CloudKey

Vulnerability assessment and penetration testing

Vulnerability assessment services (VAPT)

A vulnerability assessment systematically finds and ranks the weaknesses across your systems. Paired with penetration testing, the combination known as VAPT, it also proves which of those weaknesses an attacker could actually exploit.

CloudKey vulnerability assessment services give you broad, repeatable coverage of what is weak across your estate, then validate the findings that matter with manual penetration testing. You get the full VAPT picture: breadth from the assessment, certainty from the testing.

  • Broad coverage
  • Risk-ranked findings
  • Validated by manual testing
  • Repeatable cadence

Mean CVSS: 6.4

  • Unpatched edge service, exploit available (edge-gw-01)
  • Exposed admin interface, weak authentication (vpn-portal)
  • Outdated web framework, known CVE (CVE-2024-XXXX)
  • Misconfigured storage, public read access (assets-bucket)

Illustrative findings, not a real scan. Your report shows your own systems, triaged and ranked by a human.

Overview

Breadth and certainty, in one engagement

A vulnerability assessment answers "what is potentially wrong across everything?" A penetration test answers "what can an attacker actually do?" You need both. Run an assessment alone and you drown in findings with no sense of which are real. Run only a deep test on one app and you miss the rest of the estate. VAPT combines them: wide assessment first, focused validation second.

CloudKey vulnerability assessment services scan your systems for known weaknesses, then a human triages the results, removes the false positives, and ranks what is left by real risk to your business. That alone turns a raw scanner dump into a usable plan. For the findings that look genuinely exploitable, our penetration testers validate them by hand and prove the impact.

The result is coverage you can trust and a short list you can act on, on a cadence that fits your release cycle and your compliance calendar.

What an assessment delivers

Coverage you can trust, a short list you can act on

  • 4 surfaces assessed: infrastructure, network, web and APIs
  • 5 steps from scope to prioritized report
  • 1 prioritized report, breadth and validation combined

These figures describe the scope and shape of a CloudKey engagement, not performance metrics or guaranteed results.

Assessment vs testing

Vulnerability assessment or penetration test?

They answer different questions. Most teams need both, in that order.

Vulnerability assessment

Broad and repeatable. Finds and ranks known weaknesses across many systems, ideal for ongoing coverage and a complete picture of where you stand. Strong on breadth.

Penetration testing

Deep and manual. Confirms which weaknesses are actually exploitable and chains them to prove business impact. Strong on certainty. See our penetration testing services for the full scope.

What we cover

What does a CloudKey vulnerability assessment cover?

Coverage across the surfaces that carry your risk, then a human pass that turns raw output into a plan.

Infrastructure and network

Servers, network devices and internet-facing services assessed for known vulnerabilities and weak configurations.

  • Internet-facing services mapped and checked
  • Servers and network devices in scope
  • Weak configurations flagged alongside known CVEs

  • edge-gw-01 (perimeter gateway): 3 findings
  • web-prod-04 (public web server): 2 findings
  • db-core-02 (internal database): 1 finding
  • mail-relay-01 (mail relay): Clean

Illustrative asset list, not real infrastructure.

Web applications and APIs

Applications and APIs assessed for common weaknesses, with the candidates worth deeper manual testing flagged for validation.

  • Common web and API weaknesses assessed
  • Exploitable-looking findings flagged for validation
  • Handed to manual testers where it matters

  • Auth bypass candidate, login flow: Validate
  • Injection candidate, search endpoint: Validate
  • Sensitive data in API response: Review
  • Outdated JS dependency, low impact: Note

Illustrative flags, not a real application scan.

Triage and prioritization

A human removes false positives and ranks findings by real exploitability and business impact, not just a raw severity score.

  • False positives removed by a human
  • Ranked by real exploitability and business impact
  • Remediation tracked from open to fixed

  • Open critical: 2
  • In progress: 5
  • Resolved: 29

  • Unpatched edge service: Open
  • Exposed admin interface: In progress
  • Missing security headers: Resolved

Illustrative tracker, not live remediation data.

How it works

How does a VAPT engagement work?

Assess broadly, validate what matters, report once.

  1. Scope

    We agree the systems in scope and the cadence, and put the access and boundaries in writing before anything runs.

  2. Assess

    We assess the systems for known weaknesses across infrastructure, network and applications.

  3. Triage

    A human removes false positives and ranks the real findings by exploitability and business impact.

  4. Validate

    For the findings that matter, our testers confirm exploitability by hand and capture the evidence.

  5. Report

    You get one prioritized report combining the assessment breadth and the validated findings, with clear remediation guidance.

FAQ

Vulnerability assessment, answered

VAPT stands for Vulnerability Assessment and Penetration Testing. It combines a broad assessment that finds and ranks weaknesses across your systems with focused penetration testing that proves which of those weaknesses are genuinely exploitable. Breadth plus certainty, in one engagement.

A vulnerability assessment is broad and largely automated: it finds and ranks known weaknesses across many systems. A penetration test is deep and manual: it confirms which weaknesses are exploitable and proves impact. The assessment gives coverage; the test gives certainty.

A scan is the automated step that produces raw output. A vulnerability assessment includes that scan plus human triage: removing false positives and ranking findings by real risk. The assessment is what turns scanner output into something you can act on.

Many teams assess quarterly, and after significant changes, with deeper penetration testing at least annually or when a major release or compliance deadline calls for it. We set a cadence that matches your risk and your release cycle.

Yes. For continuous coverage of new CVEs against your live inventory, our VulnMonitor service tracks and prioritizes vulnerabilities as they emerge, between scheduled assessments.

Next step

Get the full VAPT picture

Tell us what is in scope and how often you need coverage. We assess broadly, validate what matters by hand, and deliver one prioritized report with a fixed quote.