
How to conduct a vulnerability assessment

Rachel Bishop | September 23, 2024

Vulnerability assessments, which live within an organization’s vulnerability management program, inform you about your organization’s standing from a security perspective. You'll need to do some homework before diving in — for example, you need to inventory your assets and choose a vulnerability scanning tool before jumping into assessing the vulnerabilities in your environment.

Don’t fret: We’re here to guide you through the entire vulnerability assessment process from start to finish. Let’s get started, shall we?

What is a vulnerability assessment?

A vulnerability assessment entails finding potential security weaknesses, or vulnerabilities, in your environment. It helps you find and analyze the risks lurking in your hardware and software — which is part of the vulnerability management process. Once you complete your vulnerability assessment, you can choose to mitigate high-risk vulnerabilities, or you may decide that some vulnerabilities are okay to leave alone. (That’s called risk acceptance.)

Ultimately, a vulnerability assessment arms you with the information you need to handle the vulnerabilities in your infrastructure.

Conducting a vulnerability assessment

You can break down the vulnerability assessment process into six main steps:

  1. Inventory the assets in your environment

  2. Conduct a vulnerability scan

  3. Assess vulnerabilities across monitored devices

  4. Prioritize vulnerabilities by severity and potential impact

  5. Remediate vulnerabilities

  6. Monitor vulnerabilities

Let’s dig right into what these steps entail.

1. Inventory the assets in your environment

The first step in conducting a vulnerability assessment is to inventory your environment. Discovering what software, hardware, and other assets live in your environment helps you determine which vulnerabilities (and patches!) are relevant.

Examine your environment's assets, and note software and hardware version numbers. Some of those numbers looking familiar when you read Microsoft’s Patch Tuesday update? Take note!

2. Conduct a vulnerability scan

Next, it’s time to find the vulnerabilities already lurking in your environment. And unless you have an endless supply of free time on your hands (you don’t), you likely want to automate vulnerability scanning as much as possible.

Many folks turn to a vulnerability scanner to do the scanning for them. A vulnerability scanner is a tool that searches for and flags vulnerabilities. Once the scanner does its job, you’ll usually have a vulnerability scan report to read. This report shows you the vulnerabilities the scanner finds as well as remediation or mitigation steps you can take.

3. Assess vulnerabilities across monitored devices

Now that you know which vulnerabilities are relevant to you, you can assess them further. Which known vulnerabilities put your organization at the highest risk of downtime? For example, you might tend to a remote code execution vulnerability or a zero day faster than you remedy a less severe vulnerability, such as one where threat actors could merely gain host information and not much else.

The National Institute of Standards and Technology (NIST) can help you assess known vulnerabilities through its Common Vulnerability Scoring System (CVSS). This number-based severity rating tells you at a glance which vulnerabilities are the most dangerous. If a vulnerability is ranked 1, a threat actor would likely need physical access to your systems to wreak havoc. If a vulnerability is ranked 9, stop reading and go patch — especially if the affected machines are public facing.

4. Prioritize vulnerabilities by severity and potential impact

Once you’ve assessed known vulnerabilities, you can move on to prioritizing which ones to remedy first. This process is unique to your environment — but we can offer a few best practices to get you started.

First, you’ll want to prioritize any machines that cybercriminals might target first — for example, machines with elevated privileges. If a threat actor hacks into one of these machines, they can carry out attacks much more quickly because they don’t have to fight as much for privileges. You’ll also want to prioritize any machines with more critical vulnerabilities first.

During an active exploit, time is precious. Setting these priorities will help you properly disperse your team members where they’re most needed to minimize downtime.

5. Remediate vulnerabilities

With your priorities set, it’s time to remediate existing vulnerabilities. To be frank, vulnerability remediation is not a process you want to tackle manually. It’s a tedious, time-consuming task that just doesn’t end. Once you remediate a vulnerability, five more pop up to take its place.

That’s why we recommend adopting a vulnerability management platform. These platforms help find and remediate vulnerabilities for you so you can focus on other tasks.

6. Monitor vulnerabilities

Time for a quick progress check. Did your latest patches go through? Are your targeted vulnerabilities gone from your environment? If so, you can relax on this front for at least two whole seconds before new vulnerabilities spring up! 😅

In all seriousness, monitoring vulnerabilities is a never-ending job. It’s a full-time job. It will never disappear from your to-do list. But you can get help to make things a little easier.
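To make steps 3, 4 and 6 concrete, here is a small triage script added for this article (it is not PDQ code and not part of any scanner). It reads a constructed scan report, maps CVSS base scores to their qualitative ratings, ranks findings so public-facing, privileged or actively exploited hosts move up the list, and diffs two scans to confirm which patches actually landed. The weights in `priority` are an assumption for illustration, not a standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str               # constructed placeholder IDs, not real CVEs
    cvss: float                # CVSS base score, 0.0 to 10.0
    public_facing: bool        # reachable from the internet
    elevated_privileges: bool  # host holds admin or domain-level rights
    actively_exploited: bool   # zero day or exploitation seen in the wild

def severity(cvss):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"

def priority(f):
    """Assumed weighting (not from the article): start from CVSS, then bump
    public-facing or privileged hosts and anything actively exploited."""
    score = f.cvss
    if f.actively_exploited:
        score += 3.0
    if f.public_facing:
        score += 2.0
    if f.elevated_privileges:
        score += 1.5
    return score

def triage(findings):
    """Step 4: order the report so the riskiest findings come first."""
    return sorted(findings, key=priority, reverse=True)

def verify_remediation(before, after):
    """Step 6: diff two scans; returns (fixed, still_present, newly_found)."""
    old = {(f.host, f.vuln_id) for f in before}
    new = {(f.host, f.vuln_id) for f in after}
    return old - new, old & new, new - old

# Constructed sample reports: a public web server, a domain controller and
# an isolated lab box; SCAN_2 is the rescan after patching lab07.
SCAN_1 = [Finding("web01", "VULN-0001", 7.5, True, False, False),
          Finding("dc01", "VULN-0002", 6.5, False, True, False),
          Finding("lab07", "VULN-0003", 9.1, False, False, False)]
SCAN_2 = [f for f in SCAN_1 if f.vuln_id != "VULN-0003"] + [
          Finding("web01", "VULN-0004", 5.3, True, False, False)]
```

With these weights the internet-facing web server outranks the isolated lab box even though the lab box carries the higher base score, and the rescan diff shows one finding fixed, two still open and one new.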

If you need some help — and believe us, you don’t want to manage vulnerabilities by yourself — consider selecting a high-quality vulnerability management tool.

And while you're at it, maybe partner with an endpoint detection and response (EDR) or extended detection and response (XDR) provider for threat protection. The fine folks who work at EDR and XDR companies can weed out the false positives and threats that don’t really impact you. That’s time back in your day to take a long lunch — or, let’s be real, to reset Jerry’s password for the millionth time.

Automate the tedious steps of vulnerability management with PDQ Connect: our end-to-end patch management solution.

Let PDQ Connect inventory your software and flag vulnerabilities that you can patch in just one click. And should something go wrong with a patch (which would totally not be Microsoft’s fault, of course), use PDQ Connect’s built-in remote desktop control and access feature to get things back up and running again.

How to conduct a vulnerability assessment FAQs

What is a security vulnerability?

A security vulnerability is a weakness or error in software, hardware, a network, or a system. Vulnerabilities threaten businesses because cybercriminals often leverage them to launch cyberattacks.

What’s the difference between vulnerability assessment and penetration testing?

Vulnerability assessments help you flag the vulnerabilities that could impact your business. At the surface, penetration testing, or pentesting, assists with identifying vulnerabilities as well — but on a much deeper, more comprehensive level.

Trained security teams perform a penetration test to thoroughly examine the security measures you have in place in your environment. Not only do pentesters find and flag vulnerabilities, but they also use their knowledge of threat intelligence to test out your security controls, weed out false positives from automated tools, and conduct simulated attacks on your environment — all while thinking like a hacker.

What’s the difference between a vulnerability assessment and a risk assessment?

A vulnerability assessment focuses on finding the vulnerabilities that exist in your environment, while a risk assessment gives context to those vulnerabilities.

During a vulnerability assessment, you may find that a few applications aren’t up to date, leaving them vulnerable to security threats. During a risk assessment, you’ll contextualize what that actually means. For example, if you don’t patch your dated applications and they’re exploited, what would that mean for your business? What’s the likelihood that they’ll be exploited?

Vulnerability assessments are a bit more technical, while risk assessments tend to focus more on the potential business impact.

How do you read a vulnerability assessment report?

Vulnerability assessment reports differ depending on the vulnerability assessment tool you use, but it’s likely your report has four main sections: an executive summary, scan overview, identified vulnerabilities and security insights, and mitigation and remediation recommendations.

To get the most out of your vulnerability assessment report, you should complete these steps:

  1. Review summary findings

  2. Look at the discovered vulnerabilities

  3. Understand vulnerability details

  4. Prioritize remediation

  5. Validate findings

  6. Develop and implement a remediation plan

  7. Verify remediation

  8. Document findings and actions

Try PDQ Connect free for 14 days.

Rachel Bishop

A professional writer turned cybersecurity nerd, Rachel enjoys making technical concepts accessible through writing. At this very moment, she’s likely playing a video game or getting lost in a good psychological thriller. She enjoys spending time with her husband (a former sysadmin now in cybersecurity) as well as her two cats and three birds.
