Vulnerability Scanning 101 Checklist

  • Mar 17
  • 1 min read

Service Area: Technical Assurance

Vulnerability scanning is your baseline control for continuously finding exploitable weaknesses across internet-facing and internal assets.

  • Define scope: inventory domains/IPs/cloud assets; include subsidiaries, staging, and remote access paths.

  • Set cadence: external weekly (or more), internal monthly (or more), plus after major changes and patch cycles.

  • Automate discovery: detect and onboard new/changed assets (cloud, containers, ephemeral hosts).

  • Run both scan modes: uncredentialed for outside-in exposure; credentialed for OS/app/misconfiguration depth.

  • Harden scanner access: least-privilege credentials, secrets management, MFA/service accounts where supported, logging enabled.

  • Tune for signal: reduce false positives with safe checks, version detection, authenticated plugins, and change control.

  • Normalize severity: use CVSS plus asset criticality, internet exposure, and known exploitation (e.g., KEV).

  • Set SLAs: Critical 48–72h, High 1–2 weeks, Medium 30 days (adjust to your risk appetite).

  • Assign owners: route findings to the right system/app teams with clear accountability.

  • Remediate or mitigate: patch, reconfigure, upgrade, segment, or add compensating controls where patching isn’t feasible.

  • Verify closure: rescan to confirm fixes and prevent regressions.

  • Track trends: measure open vs. closed findings, aging, repeat offenders, and coverage gaps; report to leadership.
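As an added worked example (not code from the original post or from Red Spider Security), the prioritization, SLA, closure-verification and trend items above as a small Python model: a finding's CVSS band is adjusted for internet exposure, asset criticality and KEV listing, an SLA due date follows from the adjusted band, a rescan closes findings that no longer show up and reopens ones that reappear, and a report counts open/closed/overdue findings, mean open age and repeat-offender assets. The one-band-per-factor bump rules, the asset tiers, the 90-day Low window (the post gives no Low SLA) and all finding data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows from the checklist; "Critical 48-72h" is modelled as 3 days.
# The Low window (90 days) is an assumption; the post does not state one.
SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 30, "Low": 90}
BANDS = ["Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float            # CVSS v3 base score, 0.0-10.0
    criticality: str       # "crown-jewel", "standard" or "lab" (constructed tiers)
    internet_facing: bool
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    first_seen: date
    closed_on: Optional[date] = None


def cvss_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def normalized_severity(f: Finding) -> str:
    """CVSS band adjusted for known exploitation, exposure and asset criticality.

    Each factor moves the band one step (an assumed rule, chosen for
    illustration); the result is clamped to Low..Critical."""
    idx = BANDS.index(cvss_band(f.cvss))
    if f.in_kev:
        idx += 1
    if f.internet_facing:
        idx += 1
    if f.criticality == "crown-jewel":
        idx += 1
    elif f.criticality == "lab":
        idx -= 1
    return BANDS[max(0, min(idx, len(BANDS) - 1))]


def sla_due(f: Finding) -> date:
    """Remediation due date: first detection plus the SLA window for the adjusted band."""
    return f.first_seen + timedelta(days=SLA_DAYS[normalized_severity(f)])


def is_overdue(f: Finding, today: date) -> bool:
    """True for a finding that is still open past its SLA due date."""
    return f.closed_on is None and today > sla_due(f)


def apply_rescan(findings, detected_ids, scan_date: date):
    """Verify closure from a rescan: close findings no longer detected and reopen
    previously closed findings that reappear. Returns the ids that regressed."""
    regressions = []
    for f in findings:
        if f.finding_id not in detected_ids and f.closed_on is None:
            f.closed_on = scan_date
        elif f.finding_id in detected_ids and f.closed_on is not None:
            f.closed_on = None
            regressions.append(f.finding_id)
    return regressions


def trend_report(findings, today: date) -> dict:
    """Open vs. closed, overdue count, mean age of open findings, repeat offenders."""
    open_ = [f for f in findings if f.closed_on is None]
    per_asset: dict = {}
    for f in open_:
        per_asset[f.asset] = per_asset.get(f.asset, 0) + 1
    mean_age = sum((today - f.first_seen).days for f in open_) / len(open_) if open_ else 0.0
    return {
        "open": len(open_),
        "closed": len(findings) - len(open_),
        "overdue": sum(1 for f in open_ if is_overdue(f, today)),
        "mean_open_age_days": mean_age,
        "repeat_offenders": sorted(a for a, n in per_asset.items() if n > 1),
    }


def sample_findings():
    """Constructed sample data, not real scan output."""
    return [
        Finding("F-1", "web-01", 9.8, "crown-jewel", True, True, date(2024, 3, 1)),
        Finding("F-2", "vpn-gw", 5.3, "standard", True, False, date(2024, 3, 10)),
        Finding("F-3", "lab-db", 7.5, "lab", False, False, date(2024, 2, 1), closed_on=date(2024, 2, 20)),
        Finding("F-4", "web-01", 6.0, "standard", False, True, date(2024, 3, 12)),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 17)
    fs = sample_findings()
    for f in fs:
        print(f.finding_id, normalized_severity(f), sla_due(f), "overdue" if is_overdue(f, today) else "ok")
    print(trend_report(fs, today))
    print("regressions:", apply_rescan(fs, {"F-2", "F-3"}, date(2024, 3, 18)))
```

The KEV bump is applied before the exposure and criticality bumps so that an internally reachable, known-exploited issue on a standard asset still lands at High rather than Medium; the regression path in `apply_rescan` is what turns "verify closure" into an actual control, since a finding that was closed and then reappears is reopened with its original `first_seen`, so its aging and SLA clock are not reset.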

If you want a defensible vulnerability scanning program (tools, cadence, prioritization, and reporting), contact Red Spider Security for a vulnerability scanning assessment and remediation roadmap.
