You have a vulnerability scan report, now what?

You have a vulnerability scan report, now what?

A great way to identify your IT security weaknesses is to run a vulnerability scan against your applications and/or infrastructure. Now that you have the scan report, what do you do with it?

You have probably asked yourself and/or your team the following questions:

  • What should I do with the analysis?
  • Are these vulnerabilities really exploitable?
  • What is a false positive and what is a true positive?
  • How will I know if it’s really gone after it has been resolved?

Vulnerability Scanning vs Penetration Testing

Benefits of a Penetration Test

  • Live, manual tests mean more accurate and thorough results
  • Retesting after remediation is often included
  • Rules out false positives

Limitations of a penetration test

  • Time (1 day to 3 weeks)
  • Cost – penetration can be expensive

 Benefits of a vulnerability scan

  • Quick, high-level look at possible vulnerabilities
  • Very affordable
  • Automated – can be scheduled to run weekly, monthly, quarterly, etc
  • Quick to complete

Limitations of a vulnerability scan

  • The results can contain false positives, which increase the time spent on reviewing the findings
  • Less likely to identify business logic flaws and other complex vulnerabilities


If you are trying to decide which is the best option, you could consider something more comprehensive that a vulnerability scan, but not as expensive as a penetration test. CheckScan+ bridges the gap and gives the benefits of both.

CheckScan+ is a fully managed vulnerability scanning platform, which is fully scalable across all environments. Our platform delivers verified and accurate reporting of each vulnerability found with the support from our security consultants (SOC Analysts or Pen Testers) eliminating potential false positives from vulnerability scan results.

Ian O’Connell is the SOC & CheckScan+ Team Lead at CommSec.