VULNERABILITY ASSESSMENT

Most organisations do not know what is actually running on their own estate — which hosts are exposed, which services are unpatched, which known vulnerabilities have quietly accumulated across hundreds of IP addresses since the last time anyone looked. A vulnerability assessment answers exactly that question: it sweeps your network, web, and mobile surface for known weaknesses, wide and repeatable, so the answer is a current inventory rather than a guess. But a scanner alone does not deliver that answer — a raw scanner export is noise wearing a report's clothes, full of false positives your team will waste days chasing. Our vulnerability assessment pairs authenticated and unauthenticated scanning with manual validation by an analyst, so every finding in the report is a real issue, rated by severity, with guidance on how to fix it. For a longer discussion of when a VA is the right tool, our team wrote one here: VA and pentest — which service do you need?

Vulnerability assessment vs penetration testing

This is the question most buyers arrive with, so it belongs at the top. The two services answer different questions, and neither substitutes for the other.

A vulnerability assessment answers: what vulnerabilities exist across my estate? It is breadth-first — coverage across many hosts, applications, and services, catching the known-CVE surface systematically and repeatably. It is the right tool for maintaining an ongoing picture of exposure: after a patching cycle, after infrastructure changes, or on a regular cadence so drift does not accumulate unseen.

A penetration test answers a different question: what could actually happen if someone tries to break in? It is depth-first — a tester takes the most promising weaknesses and chains them into real impact, proving through exploitation what an attacker could reach. A VA will tell you a host is running a vulnerable service; a pentest will show you that the vulnerable service leads to your database.

A VA does not prove impact, and a pentest does not give you coverage across every host. Most organisations need both, at different cadences — assessment frequently for coverage, testing periodically for depth. If you already know you need proof of exploitation, start at our penetration test page instead; if you are still weighing the two, the VA and pentest FAQ covers the questions we hear most often.

What we assess

Scope is agreed along two dimensions before any scanning starts, so the proposal is precise and the coverage is explicit.

Location — where we assess from:

  • External — assessed from the Internet, the way an outside attacker sees you: your public-facing hosts, exposed services, and everything reachable without credentials to your network.
  • Internal — assessed from inside your intranet, the view an attacker gains after a foothold, or that a malicious insider already has.

Type — what we assess:

  • Network VA — servers, network devices, and infrastructure services, scoped by the number of IP addresses. This is where the bulk of the known-CVE surface usually lives: unpatched services, insecure configurations, deprecated protocols.
  • Web application VA — your web applications, scoped by the number of applications. A scanner covers the technical surface — known component vulnerabilities, misconfigurations, common injection points — though it has hard limits our team has written about candidly: an untold story about web application vulnerability assessment.
  • Mobile application VA — your mobile applications, scoped by the number of apps: known-vulnerable components, insecure configurations, and weaknesses detectable through assessment tooling.

We also agree up front whether a revisit is included — a retest after your team has remediated, so the final report reflects what is actually closed rather than what was promised.

How we work

Every engagement runs through the same phases, so you always know where the project stands and what arrives next.

  1. Scoping — We agree location (external, internal, or both), type (network, web, mobile), the counts that size the work (IP addresses, applications, apps), and whether a revisit is included. Untested surface is agreed here, not discovered at the end.
  2. Scanning — We run both unauthenticated scans (the exposure any outsider can probe) and authenticated scans (credentialed access that sees patch levels, local configurations, and weaknesses invisible from outside), using well-known, trusted commercial and open-source tools. The two views together give a far more complete picture than either alone.
  3. Manual validation — An analyst reviews the raw results by hand: confirming that reported issues are real, discarding false positives, and merging duplicates. This is the step that separates an assessment from a scan — a raw scanner dump is not a deliverable, and it never reaches your report.
  4. Risk rating — Each confirmed finding is rated Critical, High, Medium, or Low, so your team can prioritise remediation objectively instead of triaging a flat list.
  5. Reporting — Findings are written up with reproduction detail and remediation guidance, alongside an executive summary for management.
  6. Retest (when included) — After your team has remediated, we re-verify the findings and update the report to reflect what has been closed.

What you get

Every report contains, at minimum:

  • Executive summary — the business-level risk picture, suitable for management and auditors.
  • Findings by Risk Level — each confirmed issue rated Critical, High, Medium, or Low, so remediation can be prioritised objectively.
  • Reproduction detail for every finding — what we found, where, and how to see it yourself; your engineers should never have to guess.
  • Remediation guidance — practical fixes tied to your environment, not a copy-paste of scanner boilerplate.
  • Retest verification — when a revisit is in scope, findings are re-checked after your fixes and the report is updated to reflect closed items.

Team credentials

Assessment and validation are performed by our in-house team holding industry certifications including OSCP, OSCE, CREST CRT, CREST CPSA, and GIAC GREM — credentials earned through rigorous, hands-on examination. The same offensive-security background that drives our penetration testing is what makes the manual validation step meaningful: the analyst confirming a finding knows what an exploitable issue actually looks like. See the full list of certifications the team holds.

Standards

Our methodology follows NIST SP800-115 (Technical Guide to Information Security Testing and Assessment), which defines vulnerability assessment as part of a structured security testing programme. Tell us during scoping what your audit or compliance needs are; aligning the report costs nothing at that stage.

A vulnerability assessment gives you coverage — a current, validated picture of the known weaknesses across your estate. When you need proof of what those weaknesses mean in practice, that is a penetration test.

Last reviewed: 11 Jul 2026

Book a scoping call

Frequently asked questions

What is a vulnerability assessment?

A vulnerability assessment sweeps your network, web, and mobile surface for known weaknesses — wide and repeatable — so you get a current inventory of what is exposed rather than a guess. But a scanner alone is not the answer: a raw scanner export is noise wearing a report's clothes. We pair authenticated and unauthenticated scanning with manual validation by an analyst, so every finding is a real issue, rated by severity, with guidance on how to fix it.

Vulnerability assessment or penetration test — which do I need?

A VA answers 'what vulnerabilities exist across my estate?' — breadth-first coverage across many hosts, ideal for an ongoing picture after patching or on a regular cadence. A pentest answers 'what could actually happen if someone tries to break in?' — depth-first, chaining weaknesses into proven impact. A VA tells you a host is running a vulnerable service; a pentest shows you that service leads to your database. Most organisations need both, at different cadences.

What do you assess, and how is it scoped?

Scope is agreed along two dimensions before scanning starts. Location: external (assessed from the Internet) or internal (from inside your intranet). Type: network VA (servers and infrastructure, scoped by IP count), web application VA (scoped by number of applications), and mobile application VA (scoped by number of apps). We also agree up front whether a revisit — a retest after remediation — is included.

What is the difference between authenticated and unauthenticated scanning?

Unauthenticated scans probe the exposure any outsider can see. Authenticated scans use credentialed access to see patch levels, local configurations, and weaknesses invisible from outside. We run both, because the two views together give a far more complete picture than either alone — then an analyst validates the results by hand, discarding false positives and merging duplicates.

Which standard do you follow?

Our methodology follows NIST SP800-115 (Technical Guide to Information Security Testing and Assessment), which defines vulnerability assessment as part of a structured security testing programme. Tell us during scoping what your audit or compliance needs are; aligning the report costs nothing at that stage.

logologo

INCOGNITO LAB CO., LTD.

38 Soi Petchakasem 30, Pak Khlong Phasi Charoen, Phasi Charoen, Bangkok 10160

©2026 Incognito Lab Co., Ltd. All rights reserved

Terms & ConditionsPrivacy Policy