Find out where your network, applications, and cloud environment are exposed, before a known, already-patchable flaw becomes the headline. Our vulnerability assessments combine automated scanning with manual validation to give you a clear, ranked, and actionable picture of risk, without the cost or downtime of a full penetration test.
Get a free quote → | Typical turnaround: 3–7 working days | CVSS-scored, compliance-mapped reporting
What Is a Vulnerability Assessment?
A vulnerability assessment is a systematic process of identifying, classifying, and ranking the security weaknesses present across your IT environment: outdated software, missing patches, misconfigured services, weak encryption, and exposed ports are the usual suspects. Specialised tools scan your network, web applications, and cloud infrastructure against a continuously updated database of known vulnerabilities (CVEs), and our team manually reviews the results to strip out false positives and add the context that automated tools miss.
The output is a prioritised inventory of risk, scored using the Common Vulnerability Scoring System (CVSS), so your IT team knows exactly what to patch first and why. Think of it as a thorough health check for your digital environment: broad, regular, and designed to catch problems early, rather than the deep, narrow, attacker’s-eye investigation a penetration test provides.
Vulnerability Assessment vs. Penetration Testing: Which Do You Need?
This is the question we’re asked most often, and the honest answer is that most organisations eventually need both, just for different purposes. A vulnerability assessment is the right starting point if you need broad, frequent visibility across many assets, you’re building a routine patch management process, or your budget doesn’t yet stretch to manual exploitation testing. It tells you what might be wrong, at scale, on a schedule you can sustain.
A penetration test is the better fit once you need to prove whether those weaknesses are actually exploitable in your specific environment, satisfy a compliance requirement that explicitly demands manual testing (such as PCI DSS Requirement 11.4), or validate that existing security controls hold up against a determined, creative attacker rather than a scripted scan. If you’re not sure which applies to you, tell us what’s driving the need (a renewal, a new client requirement, an incident, a tender) and we’ll recommend the right starting point honestly, even if that means recommending the cheaper option.
Our Vulnerability Assessment Process
1. Scoping. We define exactly what’s in scope (external IPs, internal subnets, specific applications, or cloud accounts) and agree the objectives upfront.
2. Scanning & discovery. Automated tools scan systems and networks for known vulnerabilities, misconfigurations, and outdated components, supplemented by manual review of configurations our tools can’t fully interpret on their own.
3. Validation. We manually verify findings to eliminate false positives, since an unvalidated scanner report is often more noise than signal.
4. Risk scoring. Every finding is ranked using CVSS, factoring in severity, exploitability, and prevalence, so remediation effort goes where it matters most first.
5. Reporting. You receive a clear breakdown of every vulnerability found, its risk score, where it lives, and exactly how to fix it.
6. Re-scan. Once remediation is complete, a follow-up scan confirms the issues are actually closed, not just patched on paper.
What We Assess
Network Vulnerability Scanning
External and internal scanning to uncover exposed services, weak configurations, outdated firmware, and unpatched systems across your infrastructure.
Web Application Vulnerability Scanning
Automated and manually reviewed scanning against the OWASP Top 10 categories, covering injection flaws, outdated components, and insecure configurations in your websites and web apps.
Cloud Configuration Assessment
Review of AWS, Azure, and Google Cloud environments for the misconfigurations (open storage, excessive permissions, weak identity controls) that account for the majority of cloud security incidents.
Internal Host & Endpoint Scanning
Assessment of workstations, servers, and internal systems to identify the weaknesses that matter most if an attacker, or a compromised employee account, ever gets inside your perimeter.
Why This Matters for Compliance
Regular vulnerability assessments are one of the most commonly accepted forms of evidence that an organisation is taking “appropriate technical and organisational measures” under POPIA. They also form a foundational control under ISO 27001 and are frequently a baseline requirement in PCI DSS environments alongside annual penetration testing. If you’re working toward a compliance deadline or renewing a cyber insurance policy, a current, well-documented vulnerability assessment is often the fastest, most cost-effective evidence you can produce.
Frequently Asked Questions
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment finds and ranks known weaknesses using automated tools plus manual review, scored with CVSS. A penetration test manually exploits a subset of those weaknesses to prove real business impact. Most mature security programmes use both.
How often should we run a vulnerability assessment?
Quarterly is a common baseline, with extra scans after major changes. Businesses handling card data or regulated personal data often run monthly internal scans alongside quarterly external ones.
How much does a vulnerability assessment cost in South Africa?
Pricing typically starts around R15,000 for a single external assessment and scales with the number of IPs, applications, or hosts in scope, considerably less than a full penetration test.
Will a vulnerability assessment disrupt our systems?
Standard scanning is low-impact and rarely disruptive. We schedule scans during agreed windows and can test staging environments first if needed.
Get Started
Tell us what’s in scope and we’ll recommend the right assessment approach on a free call.