VULNERABILITY & TECHNICAL
We received a vulnerability scan report. What should we do with it?
A vulnerability scan produces a list of findings. Without a clear understanding of what they mean and a plan for what to fix, that list is a liability rather than an asset. Here is how to work through it.
What a vulnerability scan actually finds
A vulnerability scan is an automated assessment of your systems that identifies known weaknesses — missing patches, misconfigured services, outdated software, open ports, and other technical issues that could be exploited by an attacker.
The output is a report, typically categorised by severity: critical, high, medium, low, and informational. The volume of findings does not directly indicate how dangerous your environment is. What matters is the nature of the critical and high findings and how exploitable they are in practice.
How to read the severity ratings
Severity ratings are generated automatically from known vulnerability databases, scored primarily with the Common Vulnerability Scoring System (CVSS). They reflect the theoretical severity of the vulnerability in isolation, not the actual risk to your specific environment.
A critical finding on a system isolated from the internet with no sensitive data is different from the same finding on an internet-facing server handling client data. Context matters.
What to prioritise
Start with critical and high findings on internet-facing systems. Then work through critical and high findings on internal systems that hold sensitive data. Medium findings should be assessed and addressed systematically. Low and informational findings are generally lower priority.
How vulnerability findings relate to Cyber Essentials
If you are pursuing Cyber Essentials or CE Plus, your vulnerability scan findings are directly relevant. Cyber Essentials requires that high and critical patches are applied within 14 days. Outstanding critical or high findings at assessment will cause a failure.
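The prioritisation order above, plus the 14-day patch window, can be turned into a simple triage pass over the scan output. The script below is an added illustration, not a tool from this page or its authors; the findings are constructed sample data, and the placement of critical/high findings on internal systems without sensitive data ahead of mediums is an assumption the page does not state.

```python
from dataclasses import dataclass

# Scanner severity, as the report categorises it
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}
CE_PATCH_WINDOW_DAYS = 14  # Cyber Essentials: critical/high patches within 14 days


@dataclass
class Finding:
    host: str
    title: str
    severity: str           # CVSS-derived rating from the scanner
    internet_facing: bool   # context the scanner cannot know on its own
    sensitive_data: bool    # does this system hold sensitive/client data?
    days_since_patch: int   # days since the vendor fix became available


def priority_tier(f: Finding) -> int:
    """Remediation tier following the ordering above; 1 is most urgent."""
    sev = f.severity.lower()
    if sev in ("critical", "high"):
        if f.internet_facing:
            return 1   # critical/high on internet-facing systems
        if f.sensitive_data:
            return 2   # critical/high on internal systems holding sensitive data
        return 3       # assumption: other internal critical/high before mediums
    return 4 if sev == "medium" else 5   # medium, then low/informational


def ce_overdue(f: Finding) -> bool:
    """True when a critical/high finding already breaches the 14-day window."""
    return f.severity.lower() in ("critical", "high") and f.days_since_patch > CE_PATCH_WINDOW_DAYS


def triage(findings):
    """Order by tier, then scanner severity, then oldest outstanding fix first."""
    return sorted(
        findings,
        key=lambda f: (priority_tier(f), SEVERITY_RANK.get(f.severity.lower(), 4), -f.days_since_patch),
    )


# Constructed sample findings (not taken from a real scan report)
SAMPLE_FINDINGS = [
    Finding("dev-box", "Unnecessary open port", "medium", False, False, 60),
    Finding("hr-files", "Missing OS security update", "high", False, True, 30),
    Finding("web02", "Server banner disclosure", "informational", True, False, 0),
    Finding("print01", "Outdated firmware", "critical", False, False, 5),
    Finding("web01", "Outdated TLS library", "critical", True, True, 20),
    Finding("web01", "Missing HTTP security headers", "medium", True, False, 10),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        flag = "  CE OVERDUE" if ce_overdue(f) else ""
        print(f"tier {priority_tier(f)}  {f.severity:<13} {f.host:<9} {f.title}{flag}")
```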
A REPORT WITHOUT A REMEDIATION PLAN IS INCOMPLETE
A vulnerability scan tells you what is wrong. It does not tell you what to fix first, what can wait, or what the findings mean for your certification posture. If you have received a report and are not sure what to do with it, that is the conversation to have before you start remediating.
GOT A REPORT YOU ARE NOT SURE HOW TO ACT ON?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.