Vulnerability scanning and assessment services for Australian organisations

Vulnerability scanning identifies known weaknesses in your systems, applications, and network infrastructure using automated tools, giving you visibility of your exposure before an attacker does. dotSec provides scanning as a managed service and as the initial phase of penetration testing engagements. Our testers analyse every scan in context: removing false positives, assessing actual exploitability, and providing prioritised remediation guidance based on your specific environment.

What is vulnerability scanning?

A vulnerability scan uses automated tools to check systems against a database of known vulnerabilities (CVEs), looking for missing patches, misconfigurations, default credentials, and other common weaknesses. Each finding is assigned a severity rating using the Common Vulnerability Scoring System (CVSS), producing a list of potential weaknesses ranked by criticality.

Vulnerability scanning and penetration testing address different questions. Scanning identifies whether a known vulnerability is present. Penetration testing confirms whether it is exploitable and determines the real-world impact of a successful attack. NIST SP 800-115 defines this distinction: vulnerability scanning is an automated identification process, while penetration testing involves active exploitation by a skilled tester. dotSec routinely conducts scanning as the first phase of a penetration testing engagement, and also offers it as a standalone managed service for organisations that need ongoing visibility without a full pen test.

How dotSec delivers vulnerability scanning

dotSec does not deliver raw scanner output. Every scan is followed by manual analysis: we remove false positives, assess the actual exploitability of findings in your environment, and produce remediation guidance that reflects your risk profile rather than a generic CVSS severity ranking.

Scanning can be scheduled as a continuous managed service with regular, scheduled reporting, or conducted on demand for a specific compliance obligation or project milestone. Findings integrate directly with broader security programmes: they inform pen testing scope, contribute evidence for PCI DSS compliance (Requirement 11.3 mandates quarterly ASV scans and quarterly internal scans), and feed into risk register updates. For organisations running a security operations function, vulnerability data also provides context for SOC, SIEM, and EDR monitoring and alert triage.

dotSec’s scanning is conducted by the same testers who perform penetration tests. Findings are assessed by people who understand how vulnerabilities are actually exploited, not just which CVSS score they carry.

Contextual analysis, not raw reports

Scan findings are reviewed against your environment and threat profile. We remove false positives and prioritise findings by actual risk, not CVSS score alone. You receive clear remediation guidance rather than a list of thousands of CVEs to work through yourself.
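The contextual prioritisation described here and under "How dotSec delivers vulnerability scanning" can be illustrated in code. The following is an added example, not dotSec's tooling: it takes constructed scanner findings carrying a CVSS base score and re-ranks them using hypothetical asset context (internet exposure, asset criticality), tester-confirmed exploitability, and verified false positives. Host names, weights and CVE identifiers are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                   # scanner-reported CVSS base score
    false_positive: bool = False  # set to True after manual verification

# Constructed asset context for hypothetical hosts. In practice this comes
# from the asset register / CMDB, not from the scanner.
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True,  "criticality": "high"},
    "db-01":  {"internet_facing": False, "criticality": "high"},
    "dev-03": {"internet_facing": False, "criticality": "low"},
}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}

# Constructed placeholder identifiers for issues a tester confirmed exploitable.
CONFIRMED_EXPLOITABLE = {"CVE-EXAMPLE-0001"}

def contextual_score(f: Finding) -> float:
    """Weight the CVSS base score by asset criticality, exposure and confirmed
    exploitability. Verified false positives score 0. Unknown hosts are
    treated as internet-facing and high criticality (assume the worst)."""
    if f.false_positive:
        return 0.0
    ctx = ASSET_CONTEXT.get(f.host, {"internet_facing": True, "criticality": "high"})
    score = f.cvss * CRITICALITY_WEIGHT[ctx["criticality"]]
    if not ctx["internet_facing"]:
        score *= 0.6                    # internal-only: reachable after initial foothold
    if f.cve in CONFIRMED_EXPLOITABLE:
        score = min(10.0, score + 2.0)  # a proven exploit path jumps the queue
    return round(score, 2)

def prioritise(findings):
    """Return (score, finding) pairs ranked by contextual score, FPs removed."""
    ranked = [(contextual_score(f), f) for f in findings if not f.false_positive]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked

# Constructed sample scanner output; raw CVSS order would be 9.8, 9.1, 8.1, 7.5.
SAMPLE_FINDINGS = [
    Finding("dev-03", "CVE-EXAMPLE-0002", 9.8),   # critical CVSS, low-value internal box
    Finding("web-01", "CVE-EXAMPLE-0001", 7.5),   # internet-facing, confirmed exploitable
    Finding("db-01",  "CVE-EXAMPLE-0003", 8.1),   # high CVSS, internal, unconfirmed
    Finding("web-01", "CVE-EXAMPLE-0004", 9.1, false_positive=True),  # verified FP
]

if __name__ == "__main__":
    for score, f in prioritise(SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {f.host:7}  {f.cve}  (CVSS {f.cvss})")
```

Run as-is, the ranking comes out 9.50 (CVE-EXAMPLE-0001), 4.86 (CVE-EXAMPLE-0003), 2.35 (CVE-EXAMPLE-0002): the finding with the lowest CVSS score tops the list, and the highest-scoring false positive is gone.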

Integrated with penetration testing

Vulnerability scanning forms the first phase of every dotSec penetration test. Standalone scanning clients benefit from the same methodology and the same testers, meaning findings are assessed by people who understand real-world exploitability.

Compliance alignment

Regular scanning supports PCI DSS Requirement 11.3, ISO 27001 Annex A.8.8, the ACSC Essential Eight patch management controls, and APRA CPS 234 vulnerability management obligations. Scan reports can serve directly as compliance evidence.

Managed or on-demand

Choose continuous managed scanning with scheduled scans and regular reporting, or an ad hoc engagement for a specific project, pre-audit preparation, or post-change verification. Both options include expert analysis.

Vulnerability scanning FAQ

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan identifies known weaknesses using automated tools. A penetration test goes further: a tester manually verifies findings, attempts exploitation, and assesses real-world business impact. dotSec typically conducts vulnerability scanning as the first phase of a penetration test, but also offers standalone scanning as a managed service. NIST SP 800-115 sets out this distinction.

Reference: https://csrc.nist.gov/pubs/sp/800/115/final

Frequency depends on regulatory context and risk appetite. PCI DSS requires quarterly external scans by an Approved Scanning Vendor (ASV) and quarterly internal scans. ISO 27001 and the ACSC Essential Eight treat scanning as part of a continuous vulnerability management process. At minimum, scanning should occur after any significant system change, such as a new deployment or major configuration update.

Internal and external network infrastructure, web applications, cloud environments (AWS, Azure, GCP), wireless networks, and endpoints. Scans can be authenticated (using credentials to assess internal configuration) or unauthenticated (simulating an external attacker’s view of exposed services).

Automated tools are used for discovery and initial identification. The analysis, false positive removal, contextual risk assessment, and remediation guidance are done manually by dotSec’s testers. Automated output without expert analysis produces noise, not actionable intelligence.

For specific controls, yes. PCI DSS Requirement 11.3 mandates quarterly ASV scans and internal vulnerability scans; completing these with appropriate evidence satisfies that control. For broader frameworks such as ISO 27001 or the Essential Eight patch management controls, scanning is one component of a vulnerability management programme rather than a complete solution in itself.

What next?

If you need a vulnerability scan as a standalone exercise, as part of a compliance obligation, or as the first step toward a penetration test, dotSec can scope an engagement to match. Contact us to discuss your requirements.

Premier Australian cyber security specialists