Book assessment
07 · Assessment

Vulnerability Assessments

Vulnerability scanners produce alerts. Vulnerability assessments produce decisions. We combine continuous automated scanning with manual validation and prioritization, so your team works on what actually matters — not on the scanner's noise.

Request a proposal All services
  • Scan
  • Triage
  • Action
Typical duration
2–3 weeks (or continuous)
Team
1 senior analyst + tooling
Prerequisites
Asset inventory + scanner access
Deliverable
Prioritized action list + closure tracker

Vulnerability scanners produce alerts. Vulnerability assessments produce decisions. We combine continuous automated scanning with manual validation and prioritization, so your team works on what actually matters — not on the scanner's noise.

What is a Vulnerability Assessment?

A vulnerability assessment is the systematic identification, validation, and prioritization of security weaknesses across your infrastructure, applications, and cloud workloads. It’s the foundation of any security program — you can’t fix what you can’t see.

Done well, an assessment is more than running a scanner. It’s the work of separating real exploitable issues from false positives, prioritizing them based on actual exploitability in your specific environment, and producing a remediation plan your team can execute.

Why scanner output is not an assessment

Most organizations run vulnerability scanners — Nessus, Qualys, Tenable, Rapid7. The scanner generates a report with thousands of findings. The report goes to a security analyst who triages a fraction of them. Most findings get ignored.

This isn’t a process failure. It’s mathematically impossible for a small team to act on raw scanner output. The scanner doesn’t know:

  • Which findings are exploitable in your network architecture
  • Which “critical” CVEs are actually noise (false positives or unreachable code)
  • Which “medium” findings chain together into a critical risk
  • What remediation effort each finding requires
  • Which fixes would close multiple findings at once

A real assessment closes that gap. We do the validation, prioritization, and remediation planning work — so your team gets a focused list of what to fix this quarter, not a flood of CVEs.

CyberBullet’s methodology

1. Scope & Asset Discovery

We start by mapping what’s actually in scope — your asset inventory is almost always incomplete. We combine your CMDB with active discovery (network scanning, cloud API queries) to surface shadow IT and forgotten infrastructure.

2. Multi-Layer Scanning

We run scans appropriate to each asset class: network/infrastructure (Nessus, OpenVAS), web applications (Burp Suite Pro, custom), cloud configuration (Prowler, ScoutSuite, native cloud tools), containers (Trivy, Grype), and code-level (where applicable).

3. Manual Validation

This is the work scanners can’t do. Every reported finding gets a manual review — is it real, is it exploitable in this environment, is it a false positive, is the severity rating accurate for the actual context. Typical findings reduction post-validation: 30-50%.

4. Risk-Based Prioritization

We rank findings based on a combination of factors: exploitability in your specific environment, presence of public exploit code, attacker value (data sensitivity), and remediation cost. The output is a prioritized list — what to fix first, second, and third.

5. Remediation Roadmap

For each prioritized finding, we provide: specific remediation steps, estimated effort, dependencies (what else needs to happen first), and acceptance criteria (how you’ll know it’s actually fixed).

6. Reporting & Trend Analysis

The deliverable is a report your team can act on and a trend view that shows whether your security posture is improving over time. For ongoing engagements, the trend line becomes the metric we manage to.

Frameworks we map findings to

  • CIS Critical Security Controls v8 — Control 7 (Continuous Vulnerability Management)
  • NIST CSF 2.0 — Identify (ID.RA) and Respond (RS.MI) functions
  • PCI DSS 4.0 Requirement 11.2 — vulnerability scanning
  • HIPAA Security Rule §164.308(a)(1) — risk analysis
  • SOC 2 CC7.1 and CC7.2 — system monitoring and vulnerability management

Who this is for

  • Organizations with compliance-driven scanning requirements (PCI 11.2, HIPAA, SOC 2)
  • Mid-market security teams drowning in scanner alerts
  • Companies in M&A needing a defensible view of security posture pre/post-deal
  • Cloud-heavy organizations where the attack surface changes daily
  • Anyone whose vulnerability scanner has been generating “the same 500 findings” for months with no remediation movement

Our methodology

Every engagement runs through the same six phases. Manual validation isn't a finishing step — it's the product.

01 · SCOPE

Scope & Authorize

We define the engagement boundary precisely before testing starts — in-scope assets, out-of-bounds targets, testing windows, and emergency-stop procedures.

  • Written authorization letters exchanged before any packet leaves our infrastructure
  • Signal / Slack channel established for real-time findings during the engagement
  • Explicit rules of engagement reviewed with legal, IT, and business stakeholders
02 · PASSIVE

Passive Reconnaissance

Before a single packet touches your infrastructure, we map your external footprint using public sources only — DNS, CT logs, code repos, internet-wide scan data.

  • Typically discovers 15-30% more attack surface than the client originally provided
  • Certificate transparency, BGP, and GitHub exposure reporting
  • OSINT profile for social engineering vectors if in scope
03 · ACTIVE

Active Discovery

We enumerate live services across in-scope assets — ports, software versions, auth mechanisms, and protocol configurations — correlated against current vuln data.

  • Hand-tuned scanning profiles — not the default Nessus run
  • Protocol-level inspection for TLS, SSH, SMB, Kerberos, LDAP
  • Service fingerprinting to ground truth before any exploitation
04 · MANUAL

Manual Validation

Every potential issue is validated by hand before it makes the report. No CVE-dumping. No false positives. This is what separates the engagement from a scan.

  • Manual exploitation attempts for any finding of High severity or above
  • Business-logic testing on top of the technical layer
  • Chained vulnerabilities analyzed as a single attack path
05 · EXPLOITATION

Exploitation & Impact

For confirmed vulnerabilities with attacker value, we attempt exploitation to prove impact — not just that a CVE applies, but what it gets you.

  • Proof-of-exploit captured for every confirmed critical finding
  • Pivot paths mapped to the actual crown-jewel data
  • Interim notification inside 24 hours for anything critical
06 · REPORT

Report & Remediate

Every finding is paired with severity rated on real exploitability, reproducible proof-of-exploit, and remediation guidance your team can ship this sprint.

  • Executive summary and technical deep-dive in a single report
  • Findings mapped to CIS, NIST CSF, and relevant compliance families
  • Retest included — we confirm the fix before we close the finding

What you walk away with

Frameworks we map to

Findings ship mapped to the control families your regulators and auditors actually check. Governance clients use these crosswalks directly in their program documentation.

  • CIS Controls v8
  • NIST CSF 2.0 / 800-53
  • PCI DSS 4.0
  • HIPAA Security Rule
  • SOC 2 Type II
  • OWASP ASVS

Questions we get asked

We already run Nessus / Qualys / Tenable. What does your assessment add?

Three things: (1) we validate every finding manually, so your team doesn't waste time on false positives — typical scanner output is 30-50% noise. (2) We prioritize based on real exploitability in your environment, not just generic CVSS. (3) We turn the scanner output into a remediation plan with effort estimates and dependencies, not just a list of CVEs.

How is this different from a penetration test?

A pentest is depth: a focused attack simulation against a specific scope, finding the chains an attacker would use. An assessment is breadth: comprehensive identification of all known weaknesses across your environment, prioritized for remediation. Most mature security programs do both — assessments quarterly or continuously for hygiene, pentests annually for depth.

Do you do one-time assessments or continuous?

Both. One-time assessments are typical for compliance milestones (annual PCI, SOC 2 Type II prep) or pre-deal due diligence. Continuous monthly assessments are typical for organizations that want ongoing visibility — we run scans, validate findings, and track remediation throughout the quarter, with a quarterly review and adjusted strategy.

What about cloud environments?

Yes, cloud is included by default in modern assessments — AWS, Azure, GCP. We use a combination of native cloud security tools (AWS Inspector, Azure Defender) and third-party scanners, plus configuration audits against CIS benchmarks. Container and Kubernetes scanning is included for containerized workloads.

How do you handle remediation that takes longer than a quarter?

We track every finding with a status (open, in-progress, accepted-risk, remediated) and the rationale per status. For accepted risks, we document the compensating controls and re-evaluate quarterly. The goal is a clean trend line on real risk reduction, not arbitrary check-box closure.

Next step

Tell us what's on your radar — we'll tell you where to start.

A 30-minute scoping call. You talk to the senior operator who would actually run the engagement. Scoping notes back inside 24 hours.

  • No high-pressure follow-up
  • Scoping notes delivered within 24 hours
  • NDA available before the call
Book a scoping call Browse services