Vulnerability Assessment: What It Is, How It Works and When You Need One
8 min read · AstraLoop Studio
If someone has pitched you a vulnerability assessment and you’re trying to figure out what you’re actually buying, you’re in the right place. In plain terms, a vulnerability assessment (VA) is a systematic scan of your IT systems to find security holes before an attacker does. It’s not an abstract exercise: it produces a concrete list of problems, ranked by severity, telling you what to fix and in what order.
The topic, unfortunately, isn’t theoretical. According to the 2026 Clusit Report, Italy accounts for roughly 10% of incidents worldwide, serious attacks grew 23% in the first quarter, and exploitation of known vulnerabilities is up 65% compared to 2024. SMBs make up 72% of the targets. In other words, most attacks don’t use exotic techniques — they use holes that are already known and never closed. That’s exactly what a vulnerability assessment is meant to find.
A VA is one of the basic building blocks of a complete IT security audit: the starting point for knowing where you’re exposed, before you even get to compliance, training, or insurance.

Vulnerability assessment: the working definition
A vulnerability assessment is a process for identifying, classifying and prioritizing the vulnerabilities present in an organization’s systems, networks, applications and devices. In practice it answers one question: what weak points do I have, and how dangerous are they?
A VA doesn’t just tell you “you’re vulnerable.” Every flaw found is tied to a public identifier (the well-known CVE, the international registry of known vulnerabilities) and a severity score (the CVSS standard, from 0 to 10). That way you can tell the critical issue that needs closing today apart from the marginal one that can wait.
What a vulnerability assessment is NOT
This is where half the confusion comes from. A VA finds vulnerabilities, but it doesn’t try to exploit them. It doesn’t get into your systems, doesn’t steal test data, doesn’t fully simulate a real attack. That’s the job of a penetration test, where a professional actually attempts to breach your defenses to show what a real attacker could pull off.
A quick analogy. The vulnerability assessment is the technician who walks through your house and notes down every broken window, every door with no lock, every alarm running low on battery. The penetration test is the person who actually tries to climb in through the broken window, to show you that from there they can reach the safe.
How it works, step by step
A vulnerability assessment done properly follows four phases. The difference between a serious service and a “bargain-bin automated scan” lives almost entirely in phases 3 and 4.
- Scoping. This defines what gets checked: public IPs, servers, the website, the VPN, firewalls, networked devices. A common mistake is checking only the website and forgetting the exposed infrastructure.
- Scanning. Specialized tools query every system looking for outdated software, weak configurations, open ports, expired certificates, default credentials. This is the automatable part.
- Analysis and manual verification. Every tool produces false positives. A professional discards the irrelevant alerts, verifies the real ones, and assesses the impact in your specific context. A theoretically critical flaw on a decommissioned server barely matters; a medium one on the system handling customer data matters a great deal.
- Report and prioritization. The output is a readable document: vulnerabilities listed by severity, an explanation of the risk, and an ordered remediation plan. A good report speaks both to the technical team (what to patch) and to the owner (what financial and legal risk am I carrying).
If all you’re offered is phase 2 — the PDF spat out by the software with no human analysis — you’re buying a list of alerts, not an assessment. It’s the classic case where an IT security audit costs next to nothing precisely because there’s no human work behind it.

What a vulnerability assessment actually finds
Let’s move from concept to facts. Here are the categories of problems a VA turns up most often in Italian SMBs, with real examples of known vulnerabilities on exposed systems.
Exposed VPNs and remote access
After the hybrid-work boom, almost every company has a VPN or remote access endpoint published on the internet. These are prime targets, because a flaw there opens the door to the entire internal network. In recent years, official advisories from CISA and Italy’s ACN have repeatedly flagged critical vulnerabilities in widely used VPN appliances and gateways (think of the mass-exploited flaws in Fortinet, Ivanti/Pulse Secure, and Citrix products). A VA checks whether your version is among those vulnerable and not yet patched.
Misconfigured firewalls and network devices
The firewall protecting your network can itself have vulnerabilities or be badly configured: admin panels reachable from the internet, outdated firmware, credentials that were never changed. A VA flags open ports that shouldn’t be open and exposed services nobody remembered turning on.
Outdated server software
Operating systems, databases, mail servers and web servers with missing patches. This is the number-one category for automated attacks: bots scan the internet around the clock looking for versions known to be vulnerable, and hit them with zero human involvement.
Websites, WordPress and e-commerce
This is where things get heavy. In 2025, 11,334 new WordPress vulnerabilities were logged (+42% year over year), and 97% of them sit in third-party plugins and themes, not the core. Sites get hit every few minutes by AI-powered botnets. A VA on your website checks exactly this: CMS version, outdated plugins, vulnerable forms, weak configurations. If your revenue runs through an online store, dig deeper with our guide to e-commerce security and our analysis of WordPress plugin vulnerabilities.
Weak credentials and default configurations
Default passwords never changed, exposed management panels, outdated protocols, weak encryption. They sound trivial, yet they cause a huge share of successful intrusions, often the first step that later leads to ransomware.
Not by coincidence: when one of these flaws isn’t closed in time, the typical ending is data encryption and a ransom demand. If you want to understand how you get there and how to prevent it, read our guide on ransomware and Italian SMBs.
When you need a vulnerability assessment (and how often)
It’s not a one-and-done exercise you file away. The practical rule for an SMB is this:
- At least once a year as basic hygiene, to get a snapshot of your infrastructure’s state.
- Every time you change something substantial: a new website, new management software, a cloud migration, opening up a new remote access point.
- On an ongoing basis if you have many systems exposed to the internet, because new vulnerabilities come out every week for software you consider secure today.
- If you fall under regulatory obligations. The NIS2 directive, in force in 2026, requires companies within scope to have risk-management measures and, in practice, knowledge of their own vulnerabilities. To find out if it applies to you, start with NIS2 and your company and the 2026 deadlines.
One regulatory note, without offering legal advice: under NIS2, responsibility for managing cyber risk falls directly on the CEO and management bodies, and can no longer be delegated “to the IT guy.” Knowing what vulnerabilities you have and having a documented plan to close them is no longer just good technical sense — it’s protection for whoever runs the company.
Want to know where your company is actually exposed before someone else finds out? Request a vulnerability assessment with us: we’ll tell you what to fix, and in what order.
Vulnerability assessment vs. penetration test: which one to choose
The right question isn’t “VA or pentest,” it’s “in what order.” They serve different purposes and often work together.
| Aspect | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Find and classify vulnerabilities | Exploit them to prove real-world impact |
| Approach | Broad, covers many systems | Deep, targeted at specific objectives |
| Automation | Heavily automated plus human verification | Mostly manual, offensive-security skills |
| Frequency | Periodic (annual or continuous) | Point-in-time (annual or on critical systems) |
| Cost | More contained | Higher (specialist days) |
The sensible sequence for an SMB is clear: first the VA, to get the full map and close the obvious holes, then the pentest on the most critical systems to verify how well they really hold up. Running an expensive pentest on infrastructure full of basic flaws is like hiring an expert burglar to discover you left the door open — you already knew that. For a deeper comparison, see our guide on the difference between a vulnerability assessment and a penetration test, and for the investment side there’s our breakdown of penetration test cost.
The connection almost nobody makes: VA and insurability
Here’s a practical point that’s rarely explained: more and more cyber insurance policies, to be activated or to pay out on a claim, require you to demonstrate a minimum level of security hygiene. Having a recent vulnerability assessment, with a documented remediation plan, is often what moves you from “uninsurable” or “sky-high premium” to reasonable terms. So a VA isn’t just technical prevention — it’s also a document that lowers your risk profile in the eyes of whoever has to cover you.
In summary
A vulnerability assessment is an honest snapshot of your company’s weak points: it tells you where you’re exposed, how serious it is, and what to fix first. It doesn’t replace a penetration test, it doesn’t close the holes by itself, and it doesn’t bring you into compliance with one click — but it’s the first rational step. Without knowing where the holes are, every security investment is a guess. With that map in hand, every euro you spend goes exactly where it’s needed.
Frequently asked questions
What’s the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment finds and classifies vulnerabilities broadly, without exploiting them. A penetration test actually attempts to breach your systems to demonstrate what a real attacker could do. Typically the VA comes first, then the pentest on critical systems.
How often should you run a vulnerability assessment?
At least once a year as basic hygiene, and every time you change something significant (new website, cloud migration, new remote access point). If you have many systems exposed to the internet, an ongoing or quarterly scan makes sense, since new vulnerabilities keep appearing.
Does a vulnerability assessment take systems down during the scan?
In the vast majority of cases, no. Scans are designed to be non-invasive and are often scheduled during low-load hours. A professional will still agree on timing and scope with you to avoid any impact on operations.
What exactly does a vulnerability assessment find?
Outdated server software, vulnerable or misconfigured VPNs and firewalls, unnecessary open ports, outdated WordPress plugins, default credentials, expired certificates and weak configurations. Every flaw is ranked by severity with a remediation plan.
Is a vulnerability assessment legally required?
There’s no explicit obligation under that exact name, but the NIS2 directive requires in-scope companies to have risk-management measures that, in practice, require knowing and addressing their own vulnerabilities. Under NIS2, responsibility falls directly on the management body.
How much does a vulnerability assessment cost for an SMB?
It costs less than a penetration test because it’s more automated, but the price varies a lot depending on the number of systems and whether there’s human analysis involved. Be wary of prices that are too low: they often mean just a software-generated report with no manual review.
If you don’t have an up-to-date map of your weak points, talk to us: we’ll start with a clear vulnerability assessment and give you a concrete priority plan.