Security Vulnerability Assessment: A Complete Guide for SMBs


A security vulnerability assessment is a systematic, non-exploitative scan of an organization’s IT environment that identifies, classifies, and prioritizes known weaknesses across servers, endpoints, network devices, cloud workloads, and applications. The output is a CVSS-scored remediation plan, not a one-time PDF.

According to the Canadian Centre for Cyber Security 2025-2027 Ransomware Threat Outlook, ransomware operators increasingly weaponize known, unpatched CVEs because custom exploit development is no longer the cheapest path in.

According to the Verizon 2025 Data Breach Investigations Report, roughly 60% of breaches involved a known vulnerability that had not been patched at the time of compromise.

According to NIST’s National Vulnerability Database, more than 33,000 new CVEs were published in 2025, almost double the 2020 volume.

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

KEY TAKEAWAYS

  • A security vulnerability assessment scores known weaknesses; a penetration test attempts to exploit them. Run both, on different cadences.
  • External scans simulate an attacker on the internet. Internal scans simulate a compromised laptop. Both are required for a defensible program.
  • The six-step methodology is Scope, Discover, Scan, Validate, Prioritize, Report. Skipping validation produces noise the business will ignore.
  • CVSS base scores are a starting point. Real prioritization uses temporal exploit data (KEV, EPSS) and asset business value.
  • Compliance-driven cadence in Canada is monthly authenticated scans, plus a fresh scan after every major change. Quarterly is the floor, not the goal.


What is a security vulnerability assessment?

A security vulnerability assessment is a structured process that discovers assets, scans them with authenticated tools, validates findings to remove false positives, and ranks issues by exploitability and business impact. It produces an evidence-backed remediation plan, not raw scanner output.

The methodology is documented in NIST SP 800-115 and reinforced by CIS Controls v8.1, which names continuous vulnerability management as Control 7. A defensible assessment covers the external attack surface, internal segments, cloud tenants, identity (Microsoft Entra ID), endpoints, and any web applications or APIs subject to OWASP Top 10 class flaws.

A vulnerability assessment is non-exploitative by design. The assessor confirms a flaw exists and could be exploited, but does not chain exploits or pivot. That distinction separates a vulnerability assessment from a penetration test and shapes the report’s legal posture, scope, and price.

Vulnerability assessment vs pen test vs risk assessment

The three terms are used interchangeably in sales conversations and almost never in audit reports. Each answers a different question and runs on a different cadence.

| Engagement | Question answered | Scope | Cadence |
| --- | --- | --- | --- |
| Vulnerability assessment | Where am I exposed? | Broad, automated, scored | Monthly to quarterly |
| Penetration test | Can an attacker reach my crown jewels? | Narrow, manual, exploit-driven | Annual or post-major-change |
| Risk assessment | What is the business loss exposure? | Process, people, data, controls | Annual, board-level |

A vulnerability assessment feeds the pen test scope, and the risk assessment frames both.

For a deeper comparison of testing styles, see Fusion Computing’s pages on network penetration testing and network security testing, and the practitioner guide on how to conduct a cybersecurity risk assessment.

Internal vs external vulnerability scanning

An external vulnerability scan runs from the public internet against a defined IP or hostname range. It models an unauthenticated attacker probing the perimeter for exposed services, weak TLS, default credentials, and known CVEs in edge appliances. External scans are the cheapest evidence the front door is locked.

An internal vulnerability scan runs from inside the network, typically with an authenticated agent or scan account that can log into hosts. It models a compromised endpoint, a malicious insider, or post-phishing lateral movement. Internal scans surface unpatched workstations, weak service accounts, and privilege escalation paths the perimeter scan cannot see.

Across roughly 200 Canadian SMB engagements Fusion Computing has scoped since 2018, internal authenticated scans surface four to seven times more critical findings than unauthenticated external scans against the same client. Skipping the internal pass is the single most common gap we see in incumbent assessments.

A defensible program runs both, on the same cadence, against the same asset inventory, with results reconciled in one report.

The 6-step VA methodology

| Step | Goal | Typical artefact |
| --- | --- | --- |
| 1. Scope | Define IP ranges, cloud tenants, exclusions, change windows. | Signed rules-of-engagement |
| 2. Discover | Enumerate live assets, services, owners. | Asset inventory + ownership map |
| 3. Scan | Run authenticated tooling (Nessus, Qualys, Rapid7 InsightVM, Microsoft Defender Vulnerability Management). | Raw findings export |
| 4. Validate | Confirm exploitability, drop false positives, capture evidence. | Validated finding list with screenshots |
| 5. Prioritize | Apply CVSS, KEV, EPSS, and asset business value. | Risk-ranked remediation queue |
| 6. Report | Brief executives, hand owners technical detail, schedule rescan. | Executive summary + technical appendix |

Adapted from NIST SP 800-115 and CIS Controls v8.1 Control 7.

Steps 4 and 5 are where most low-cost assessments collapse. A scanner export with 4,000 unvalidated findings is not an assessment; it is homework that nobody on the IT team has time to do.
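The reconciliation and validation work described in the internal vs external section and in Steps 2 to 4 above, as an added example rather than Fusion Computing's or any scanner vendor's tooling. It merges an external and an internal export into one record per asset and CVE, attaches the owner from the inventory, applies the analyst's validation decisions, and flags scanned hosts that nobody owns. The export format, inventory fields, IP addresses, CVE placeholders and validation notes are all constructed for the illustration.

```python
"""Reconcile an external and an internal scan export against one asset inventory,
then apply the analyst's validation decisions (Steps 2 to 4 of the methodology).

Added example, not Fusion Computing's or any scanner vendor's tooling. The
export format, the inventory fields, the IPs, the CVE placeholders and the
validation notes are all constructed for this illustration.
"""
from collections import Counter

# Constructed Step 2 artefact: asset inventory with an ownership map.
INVENTORY = {
    "10.0.1.10": {"hostname": "mail01", "owner": "infra-team"},
    "10.0.1.20": {"hostname": "fs01", "owner": "infra-team"},
    "10.0.2.5": {"hostname": "hr-laptop-07", "owner": "hr"},
}

# Constructed Step 3 artefacts: one row per (asset, CVE) from each scan.
# The CVE ids are placeholders, not real identifiers.
EXTERNAL_FINDINGS = [
    {"ip": "10.0.1.10", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "source": "external"},
    {"ip": "10.0.1.10", "cve": "CVE-EXAMPLE-0002", "cvss": 5.3, "source": "external"},
]
INTERNAL_FINDINGS = [
    {"ip": "10.0.1.10", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "source": "internal"},
    {"ip": "10.0.1.20", "cve": "CVE-EXAMPLE-0003", "cvss": 7.5, "source": "internal"},
    {"ip": "10.0.2.5", "cve": "CVE-EXAMPLE-0004", "cvss": 8.8, "source": "internal"},
    {"ip": "10.0.9.9", "cve": "CVE-EXAMPLE-0005", "cvss": 6.1, "source": "internal"},
]

# Constructed Step 4 decisions: (ip, cve) -> (status, evidence the analyst captured).
VALIDATION = {
    ("10.0.1.10", "CVE-EXAMPLE-0001"): ("confirmed", "authenticated package check: fix absent"),
    ("10.0.1.10", "CVE-EXAMPLE-0002"): ("false positive", "vendor backported the fix; changelog captured"),
    ("10.0.1.20", "CVE-EXAMPLE-0003"): ("confirmed", "authenticated package check: fix absent"),
    ("10.0.2.5", "CVE-EXAMPLE-0004"): ("confirmed", "missing update confirmed in update history"),
}


def reconcile(external, internal, inventory, validation):
    """Merge both exports into one record per (asset, CVE), attach the owner from the
    inventory, and stamp each record with its validation status. Records with no
    analyst decision stay 'unvalidated' so they cannot slip into the report unseen."""
    merged = {}
    for f in external + internal:
        key = (f["ip"], f["cve"])
        asset = inventory.get(f["ip"], {})
        rec = merged.setdefault(key, {
            "ip": f["ip"],
            "hostname": asset.get("hostname", "UNKNOWN"),
            "owner": asset.get("owner", "UNASSIGNED"),
            "cve": f["cve"],
            "cvss": f["cvss"],
            "seen_by": set(),
        })
        rec["seen_by"].add(f["source"])
    records = []
    for key, rec in merged.items():
        status, evidence = validation.get(key, ("unvalidated", ""))
        rec["status"], rec["evidence"] = status, evidence
        rec["seen_by"] = tuple(sorted(rec["seen_by"]))
        records.append(rec)
    return sorted(records, key=lambda r: (-r["cvss"], r["ip"], r["cve"]))


def validated_queue(records):
    """Only confirmed findings go forward to prioritization (the Step 4 artefact)."""
    return [r for r in records if r["status"] == "confirmed"]


def coverage(records):
    """Count (asset, CVE) pairs per scan type: shows what the perimeter scan alone misses."""
    labels = {("external",): "external only", ("internal",): "internal only",
              ("external", "internal"): "both"}
    return dict(Counter(labels[r["seen_by"]] for r in records))


def discovery_gaps(records, inventory):
    """Scanned IPs with no inventory entry: a Step 2 gap, and nobody to assign the fix to."""
    return sorted({r["ip"] for r in records if r["ip"] not in inventory})


if __name__ == "__main__":
    recs = reconcile(EXTERNAL_FINDINGS, INTERNAL_FINDINGS, INVENTORY, VALIDATION)
    for r in recs:
        print(f'{r["hostname"]:14} {r["cve"]:18} {r["cvss"]:4} {r["status"]:15} '
              f'{"+".join(r["seen_by"])}')
    print("coverage:", coverage(recs))
    print("unowned assets:", discovery_gaps(recs, INVENTORY))
```

On this constructed data the internal pass accounts for three of the four confirmed-or-pending findings, the external-only finding is the one the analyst dismissed as a backported fix, and one host was scanned but never inventoried, which is exactly the kind of gap the ownership map in Step 2 exists to catch.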

CVSS scoring and prioritization

The Common Vulnerability Scoring System (CVSS) version 3.1, maintained alongside NIST’s National Vulnerability Database, is the standard severity score attached to every CVE. The base score (0.0 to 10.0) measures intrinsic severity. It does not measure whether an exploit exists or whether the affected asset matters to the business.

| CVSS band | Score | SMB remediation SLA |
| --- | --- | --- |
| Critical | 9.0 to 10.0 | 7 days, faster if on the CISA KEV list |
| High | 7.0 to 8.9 | 30 days |
| Medium | 4.0 to 6.9 | 90 days |
| Low | 0.1 to 3.9 | Next maintenance window |

CVSS bands per NIST NVD. SLAs above are Fusion Computing's baseline; client policies override.

Mature programs layer two more inputs on top of CVSS. The CISA Known Exploited Vulnerabilities (KEV) catalog flags CVEs under active exploitation; the FIRST EPSS score estimates the probability of exploitation in the next 30 days. A CVSS 8.1 with EPSS 0.92 and a place on KEV is a different problem than a CVSS 9.8 with EPSS 0.01 and no public exploit.
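The layering described in this section, as an added example that is not Fusion Computing's scoring method: the CVSS band sets the remediation SLA from the table above, while KEV membership, EPSS and asset business value decide the order of the queue. The findings, EPSS values and KEV flags are constructed; real KEV data comes from CISA's catalog and real EPSS from FIRST's feed, neither of which is fetched here. The 1-to-5 asset value scale and the 3-day deadline for KEV entries are assumptions, since the page only says "faster".

```python
"""Turn validated findings into a risk-ranked remediation queue (Step 5), using the
CVSS band for the SLA and KEV membership, EPSS and asset business value for the order.

Added example, not Fusion Computing's scoring method. The findings, EPSS values
and KEV flags below are constructed; in practice KEV comes from CISA's published
catalog and EPSS from FIRST's daily feed, neither of which is fetched here.
The asset value scale (1 to 5) and the 3-day KEV deadline are assumptions.
"""

# SLA per CVSS band, from the table above. None means "next maintenance window".
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": None}
KEV_SLA_DAYS = 3  # assumption: the page says "faster if on KEV" without a number

# Constructed validated findings. asset_value runs from 1 (lab box) to 5 (crown jewels).
FINDINGS = [
    {"id": "F1", "asset": "vpn-gw", "cvss": 8.1, "epss": 0.92, "kev": True, "asset_value": 4},
    {"id": "F2", "asset": "dev-test", "cvss": 9.8, "epss": 0.01, "kev": False, "asset_value": 2},
    {"id": "F3", "asset": "fs01", "cvss": 7.5, "epss": 0.30, "kev": False, "asset_value": 5},
    {"id": "F4", "asset": "kiosk", "cvss": 5.3, "epss": 0.02, "kev": False, "asset_value": 1},
    {"id": "F5", "asset": "erp-db", "cvss": 9.1, "epss": 0.60, "kev": False, "asset_value": 5},
]


def cvss_band(score):
    """Map a CVSS v3.1 base score to its NVD severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


def sla_days(score, on_kev):
    """Remediation SLA in days: the CVSS band sets it, KEV membership shortens it."""
    days = SLA_DAYS.get(cvss_band(score))
    if on_kev:
        return KEV_SLA_DAYS if days is None else min(days, KEV_SLA_DAYS)
    return days


def priority_score(f):
    """Exploit likelihood (EPSS) times business value, nudged by intrinsic severity.
    This is the ordering key, not the SLA: a CVSS 9.8 with EPSS 0.01 on a lab box
    keeps its Critical SLA but queues behind likelier, more valuable targets."""
    return f["epss"] * f["asset_value"] * (1 + f["cvss"] / 10)


def prioritize(findings):
    """Return the remediation queue: KEV first, then by priority score, with band and SLA."""
    queue = []
    for f in findings:
        queue.append({**f,
                      "band": cvss_band(f["cvss"]),
                      "sla_days": sla_days(f["cvss"], f["kev"]),
                      "priority": round(priority_score(f), 3)})
    return sorted(queue, key=lambda q: (not q["kev"], -q["priority"], -q["cvss"]))


if __name__ == "__main__":
    for rank, q in enumerate(prioritize(FINDINGS), 1):
        sla = "next window" if q["sla_days"] is None else f'{q["sla_days"]}d'
        print(f'{rank}. {q["id"]} {q["asset"]:9} CVSS {q["cvss"]} {q["band"]:8} '
              f'KEV={q["kev"]!s:5} EPSS={q["epss"]:.2f} priority={q["priority"]:.3f} SLA={sla}')
```

With this data the CVSS 8.1 finding on the KEV list lands at the top of the queue with the shortest deadline, while the CVSS 9.8 with EPSS 0.01 keeps its 7-day Critical SLA but queues fourth, behind two lower-scored findings on higher-value assets with real exploit probability.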

How often should you scan?

Compliance frameworks set the floor. PCI DSS requires quarterly external scans by an Approved Scanning Vendor and after every significant change. SOC 2 expects a documented vulnerability management cadence with evidence of remediation. OSFI’s 2025 to 2026 Annual Risk Outlook expects federally regulated entities to evidence quantified risk scoring and remediation timelines.

For Canadian SMBs outside regulated industries, the practical cadence is monthly authenticated internal and external scans, an out-of-band scan after any firewall change or major deployment, and a manual validation pass each quarter. Annual penetration testing sits on top of this cadence, not in place of it.


What does a quality VA report contain?

A defensible vulnerability assessment report has five layers. The executive summary frames business risk in plain language with a trend chart. The methodology section names the scanner, scan account privileges, and scope. The findings section lists each validated issue with CVSS, KEV flag, asset owner, and recommended fix. The remediation plan assigns dates and owners. The appendix carries raw scanner exports for auditors.

Field Note. When I review an incoming report from a prospective client, I look for two things first: scan authentication evidence and a validated finding count. If the report has neither, the assessment was a credentialled marketing exercise, not a security control. We rebuild the engagement from Step 1.

The report should also map findings to a control framework. CIS Controls v8.1 is our default for SMBs because it has implementation groups (IG1, IG2, IG3) sized to organizational maturity. NIST CSF 2.0 is the right choice for clients reporting up to a US parent. Either is acceptable; no framework at all is not.

How to choose a Canadian VA provider

Five tests separate a real provider from a reseller running a scanner.

First, ask which scanning platforms they license and operate, not which ones they have heard of. Tenable Nessus, Qualys, Rapid7 InsightVM, and Microsoft Defender Vulnerability Management are the credible answers in 2026. A Microsoft 365 E5 shop should expect their provider to also operate Microsoft Defender for Endpoint and pull telemetry from Microsoft Entra ID conditional access logs.

Second, ask for an anonymized sample report. Look for validation evidence and CVSS plus KEV plus asset owner on every finding.

Third, confirm Canadian data residency for scan results and tooling. PIPEDA, Quebec Law 25, and OSFI guidance all reward providers that keep evidence in Canada.

Fourth, confirm CISSP, OSCP, or equivalent credentials on the named engagement lead, rather than somewhere on the team page.

Fifth, ask how rescans and remediation tracking are billed. A provider whose business model rewards open findings is the wrong partner.

For an MSP-led program that bundles vulnerability assessment with managed detection, endpoint protection, and identity hardening, see Fusion Computing’s cybersecurity services page and the supporting infrastructure security overview.

FAQ

How much does a security vulnerability assessment cost in Canada?

For a Canadian SMB with 25 to 250 endpoints, a one-time vulnerability assessment typically ranges from $4,500 to $18,000, scoped by external IP count, internal subnet count, and cloud tenant complexity. Ongoing managed VA inside an MSSP retainer is usually $400 to $1,800 per month.

Is a vulnerability assessment the same as a penetration test?

No. A vulnerability assessment identifies and scores weaknesses without exploiting them. A penetration test attempts to exploit weaknesses to prove business impact. Most Canadian compliance frameworks expect both, on different cadences.

What is CVSS and why does it matter?

The Common Vulnerability Scoring System assigns each CVE a base severity from 0.0 to 10.0. CVSS gives a defensible starting point for prioritization, but mature programs combine it with CISA KEV and EPSS data plus the business value of the affected asset.

How long does a vulnerability assessment take?

A scoped assessment for a 100-endpoint Canadian SMB typically runs five to ten business days end to end: one day to scope, one to two days to scan, two to three days to validate, and one to two days to report.

What tools do credible providers use?

Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, and Microsoft Defender Vulnerability Management are the four mainstream platforms. Microsoft 365 E5 customers should also expect Microsoft Defender for Endpoint telemetry and Microsoft Entra ID identity posture data folded into the report.

How does a vulnerability assessment support compliance?

Quarterly scans with evidence of remediation satisfy PCI DSS, SOC 2 CC7.1, ISO 27001 A.12.6.1, OSFI B-13, and most cyber insurance underwriting questionnaires. Without documented assessments, premium increases and renewal denials are now routine in Canada.

Can a vulnerability assessment cause downtime?

Authenticated scans are tuned to be non-disruptive and run inside change windows. Legacy SCADA, medical, and embedded devices need explicit exclusions. A reputable provider documents these exclusions before scanning, not after an outage.

What is the difference between authenticated and unauthenticated scans?

Unauthenticated scans probe assets the way an outsider would. Authenticated scans log into hosts with a scan account and read installed-software inventory. Authenticated scans surface four to seven times more findings and dramatically reduce false positives.

How does the Canadian Centre for Cyber Security guidance affect SMBs?

The Canadian Centre for Cyber Security publishes baseline cyber security controls for small and medium organizations and the annual Ransomware Threat Outlook. Both name vulnerability management as a foundational control, not an optional one.
