Vulnerability Assessment


Vulnerability Assessments are security assessments that identify known network, operating system, web application and web server exploits/vulnerabilities with the use of automated tools.


Vulnerability assessments bring an organization's knowledge of its vulnerabilities from "unknown" to "known." Without knowing what vulnerabilities are present, it is impossible to mitigate them and generate a system baseline. Vulnerability Assessments will also identify the type and severity of vulnerabilities, allowing organizations to prioritize remediation efforts and strengthen their vulnerability management program.


SecureState, certified as a PCI ASV scan vendor, applies the same level of rigor required of an ASV scan to all vulnerability assessments. Additionally, SecureState uses only the best commercial security assessment tools available, continually tested by our team, to give you the best vulnerability scanning service available.

Approach and Methodology

Many organizations believe that they are secure because they have a patch management process or have policies that require the application of Minimum Security Baselines on all production servers. It is important to realize that having a process in place does not mean that it is truly effective. Vulnerability Assessments will identify known network, operating system, web application, and web server exploits/vulnerabilities with the use of automated scanning tools. Scans can give you an overall picture of the vulnerabilities present on your network and assist in vulnerability risk management.

SecureState offers three types of Vulnerability Assessment: scans with validation of the findings, scans without validation of the findings, and PCI ASV scans. When validating the vulnerabilities discovered, SecureState manually checks to make sure all discovered vulnerabilities are truly present. This eliminates false positives and provides an actionable list of vulnerabilities to remediate. SecureState recommends all vulnerability scans include validation of the vulnerabilities, making it a true assessment of your network.

SecureState scans your organization’s IP address ranges to identify active devices. If a device is online, the scanner makes note of the IP address and continues to look for other active devices within range. We then perform a port scan to determine what services are running on each active device. This helps the scanner determine what types of vulnerability checks to run against a particular port.

Active IP addresses that were identified as part of the Device Discovery phase are scanned with an industry-leading tool to identify vulnerabilities such as missing patches, server misconfigurations, and dangerous services. The tool performs some high-level web application vulnerability scanning, but does not perform an extensive scan on the application layer of any discovered web applications.

If in scope, SecureState manually validates the vulnerabilities identified to remove false positives from the list. This helps the organization focus its efforts on vulnerabilities that are actually present in its environment, instead of wasting time trying to remediate vulnerabilities that do not exist.

