Vulnerability scanning and assessment services for Australian organisations
Zero-day attacks can be devastating but zero-days are hard to come by. It is far more cost-effective for an attacker to exploit known, low-hanging, unpatched vulnerabilities rather than investing in zero-day research and development.
New vulnerabilities are disclosed constantly and vulnerability catalogues are updated continuously; without regular scanning, exploitable weaknesses can persist undetected for months.
Vulnerability scanning identifies known weaknesses in your systems, applications, and network infrastructure using automated tools, giving you visibility of your exposure before an attacker does. This gives you a current, evidence-based view of where those weaknesses exist, so that you can evaluate the corresponding level of risk and act accordingly to protect your business as described in CPS 234, “commensurate with the level of risk”.
dotSec provides scanning as a managed service and as the initial phase of penetration testing engagements. Our testers analyse every scan in context: removing false positives, assessing actual exploitability, and providing prioritised remediation guidance based on your specific environment.
What is vulnerability scanning?
A vulnerability scan uses automated tools to check systems against a database of known vulnerabilities (CVEs), looking for missing patches, misconfigurations, default credentials, and other common weaknesses. Each finding is assigned a severity rating using the Common Vulnerability Scoring System (CVSS), producing a list of potential weaknesses ranked by criticality.
Scanners work by probing hosts, services, and applications against a continuously updated catalogue of known issues. They can identify outdated software versions, weak or default credentials, exposed management interfaces, TLS configuration weaknesses, and missing security headers, among other findings. Scanning can target external-facing assets (such as web servers, APIs, and firewalls), internal network infrastructure, cloud environments, and endpoints. The output is a point-in-time snapshot of your attack surface against the current threat landscape.
Vulnerability scanning and penetration testing address different questions. Scanning identifies whether a known vulnerability is present. Penetration testing confirms whether it is exploitable and determines the real-world impact of a successful attack. NIST SP 800-115 defines this distinction: vulnerability scanning is an automated identification process, while penetration testing involves active exploitation by a skilled tester. dotSec routinely conducts scanning as the first phase of a penetration testing engagement, and also offers it as a standalone managed service for organisations that need ongoing visibility without a full pen test.
It is worth noting that a vulnerability scan on its own does not confirm whether a finding can be exploited in your specific environment. Two organisations may share the same CVE but face very different levels of risk depending on each organisation’s network segmentation and existing controls. This is why dotSec pairs every scan with manual analysis rather than delivering raw output.
How dotSec delivers vulnerability scanning
dotSec does not deliver raw scanner output. Every scan is followed by manual analysis: we remove false positives, assess the actual exploitability of findings in your environment, and produce remediation guidance that reflects your risk profile rather than a generic CVSS severity ranking.
Our process begins with scoping: identifying the target systems, scanning windows, and any constraints such as production uptime requirements or change control processes. Scans are then conducted using industry-standard tooling, with configuration tailored to the target environment. Once scanning is complete, our testers review every finding manually. False positives are removed, findings are validated against your architecture and controls, and each confirmed vulnerability is assigned a risk rating that accounts for exploitability, exposure, and business context rather than relying solely on the CVSS base score.
Scanning can be scheduled as a continuous managed service with reporting on a regular cadence, or conducted on demand for a specific compliance obligation or project milestone. Findings integrate directly with broader security programmes: they inform pen testing scope, contribute evidence for PCI DSS compliance (Requirement 11.3 mandates quarterly ASV scans and quarterly internal scans), and feed into risk register updates. For organisations running a security operations function, vulnerability data also provides context for SOC, SIEM, and EDR monitoring and alert triage.
The resulting report provides a prioritised list of confirmed vulnerabilities with clear remediation steps, expected effort, and references to relevant advisories and patches.
dotSec’s scanning is conducted by the same testers who perform penetration tests. Findings are assessed by people who understand how vulnerabilities are actually exploited, not just which CVSS score they carry.
Contextual analysis, not raw reports
Scan findings are reviewed against your environment and threat profile.
dotSec’s testers review every scan result in context, removing false positives and prioritising findings by actual exploitability, taking into account network segmentation, the compensating controls in place, and business impact rather than the CVSS score alone.
You receive clear remediation guidance rather than a list of thousands of CVEs to work through yourself.
Integrated with penetration testing
Vulnerability scanning forms the first phase of every dotSec penetration test. Standalone scanning clients benefit from the same methodology and the same testers, meaning findings are assessed by people who understand how vulnerabilities are actually exploited, not just which score they carry.
This shared experience means our testers recognise when individually low-risk findings can be chained together to create a more significant exploitation path.
Compliance alignment
Regular vulnerability scanning supports PCI DSS v4.0.1 Requirements 11.3.1 and 11.3.2, ISO 27001 Annex A.8.8, the ACSC Essential Eight patch management controls, and APRA CPS 234 vulnerability management obligations.
dotSec’s scan reports are structured to serve directly as compliance evidence, reducing the effort needed to demonstrate conformance at audit time.
Managed or on-demand
Choose continuous managed scanning with scheduled scans and regular reporting, or an ad hoc engagement for a specific project, pre-audit preparation, or post-change verification. Both options include expert analysis.
For managed service clients, historical scan data provides a baseline that helps track remediation progress and identify regressions over time.
Vulnerability scanning FAQ
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan identifies known weaknesses using automated tools. A penetration test goes further: a tester manually verifies findings, attempts exploitation, and assesses real-world business impact. dotSec typically conducts vulnerability scanning as the first phase of a penetration test, but also offers standalone scanning as a managed service. NIST SP 800-115 sets out this distinction.
Reference: https://csrc.nist.gov/pubs/sp/800/115/final
How often should vulnerability scans be conducted?
Frequency depends on regulatory context and risk appetite. PCI DSS requires quarterly internal vulnerability scans (performed by qualified internal resources or a qualified external third party) and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). ISO 27001 and the ACSC Essential Eight treat scanning as part of a continuous vulnerability management process. At minimum, scanning should occur after any significant system change, such as a new application version release or a major infrastructure change (for example, the implementation of a Zero Trust Network Access (ZTNA) solution).
What systems can dotSec scan?
Internal and external network infrastructure, web applications, cloud environments (AWS, Azure, GCP), wireless networks, and endpoints. Scans can be authenticated (using credentials to assess internal configuration) or unauthenticated (simulating an external attacker’s view of exposed services). Note: the external vulnerability scans required for PCI DSS compliance must be performed by an Approved Scanning Vendor (ASV). dotSec can assist with setting up and reviewing these scans with an ASV.
Do you use only automated tools?
Automated tools are used for discovery and initial identification. The analysis, false positive removal, contextual risk assessment, and remediation guidance are done manually by dotSec’s testers. Automated output without expert analysis produces noise, not actionable intelligence.
Can vulnerability scanning satisfy compliance requirements on its own?
For specific controls, yes. For broader frameworks such as ISO 27001 or the Essential Eight patch management controls, scanning is one component of a vulnerability management programme rather than a complete solution in itself. For PCI DSS, Requirement 11.3.1 mandates quarterly internal vulnerability scans and rescans to verify that high-risk and critical-risk vulnerabilities have been resolved. Rescans are repeated until all high and critical findings from the scan are remediated and a clean scan report (no high or critical vulnerabilities) is obtained.
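As an added illustration (not dotSec’s tooling or method), the following Python sketch shows the contextual re-rating described above and the “clean report” check behind the PCI DSS rescan cycle: false positives are dropped, each finding’s CVSS base score is adjusted for exposure, compensating controls and asset criticality, and a rescan is flagged while any high or critical finding remains. The adjustment weights, hostnames and CVE-XXXX placeholders are constructed for the example and are not a standard.

```python
"""Illustrative triage of scanner findings: drop false positives, re-rate the CVSS base
score for exposure, compensating controls and asset criticality, and report whether any
high/critical findings remain (a rescan is still needed). Weights and data are constructed."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str                      # identifier as reported by the scanner (placeholder here)
    host: str
    cvss_base: float              # CVSS v3 base score from the scanner
    internet_facing: bool         # exposed to the internet, or internal-only
    asset_criticality: str        # "low", "medium" or "high"
    compensating_controls: list[str] = field(default_factory=list)
    false_positive: bool = False  # set by the tester after manual review

def cvss_severity(score: float) -> str:
    """Map a score to the CVSS v3 qualitative bands (None/Low/Medium/High/Critical)."""
    for limit, band in ((0.0, "none"), (3.9, "low"), (6.9, "medium"), (8.9, "high")):
        if score <= limit:
            return band
    return "critical"

def contextual_score(f: Finding) -> float:
    """Adjust the base score for environment (illustrative weights, not a standard)."""
    score = f.cvss_base
    if not f.internet_facing:
        score -= 1.5                                 # attacker needs a foothold first
    score -= 1.0 * len(f.compensating_controls)      # e.g. WAF rule, segmentation
    score += {"low": -1.0, "medium": 0.0, "high": 1.0}[f.asset_criticality]
    return round(max(0.0, min(10.0, score)), 1)

def triage(findings: list[Finding]) -> list[Finding]:
    """Remove false positives and order confirmed findings by contextual score."""
    return sorted([f for f in findings if not f.false_positive], key=contextual_score, reverse=True)

def rescan_required(findings: list[Finding]) -> list[Finding]:
    """Confirmed findings still high/critical; rescan until this list is empty."""
    return [f for f in triage(findings) if cvss_severity(contextual_score(f)) in ("high", "critical")]

# Constructed sample: the same CVE on two hosts with very different exposure.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "web-01", 9.8, True, "high"),
    Finding("CVE-XXXX-0001", "lab-07", 9.8, False, "low", ["network segmentation"]),
    Finding("CVE-XXXX-0002", "api-02", 7.5, True, "medium", ["WAF virtual patch"]),
    Finding("CVE-XXXX-0003", "web-01", 5.3, True, "medium", false_positive=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f.host, f.cve, f.cvss_base, "->", contextual_score(f), cvss_severity(contextual_score(f)))
    print("rescan required:", bool(rescan_required(SAMPLE_FINDINGS)))
```

The two `CVE-XXXX-0001` entries show the point made earlier on the page: an identical CVE rates critical on the exposed web server but only medium on the segmented internal lab host.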
What next?
If you need a vulnerability scan as a standalone exercise, as part of a compliance obligation, or as the first step toward a penetration test, dotSec can scope an engagement to match. Contact us to discuss your requirements.