Every UK business connected to the internet has vulnerabilities. Not might have — has. Unpatched software, misconfigured firewalls, weak passwords, outdated SSL certificates, exposed services, default credentials left on network devices — these weaknesses exist in virtually every business environment, and cybercriminals are actively scanning for them around the clock. The question is not whether your business has vulnerabilities, but whether you find and fix them before an attacker exploits them.
Vulnerability scanning is the systematic process of identifying security weaknesses in your IT environment. It uses automated tools to probe your systems, applications, and network infrastructure, cataloguing every vulnerability found and rating its severity. Think of it as a health check for your IT security — a structured examination that reveals problems you did not know existed, prioritises them by risk, and guides you towards effective remediation.
For UK businesses, vulnerability scanning is not just a best practice — it is increasingly an expectation. The National Cyber Security Centre (NCSC) recommends regular vulnerability scanning as a fundamental security measure. Cyber Essentials Plus certification requires an internal and external vulnerability scan. GDPR demands appropriate technical measures to protect personal data. And many supply chain questionnaires now ask specifically about vulnerability management practices. This guide explains how vulnerability scanning works, what it can and cannot find, and how to implement an effective scanning programme for your business.
What Is Vulnerability Scanning?
Vulnerability scanning is an automated process that examines your IT systems for known security weaknesses. A vulnerability scanner connects to your systems — either from outside your network (external scan) or from inside (internal scan) — and systematically checks for thousands of known vulnerabilities. These include missing security patches, software versions with known flaws, misconfigured services, weak encryption settings, default or easily guessable credentials, open ports that should be closed, and insecure protocol usage.
The scanner compares its findings against databases of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) database, and generates a report listing every issue found, rated by severity. Critical and high-severity vulnerabilities demand immediate attention. Medium and low-severity findings should be addressed in a planned remediation cycle.
Vulnerability scanning and penetration testing are complementary but distinct activities. Vulnerability scanning is automated, broad, and identifies known weaknesses across your entire environment. It tells you what vulnerabilities appear to exist but does not attempt to exploit them, and because it mostly matches version strings and configuration signatures, its output includes false positives that someone still has to triage. Penetration testing is manual, targeted, and performed by a skilled ethical hacker who actively attempts to exploit vulnerabilities to determine real-world impact. Think of vulnerability scanning as an automated security health check and penetration testing as a full security stress test. Most UK businesses should run vulnerability scans at least monthly and commission a penetration test annually. The NCSC recommends both as part of a comprehensive security programme.
Types of Vulnerability Scans
Different types of scans serve different purposes. Understanding these distinctions helps you build a comprehensive scanning programme.
External Scans
External scans examine your systems from the perspective of an attacker on the internet. They probe your public-facing assets — websites, email servers, VPN gateways, firewalls, and any other services accessible from the internet. External scans identify vulnerabilities that a remote attacker could exploit without needing physical or network access to your premises. Every UK business with internet-facing services should run external vulnerability scans at least monthly.
Internal Scans
Internal scans are conducted from inside your network, examining systems that are not visible from the internet. These scans often find far more vulnerabilities than external scans because internal systems are frequently less rigorously maintained — the firewall provides a false sense of security, leading to complacency about patching internal servers and workstations. Internal scans are essential because many attacks begin with phishing or social engineering to gain internal access, at which point internal vulnerabilities become exploitable.
Authenticated Scans
Authenticated scans provide the scanner with valid credentials to log into systems, allowing it to examine installed software, registry settings, file permissions, and configuration details that would not be visible from an unauthenticated scan. Authenticated scans find far more vulnerabilities, often several times as many, than unauthenticated scans, making them essential for a thorough assessment. Use a dedicated, least-privilege scanning account for this, store its credentials in the scanner's own vault rather than in a script, and monitor that account for logins from anywhere other than the scanner, because it is itself an attractive target.
What Vulnerability Scanning Finds
- Missing security patches and updates
- Software with known CVE vulnerabilities
- Misconfigured services and protocols
- Weak or default credentials
- Expired or weak SSL/TLS certificates
- Open ports exposing unnecessary services
- Outdated firmware on network devices
- Insecure file and folder permissions
What Scanning Cannot Find
- Zero-day vulnerabilities (unknown flaws)
- Business logic flaws in custom applications
- Social engineering susceptibility
- Physical security weaknesses
- Insider threat risks
- Complex multi-step attack chains
- Data leakage through legitimate channels
- Supply chain compromise risks
Popular Vulnerability Scanning Tools
The vulnerability scanning market offers tools ranging from free open-source options to enterprise-grade commercial platforms. Here is an overview of the most widely used tools for UK businesses.
| Tool | Type | Best For | Approximate Cost |
|---|---|---|---|
| Nessus Professional | Commercial | Comprehensive internal and external scanning | £2,500-£4,000/year |
| Qualys VMDR | Cloud-based (SaaS) | Enterprise vulnerability management | £5,000-£15,000/year |
| OpenVAS / Greenbone | Open source | Budget-conscious businesses with IT expertise | Free (community) / £3,000+ (enterprise) |
| Microsoft Defender Vulnerability Management | Integrated (M365) | Microsoft-centric environments | Included in M365 E5 / Defender for Endpoint P2 |
| Rapid7 InsightVM | Cloud + on-premises | Mid-market businesses needing remediation tracking | £4,000-£12,000/year |
Building a Vulnerability Management Programme
Scanning for vulnerabilities is only useful if you act on the findings. A vulnerability management programme provides the structure for discovering, prioritising, remediating, and tracking vulnerabilities on an ongoing basis.
Phase 1: Discovery and Inventory
Before you can scan for vulnerabilities, you need to know what you are scanning. Create a comprehensive inventory of all IT assets — servers, workstations, network devices, cloud services, web applications, and IoT devices. You cannot protect what you do not know about, and shadow IT (systems deployed without IT's knowledge) often harbours the most severe vulnerabilities.
Phase 2: Regular Scanning
Establish a scanning schedule that balances thoroughness with operational impact. We recommend external scans weekly or fortnightly, internal authenticated scans monthly, and additional scans after any significant infrastructure changes such as new server deployments, major software updates, or network configuration changes.
Phase 3: Prioritisation
Not all vulnerabilities are equal. A critical vulnerability on an internet-facing server is vastly more urgent than a low-severity finding on an internal workstation. Prioritise remediation using the Common Vulnerability Scoring System (CVSS) base score, the asset's exposure (internet-facing versus internal), the asset's importance to your business, and whether a known exploit exists in the wild (the CISA Known Exploited Vulnerabilities catalogue is a free, regularly updated source for this last factor). The CVSS score alone is not a priority: it describes the flaw, not your exposure to it.
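The following is an added example, not code from the original page or from any scanner vendor, showing one way to turn those four factors into an ordering and a remediation deadline. The multipliers, the exploit bonus, the criticality scale and the SLA tiers are assumed policy values chosen for illustration; the findings are constructed sample data. It goes slightly beyond the text by also assigning an SLA, which is how most programmes make prioritisation enforceable.

```python
"""Risk-based prioritisation of vulnerability scan findings (added example).

Combines CVSS base score, exposure, asset criticality and known-exploit
status into a single ranking plus a remediation deadline. All weights
below are assumptions for illustration, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str                # short description from the scanner
    cvss: float               # CVSS v3 base score, 0.0 to 10.0
    internet_facing: bool     # reachable from the internet?
    asset_criticality: int    # assumed scale: 1 low, 2 normal, 3 business-critical
    known_exploit: bool       # e.g. listed in the CISA KEV catalogue


# Assumed policy values: exposure and criticality scale the CVSS score,
# a known public exploit adds a flat bonus so it always jumps the queue.
EXPOSURE_MULT = {True: 1.5, False: 1.0}
CRITICALITY_MULT = {1: 0.8, 2: 1.0, 3: 1.3}
EXPLOIT_BONUS = 3.0


def risk_score(f: Finding) -> float:
    """Contextual risk score; higher means fix sooner."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.asset}: {f.cvss}")
    if f.asset_criticality not in CRITICALITY_MULT:
        raise ValueError(f"Unknown criticality for {f.asset}: {f.asset_criticality}")
    score = f.cvss * EXPOSURE_MULT[f.internet_facing] * CRITICALITY_MULT[f.asset_criticality]
    if f.known_exploit:
        score += EXPLOIT_BONUS
    return round(score, 2)


def sla_days(f: Finding) -> int:
    """Remediation deadline in days (assumed tiers).

    An internet-facing flaw with a public exploit gets an emergency
    deadline regardless of score; everything else is tiered by score.
    """
    if f.known_exploit and f.internet_facing:
        return 2
    score = risk_score(f)
    if score >= 12.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; ties broken by asset name for a stable report."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("ws-042", "Outdated browser plugin", 7.5, False, 1, False),
    Finding("web01", "TLS 1.0 enabled", 5.3, True, 2, False),
    Finding("fileserver01", "Missing SMB patch", 8.8, False, 3, True),
    Finding("vpn01", "Outdated VPN firmware", 9.8, True, 3, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):6.2f}  {sla_days(f):3d} days  {f.asset:<14} {f.title}")
```

Note what the ordering does that a raw CVSS sort would not: the internal file server with a known exploit outranks the internet-facing web server's medium finding, and the 7.5 on a low-value workstation falls below the 5.3 on a public host. Record the score and deadline with each ticket so that the next rescan can be checked against them.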
Phase 4: Remediation
For each vulnerability, determine the appropriate remediation action. Most commonly this is applying a patch or update, but it may also involve reconfiguring a service, disabling an unnecessary feature, strengthening a password, or replacing obsolete software. Track remediation progress and verify that fixes have been applied by rescanning after remediation. A finding that simply disappears from the next report is not proof of a fix: confirm that the host was actually reached and, for authenticated scans, that the credentials still worked, before closing the ticket.
Phase 5: Reporting and Continuous Improvement
Regular reporting transforms raw scan data into actionable intelligence. Track metrics over time: total open vulnerabilities, average time to remediate, number of critical vulnerabilities, and vulnerability trends. Share these reports with leadership to demonstrate security posture improvements and justify ongoing investment in security.
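As an added example for Phases 4 and 5 (not code from the original page or from any scanner), the script below compares two scan runs, separates closed, persisting and new findings, computes mean time to remediate and open counts by severity, and flags findings that have outlived their SLA. The two scan runs, the dates and the SLA table are constructed sample data. It also performs the check the remediation step above calls for: an asset whose findings all vanished and which does not appear in the new run at all is reported as possibly unscanned rather than silently counted as fixed.

```python
"""Diff two vulnerability scan runs and derive remediation metrics (added example).

Each run is modelled as {(asset, finding title): (severity, first_seen)},
which is what you get after normalising most scanners' CSV or XML export.
All data below is constructed for illustration.
"""
from datetime import date
from statistics import mean

Key = tuple[str, str]  # (asset, finding title)

# Assumed remediation SLAs in days per severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed sample: monthly internal scans, March and April.
RUN_MARCH = {
    ("web01", "Expired TLS certificate"): ("High", date(2025, 2, 3)),
    ("web01", "TLS 1.0 enabled"): ("Medium", date(2025, 1, 6)),
    ("vpn01", "Outdated VPN firmware"): ("Critical", date(2025, 3, 3)),
    ("ws-042", "Missing OS patches"): ("High", date(2025, 2, 3)),
}
RUN_APRIL = {
    ("web01", "TLS 1.0 enabled"): ("Medium", date(2025, 1, 6)),
    ("ws-042", "Missing OS patches"): ("High", date(2025, 2, 3)),
    ("mail01", "Open SMTP relay"): ("Critical", date(2025, 4, 7)),
}
APRIL_SCAN_DATE = date(2025, 4, 7)


def diff_runs(before: dict, after: dict) -> tuple[set, set, set]:
    """Return (closed, persisting, new) finding keys between two runs."""
    closed = set(before) - set(after)
    persisting = set(before) & set(after)
    new = set(after) - set(before)
    return closed, persisting, new


def possibly_unscanned(before: dict, after: dict) -> set[str]:
    """Assets whose findings all vanished and which never appear in the new run.

    Either genuinely clean or simply not reached; verify before closing tickets.
    """
    closed, _, _ = diff_runs(before, after)
    assets_after = {asset for asset, _ in after}
    return {asset for asset, _ in closed if asset not in assets_after}


def mean_time_to_remediate(before: dict, closed: set, closed_on: date) -> float:
    """Average days from first detection to the scan that no longer reports it."""
    if not closed:
        return 0.0
    return float(mean((closed_on - before[k][1]).days for k in closed))


def open_by_severity(after: dict) -> dict[str, int]:
    counts: dict[str, int] = {}
    for severity, _ in after.values():
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def overdue(after: dict, today: date, sla: dict = SLA_DAYS) -> list[Key]:
    """Open findings older than the SLA for their severity, sorted for the report."""
    return sorted(k for k, (sev, seen) in after.items() if (today - seen).days > sla[sev])


def report(before: dict, after: dict, scan_date: date) -> dict:
    closed, persisting, new = diff_runs(before, after)
    return {
        "closed": len(closed),
        "persisting": len(persisting),
        "new": len(new),
        "mttr_days": mean_time_to_remediate(before, closed, scan_date),
        "open_by_severity": open_by_severity(after),
        "overdue": overdue(after, scan_date),
        "verify_scanned": sorted(possibly_unscanned(before, after)),
    }


if __name__ == "__main__":
    for k, v in report(RUN_MARCH, RUN_APRIL, APRIL_SCAN_DATE).items():
        print(f"{k:>18}: {v}")
```

Run month on month, the `mttr_days`, `overdue` and `open_by_severity` fields are the trend lines worth showing leadership; the `verify_scanned` list is the one to act on before any of the closed findings are reported as fixed.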
Vulnerability Scanning and UK Compliance
For UK businesses, vulnerability scanning supports compliance with multiple frameworks and regulations.
Cyber Essentials Plus. The Cyber Essentials Plus certification process includes an external vulnerability scan as a mandatory component. A qualified assessor scans your internet-facing IP addresses, and any finding rated high or critical (a CVSS v3 base score of 7.0 or above) results in certification failure. Regular scanning throughout the year ensures you are always ready for certification renewal.
UK GDPR. Article 32 of the UK GDPR requires organisations to implement appropriate technical measures to ensure the security of personal data processing, including "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures." Vulnerability scanning is a direct implementation of this requirement.
PCI DSS. If your business processes card payments, PCI DSS Requirement 11 mandates external vulnerability scans at least quarterly by an Approved Scanning Vendor (ASV), plus internal vulnerability scans at least quarterly and rescans after any significant change. Non-compliance can result in fines from your payment processor and increased transaction fees.
ISO 27001. The ISO 27001 information security standard requires organisations to identify and manage technical vulnerabilities (Annex A control 8.8, Management of technical vulnerabilities, in the 2022 edition). A documented vulnerability management programme, supported by regular scanning, is a key control in any ISO 27001 implementation.
Find Your Vulnerabilities Before Hackers Do
Cloudswitched provides comprehensive vulnerability scanning and management services for UK businesses. Our security team conducts regular external and internal scans, prioritises findings based on real-world risk, and works with you to remediate vulnerabilities efficiently. Whether you need a one-off scan for Cyber Essentials Plus certification or an ongoing vulnerability management programme, we have you covered.
Key Takeaways
Vulnerability scanning is not a one-time event — it is an ongoing discipline that should be embedded in your security operations. The threat landscape evolves daily, with new vulnerabilities disclosed and new exploits developed at an accelerating pace. Regular scanning, combined with disciplined prioritisation and timely remediation, is the most effective way to reduce your attack surface and protect your business from the ever-present threat of cyber attack. Start with the basics — an external scan and an internal scan — and build from there. Every vulnerability you find and fix before an attacker does is a potential breach prevented, a potential fine avoided, and a potential disaster averted.