Skip to content
Home
Vulnerability Assessment: Scanning and Prioritization

Vulnerability Assessment: Scanning and Prioritization

Cybersecurity Cybersecurity 8 min read 1592 words Beginner ExcellentWiki Editorial Team

A vulnerability assessment is the process of identifying, classifying, and prioritizing security weaknesses in systems, networks, and applications. Unlike penetration testing, which attempts to exploit vulnerabilities, a vulnerability assessment focuses on discovery and cataloging — answering “what is broken?” rather than “what can we break?”

The Assessment Process

A mature vulnerability assessment program follows six phases:

  1. Scope definition — what systems, networks, and applications are in scope
  2. Discovery scanning — identifying live hosts, open ports, and running services
  3. Vulnerability scanning — probing for known vulnerabilities using signature databases
  4. Validation — confirming findings are not false positives
  5. Risk classification — assigning severity scores (CVSS) and business impact
  6. Remediation tracking — assigning owners, tracking fix progress, and rescanning

The cycle repeats on a regular cadence — weekly for critical systems, monthly for internal infrastructure, quarterly for low-risk assets.

Vulnerability Scanners

Nessus

Tenable’s Nessus is the industry-standard vulnerability scanner. It combines:

  • A comprehensive plugin database — 150,000+ plugins covering CVEs, configuration issues, and compliance checks
  • Credentialed scanning — authenticates to targets for deeper inspection (patch levels, registry settings, file versions)
  • Policy compliance — CIS benchmarks, DISA STIGs, PCI DSS, HIPAA
  • Agent-based scanning — Nessus Agents for intermittently connected systems
# Command-line Nessus scan using the API
curl -k -H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY" \
  https://nessus-server:8834/scans \
  -d '{"uuid": "ad629e16-03b6-8c1d-cef6-ef8c9dd3c658",
       "settings": {"name": "Weekly Internal Scan",
                    "text_targets": "10.0.0.0/24",
                    "launch": "WEEKLY"}}'

OpenVAS

OpenVAS (now part of Greenbone) is the leading open-source alternative. It uses the Greenbone Vulnerability Management (GVM) framework with 100,000+ Network Vulnerability Tests (NVTs).

# OpenVAS CLI scan
gvm-cli --gmp-username admin --gmp-password $PASSWORD \
  socket --socketpath /var/run/gvmd.sock \
  --create-target '{"name": "DMZ Scan", "hosts": ["192.168.1.0/24"]}'
FeatureNessusOpenVAS
CostCommercial (limited free tier)Open source
Plugins150,000+100,000+ (NVTs)
Credentialed scansExcellentGood
ReportingBuilt-in, customizableGreenbone Security Assistant
APIREST APIGMP (Greenbone Management Protocol)
Compliance templatesBroad (CIS, STIG, PCI)Growing library

Both tools detect the same classes of vulnerabilities, but Nessus tends to have fresher coverage for zero-days and proprietary software. OpenVAS is a strong choice for budgets that cannot justify commercial licensing.

CVSS Scoring

The Common Vulnerability Scoring System (CVSS v3.1) provides a standardized severity score from 0.0 to 10.0.

SeverityScore Range
None0.0
Low0.1–3.9
Medium4.0–6.9
High7.0–8.9
Critical9.0–10.0

CVSS scores are composed of three metric groups:

Base Metrics

MetricValuesDescription
AV (Attack Vector)Network, Adjacent, Local, PhysicalHow the attacker reaches the vulnerability
AC (Attack Complexity)Low, HighConditions required for exploitation
PR (Privileges Required)None, Low, HighAuthentication level needed
UI (User Interaction)None, RequiredWhether another user must act
S (Scope)Unchanged, ChangedWhether the vulnerability affects a different security scope
C (Confidentiality)High, Low, NoneImpact on data confidentiality
I (Integrity)High, Low, NoneImpact on data integrity
A (Availability)High, Low, NoneImpact on system availability

Temporal Metrics

Adjust the base score based on factors that change over time:

  • E (Exploit Code Maturity) — from “Unproven” to “High”
  • RL (Remediation Level) — from “Official Fix” to “Unavailable”
  • RC (Report Confidence) — from “Unknown” to “Confirmed”

Environmental Metrics

Customize the score for your specific environment:

  • Modified Base Metrics — override base values for your context
  • Confidentiality/Integrity/Availability Requirements — adjust impact weights based on data sensitivity

Calculating CVSS

base_score = cvss_calculator(
    av="NETWORK",      # Attack Vector
    ac="LOW",          # Attack Complexity
    pr="NONE",         # Privileges Required
    ui="NONE",         # User Interaction
    s="UNCHANGED",     # Scope
    c="HIGH",          # Confidentiality
    i="HIGH",          # Integrity
    a="HIGH",          # Availability
)
# Result: CVSS 9.8 — Critical

Prioritization Frameworks

CVSS alone is insufficient for prioritization — it measures severity, not risk. A CVSS 10.0 vulnerability on an isolated internal server is less urgent than a CVSS 7.5 vulnerability exposed to the internet.

Risk-Based Prioritization

Risk = Likelihood × Business Impact
  • Likelihood = CVSS Base Score × Exploitability (EPSS, exploit availability) × Exposure (internet-facing, authentication required)
  • Business Impact = Asset criticality × Data sensitivity × Regulatory compliance

EPSS (Exploit Prediction Scoring System)

EPSS predicts the probability that a CVE will be exploited in the wild within 30 days. Scores range from 0 to 1 (0% to 100%). A CVE with EPSS > 0.9 (90th percentile) is likely to be exploited soon and should be patched immediately.

priority_score = cvss_base * 0.4 + (epss_percentile * 10) * 0.3 + asset_criticality * 0.3

Stake-Specific Prioritization

| Stakeholder | Priority Factor | Metric | |

Vulnerability Assessment Methodology

Vulnerability assessment identifies, classifies, and prioritizes security weaknesses. Unlike penetration testing, vulnerability assessment does not attempt to exploit findings — it catalogs potential vulnerabilities for remediation.

Discovery Phase

Inventory all assets in scope — servers, workstations, network devices, cloud resources, containers, and applications. An incomplete inventory means unassessed vulnerabilities. Use network scanners (Nmap), cloud APIs (AWS Config, Azure Resource Graph), and agent-based discovery for comprehensive asset coverage.

Scanning

Automated scanners compare system configurations and software versions against vulnerability databases. Authenticated scans (with credentials) provide more accurate results than unauthenticated scans by accessing detailed system information:

# Authenticated scan with OpenVAS
openvas -u admin -w password -X "<start_task>task_id</start_task>"

# Using Nessus CLI
nessuscli scan --target 192.168.1.0/24 --creds ssh:user:password

Vulnerability Scoring with CVSS

The Common Vulnerability Scoring System provides standardized severity ratings:

  • CVSS v3.1 Base Score 0.0-3.9 — Low: Minimal impact, unlikely to be exploited
  • 4.0-6.9 — Medium: Moderate impact, exploit may exist
  • 7.0-8.9 — High: Significant impact, exploit likely exists
  • 9.0-10.0 — Critical: Severe impact, active exploitation expected

CVSS considers attack vector (network vs local), attack complexity, privileges required, user interaction, and impact dimensions (confidentiality, integrity, availability).

Risk-Based Prioritization

Not all vulnerabilities should be fixed immediately — prioritize based on:

  • CVSS score — Technical severity
  • Exploit availability — Is exploit code public?
  • Asset criticality — What is the business value of the affected system?
  • Exposure — Is the vulnerable system internet-facing?

Remediation and Verification

Establish SLA-based remediation timelines: Critical (24-48 hours), High (7-14 days), Medium (30 days), Low (90 days). Re-scan after remediation to verify fixes. Track vulnerability aging and remediation rates as key metrics.

FAQ

What is the CIA triad? Confidentiality (data accessible only to authorized parties), Integrity (data not tampered with), Availability (systems accessible when needed). These three principles form the foundation of all cybersecurity practices.

How do I start a career in cybersecurity? Learn networking, operating systems, and basic security concepts. Set up a home lab. Earn entry-level certifications like CompTIA Security+. Build hands-on skills through CTF challenges and bug bounty programs.

What is the difference between a vulnerability and an exploit? A vulnerability is a weakness in a system that could be exploited. An exploit is code or technique that takes advantage of a vulnerability to cause unintended behavior.

How often should I change my passwords? Current guidance recommends strong, unique passwords for each account and a password manager. Change passwords immediately if you suspect compromise rather than on a fixed schedule.

What is multi-factor authentication? MFA requires two or more verification factors — typically something you know (password), something you have (phone), and something you are (fingerprint). It dramatically reduces account takeover risk.

Vulnerability Assessment Methodology

Vulnerability assessment identifies, classifies, and prioritizes security weaknesses. Unlike penetration testing, vulnerability assessment does not attempt to exploit findings — it catalogs potential vulnerabilities for remediation.

Discovery Phase

Inventory all assets in scope — servers, workstations, network devices, cloud resources, containers, and applications. An incomplete inventory means unassessed vulnerabilities. Use network scanners (Nmap), cloud APIs (AWS Config, Azure Resource Graph), and agent-based discovery for comprehensive asset coverage.

Scanning

Automated scanners compare system configurations and software versions against vulnerability databases. Authenticated scans (with credentials) provide more accurate results than unauthenticated scans by accessing detailed system information:

# Authenticated scan with OpenVAS
openvas -u admin -w password -X "<start_task>task_id</start_task>"

# Using Nessus CLI
nessuscli scan --target 192.168.1.0/24 --creds ssh:user:password

Vulnerability Scoring with CVSS

The Common Vulnerability Scoring System provides standardized severity ratings:

  • CVSS v3.1 Base Score 0.0-3.9 — Low: Minimal impact, unlikely to be exploited
  • 4.0-6.9 — Medium: Moderate impact, exploit may exist
  • 7.0-8.9 — High: Significant impact, exploit likely exists
  • 9.0-10.0 — Critical: Severe impact, active exploitation expected

CVSS considers attack vector (network vs local), attack complexity, privileges required, user interaction, and impact dimensions (confidentiality, integrity, availability).

Risk-Based Prioritization

Not all vulnerabilities should be fixed immediately — prioritize based on:

  • CVSS score — Technical severity
  • Exploit availability — Is exploit code public?
  • Asset criticality — What is the business value of the affected system?
  • Exposure — Is the vulnerable system internet-facing?

Remediation and Verification

Establish SLA-based remediation timelines: Critical (24-48 hours), High (7-14 days), Medium (30 days), Low (90 days). Re-scan after remediation to verify fixes. Track vulnerability aging and remediation rates as key metrics.

—|—|—| | Security team | Exploitability | CVSS + EPSS | | IT operations | Impact on operations | System criticality + patch difficulty | | Business owners | Regulatory risk | Compliance requirements + data sensitivity | | Executives | Business risk | Breach cost + reputational damage |

Remediation Workflow

  1. Triage — validate findings, eliminate false positives, assign severity
  2. Categorize — patch available / configuration change / compensating control / accept risk
  3. Assign — assign findings to system owners with SLA based on severity
  4. Track — monitor remediation progress, escalate overdue items
  5. Verify — rescan to confirm fixes, update ticket status

Typical SLAs:

SeverityRemediation SLANotification
Critical48 hoursCISO
High7 daysSecurity team lead
Medium30 daysSystem owner
Low90 daysTicket log

Common remediation actions include patching, configuration hardening, network segmentation, WAF rules, and vulnerability acceptance with documented compensating controls.

For a comprehensive overview, read our article on Cloud Security Architecture.

For a comprehensive overview, read our article on Cloud Security Guide.

Section: Cybersecurity 1592 words 8 min read Beginner 756 articles in section Report inaccuracy Back to top