A network vulnerability assessment is a structured scan of every device, port, and service on a corporate network to identify exploitable weaknesses before attackers reach them. Unlike a penetration test (which actively exploits findings), the assessment maps the attack surface, validates findings, and ranks risks for remediation. Canadian SMBs should run automated scans monthly and full-methodology assessments quarterly, with extra cycles after any major infrastructure change.
KEY TAKEAWAYS
- A network vulnerability assessment finds weaknesses across infrastructure before attackers do; it does not fix them.
- The defensible cadence for Canadian SMBs is monthly automated scans plus a full quarterly assessment, aligned to CIS Controls v8.1.
- Tooling matters less than methodology. Tenable Nessus, Qualys, Rapid7 InsightVM, Microsoft Defender Vulnerability Management, and Nmap all work when run inside a 7-step process.
- Internal and external scans answer different questions. Run both, on different cadences, with different rules of engagement.
- Score by CVSS plus exploit availability plus business context. Critical and CISA KEV findings get a 72-hour SLA. Everything else flows into 30, 90, or next-cycle tiers.
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
What is a network vulnerability assessment?
A network vulnerability assessment is a systematic, mostly automated review of network-connected assets that catalogs known weaknesses (missing patches, weak configurations, default credentials, exposed services), validates them, and ranks each finding by exploitability and business impact. The output is a prioritized remediation plan, not a raw scanner export.
It is distinct from a penetration test. A pen test attempts to exploit findings to prove impact; an assessment maps and ranks findings so an internal team or MSP can fix them on a defined SLA. NIST SP 800-115 frames vulnerability assessment as a foundational technical security testing activity that feeds higher-order assurance work.
Why network VAs matter for Canadian SMBs in 2026
The Canadian Centre for Cyber Security flags unpatched and misconfigured network assets as one of the most exploited entry points behind ransomware and data theft against Canadian organizations. Cyber insurance underwriters now ask Canadian SMBs to evidence quarterly scans, documented remediation, and SLA tracking before binding or renewing coverage.
PIPEDA does not prescribe a scan cadence, but the Office of the Privacy Commissioner has consistently treated failure to identify and remediate known vulnerabilities as a breach of the safeguarding principle when a compromise follows. CIS Controls v8.1 names continuous vulnerability management as Control 7, the third-highest priority safeguard for any organization handling sensitive data.
The 7-step network VA methodology
A defensible Canadian SMB methodology follows seven steps. Each step has a single owner, a tool, and a documented output. Skipping a step (typically scope or manual validation) is the failure mode that turns a scan into noise.
| Step | Activity | Tool | Output |
|---|---|---|---|
| 1. Scope | Define IPs, segments, scan windows, rules of engagement | Signed RoE document | Approved scope statement |
| 2. Asset discovery | Enumerate live hosts, ports, services across in-scope ranges | Nmap, scanner discovery scan | Asset inventory CSV |
| 3. Authenticated scan | Credentialed scan against discovered assets for CVEs and config | Nessus, Qualys, InsightVM, Defender VM | Raw findings export |
| 4. Manual validation | Verify critical findings, eliminate false positives | Analyst review, Nmap NSE, manual checks | Confirmed findings list |
| 5. Risk scoring | Apply CVSS, CISA KEV, EPSS, and business context | NVD lookups, KEV catalog | Prioritized risk register |
| 6. Reporting | Executive summary plus technical detail per finding | Scanner reports, custom narrative | Board-ready PDF plus CSV |
| 7. Remediation and retest | Fix on SLA, document accepted risk, rescan to confirm | Ticketing system, scanner re-run | Closed-loop evidence pack |
Network VA tooling: what Canadian SMBs actually deploy
Five tools cover the bulk of Canadian SMB programs. Tenable Nessus leads on raw plugin coverage and is the most common choice for first-time programs. Qualys is the cloud-native option preferred by firms that already run other Qualys modules. Rapid7 InsightVM blends scanning with attacker analytics and pairs well with InsightIDR for SIEM integration.
Microsoft Defender Vulnerability Management is the default for Microsoft 365 E5 and Defender for Endpoint customers; it scans where the agent is already deployed and removes the need for a separate authenticated scanner on managed Windows fleets. Nmap rounds out every program as the discovery and validation utility used by analysts directly.
Authoritative sources: NIST SP 800-115 defines the assessment methodology baseline. The NIST National Vulnerability Database supplies CVE and CVSS data for every commercial scanner. OWASP guidance covers application-layer findings. CIS Controls v8.1 (Control 7, Continuous Vulnerability Management) names this work as a top-priority safeguard. The Canadian Centre for Cyber Security treats unpatched assets as a leading entry vector.
Internal vs external scanning: when each is needed
Internal and external scans answer different questions and need different rules of engagement. An external scan models an unauthenticated attacker on the public internet; an internal scan models a malicious insider or a foothold post-phishing. Both are required. Running only one leaves the other half of the attack surface unscored.
| Dimension | External scan | Internal scan |
|---|---|---|
| Attacker model | Unauthenticated internet attacker | Malicious insider or post-phish foothold |
| Targets | Public IPs, web apps, VPN concentrators, edge appliances | Workstations, file servers, AD, printers, OT, IoT |
| Authentication | Unauthenticated by default | Credentialed (domain or local admin) |
| Cadence | Weekly or continuous | Monthly authenticated, quarterly full |
| Typical findings | Exposed RDP, expired certs, vulnerable VPN, leaked services | Missing OS patches, weak local admins, SMBv1, stale software |
How to score and prioritize findings
Scoring by CVSS alone is the most common prioritization mistake. A CVSS 9.8 in an isolated test segment matters less than a CVSS 7.5 on an internet-facing asset that handles personal information. Use a three-factor model: CVSS base score, exploit availability (CISA KEV listing or public proof-of-concept), and business context (internet exposure, data sensitivity, recovery impact).
Translate the result into four SLA tiers. Critical findings (CISA KEV, internet-facing remote code execution, authentication bypass) get a 72-hour fix or compensating control. High findings get 30 days. Medium findings get 90 days. Low findings ride the next maintenance window or are formally accepted with documented rationale. Define the tiers in the scope document before the scan; do not invent them after the report lands.
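The three-factor model and SLA tiers above, as an added Python example (not the author's code or any scanner vendor's API). Where the page gives no number, the code assumes standard CVSS v3 qualitative bands, one tier up for a public PoC, internet exposure or sensitive data, and one tier down for an isolated segment with no sensitive data.

```python
# Added example (not the author's or a vendor's code). Assumptions not on the
# page: CVSS bands follow the standard v3 qualitative ranges; a public PoC,
# internet exposure or sensitive data each raise one tier; an isolated segment
# with no sensitive data lowers one tier.
from dataclasses import dataclass

TIERS = ["Low", "Medium", "High", "Critical"]  # index = severity rank
SLA_DAYS = {"Critical": 3, "High": 30, "Medium": 90, "Low": None}  # None: next window or accept

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    in_kev: bool = False          # listed in CISA Known Exploited Vulnerabilities
    public_poc: bool = False      # public proof-of-concept exploit exists
    internet_facing: bool = False
    sensitive_data: bool = False  # asset handles personal information
    isolated: bool = False        # isolated test or lab segment
    impact: str = "other"         # "rce", "auth_bypass" or "other"

def cvss_band(score: float) -> str:
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return band
    return "Low"

def tier(f: Finding) -> str:
    # Factor 2 (exploit availability): a KEV listing, or internet-facing RCE or
    # auth bypass, is Critical regardless of base score.
    if f.in_kev or (f.internet_facing and f.impact in ("rce", "auth_bypass")):
        return "Critical"
    rank = TIERS.index(cvss_band(f.cvss))          # factor 1: CVSS base score
    if f.public_poc:
        rank += 1
    if f.internet_facing or f.sensitive_data:      # factor 3: business context
        rank += 1
    elif f.isolated:
        rank -= 1
    return TIERS[max(0, min(rank, len(TIERS) - 1))]

def sla_days(f: Finding):
    return SLA_DAYS[tier(f)]

def triage_order(findings):
    # Highest tier first; within a tier, KEV-listed findings before the rest,
    # then by CVSS. This is why a CVSS 7 in KEV sorts ahead of a CVSS 9 not in KEV.
    return sorted(findings, key=lambda f: (-TIERS.index(tier(f)), not f.in_kev, -f.cvss))
```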
Common Canadian SMB findings (the patterns)
Most first-assessment findings cluster into a small set of repeating patterns. Documenting them in advance speeds up triage and helps clients understand why the report looks the way it does.
| Pattern | Why it appears | Typical fix |
|---|---|---|
| Exposed RDP or SMB on edge | Legacy remote access never disabled after VPN rollout | Block at firewall, force VPN plus MFA |
| Unpatched VPN or firewall firmware | Vendor advisories not subscribed; patch fear | Subscribe to vendor PSIRT, schedule maintenance |
| Stale Windows Server builds | Reboot avoidance on production hosts | Cluster, patch, validate, then cut over |
| Default or shared local admin | Image-build hygiene drift | Deploy LAPS, randomize credentials |
| SMBv1, TLS 1.0, deprecated ciphers | Legacy compatibility checkbox left enabled | GPO disable, validate dependencies first |
| Out-of-support OS or appliance | Capex deferral on aging hardware | Replace, isolate, or accept risk in writing |
FIELD NOTE / FUSION COMPUTING
On a 60-seat Hamilton manufacturer onboarding earlier this year, our first authenticated Nessus pass returned 412 findings across 47 hosts. Half were the same Java JRE on the shop-floor MES. We grouped findings by software package, deployed one MSI to one OU, and closed 196 findings in a single change window. The lesson we keep relearning: report by package, not by host. The fix list looks short and the SLA is hit.
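The "report by package, not by host" approach from the field note, as an added Python example (not Fusion Computing's code): it turns a host-by-host scanner export into a package-level fix list ordered by the SLA tier that governs each change. The CSV it parses is constructed sample data, and its column names are assumed.

```python
# Added example, not Fusion Computing's code: turning a host-by-host scanner
# export into the package-level fix list the field note describes. The CSV
# below is constructed sample data; real exports vary by scanner.
import csv
import io
from collections import defaultdict

SAMPLE_EXPORT = """\
host,package,cve,tier
mes-01,Oracle Java JRE 8u202,CVE-0000-1001,High
mes-01,Oracle Java JRE 8u202,CVE-0000-1002,High
mes-02,Oracle Java JRE 8u202,CVE-0000-1001,High
mes-02,Oracle Java JRE 8u202,CVE-0000-1002,High
fs-01,Windows Server 2019 cumulative,CVE-0000-2001,Critical
fs-01,Windows Server 2019 cumulative,CVE-0000-2002,High
fs-01,Windows Server 2019 cumulative,CVE-0000-2003,High
hr-pc-07,Adobe Reader DC,CVE-0000-3001,Medium
edge-fw,VPN appliance firmware,CVE-0000-4001,Critical
"""

TIER_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def group_by_package(export_csv):
    """One entry per package: findings closed by fixing it, hosts to touch,
    and the most severe tier it carries (which sets the SLA for the change)."""
    groups = defaultdict(lambda: {"findings": 0, "hosts": set(), "worst": "Low"})
    for row in csv.DictReader(io.StringIO(export_csv)):
        g = groups[row["package"]]
        g["findings"] += 1
        g["hosts"].add(row["host"])
        if TIER_RANK[row["tier"]] < TIER_RANK[g["worst"]]:
            g["worst"] = row["tier"]
    fix_list = [
        {"package": pkg, "findings": g["findings"],
         "hosts": sorted(g["hosts"]), "worst": g["worst"]}
        for pkg, g in groups.items()
    ]
    # Worst tier first, then by number of findings closed, so each change
    # window hits the tightest SLA and yields the biggest drop in open findings.
    fix_list.sort(key=lambda x: (TIER_RANK[x["worst"]], -x["findings"]))
    return fix_list

def package_coverage(export_csv, top_n):
    """Share of all findings closed by fixing only the first top_n packages."""
    fix_list = group_by_package(export_csv)
    total = sum(x["findings"] for x in fix_list)
    closed = sum(x["findings"] for x in fix_list[:top_n])
    return closed / total if total else 0.0
```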
Why this matters for Canadian businesses: The Canadian Centre for Cyber Security and the Canadian Anti-Fraud Centre both report that ransomware and business email compromise losses against Canadian SMBs frequently begin on a single exposed service or unpatched edge device. CyberSecure Canada certification, PIPEDA safeguarding obligations, and most Canadian cyber insurance underwriting now treat quarterly vulnerability assessments and documented remediation SLAs as the defensible baseline.
Remediation: closing the loop
The assessment creates value only when findings are closed. Treat remediation as a tracked workstream with named owners, ticketed change requests, and a retest gate. Each closed finding gets a scanner re-run as evidence; each accepted finding gets a written rationale, a compensating control, and a review date. The pack of closed-loop evidence is what cyber insurance and CyberSecure Canada auditors want to see.
For Canadian SMBs without an internal security team, an MSP-led program collapses scope, scan, validate, and remediate into one accountable workflow. Fusion Computing runs assessments under CIS Controls v8.1 with PIPEDA-aligned reporting and PHIPA-aware handling for healthcare clients.
FAQ
How often should a Canadian SMB run a network vulnerability assessment?
The defensible cadence is monthly automated scans plus a full-methodology assessment quarterly, with extra cycles after any major change (new firewall, new site, new application, post-incident). This aligns with CIS Controls v8.1 and what Canadian cyber insurance underwriters now expect at renewal.
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment finds, validates, and ranks weaknesses across a broad asset base. A penetration test deeply exploits a smaller scope to prove real-world impact. NIST SP 800-115 frames assessments as foundational and pen tests as higher-assurance follow-on work. Most Canadian SMBs need a strong assessment program before commissioning a pen test.
Which scanner is best for a Canadian SMB?
For first-time programs, Tenable Nessus has the broadest plugin coverage and the lowest learning curve. Microsoft Defender Vulnerability Management is the right pick if the firm already runs Defender for Endpoint on every Windows host. Qualys and Rapid7 InsightVM fit organizations standardizing on those vendor stacks. Methodology matters more than the tool choice.
Do internal scans need to be authenticated?
Yes. Unauthenticated internal scans miss most missing-patch findings and produce noisy false positives. Use a service account with read-only or local admin rights, scoped to the scanner appliance, with credentials rotated each cycle. Authenticated scanning is what generates the patch-level CVE detail that drives remediation tickets.
How should we handle findings on a system we cannot patch?
Document accepted risk in writing with a named approver, a compensating control (segmentation, WAF, host firewall, monitoring), and a scheduled review date. Auditors and underwriters accept residual risk on legacy systems if the decision is documented. They do not accept silent omission.
Does PIPEDA require vulnerability assessments?
PIPEDA does not name a specific control, but its safeguarding principle requires security appropriate to the sensitivity of the data. The Office of the Privacy Commissioner has consistently treated failure to identify and remediate known vulnerabilities as a safeguarding failure when a breach follows. Quarterly assessments with documented remediation are the practical floor.
How do CISA KEV and CVSS work together?
CVSS scores severity in the abstract; the CISA Known Exploited Vulnerabilities catalog flags CVEs being actively used by attackers right now. A CVSS 7 in KEV beats a CVSS 9 not in KEV for triage. Canadian SMBs should treat any KEV-listed finding on an in-scope asset as a 72-hour SLA item regardless of base score.
How long does a network vulnerability assessment take?
For a typical Canadian SMB (50 to 250 endpoints, single site, one cloud tenant), a full first-cycle assessment runs three to five business days end-to-end: one day scope and discovery, one to two days scanning, one day validation and scoring, one day reporting. Subsequent quarterly cycles compress to two to three days as the asset inventory stabilizes.
Can vulnerability scanning break production systems?
Default scan profiles in Nessus, Qualys, and InsightVM are tuned to be safe on production. Fragile OT, medical devices, and very old appliances can still react badly. The scope document should list exclusions and a slower scan profile for sensitive segments. Run aggressive checks only in pre-production or with explicit approval.
Fusion Computing is a Canadian-owned managed IT and cybersecurity provider serving businesses with 10 to 150 employees since 2012. CISSP-led security leadership, CIS Controls v8.1 alignment, and a 93% first-contact resolution rate on the help desk.

