Vulnerability Assessment: Scanning and Prioritization
A vulnerability assessment is the process of identifying, classifying, and prioritizing security weaknesses in systems, networks, and applications. Unlike penetration testing, which attempts to exploit vulnerabilities, a vulnerability assessment focuses on discovery and cataloging — answering “what is broken?” rather than “what can we break?”
The Assessment Process
A mature vulnerability assessment program follows six phases:
- Scope definition — what systems, networks, and applications are in scope
- Discovery scanning — identifying live hosts, open ports, and running services
- Vulnerability scanning — probing for known vulnerabilities using signature databases
- Validation — confirming findings are not false positives
- Risk classification — assigning severity scores (CVSS) and business impact
- Remediation tracking — assigning owners, tracking fix progress, and rescanning
The cycle repeats on a regular cadence — weekly for critical systems, monthly for internal infrastructure, quarterly for low-risk assets.
Vulnerability Scanners
Nessus
Tenable’s Nessus is the industry-standard vulnerability scanner. It combines:
- A comprehensive plugin database — 150,000+ plugins covering CVEs, configuration issues, and compliance checks
- Credentialed scanning — authenticates to targets for deeper inspection (patch levels, registry settings, file versions)
- Policy compliance — CIS benchmarks, DISA STIGs, PCI DSS, HIPAA
- Agent-based scanning — Nessus Agents for intermittently connected systems
# Command-line Nessus scan using the API
curl -k -H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY" \
https://nessus-server:8834/scans \
-d '{"uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658",
"settings": {"name": "Weekly Internal Scan",
"text_targets": "10.0.0.0/24",
"launch": "WEEKLY"}}'OpenVAS
OpenVAS (now part of Greenbone) is the leading open-source alternative. It uses the Greenbone Vulnerability Management (GVM) framework with 100,000+ Network Vulnerability Tests (NVTs).
# OpenVAS CLI scan
gvm-cli --gmp-username admin --gmp-password $PASSWORD \
socket --socketpath /var/run/gvmd.sock \
--create-target '{"name": "DMZ Scan", "hosts": ["192.168.1.0/24"]}'| Feature | Nessus | OpenVAS |
|---|---|---|
| Cost | Commercial (limited free tier) | Open source |
| Plugins | 150,000+ | 100,000+ (NVTs) |
| Credentialed scans | Excellent | Good |
| Reporting | Built-in, customizable | Greenbone Security Assistant |
| API | REST API | GMP (Greenbone Management Protocol) |
| Compliance templates | Broad (CIS, STIG, PCI) | Growing library |
Both tools detect the same classes of vulnerabilities, but Nessus tends to have fresher coverage for zero-days and proprietary software. OpenVAS is a strong choice for budgets that cannot justify commercial licensing.
CVSS Scoring
The Common Vulnerability Scoring System (CVSS v3.1) provides a standardized severity score from 0.0 to 10.0.
| Severity | Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1–3.9 |
| Medium | 4.0–6.9 |
| High | 7.0–8.9 |
| Critical | 9.0–10.0 |
CVSS scores are composed of three metric groups:
Base Metrics
| Metric | Values | Description |
|---|---|---|
| AV (Attack Vector) | Network, Adjacent, Local, Physical | How the attacker reaches the vulnerability |
| AC (Attack Complexity) | Low, High | Conditions required for exploitation |
| PR (Privileges Required) | None, Low, High | Authentication level needed |
| UI (User Interaction) | None, Required | Whether another user must act |
| S (Scope) | Unchanged, Changed | Whether the vulnerability affects a different security scope |
| C (Confidentiality) | High, Low, None | Impact on data confidentiality |
| I (Integrity) | High, Low, None | Impact on data integrity |
| A (Availability) | High, Low, None | Impact on system availability |
Temporal Metrics
Adjust the base score based on factors that change over time:
- E (Exploit Code Maturity) — from “Unproven” to “High”
- RL (Remediation Level) — from “Official Fix” to “Unavailable”
- RC (Report Confidence) — from “Unknown” to “Confirmed”
Environmental Metrics
Customize the score for your specific environment:
- Modified Base Metrics — override base values for your context
- Confidentiality/Integrity/Availability Requirements — adjust impact weights based on data sensitivity
Calculating CVSS
base_score = cvss_calculator(
av="NETWORK", # Attack Vector
ac="LOW", # Attack Complexity
pr="NONE", # Privileges Required
ui="NONE", # User Interaction
s="UNCHANGED", # Scope
c="HIGH", # Confidentiality
i="HIGH", # Integrity
a="HIGH", # Availability
)
# Result: CVSS 9.8 — CriticalPrioritization Frameworks
CVSS alone is insufficient for prioritization — it measures severity, not risk. A CVSS 10.0 vulnerability on an isolated internal server is less urgent than a CVSS 7.5 vulnerability exposed to the internet.
Risk-Based Prioritization
Risk = Likelihood × Business Impact- Likelihood = CVSS Base Score × Exploitability (EPSS, exploit availability) × Exposure (internet-facing, authentication required)
- Business Impact = Asset criticality × Data sensitivity × Regulatory compliance
EPSS (Exploit Prediction Scoring System)
EPSS predicts the probability that a CVE will be exploited in the wild within 30 days. Scores range from 0 to 1 (0% to 100%). A CVE with EPSS > 0.9 (90th percentile) is likely to be exploited soon and should be patched immediately.
priority_score = cvss_base * 0.4 + (epss_percentile * 10) * 0.3 + asset_criticality * 0.3Stake-Specific Prioritization
| Stakeholder | Priority Factor | Metric | |
Vulnerability Assessment Methodology
Vulnerability assessment identifies, classifies, and prioritizes security weaknesses. Unlike penetration testing, vulnerability assessment does not attempt to exploit findings — it catalogs potential vulnerabilities for remediation.
Discovery Phase
Inventory all assets in scope — servers, workstations, network devices, cloud resources, containers, and applications. An incomplete inventory means unassessed vulnerabilities. Use network scanners (Nmap), cloud APIs (AWS Config, Azure Resource Graph), and agent-based discovery for comprehensive asset coverage.
Scanning
Automated scanners compare system configurations and software versions against vulnerability databases. Authenticated scans (with credentials) provide more accurate results than unauthenticated scans by accessing detailed system information:
# Authenticated scan with OpenVAS
openvas -u admin -w password -X "<start_task>task_id</start_task>"
# Using Nessus CLI
nessuscli scan --target 192.168.1.0/24 --creds ssh:user:passwordVulnerability Scoring with CVSS
The Common Vulnerability Scoring System provides standardized severity ratings:
- CVSS v3.1 Base Score 0.0-3.9 — Low: Minimal impact, unlikely to be exploited
- 4.0-6.9 — Medium: Moderate impact, exploit may exist
- 7.0-8.9 — High: Significant impact, exploit likely exists
- 9.0-10.0 — Critical: Severe impact, active exploitation expected
CVSS considers attack vector (network vs local), attack complexity, privileges required, user interaction, and impact dimensions (confidentiality, integrity, availability).
Risk-Based Prioritization
Not all vulnerabilities should be fixed immediately — prioritize based on:
- CVSS score — Technical severity
- Exploit availability — Is exploit code public?
- Asset criticality — What is the business value of the affected system?
- Exposure — Is the vulnerable system internet-facing?
Remediation and Verification
Establish SLA-based remediation timelines: Critical (24-48 hours), High (7-14 days), Medium (30 days), Low (90 days). Re-scan after remediation to verify fixes. Track vulnerability aging and remediation rates as key metrics.
FAQ
What is the CIA triad? Confidentiality (data accessible only to authorized parties), Integrity (data not tampered with), Availability (systems accessible when needed). These three principles form the foundation of all cybersecurity practices.
How do I start a career in cybersecurity? Learn networking, operating systems, and basic security concepts. Set up a home lab. Earn entry-level certifications like CompTIA Security+. Build hands-on skills through CTF challenges and bug bounty programs.
What is the difference between a vulnerability and an exploit? A vulnerability is a weakness in a system that could be exploited. An exploit is code or technique that takes advantage of a vulnerability to cause unintended behavior.
How often should I change my passwords? Current guidance recommends strong, unique passwords for each account and a password manager. Change passwords immediately if you suspect compromise rather than on a fixed schedule.
What is multi-factor authentication? MFA requires two or more verification factors — typically something you know (password), something you have (phone), and something you are (fingerprint). It dramatically reduces account takeover risk.
Vulnerability Assessment Methodology
Vulnerability assessment identifies, classifies, and prioritizes security weaknesses. Unlike penetration testing, vulnerability assessment does not attempt to exploit findings — it catalogs potential vulnerabilities for remediation.
Discovery Phase
Inventory all assets in scope — servers, workstations, network devices, cloud resources, containers, and applications. An incomplete inventory means unassessed vulnerabilities. Use network scanners (Nmap), cloud APIs (AWS Config, Azure Resource Graph), and agent-based discovery for comprehensive asset coverage.
Scanning
Automated scanners compare system configurations and software versions against vulnerability databases. Authenticated scans (with credentials) provide more accurate results than unauthenticated scans by accessing detailed system information:
# Authenticated scan with OpenVAS
openvas -u admin -w password -X "<start_task>task_id</start_task>"
# Using Nessus CLI
nessuscli scan --target 192.168.1.0/24 --creds ssh:user:passwordVulnerability Scoring with CVSS
The Common Vulnerability Scoring System provides standardized severity ratings:
- CVSS v3.1 Base Score 0.0-3.9 — Low: Minimal impact, unlikely to be exploited
- 4.0-6.9 — Medium: Moderate impact, exploit may exist
- 7.0-8.9 — High: Significant impact, exploit likely exists
- 9.0-10.0 — Critical: Severe impact, active exploitation expected
CVSS considers attack vector (network vs local), attack complexity, privileges required, user interaction, and impact dimensions (confidentiality, integrity, availability).
Risk-Based Prioritization
Not all vulnerabilities should be fixed immediately — prioritize based on:
- CVSS score — Technical severity
- Exploit availability — Is exploit code public?
- Asset criticality — What is the business value of the affected system?
- Exposure — Is the vulnerable system internet-facing?
Remediation and Verification
Establish SLA-based remediation timelines: Critical (24-48 hours), High (7-14 days), Medium (30 days), Low (90 days). Re-scan after remediation to verify fixes. Track vulnerability aging and remediation rates as key metrics.
—|—|—| | Security team | Exploitability | CVSS + EPSS | | IT operations | Impact on operations | System criticality + patch difficulty | | Business owners | Regulatory risk | Compliance requirements + data sensitivity | | Executives | Business risk | Breach cost + reputational damage |
Remediation Workflow
- Triage — validate findings, eliminate false positives, assign severity
- Categorize — patch available / configuration change / compensating control / accept risk
- Assign — assign findings to system owners with SLA based on severity
- Track — monitor remediation progress, escalate overdue items
- Verify — rescan to confirm fixes, update ticket status
Typical SLAs:
| Severity | Remediation SLA | Notification |
|---|---|---|
| Critical | 48 hours | CISO |
| High | 7 days | Security team lead |
| Medium | 30 days | System owner |
| Low | 90 days | Ticket log |
Common remediation actions include patching, configuration hardening, network segmentation, WAF rules, and vulnerability acceptance with documented compensating controls.
For a comprehensive overview, read our article on Cloud Security Architecture.
For a comprehensive overview, read our article on Cloud Security Guide.