
VULNERABILITY ASSESSMENT
Understanding Key Terms
Before we go any further, let's identify some key terms that any IT or Infosec professional should understand and be able to explain clearly.
Vulnerability
A Vulnerability is a weakness or bug in an organization's environment, including applications, networks, and infrastructure, that opens up the possibility of threats from external actors. Vulnerabilities can be registered through MITRE's Common Vulnerabilities and Exposures (CVE) database and receive a Common Vulnerability Scoring System (CVSS) score to determine severity. This scoring system is frequently used as a standard by companies and governments looking to calculate accurate and consistent severity scores for their systems' vulnerabilities. Scoring vulnerabilities in this way helps prioritize resources and determine how to respond to a given threat. Scores are calculated using metrics such as the type of attack vector (network, adjacent, local, physical), the attack complexity, the privileges required, whether or not the attack requires user interaction, and the impact of successful exploitation on the confidentiality, integrity, and availability of an organization's data. Scores can range from 0 to 10, depending on these metrics.

Threat
A Threat is a process that amplifies the potential of an adverse event, such as a threat actor exploiting a vulnerability. Some vulnerabilities raise more threat concerns than others due to the probability of the vulnerability being exploited. For example, the higher the reward of the outcome and the easier the exploitation, the more likely the issue is to be exploited by threat actors.
Exploit
An Exploit is any code or resource that can be used to take advantage of an asset's weakness. Many exploits are available through open-source platforms such as Exploit-DB or the Rapid7 Vulnerability and Exploit Database. We will often see exploit code hosted on sites such as GitHub and GitLab as well.
Risk
Risk is the possibility of assets or data being harmed or destroyed by threat actors.
To differentiate the three, we can think of it as follows:
- Risk: something bad that could happen
- Threat: something bad that is happening
- Vulnerabilities: weaknesses that could lead to a threat
PRICE LIST
- Unlimited IT vulnerability assessments (within the IP range)
- Configuration, compliance, and security audits
- External attack surface scans
- Cloud infrastructure scans
$250,000 - $350,000 Mexican pesos/month
Taxes not included