system, web application and web server exploits/vulnerabilities. Internal vulnerability scans can give you an overall picture of the vulnerabilities present on your internal network and assist in vulnerability risk management. SecureState offers two types of vulnerability scans: one with validation of the findings and one without. SecureState recommends that all vulnerability scans include validation of the vulnerabilities. Read the benefits section to learn the difference between the two and why we always recommend validation.

  • Internal vulnerability scans find an organization’s vulnerabilities
  • Internal vulnerability scans identify the type and severity of the vulnerabilities


Many organizations do not know the vulnerabilities present on their internal network. Without knowing what vulnerabilities are present, it is impossible to mitigate those vulnerabilities and generate a baseline of internal systems. To prevent a data breach, the organization must verify that it is not exposed to security vulnerabilities which may aid an attacker in compromising the organization’s data. Additionally, the type and severity of the vulnerabilities are identified to help prioritize remediation efforts and strengthen the organization's risk management program.

Vulnerability scans can include or exclude validation of the vulnerabilities. Vulnerability scanners often report a large number of false positives. Determining which vulnerabilities are false positives and which actually pose a threat to the organization can take a substantial amount of time and resources. When validating the vulnerabilities discovered, SecureState manually checks to make sure all of the discovered vulnerabilities are truly present. This eliminates false positives and gives you an actionable list of vulnerabilities to remediate. SecureState highly recommends that all vulnerability scans be validated.


SecureState’s consultants are experts in vulnerability scanning and are currently certified as a PCI ASV scan vendor. The same level of rigor required of an ASV scan is applied to all vulnerability scans SecureState performs. Additionally, SecureState uses only the best commercial security assessment tools available, constantly tested by our team, to give you the best vulnerability scanning service available. Finally, recommendations for fixing vulnerabilities found during the scan are reviewed by SecureState’s penetration testing team and remediation experts to ensure you get expert advice that takes into account both the attacker’s and the defender’s point of view.

Did You Know?

  • Removing validation of vulnerabilities may save money in the cost of the scan, but will cost more over time as your IT staff continues to track down false positives
  • The needed frequency of a vulnerability scan may vary based on your environment. In general, SecureState recommends performing monthly external vulnerability scans
  • Even the best commercial vulnerability scanners can have a 40% false positive rate, which is why SecureState recommends validating the results of all vulnerability scans
  • SecureState will not perform denial of service attacks while performing a vulnerability scan
  • Internal vulnerability scans can be used to determine how well MSBs are being applied to internal systems
  • When done properly, creating and applying MSBs to internal systems can increase the value of internal vulnerability scans by providing a baseline to measure scan results against

Our Approach and Methodology

SecureState performs the following steps during an internal vulnerability scan. First, SecureState scans the organization's internal presence using an industry-leading vulnerability scanner. This scan reveals operating system, network, web server, and web application vulnerabilities. Next, SecureState validates all vulnerabilities that the scanner identified and removes all false positives. Finally, the SecureState consultant provides recommendations on how to remediate the vulnerabilities that were identified during the scanning process.

What Makes Us Different

  • SecureState offers PCI ASV-approved vulnerability scanning processes and resources
  • The top vulnerability scanning tools are evaluated annually to ensure the best tool is used when delivering this service


We Can Help You