A vulnerability assessment is a systematic examination of systems, applications, networks and processes to identify security weaknesses that could be exploited by threats. Unlike penetration testing, which actively attempts to exploit vulnerabilities, a vulnerability assessment focuses on discovery and classification, typically using a combination of automated scanning tools and manual analysis. Findings are prioritised based on severity, exploitability and potential business impact.
Regular vulnerability assessments are a fundamental component of any information security programme and are required by standards such as ISO 27001, PCI DSS and SOC 2. They provide a clear picture of an organisation's attack surface and feed directly into vulnerability management and remediation workflows. Combining assessments with threat intelligence ensures that the most relevant and dangerous weaknesses are addressed first.
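As an added illustration of the prioritisation step described above (not code from the original page), the following Python ranks assessment findings by combining scanner severity, exploitability drawn from threat intelligence, and the business impact of the affected asset. The finding identifiers, weakness identifiers, threat-intelligence sets and weighting factors are all constructed for the example; a real programme would substitute its own scanner output, an exploit database, a known-exploited-vulnerabilities list and an asset inventory.

```python
"""Ranking vulnerability-assessment findings by severity, exploitability and
business impact, with threat-intelligence enrichment. Added example; every
identifier, feed and weighting below is constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    finding_id: str           # constructed scanner finding id
    weakness_id: str          # constructed weakness id (stands in for a CVE/plugin id)
    asset: str                # constructed asset name
    cvss_base: float          # scanner-reported severity, 0.0 - 10.0
    asset_criticality: int    # business impact of the asset, 1 (low) .. 5 (critical)
    internet_facing: bool     # exposure, from the asset inventory
    exploit_available: bool = False   # filled in by threat-intel enrichment
    actively_exploited: bool = False  # filled in by threat-intel enrichment


# Constructed threat-intelligence feeds. Assumption: in practice these come
# from an exploit database and a known-exploited-vulnerabilities list.
EXPLOIT_AVAILABLE: Set[str] = {"WEAK-1001", "WEAK-1002", "WEAK-1004"}
ACTIVELY_EXPLOITED: Set[str] = {"WEAK-1001", "WEAK-1004"}

# Constructed scanner output: five findings across four assets.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-001", "WEAK-1001", "web-gateway", 9.8, 5, True),
    Finding("F-002", "WEAK-1002", "marketing-site", 7.5, 2, True),
    Finding("F-003", "WEAK-1003", "hr-database", 9.1, 5, False),
    Finding("F-004", "WEAK-1004", "vpn-concentrator", 5.3, 4, True),
    Finding("F-005", "WEAK-1005", "build-agent", 4.0, 1, False),
]


def enrich(findings: Iterable[Finding], exploit_feed: Set[str],
           kev_feed: Set[str]) -> List[Finding]:
    """Attach exploitability flags from the threat-intelligence feeds."""
    return [replace(f,
                    exploit_available=f.weakness_id in exploit_feed,
                    actively_exploited=f.weakness_id in kev_feed)
            for f in findings]


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative band."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def priority_score(f: Finding) -> float:
    """Severity x exploitability x exposure x business impact.

    The multipliers are constructed weights, not a published standard: a
    public exploit raises the exploitability factor by 0.5, observed active
    exploitation by a further 1.0, internet exposure adds 25%, and asset
    criticality scales the result between 0.2 and 1.0.
    """
    exploitability = 1.0
    if f.exploit_available:
        exploitability += 0.5
    if f.actively_exploited:
        exploitability += 1.0
    exposure = 1.25 if f.internet_facing else 1.0
    impact = f.asset_criticality / 5.0
    return f.cvss_base * exploitability * exposure * impact


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Highest priority first; ties broken by raw CVSS score."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss_base),
                  reverse=True)


def ranked_ids(findings: Iterable[Finding] = SAMPLE_FINDINGS) -> List[str]:
    """Full pipeline: enrich with threat intel, then rank."""
    enriched = enrich(findings, EXPLOIT_AVAILABLE, ACTIVELY_EXPLOITED)
    return [f.finding_id for f in prioritise(enriched)]


if __name__ == "__main__":
    for f in prioritise(enrich(SAMPLE_FINDINGS, EXPLOIT_AVAILABLE, ACTIVELY_EXPLOITED)):
        print(f"{f.finding_id} {f.asset:<18} CVSS {f.cvss_base:>4} "
              f"({severity_band(f.cvss_base):<8}) priority {priority_score(f):6.2f}")
```

The ordering the sample produces is the point of the exercise: F-004 carries only a Medium CVSS score, yet it outranks the Critical-rated F-003 because the threat-intelligence feeds mark it as actively exploited and the asset is internet-facing, whereas F-003 sits on an internal host with no known exploit. Severity alone would have put the remediation effort in the wrong place.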