Vulnerability Scanning for Cyber Essentials Plus: A Practical Guide

Vulnerability scanning is the cornerstone of the Cyber Essentials Plus technical assessment. Unlike the self-assessed Cyber Essentials certification, the Plus level requires an accredited assessor to conduct hands-on technical testing of your systems — and external vulnerability scanning is typically the first element they perform. Understanding what vulnerability scanning involves, what it looks for, and how to prepare for it is essential for achieving a first-time pass.

This guide explains vulnerability scanning in the context of Cyber Essentials Plus, covering the technical requirements, common findings, preparation strategies, and how to interpret and remediate scan results.

What Is Vulnerability Scanning?

Vulnerability scanning is the automated process of probing computer systems, networks, and applications to identify known security weaknesses. A vulnerability scanner sends carefully crafted requests to target systems and analyses the responses to determine whether known vulnerabilities are present. Unlike penetration testing, which involves active exploitation of vulnerabilities, scanning is a non-intrusive identification exercise.

In the Cyber Essentials Plus context, vulnerability scanning serves a specific purpose: to verify that your internet-facing systems are free from known, exploitable vulnerabilities that could be used by attackers to compromise your organisation. The scan results provide objective, technical evidence that your systems meet the patching and secure configuration requirements of the scheme.

  • 28,000+ new vulnerabilities published in 2025 (CVE database)
  • 14 days: maximum window to patch critical vulnerabilities
  • 85% of breaches exploit known, patchable vulnerabilities

How Vulnerability Scanning Works in Cyber Essentials Plus

The Cyber Essentials Plus assessment includes an external vulnerability scan of your organisation's internet-facing IP addresses and domains. The assessor uses professional-grade scanning tools to examine every publicly accessible service, port, and application endpoint. The scan identifies:

Missing patches — software with known security updates that have not been applied. This is the most common finding and directly tests the patch management control.

Insecure configurations — services running with default settings, weak encryption protocols, or unnecessary features enabled. This tests the secure configuration control.

Open ports and services — network services accessible from the internet that should be restricted or removed. This tests the firewalls and internet gateways control.

Weak or default credentials — where authentication services are exposed and configured with weak or default passwords. This relates to the user access control requirement.

SSL/TLS weaknesses — expired certificates, outdated protocol versions, or weak cipher suites that could expose communications to interception.

Vulnerability Severity Levels

Vulnerability scanners classify findings using the Common Vulnerability Scoring System (CVSS), which assigns a severity score from 0 to 10. Understanding these severity levels is crucial for prioritising remediation efforts.

Severity   CVSS range   Required action              Assessment impact
Critical   9.0–10.0     Must fix immediately         Assessment failure
High       7.0–8.9      Must fix before assessment   Likely failure
Medium     4.0–6.9      Should remediate             Assessor discretion
Low        0.1–3.9      Address when possible        Informational

For Cyber Essentials Plus, critical and high severity vulnerabilities will almost certainly cause your assessment to fail. These represent actively exploitable weaknesses that attackers could use to compromise your systems. Medium severity vulnerabilities are assessed on a case-by-case basis — some will cause failure, particularly if they relate to missing patches or insecure configurations, whilst others may be accepted with appropriate justification.

Low severity findings are generally informational and unlikely to cause assessment failure on their own. However, a pattern of low-severity issues may indicate broader configuration or maintenance weaknesses that the assessor may flag.

What Gets Scanned

The external vulnerability scan covers all internet-facing IP addresses and domains owned or controlled by your organisation. This includes:

  • Your primary website and any subdomains
  • Email servers (SMTP, IMAP, POP3)
  • VPN gateways and remote access endpoints
  • Cloud-hosted services with public IP addresses
  • Web applications and APIs
  • DNS servers
  • Any other service accessible from the public internet

It is essential that you provide the assessor with a complete and accurate list of your internet-facing assets. Omitting assets from the scan scope can itself result in a failure if the assessor discovers unlisted services during the assessment.

Warning

Forgotten or abandoned services are a common source of assessment failures. Legacy web servers, old test environments, decommissioned VPN endpoints, and unused subdomains may still be publicly accessible and running unpatched software. Conduct a thorough asset discovery exercise before your assessment.

Common Vulnerability Findings

Based on extensive experience supporting organisations through Cyber Essentials Plus assessments, the most frequently encountered vulnerability scan findings fall into several categories.

Missing Security Patches

The single most common finding is unpatched software. This includes operating system patches, web server updates (Apache, Nginx, IIS), programming language runtime updates (PHP, Java, .NET), CMS updates (WordPress, Drupal), and SSL/TLS library updates (OpenSSL). The Cyber Essentials requirement is clear: all software must be patched within 14 days of a security update being published.

For externally facing services, patch currency is critical. A web server running an outdated version of Apache with known vulnerabilities will be flagged immediately. Similarly, a WordPress installation with outdated plugins represents a well-known and frequently exploited attack vector.

Outdated SSL/TLS Configuration

SSL/TLS vulnerabilities are extremely common in scan results. Findings include support for deprecated protocols (TLS 1.0 and 1.1), weak cipher suites (RC4, DES, 3DES), expired or self-signed certificates, and missing security headers. While TLS 1.0 and 1.1 have been deprecated for years, many organisations still have services that support these protocols for backward compatibility.

The current expectation is that internet-facing services support TLS 1.2 as a minimum, with TLS 1.3 preferred, and that TLS 1.0 and 1.1 are disabled entirely. Cipher suites should be restricted to those providing forward secrecy and strong encryption (AES-256 or AES-128 in GCM mode).
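To make these expectations checkable, here is an added example (not code from the original post or from Cloudswitched) that grades a service's reported protocol versions, cipher suites and certificate expiry against the policy just described. It assumes cipher names in OpenSSL notation, as scanners and `openssl s_client` usually report them, and the sample input is a constructed picture of a legacy web server rather than a real host.

```python
"""Evaluate a service's TLS offering against the expectations above: TLS 1.2
minimum with 1.3 preferred, TLS 1.0/1.1 off, no RC4/DES/3DES, forward secrecy
and an AEAD suite (AES-GCM or ChaCha20) only, and an unexpired certificate.
Cipher names are assumed to be in OpenSSL notation, as scanners usually report them.
"""
from datetime import date

WEAK_ALGS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # "DES" also catches 3DES (DES-CBC3-*)
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}    # everything below TLS 1.2
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def cipher_issues(name: str) -> list[str]:
    """Return the policy violations for one OpenSSL-style cipher suite name."""
    issues = []
    upper = name.upper()
    if any(alg in upper for alg in WEAK_ALGS):
        issues.append(f"{name}: weak algorithm")
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral key
    # exchange; TLS 1.2 suites only give forward secrecy with ECDHE or DHE.
    if not upper.startswith(("TLS_", "ECDHE-", "DHE-")):
        issues.append(f"{name}: no forward secrecy")
    if "GCM" not in upper and "CHACHA20" not in upper:
        issues.append(f"{name}: not an AEAD suite (GCM or ChaCha20 expected)")
    return issues


def evaluate(protocols: set[str], ciphers: list[str],
             cert_not_after: str, today: str) -> list[str]:
    """List what the assessor's scanner would flag; dates are ISO strings."""
    findings = []
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"{proto} enabled: disable it (TLS 1.2 is the minimum)")
    if not protocols & ACCEPTED_PROTOCOLS:
        findings.append("neither TLS 1.2 nor TLS 1.3 is offered")
    elif "TLSv1.3" not in protocols:
        findings.append("TLS 1.3 not offered (preferred)")
    for cipher in ciphers:
        findings.extend(cipher_issues(cipher))
    if date.fromisoformat(cert_not_after) < date.fromisoformat(today):
        findings.append(f"certificate expired on {cert_not_after}")
    return findings


if __name__ == "__main__":
    # Constructed picture of a legacy web server, not a real host.
    for line in evaluate({"TLSv1", "TLSv1.1", "TLSv1.2"},
                         ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA"],
                         "2024-01-01", "2025-06-01"):
        print(line)
```

Feed it the protocol and cipher list from your own pre-scan output; an empty result means nothing in this category should appear in the assessor's report.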

Exposed Administrative Interfaces

Administrative interfaces accessible from the internet represent a significant risk. Examples include WordPress admin panels (/wp-admin), database management tools (phpMyAdmin), server administration panels (cPanel, Plesk), and network device management interfaces. These should either be restricted to specific IP addresses, placed behind VPN access, or removed from public accessibility entirely.

Information Disclosure

Vulnerability scanners often identify information disclosure issues — server version headers, detailed error pages, directory listings, and exposed configuration files. While these are typically medium or low severity, they provide attackers with valuable reconnaissance information that aids further attacks.

Preparing for the Scan

Preparation is the key to a clean vulnerability scan. The following steps will significantly reduce the likelihood of unexpected findings.

Step 1: Asset discovery. Create a comprehensive inventory of all internet-facing systems. Use tools like Shodan, Censys, or DNS enumeration to discover all public-facing assets associated with your organisation. Cross-reference this against your known asset register to identify any forgotten or shadow IT services.

Step 2: Pre-scan with your own tools. Before the assessment, conduct your own vulnerability scan using tools such as Nessus, OpenVAS, Qualys, or Rapid7 InsightVM. This gives you visibility into what the assessor will find and time to remediate before the formal test. Many of these tools offer free community editions suitable for pre-assessment scanning.

Step 3: Patch everything. Apply all available security patches to internet-facing systems. Pay particular attention to web servers, content management systems, SSL/TLS libraries, and any public-facing applications. Verify patch levels after deployment to confirm updates were applied successfully.

Step 4: Review configurations. Check SSL/TLS settings, disable deprecated protocols and weak ciphers, remove unnecessary services, and restrict access to administrative interfaces. Use tools like SSL Labs Server Test to verify your TLS configuration meets current best practice.

Step 5: Remove or isolate legacy systems. If you have old systems that cannot be patched or updated, either decommission them or isolate them behind a firewall that prevents public access. A legacy server running unsupported software will cause assessment failure if it is accessible from the internet.
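The asset discovery and configuration review steps above come down to one comparison: what the internet can see versus what the asset register says should be there. The following is an added example (not Cloudswitched's tooling) that performs that reconciliation over constructed input: a host,ip,port,service CSV of the kind a DNS enumeration or Shodan export might give, a register of the services each host is meant to expose, and the list of administrative interfaces the post says must not be public. Hostnames, addresses and service labels are all made up for the example.

```python
"""Reconcile external discovery output against the asset register so that forgotten
hosts, unlisted services and exposed admin interfaces surface before the assessor's
scan. Inputs are constructed: a host,ip,port,service CSV and a register of intent."""
import csv
import io
# Constructed discovery export (RFC 5737 documentation addresses, not real hosts).
DISCOVERY_CSV = """host,ip,port,service
www.example.org,203.0.113.10,443,https
www.example.org,203.0.113.10,443,wp-admin
mail.example.org,203.0.113.20,25,smtp
old-test.example.org,203.0.113.30,443,https
old-test.example.org,203.0.113.30,8443,plesk-admin
vpn.example.org,203.0.113.40,443,https
"""

# Constructed register: host -> services the business intends to expose.
REGISTER = {
    "www.example.org": {"https", "http"},
    "mail.example.org": {"smtp"},
    "vpn.example.org": {"https"},
    "legacy-api.example.org": {"https"},   # still registered, never seen
}

# Interface labels the post says must not be reachable from the internet.
ADMIN_SERVICES = {"wp-admin", "phpmyadmin", "cpanel", "plesk-admin"}

def reconcile(discovery_csv: str, register: dict[str, set[str]]) -> dict:
    """Return the discrepancies an assessor could turn into findings."""
    seen: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(discovery_csv)):
        seen.setdefault(row["host"], set()).add(row["service"])
    report = {
        "unregistered_hosts": sorted(h for h in seen if h not in register),  # shadow IT
        "hosts_not_seen": sorted(h for h in register if h not in seen),      # stale or offline
        "unexpected_services": {},   # registered host exposing a service not in the register
        "exposed_admin": {},         # any host exposing an admin interface
    }
    for host, services in sorted(seen.items()):
        admin = sorted(services & ADMIN_SERVICES)
        if admin:
            report["exposed_admin"][host] = admin
        if host in register:
            extra = sorted(services - register[host])
            if extra:
                report["unexpected_services"][host] = extra
    return report

if __name__ == "__main__":
    print(reconcile(DISCOVERY_CSV, REGISTER))
```

Every entry under unregistered_hosts or exposed_admin is a candidate for decommissioning or IP restriction before the formal scan; hosts_not_seen are register entries to verify or retire so the scope you hand the assessor stays accurate.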

Interpreting Scan Results

When you receive vulnerability scan results — either from your own pre-assessment scan or from the assessor — understanding how to interpret them is essential for effective remediation.

Each finding will typically include a CVE identifier (Common Vulnerabilities and Exposures), a description of the vulnerability, the affected service or software, the CVSS severity score, and recommended remediation steps. Focus your attention on the highest-severity findings first, as these pose the greatest risk and are most likely to cause assessment failure.

False positives are a reality of vulnerability scanning. Sometimes a scanner will report a vulnerability that does not actually exist in your environment — perhaps because the scanner misidentified a software version, or because mitigating controls render the vulnerability unexploitable. If you believe a finding is a false positive, document your reasoning clearly and discuss it with the assessor. Legitimate false positives can be excluded from the assessment results.
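Putting the severity table, the 14-day patching rule and the false-positive handling together, here is an added example (not from the original post) that triages a list of findings into an assessor's-eye view: each finding is banded by CVSS, marked overdue if its patch window has lapsed (14 days for Critical and High, 30 for Medium, as the post's SLA guidance suggests), set aside if it carries a documented false-positive justification, and the overall outcome is predicted from what remains. The findings, hosts and CVE-0000-* identifiers are constructed placeholders.

```python
"""Triage scan findings using the severity bands and patch windows described
above: band each by CVSS, flag those whose 14-day (30-day for Medium) window
has lapsed, set aside documented false positives, and predict the outcome.
Findings are constructed; CVE-0000-* ids are placeholders, not real CVEs."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = {"Critical": 14, "High": 14, "Medium": 30}  # Low: next maintenance window

@dataclass
class Finding:
    cve: str
    host: str
    cvss: float                    # CVSS base score as reported by the scanner
    fix_published: str             # ISO date the vendor published the fix
    false_positive_note: str = ""  # documented justification agreed with the assessor

def band(cvss: float) -> str:
    """Map a CVSS score onto the severity bands in the table above."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

def triage(findings: list[Finding], today: str) -> dict:
    """Return prioritised findings, excluded false positives and a predicted outcome."""
    now = date.fromisoformat(today)
    accepted, excluded = [], []
    for f in findings:
        if f.false_positive_note:
            excluded.append({"cve": f.cve, "reason": f.false_positive_note})
            continue
        severity = band(f.cvss)
        days_open = (now - date.fromisoformat(f.fix_published)).days
        window = PATCH_WINDOW_DAYS.get(severity)
        accepted.append({"cve": f.cve, "host": f.host, "severity": severity,
                         "cvss": f.cvss, "days_open": days_open,
                         "overdue": window is not None and days_open > window})
    accepted.sort(key=lambda r: (-r["cvss"], -r["days_open"]))  # worst and oldest first
    severities = {r["severity"] for r in accepted}
    if severities & {"Critical", "High"}:
        outcome = "fail"
    elif "Medium" in severities:
        outcome = "assessor discretion"
    else:
        outcome = "pass"
    return {"accepted": accepted, "excluded": excluded, "predicted_outcome": outcome}
```

The excluded list doubles as the record of false-positive reasoning you take into the discussion with the assessor; anything marked overdue is evidence the 14-day process itself needs attention, not just the individual patch.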

Pro Tip

Keep a record of all remediation actions taken in response to scan findings. This documentation demonstrates to the assessor that your organisation takes vulnerability management seriously and has a structured approach to addressing identified weaknesses. It also provides an audit trail for future assessments.

Internal Device Scanning

While the external vulnerability scan receives the most attention, the Cyber Essentials Plus assessment also includes an internal component where the assessor examines individual devices. Although this is not technically a vulnerability scan, the assessor will check device configuration, patch levels, and malware protection status — effectively performing a manual vulnerability assessment of sampled devices.

The internal assessment typically covers:

  • Operating system patch currency — are all critical and important updates applied?
  • Application patch currency — are browsers, office suites, and other applications up to date?
  • Malware protection status — is anti-malware software installed, running, and updated?
  • Firewall configuration — is the host firewall enabled and properly configured?
  • User account configuration — are administrative accounts limited and properly managed?
  • Auto-run settings — is auto-run disabled for external media?

Ensure that all devices that may be sampled during the assessment meet these requirements. A single laptop with an outstanding critical patch can cause the entire assessment to fail.

Ongoing Vulnerability Management

Passing the Cyber Essentials Plus vulnerability scan is not a one-time achievement — it requires ongoing vulnerability management to maintain compliance and genuine security throughout the certification year.

Implement a regular vulnerability scanning programme that runs at least monthly for external assets and quarterly for internal systems. Many organisations scan externally on a weekly basis, which provides earlier detection of new vulnerabilities and reduces the remediation window.

Subscribe to vulnerability notification services from your software vendors and from organisations like the NCSC. The NCSC publishes alerts for high-severity vulnerabilities affecting UK organisations, providing early warning and remediation guidance.

Establish a remediation SLA aligned with the Cyber Essentials 14-day requirement. Critical and high-severity vulnerabilities should be patched within 14 days of discovery. Medium-severity vulnerabilities should be addressed within 30 days. Low-severity findings can be scheduled for the next maintenance window.

Tools and Technologies

Several vulnerability scanning tools are commonly used in the Cyber Essentials Plus context:

Nessus Professional is one of the most widely used commercial vulnerability scanners, offering comprehensive coverage of network vulnerabilities, configuration issues, and compliance checks. It is frequently used by certification bodies for Cyber Essentials Plus assessments.

OpenVAS (now Greenbone Vulnerability Management) is a powerful open-source alternative that provides similar functionality to commercial tools. It is suitable for organisations wanting to conduct their own pre-assessment scanning without significant licensing costs.

Qualys offers cloud-based vulnerability management with comprehensive scanning capabilities. Its cloud delivery model makes it particularly suitable for organisations with distributed infrastructure.

SSL Labs Server Test is a free online tool specifically designed to test SSL/TLS configuration. It provides a detailed assessment of your web server's SSL/TLS settings and assigns a letter grade from A+ to F.

How Cloudswitched Can Help

At Cloudswitched, we provide comprehensive vulnerability scanning and management services to help organisations prepare for and maintain Cyber Essentials Plus certification. Our approach includes pre-assessment vulnerability scanning, remediation guidance and support, ongoing vulnerability management programmes, and expert interpretation of scan results.

We use industry-leading scanning tools and our experienced team understands the specific requirements and expectations of Cyber Essentials Plus assessments. We identify issues before the assessor does, provide clear remediation guidance, and verify that fixes have been applied correctly before the formal assessment begins.

Prepare Your Systems for Vulnerability Scanning

Cloudswitched provides expert vulnerability scanning and remediation services to ensure your organisation passes the Cyber Essentials Plus technical assessment first time.

Frequently Asked Questions

Will the vulnerability scan affect my live systems?
Vulnerability scanning is designed to be non-intrusive and should not affect the normal operation of your systems. However, in rare cases, poorly configured or fragile systems may experience issues. The assessor will typically confirm the scan scope and timing with you beforehand.

What if the scan finds vulnerabilities I cannot fix immediately?
If the formal assessment scan identifies critical or high-severity vulnerabilities, you will typically be given a remediation window (usually 30 days) to address them before a re-scan. Working with an experienced partner to conduct pre-assessment scanning significantly reduces this risk.

Do I need to scan internal systems myself?
The assessor handles the external scan. For internal devices, the assessor manually examines a sample. However, conducting your own internal vulnerability assessments is strongly recommended as good practice and helps ensure all devices meet the required standards.

How often should I scan after certification?
We recommend monthly external scans as a minimum, with weekly scanning for organisations with significant internet-facing infrastructure. Internal device assessments should be conducted quarterly. Regular scanning ensures ongoing compliance and early detection of new vulnerabilities.

Can cloud services be vulnerability scanned?
Cloud services like Microsoft 365 or Google Workspace are managed by the provider and cannot be directly scanned. However, the configuration of these services — access controls, MFA settings, and administrator account security — is within scope and will be examined during the assessment.

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.