Get Support

Request a Quote

Platform
PSA & RMM

PSA

RMM

CPQ

Remote Access

Reporting

Documentation

Payments

Customer Feedback

Solve any challenge with one platform

Operate more efficiently, reduce complexity, improve EBITDA, and much more with the purpose-built platform for MSPs.

Explore the Platform

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Cybersecurity & Data Protection

MDR

SIEM

Cloud Backup

BCDR

Security Dashboard

Backup Dashboard

SaaS Security

Vulnerability Management

Ensure security and business continuity, 24/7

Protect and defend what matters most to your clients and stakeholders with ConnectWise's best-in-class cybersecurity and BCDR solutions.

Explore Cyber and BCDR

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Hyperautomation

RPA

Sidekick

Integrations

Integrate and automate to unlock cost savings

Leverage generative AI and RPA workflows to simplify and streamline the most time-consuming parts of IT.

Explore Our Marketplace

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Solutions
By Use Case

Client Onboarding

Increase agility and reduce complexity

Service Desk Ticketing

Deliver fast and efficient service

Cyber Remediation

Deliver holistic cybersecurity and data protection

Billing Reconciliation

Error-free invoicing and revenue protection

Patch Management

Automate patching across all your endpoints

The first and only true MSP platform

 
By Market

MSPs

Purpose-built MSP solutions to accelerate profitability and growth

IT Departments

IT service management (ITSM) software and cybersecurity for IT teams

Managed Print

Print security, event management, and monitoring

VAR

Proven as-a-service offerings and integrations

The first and only true MSP platform

 
By Category

Business Management

Streamline end-to-end business management with robust professional services automation

Unified Monitoring & Management

Unlock workflows, automation, and insights you can’t get anywhere else with one suite of solutions

Cybersecurity & Data Protection

Get the software, services, and support you need to sell and secure your clients 24/7

Expert Services

Expert MSP Support and Help Desk Services

The first and only true MSP platform

 
Community
IT Nation

IT Nation Evolve™

Accelerate your MSP business growth with the premier annual membership program and peer experience focused on planning, accountability, and success

IT Nation Connect™ Global 

Join the groundbreaking MSP community at the can't-miss industry conference for education, inspiration, and networking. Attendees return year after year to be part of a collaborative community focused on helping individuals solve business challenges and grow. 

Service Leadership, Inc.®

Drive financial performance and Operational Maturity Level™ through benchmarking, advanced peer groups, industry best practices, education, and speaking.

Let’s meet up at the industry’s largest MSP event! 
Events

IT Nation Connect Global

November 5-7, 2025 | Orlando & Virtual

IT Nation Connect Europe

March 9-11, 2026 | London

IT Nation Connect ANZ

August 20-22, 2025 | Sydney

IT Nation Secure

June 8-10, 2026 | Orlando

IT Nation Grow

August 13, 2025 I Denver

PitchIT

Apply Today for your chance at $100K in prize money!

Explore ConnectWise Events

Join fellow IT pros at ConnectWise industry & customer events!

Explore Today

Let’s meet up at the industry’s largest MSP event! 
University

Product Training

Calendar

What's New

University Log-In

Check out our online learning platform, designed to help IT service providers get the most out of ConnectWise products and services.

ConnectWise University

Explore our product training course catalog.
Resources

Webinars

Blog

eBooks

Case Studies

Resources

Feature Sheets

On-demand Demos

Live Demos

Cybersecurity Center

Explore the ConnectWise Resource Center

Search our resource center for the latest MSP ebooks, white papers, infographics, webinars and more!

Explore Today

Explore the latest product innovations designed to enhance your ConnectWise experience.
About Us
About Us

Mission & Values

Careers

Leadership

Board of Directors

Philanthropy

Experience the ConnectWise Way

Join hundreds of thousands of IT professionals benefiting from and contributing to a legacy of industry leadership when you become a part of the ConnectWise community.

Learn More

Transform your business with the ConnectWise community
News & Press

Press Room

Awards

Case Studies

Experience the ConnectWise Way

Join hundreds of thousands of IT professionals benefiting from and contributing to a legacy of industry leadership when you become a part of the ConnectWise community.

Learn More

ConnectWise Partner Success Stories
ConnectWise

12/20/2022 | 8 Minute Read

How to conduct a vulnerability assessment

Topics:

Contents

    Efficient vulnerability assessments improve cybersecurity management.

    Learn how we can support

    Conducting a vulnerability assessment is an essential part of the cybersecurity process. MSPs and other IT professionals use this test as a barometer to measure a client’s current level of cybersecurity protection. Without it, deciding where to start or what cybersecurity tools to implement to reduce your client’s risk would be difficult.

    When done properly, a vulnerability assessment will determine your current and future vulnerabilities to cybersecurity threats. MSPs should conduct these regularly for their clients. Failure to do so could cause the loss of mission-critical data and files.

    As a technician conducts the vulnerability assessment, each detected weakness is assigned a security level. Next, the cybersecurity team analyzes the list of vulnerabilities and prioritizes them. Some may require immediate remediation, while others can be addressed later without causing significant damage.

    Fortunately, MSPs can rely on a library of vulnerability assessment tools to ensure that the testing and reporting are done right. The dynamic application security testing (DAST) tool is a popular tool for this process.

    DAST tools scan your software applications for vulnerabilities while they’re running. The benefits of this are twofold:

    • Running the assessment won’t cost your client any additional downtime.
    • Assessing applications while they’re running allows MSPs to uncover threats more like what they might see in the real world.

    DAST tools are often coupled with static application security testing (SAST) tools to cover all bases. SAST tools provide the same function, but these assessments run while applications are shut down.

    Vulnerability assessments vs. penetration testing

    IT experts often mention penetration testing in the same breath as vulnerability assessments. While both processes go hand-in-hand to foster network protection, they’re not the same.

    A vulnerability assessment will identify and repair any network vulnerability a hacker might exploit. This process needs to cover a vast number of unpatched vulnerabilities throughout the entire network. As a result, it’s usually an automated process.

    Conversely, penetration testing is a choreographed attack run by ethical hackers. There are specific cybersecurity goals in mind when running such a test, and its structure is such that the assessment mimics a real-world cybersecurity attack.

    Penetration testing can also test an organization’s cybersecurity at a more granular level. Where a vulnerability assessment does a great job of detecting and alleviating larger-scale network vulnerabilities, penetration testing can help fill in the gaps.

    Issues like inferior security settings and lack of password encryption are exactly what a penetration test is designed to flag. These tests work in conjunction with broader vulnerability assessments and, like all vulnerability assessments, should be run regularly to provide clients with the utmost safety and protection.

    Why do you need vulnerability assessments as an MSP?

    MSPs do their best work when they’re preventing problems before they start, and that’s exactly what a network vulnerability assessment is designed to do. By running these tests regularly, you’ll be able to detect issues early for your clients and stop them before they become significant cybersecurity risks.

    Vulnerability assessments will also give you and your client an in-depth view of their current system. You’ll be able to identify areas of weakness, as well as strength, and come up with a data-driven plan to protect their most critical digital assets.

    To learn more about the importance of vulnerability assessments, check out our webinar, Who Really Needs A Vulnerability Program Anyway? in the ConnectWise resource library.

    Vulnerability assessment types

    Vulnerability assessments are an essential litmus test for all components of an organization’s network. There are a variety of specific security vulnerability assessments you should be running for your clients as MSPs. They are as follows:

    • Web application assessment – scans web application source code to check for any loopholes or vulnerabilities. This scan can be done manually, or it can be automated.
    • Network-based assessment – a more general scan to help identify loopholes in an organization’s networks, both hard-wired and wireless.
    • Wireless network assessment – examines an organization’s wireless network configuration to protect against unauthorized users' access.
    • Host-based assessment – network ports, services, servers, and other network hosting components are rigorously scanned to root out any weaknesses in the overall hosting environment.
    • Database assessment – looks to identify weaknesses in database security. These scans protect against popular hacker TTPs like DDoS attacks, brute force attacks, SQL injections, and more.

    For more information about some of the common digital threat actor attack methods, check out the ConnectWise cybersecurity center.

    How to perform an effective vulnerability assessment

    Cybersecurity experts agree that there is a standard strategy MSPs and other IT technicians should follow when conducting a vulnerability assessment. The process can be broken down into 5 steps.

    1. Laying out your testing scope

    MSPs and their clients must work together to take a good, hard look at the current system infrastructure. Consider your client’s entire IT estate and leave no stone unturned.

    Ask yourself and your client where the most critical data is stored. Be sure to dig deep and uncover any hidden sources of company data. Ultimately, you’ll use this step to map out your client’s entire digital presence and set yourself up to streamline the vulnerability assessment process.

    2. Preparing system baselines

    To make any improvement to a client’s cybersecurity, you have to know where you’re starting. This step of the vulnerability assessment prompts you to look at your client’s current system configuration.

    Analyze all systems and hardware and check them for the following:

    • The proper software and drivers for each asset
    • The correct access permission configurations
    • Any network ports that shouldn’t be open
    • The information the system should transmit and what peripherals the network “talks to” under its current setup.

    3. Perform the vulnerability scan

    Now it’s time to run your scan. Your client’s industry may require you to adhere to compliance requirements. Carefully examine this aspect of your scan and ensure you comply, as you don’t want to cost your client any fines or lead to any legal action.

    You’ll also want to consider the scan schedule at this stage. Certain industries may prevent you from running your scan all at once and necessitate you breaking it down into smaller segments. An example would be any industries that fall under PCI compliance.

    The vulnerability assessment platform you use will have plug-in tools available to help give you the best results. Some of these tools are:

    • A content management system (CMS) web scan (for CMS platforms like WordPress, Joomla, Drupal, etc.)
    • Quick scan
    • Best scan
    • Most common ports best scan
    • Stealth scan
    • Firewall scan
    • Aggressive scan
    • Open web application security project (OWASP)
    • Payment card industry data security standard (PCI DSS) scan for web apps
    • Health insurance portability and accountability act (HIPAA) compliance scan
    • Full scan, checks against DDoS attacks

    Occasionally, you may need to manually scan your client’s most vital assets. These scans are done manually to ensure the best results and that nothing is missed by an automated scanner.

    4. Building out your vulnerability assessment report

    Building your report is a crucial part of the vulnerability assessment process because it synthesizes your findings. By aggregating all of your client’s cybersecurity data in one place, you’ll be able to take actionable steps toward improving their security level and minimizing their risk.

    Your report should highlight any critical details the assessment uncovers. Note if there is a significant difference between the report’s findings and the system’s baseline. Recommendations to remediate these insufficiencies or loopholes should follow shortly after.

    MSPs should organize their reports in a way that’s easy to decipher and act on. If you’re not sure where to start, here is a brief rundown of information your report should contain:

    • The name of the vulnerability
    • Date and time of discovery
    • The vulnerability’s common vulnerabilities and exposures (CVE) score
    • A description of the vulnerability
    • Information regarding affected systems
    • An outline of the process necessary to correct the vulnerability
    • Blank space to record who is going to address the vulnerability, how long it took to mitigate, a scheduled date for the next revision, and any defense measures taken in between

    These parameters are a good start, but when it comes to reporting, the more information the better. Consult with your clients and your team to see if you should add any additional data points.

    5. Deciding how to act on your report’s findings

    Once you complete the scan and analyze the report data, it’s time to develop an action plan. To make this plan as effective as possible, you’ll need to revisit your prioritization of assets from earlier in the vulnerability assessment.

    Your report’s findings should categorize each vulnerability by severity. When designing your mitigation plan, you should first focus on tackling the highest-severity vulnerabilities. Also, prioritize any vulnerabilities affecting mission-critical software applications or equipment.

    While prioritization is important, MSPs can’t ignore vulnerabilities that are further down the list. Occasionally, hackers will use a chain of seemingly mild vulnerabilities to gain access to a target system – knowing that addressing them will typically be put off until a later date.

    Other areas of interest include employee laptops, internet-facing systems, software vulnerabilities, and systems containing sensitive data that could potentially hurt your business if compromised.

    Stopping vulnerabilities is a continuous cycle

    While running an efficient vulnerability assessment is a crucial step of the cybersecurity process, it’s only the beginning. The assessment and the corresponding report only give you system feedback for that timeframe. New software installations and updates, new configurations to system settings, and the discovery of new vulnerabilities may ultimately change your client’s system.

    This ever-changing nature of network infrastructure and cybersecurity makes the assessment process a continuous cycle. MSPs must perform these scans and tests regularly to ensure the best cybersecurity services for their clients.

    Fortunately, ConnectWise offers a suite of cybersecurity tools to help organize, automate, and streamline your threat and vulnerability assessment process. Contact us today to learn more about how our MSP software applications can help you improve and scale your growing business.

    Topics:

    FAQs

    What is the difference between vulnerability assessment and penetration testing?

    A vulnerability assessment is a test to identify and remediate any system vulnerabilities within an organization’s network. Automated software tools can usually conduct these scans on a cybersecurity professional’s behalf. Penetration testing uses some tools but also includes a manual component done by ethical hackers. They mimic real-world cyber threat scenarios and attempt to infiltrate a network to expose its weaknesses.

    How to conduct a vulnerability assessment?

    There are 5 steps to conducting an effective vulnerability assessment:

    1. Laying out your testing scope
    2. Preparing system baselines
    3. Perform the vulnerability scan
    4. Building out your vulnerability assessment report
    5. Deciding how to act on your report's findings.

    Why is vulnerability assessment important?

    Vulnerability assessments allow MSPs and IT techs to stay ahead of client issues. By continuously running these scans, system admins can be sure their cybersecurity efforts are adapting along with their client’s infrastructure as it grows. Assessment report findings also present the opportunity to create data-driven solutions to the vulnerabilities that matter most – resulting in meaningful improvement in an organization’s overall cybersecurity.

    Related Articles

    Blog

    EDR vs. SIEM: How they differ and why you need both

    03/07/2025

    EDR and SIEM software shouldn’t be an “either or” scenario. Learn why you need both of these powerful tools to help your clients.
    Blog

    What is attack surface management?

    03/03/2025

    Learn about the critical role of attack surface management in identifying, reducing, and protecting your organization's digital vulnerabilities.
    Blog

    How to prevent ransomware: Mitigation strategies for MSPs

    03/10/2025

    While it’s not possible to prevent ransomware attacks, we can significantly reduce the potential and impact of a ransomware event. Learn essential detection and mitigation techniques.
    Blog

    Phishing prevention tips: 8 ways MSPs and SMBs can prevent attacks

    12/17/2024

    Discover essential phishing prevention tips for MSPs and SMBs. Learn how to stop phishing attacks and protect sensitive data with these expert strategies from ConnectWise. 
    Blog

    10 common cybersecurity threats and attacks: 2025 update

    02/18/2025

    Learn about the top most common cybersecurity threats and attacks that are used today and how to prevent them with ConnectWise.