Vulnerability Management
Continuous and one-off scanning across websites and infrastructure. Know what's exposed week after week, not just at audit time.
Penetration testing tells you where you stand today. This tells you every week.
A penetration test is a point-in-time assessment. It answers the question on the day it's conducted. New vulnerabilities are disclosed daily. New services get spun up. Configurations drift. Something that was fine in January may not be fine in March, and a penetration test conducted in January won't tell you that.
Vulnerability management is the ongoing programme that sits alongside a penetration test. Scheduled scans, prioritised findings, tracked remediation. The difference between knowing where you stand and knowing where you stand right now.
Buying a scanner and pointing it at your estate is the easy part. Interpreting the output, weeding out the false positives, prioritising the real issues, and tracking remediation over time is the actual service. That is what we provide.
One-off or continuous. Both fixed-price.
We offer vulnerability management as two distinct services depending on what you need.
Vulnerability assessment
A point-in-time scan of your websites, external infrastructure, and internal networks. For organisations that need a clear picture of current exposure: ahead of an audit, insurance renewal, acquisition, or simply because nobody has looked in a while.
- Authenticated and unauthenticated scans
- Manual validation to remove false positives
- Risk-ranked findings with remediation guidance
- 60-minute walkthrough with your team
- Free retest within 90 days
Monthly scanning and review
Regular scheduled scans of your agreed assets, with alerts when high-severity issues appear and a monthly review call. For organisations required to demonstrate ongoing vulnerability management, or simply tired of finding out about vulnerabilities six months too late.
- Weekly, fortnightly, or monthly scans
- New vulnerability alerting tied to your stack
- Triaged, deduplicated findings
- Monthly summary report and review call
- Direct line to your assigned consultant
What we scan.
Websites and web applications
Public-facing sites, internal portals, customer applications, and application programming interfaces. Both authenticated and unauthenticated scanning to reflect what different attacker profiles would see.
External infrastructure
Everything visible from the internet in your name. Every exposed service, every open port, every subdomain resolving to an address. The view an attacker gets before they've made contact with you.
Internal infrastructure
Servers, endpoints, network devices. For continuous management programmes, internal scanning models what an attacker can see after getting past the perimeter, which is the more realistic threat in most environments.
Cloud workloads
Amazon Web Services, Microsoft Azure, and Google Cloud Platform exposed services and configuration. Includes Microsoft 365 tenant configuration drift for continuous management clients.
Fixed-price. Always.
One-off assessments are priced by scope. Continuous management is priced monthly based on asset count and scan frequency. Both are quoted up-front after a free 15-minute scoping call.
No surprise invoices. No hourly billing. No "that's out of scope" when a finding takes longer to validate than expected.
If you want to know what a one-off assessment or a monthly programme would cost for your specific environment, the scoping call is the place to start.
Book a scoping callRelated capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreCyber Essentials Certification
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more