Vulnerability Assessment (VA only)
Fast, affordable scan-and-report service for SMEs and first-time assessments. Known-vulnerability coverage across your external attack surface and internal hosts — Nessus / OpenVAS / Nuclei, CVSS-scored, false-positive-filtered. The entry-level engagement.
What it is
A professional breadth-first vulnerability scan of your networks, hosts, or web applications — delivered with filtered, CVSS-scored findings and actionable remediation guidance. Scanners run; a human validates the critical and high findings, removes false positives, and writes the report.
The fastest way to know what's exposed, patchable, and exploitable by known techniques. For UAE SMEs that aren't ready for a full pen test, or for organisations that need PCI ASV quarterly evidence, this is the right engagement.
What you get
- Scope & rules of engagement — targets, scan window, escalation contact.
- Vulnerability report — all detected vulnerabilities, CVSS-scored, affected assets, remediation guidance. Critical / high findings manually validated.
- Executive summary — 1-page view for non-technical readers.
- Remediation guidance — prioritised fix list with effort estimates.
Pricing
Published range
Per engagement. Price driven by target count and scan type (network / web app / both).
- Deposit: 50% at signing
- Net terms: Net-30
- Quarterly recurring: 20% discount on recurring-engagement agreement
- Upgrade to Pen Test: VA fee credits toward pen test if upgraded within 30 days
Your cert-backed lead
Lead Tester
Nelson Durairaj
OSCP · eJPT · CEH
Focus: Scan calibration, critical-finding validation, false-positive filtering, CVSS accuracy.
Frequently asked questions
How is a Vulnerability Assessment different from a Penetration Test?
A VA is a scan-based, breadth-first inventory of known vulnerabilities — automated tooling (Nessus, OpenVAS, Nuclei) catches what's known and exposed. A pen test goes deeper: it validates which vulnerabilities are actually exploitable, chains them together, and demonstrates business impact manually. VA is faster and cheaper; pen test is deeper and more rigorous. For SMEs, regulatory-minimum compliance, or first-time assessments, VA is often the right starting point.
What do I actually get?
A scan-and-report: complete list of detected vulnerabilities, CVSS scores, affected assets, remediation guidance. Critical and high findings are manually validated to remove false positives. Informational-only findings are flagged separately.
How long does it take?
2 – 5 working days for a typical SME (10 – 50 hosts or a single web application). End-to-end, about 1 week of calendar time.
Can I satisfy a compliance requirement with this?
For compliance frameworks that specifically require 'vulnerability scanning' (not penetration testing) — yes. PCI DSS quarterly external scans, some SOC 2 continuous monitoring evidence, and NESA baseline scanning can use this service. For frameworks that require penetration testing (ISO 27001 A.8.8, PCI DSS pen test requirement, client procurement questions) — upgrade to a Pen Test.
Need a scan, not a six-figure engagement?
From AED 5k. Start in a week. Upgrade to pen test anytime.