Vulnerability Assessment

A structured, tool-led assessment of your external perimeter and internal network designed to identify, classify, and prioritise known vulnerabilities, with expert validation to eliminate false positives and direct remediation effort, aligned with global standards and Hong Kong regulatory expectations.

§ Service Overview

Identify, prioritise, and remediate known vulnerabilities across your network.

Visibility into the known vulnerabilities present across your environment, with the depth of human review needed to act on them with confidence.

A vulnerability assessment uses automated scanning to identify, classify, and prioritise known weaknesses across your external perimeter and internal network, with senior consultant review of the results to ensure findings reflect what is actually present in your environment.

Our consultants validate findings against your environment, remove false positives, calibrate severity to reflect actual exposure and business context, and prioritise remediation effort by what matters most to your operations.

Each engagement concludes with a detailed report containing prioritised findings, risk-rated severity, evidence, asset coverage maps, and clear remediation guidance suitable for both technical and executive stakeholders.

§ Why Choose Next Security

The Next Security Advantage

We combine elite offensive cybersecurity expertise with institutional backing to deliver vulnerability assessment that actually drives business resilience.

01

Elite Technical Expertise

Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous certifications including OSCE³, OSEP, OSWE, OSCP, and eCPTX. Vulnerability assessments are run by the same elite practitioners who define our methodology, with the technical depth to validate scanner output, eliminate false positives, and adjust severity to your real environment.

02

Senior-Led Execution

No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones running the scans, validating the findings, and walking you through remediation. You get the same expert from kickoff through closure.

03

Institutionally Backed & Trusted

Vulnerability assessment requires absolute trust: you are granting deep access to your network and infrastructure. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.

04

Actionable Business Intelligence

We don't deliver 800-page scanner exports. Every vulnerability assessment produces a risk-prioritised remediation roadmap, business-context impact analysis, and clear remediation guidance, translated for both your engineers and your board.

§ Who This Service Is For

For organisations where vulnerability exposure must be measured, not assumed.

Clients engage us when coverage has to be exhaustive, findings have to be validated, and the outcome has to hold up to auditors, regulators, customers, and the board.

01

Compliance scanning mandates

Organisations subject to ISO/IEC 27001, PCI DSS, HKMA C-RAF, or SFC requirements that mandate periodic vulnerability scanning evidence as part of their control framework.

02

Patch management validation

Security and operations teams verifying that patching pipelines are actually closing the gap between vendor disclosure and applied fix across the production environment.

03

Pre-pentest baseline

Organisations preparing for a penetration test who want to clear known-CVE noise first, so consultant time targets the deeper exploitation work scanners cannot perform.

04

Post-incident assurance

Organisations re-validating environment posture following a reported intrusion, ransomware event, or significant network architecture change.

05

Periodic security assurance

Mature security programmes with annual or semi-annual broad-coverage testing obligations to internal risk committees, customers, or regulators.

06

First-time visibility

Security teams seeking an evidence-based baseline of their full external and internal vulnerability exposure, often as the foundation of a new vulnerability management programme.

Commonly engaged by teams in

Banking & Financial Services, Insurance, FinTech & Digital Payments, Asset & Wealth Management, Healthcare, Government & Public Sector, Critical Infrastructure & Utilities, Telecommunications, Logistics & Supply Chain, E-commerce & Retail, Education.

§ Objectives & Scope

What each engagement is designed to achieve.

Every engagement is scoped collaboratively to ensure assessment objectives align with business priorities, risk appetite, and regulatory context.

Assessment Objectives

  • Deliver an independent, evidence-backed view of known vulnerabilities across your external perimeter and internal network, suitable for audit, regulator, and board scrutiny.
  • Identify exposures that allow opportunistic attackers to gain initial access through unpatched services, default credentials, and misconfigured exposures.
  • Catalogue the full population of network assets, exposed services, and software versions in scope, so blind spots and shadow exposures become visible.
  • Demonstrate compliance with vulnerability scanning expectations under HKMA, SFC, PCI DSS, ISO/IEC 27001, and SOC 2.
  • Direct remediation effort toward findings prioritised by exploitability, exposure, and business context, not raw CVSS score alone.

Typical In-Scope Targets

  • External internet-facing IP ranges, exposed services, and edge devices including VPN gateways and remote-access infrastructure.
  • Internal network segments, internal servers, and end-user subnets reachable from inside the network.
  • Network infrastructure devices, including routers, switches, firewalls, and management interfaces.
  • Operating systems, installed software, and patch levels across in-scope hosts (authenticated mode).
  • Hybrid environments combining on-premises infrastructure with cloud-hosted servers (IaaS).

§ Coverage

Comprehensive coverage. Validated, prioritised findings.

Coverage is structured around NIST SP 800-115 and CIS Benchmarks, supported by industry-standard scanning toolchains and senior consultant review of the results. The categories below highlight our core focus areas, but our complete coverage extends far beyond them.

01

Missing Patches & Known CVEs

Operating system and application patches missing against current vendor advisories, NVD CVE entries, and known-exploited vulnerability catalogues such as the CISA KEV list.

02

Outdated Software & End-of-Life Components

Software running past vendor support, deprecated components, and end-of-life systems no longer receiving security updates, including third-party libraries and frameworks bundled with applications.

03

Exposed Services & Open Ports

Network services that are reachable but should not be, including legacy protocols, exposed management interfaces, debug services, and shadow exposures missed by the asset inventory.

04

Default & Weak Credentials

Default vendor credentials, blank passwords, and well-known weak credentials on exposed services, network devices, and management interfaces detected by credentialed and unauthenticated checks.

05

Insecure Protocols & Weak Cryptography

Cleartext protocols, deprecated TLS/SSL versions, weak cipher suites, and self-signed or expired certificates on internet-facing and internal services.

06

Configuration Hardening Gaps

Deviations from CIS Benchmarks and vendor hardening guidance, including insecure defaults, unnecessary services, and overly permissive access controls (authenticated mode).

07

Asset Discovery & Inventory

Full enumeration of hosts, services, and software versions reachable in scope, surfacing forgotten and shadow assets that don't appear in your asset register.
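The asset discovery and exposed-services steps above, as an added example that is not part of the original page or of Next Security's own tooling: a Python script that reads Nmap's XML output (the `-oX` format), keeps only live hosts and open ports, flags cleartext and management services from an external perspective, and reconciles the result with a client-supplied asset register to surface shadow assets. The XML document, the two classification lists, and the register are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Parse Nmap XML (-oX) into an asset inventory and flag exposures.

Added illustration, not the vendor's tooling. SAMPLE_NMAP_XML is a constructed
document in Nmap's real output schema; CLEARTEXT and MANAGEMENT are assumed
classification lists to be tuned per engagement, not a published standard.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/28">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="vpn.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/>
        <service name="https-alt" product="Apache Tomcat" version="9.0.31"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="Cisco IOS telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Cisco IOS http config"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="203.0.113.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Nmap service names that carry credentials or data in the clear (assumed list).
CLEARTEXT = {"telnet", "ftp", "pop3", "imap", "smtp", "snmp", "rsh", "rlogin"}
# Nmap service names that are remote-management interfaces (assumed list).
MANAGEMENT = {"ssh", "telnet", "ms-wbt-server", "vnc", "winrm", "snmp", "ipmi", "rsh", "rlogin"}


def parse_nmap_xml(xml_text):
    """Return one record per live host with its open ports and service banners."""
    root = ET.fromstring(xml_text)
    assets = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts belong in the coverage record, not the inventory
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposed services
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attr("name"),
                "product": attr("product"),
                "version": attr("version"),
            })
        assets.append({
            "ip": addr.get("addr"),
            "hostname": name_el.get("name") if name_el is not None else "",
            "ports": sorted(ports, key=lambda p: p["port"]),
        })
    return assets


def flag_exposures(assets, perspective="external"):
    """Flag open services that warrant a finding from the given scan perspective."""
    flags = []
    for asset in assets:
        for p in asset["ports"]:
            if p["service"] in CLEARTEXT:
                flags.append((asset["ip"], p["port"], "cleartext protocol: " + p["service"]))
            if perspective == "external" and p["service"] in MANAGEMENT:
                flags.append((asset["ip"], p["port"], "management interface exposed: " + p["service"]))
    return flags


def reconcile(assets, asset_register):
    """Shadow assets: live in-scope hosts that the client's register does not list."""
    known = set(asset_register)
    return [a["ip"] for a in assets if a["ip"] not in known]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for a in inventory:
        print(a["ip"], a["hostname"] or "-", [(p["port"], p["service"]) for p in a["ports"]])
    for ip, port, reason in flag_exposures(inventory):
        print(f"{ip}:{port}  {reason}")
    print("shadow assets:", reconcile(inventory, ["203.0.113.10"]))  # constructed register
```

The filtered RDP port and the down host drop out of the inventory, which is the point: the coverage map records what was probed, the inventory records what was actually exposed. Port 80 on the second host is not flagged by the lists alone; the product string ("Cisco IOS http config") is where consultant review decides whether it is a management interface rather than a web server.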

Beyond the Scanner

Validation, Triage & Risk Translation

Beyond raw scanner output, our consultants validate findings against your environment, remove false positives, calibrate severity to reflect actual exposure and business impact, and translate the result into a prioritised remediation plan your team can act on.
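The prioritisation described in the Assessment Objectives (exploitability, exposure, and business context rather than raw CVSS alone) and in the triage paragraph above, as an added example that is not part of the original page or of Next Security's own tooling. The Python script below takes validated per-host scanner rows, groups them into one finding per issue, adjusts each row's CVSS by whether its CVE appears in a known-exploited list, by network exposure, by asset criticality, and by compensating controls, then buckets the result into P1 to P4. The findings, host context, CVE placeholders (CVE-SAMPLE-A and CVE-SAMPLE-B stand in for real identifiers) and the weights are constructed assumptions; a real engagement would load CISA's KEV JSON and set the weights with the client.

```python
"""Risk-based triage of validated scanner findings.

Added illustration, not the vendor's tooling. ROWS, HOST_CONTEXT, the KEV
placeholder set and the weights are constructed for the example; the IDs
CVE-SAMPLE-A/B are placeholders, not real CVE identifiers.
"""
from collections import defaultdict

# Placeholder; in practice load CISA's known_exploited_vulnerabilities.json.
KEV_CATALOGUE = {"CVE-SAMPLE-A"}

# Business context agreed with the client during scoping (constructed).
HOST_CONTEXT = {
    "203.0.113.10": {"exposure": "external", "criticality": "crown-jewel", "compensating": []},
    "10.10.20.5":   {"exposure": "internal", "criticality": "standard",    "compensating": ["segmented"]},
    "10.10.30.9":   {"exposure": "internal", "criticality": "test",        "compensating": []},
    "203.0.113.12": {"exposure": "external", "criticality": "standard",    "compensating": []},
}

# Validated scanner output, one row per host per plugin (constructed).
ROWS = [
    {"title": "VPN gateway firmware: remote code execution", "host": "203.0.113.10", "cvss": 7.5, "cves": ["CVE-SAMPLE-A"]},
    {"title": "Unsupported database engine version", "host": "10.10.30.9", "cvss": 9.8, "cves": ["CVE-SAMPLE-B"]},
    {"title": "Unsupported database engine version", "host": "10.10.20.5", "cvss": 9.8, "cves": ["CVE-SAMPLE-B"]},
    {"title": "TLS 1.0 enabled", "host": "203.0.113.12", "cvss": 5.3, "cves": []},
    {"title": "SMB signing not required", "host": "10.10.30.9", "cvss": 3.1, "cves": []},
]

# Assumed weights; set per engagement, not a published standard.
KEV_BONUS = 2.0
EXTERNAL_BONUS = 1.0
COMPENSATING_DISCOUNT = 1.5
CRITICALITY_WEIGHT = {"crown-jewel": 1.5, "standard": 0.0, "test": -2.0}


def score_row(row, ctx):
    """Adjust a row's CVSS by exploitability and exposure; returns (0..10 score, reasons)."""
    score = row["cvss"]
    reasons = []
    if any(cve in KEV_CATALOGUE for cve in row["cves"]):
        score += KEV_BONUS
        reasons.append("known exploited (KEV)")
    if ctx["exposure"] == "external":
        score += EXTERNAL_BONUS
        reasons.append("internet-reachable")
    weight = CRITICALITY_WEIGHT[ctx["criticality"]]
    if weight:
        score += weight
        reasons.append("criticality: " + ctx["criticality"])
    if ctx["compensating"]:
        score -= COMPENSATING_DISCOUNT
        reasons.append("compensating: " + ", ".join(ctx["compensating"]))
    return max(0.0, min(10.0, score)), reasons


def priority(score):
    """Bucket an adjusted score into a remediation priority."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def triage(rows, host_context):
    """Group per-host rows into one finding per issue, rated by its worst-placed host."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["title"]].append(row)
    findings = []
    for title, group in grouped.items():
        scored = [(score_row(r, host_context[r["host"]]), r["host"]) for r in group]
        (top_score, top_reasons), driver = max(scored, key=lambda s: s[0][0])
        findings.append({
            "title": title,
            "raw_cvss": max(r["cvss"] for r in group),
            "score": round(top_score, 1),
            "priority": priority(top_score),
            "hosts": sorted(r["host"] for r in group),
            "driver": driver,          # the host whose context set the rating
            "reasons": top_reasons,
        })
    return sorted(findings, key=lambda f: (-f["score"], f["title"]))


if __name__ == "__main__":
    for f in triage(ROWS, HOST_CONTEXT):
        print(f"{f['priority']} {f['score']:>4} (cvss {f['raw_cvss']}) {f['title']}")
        print(f"     hosts={f['hosts']} driver={f['driver']} because {f['reasons']}")
```

Two things the output shows that a CVSS sort does not: the 7.5 VPN finding outranks the 9.8 database finding because it is internet-reachable, on a crown-jewel asset, and in the known-exploited list, and the database finding is rated by its segmented production host rather than by the test box that happens to share the plugin.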

Vulnerabilities we uncover: Critical CVEs, Default Credentials, Exposed Management Interfaces, Outdated Software, Weak Cryptography, Configuration Drift.

§ Methodology

A five-phase engagement framework.

A structured, repeatable methodology that delivers consistent quality, with clear entry and exit criteria at each phase and defined responsibilities on both sides.

01
Scoping

Scope & Planning

Define IP ranges, network segments, scan windows, exclusion lists, and credential requirements. Confirm authority to scan, gather network diagrams, and agree communication protocols and rules of engagement.

02
Execution

Scanning & Validation

Automated scanning across the agreed external and internal scope, followed by expert review and validation of findings to eliminate false positives and confirm accuracy of severity ratings against your environment. Critical issues are escalated in real time.

03
Reporting

Findings & Analysis

A detailed technical report with executive summary, risk-rated findings, CVSS scoring, evidence, asset coverage maps, business-context impact analysis, and prioritised remediation recommendations.

04
Remediation

Walk-through & Support

A structured walk-through of the findings with your technical team, covering exploitability, impact, and remediation guidance. Support for clarification during fix implementation.

05
Retest

Validation & Closure

Re-scanning of remediated findings to confirm fixes are effective, followed by an updated risk posture and formal engagement closure. Deliverables are packaged for internal follow-up, audit, and regulatory evidence.

§ Deliverables

What you receive at the end of the engagement.

Every engagement produces a comprehensive report designed to serve both technical remediation and executive decision-making.

01

Executive Summary

A non-technical overview of the assessment, key vulnerability themes, business impact, and recommended priorities, written for leadership, risk, and board-level stakeholders.

02

Detailed Vulnerability Findings

Every confirmed finding documented with technical description, affected hosts and services, software versions, evidence, observed impact, and references to relevant standards and CVE/CWE identifiers.

03

Risk Ratings

Findings are rated using the Common Vulnerability Scoring System (CVSS) and the OWASP Risk Rating Methodology, combined with business-context adjustments to reflect realistic risk to your organisation.

04

Evidence & Reproduction Steps

Scanner output, captured banners, command output, and reproduction details for confirmed findings so your team can validate independently.

05

Asset & Coverage Map

Full inventory of hosts, services, and software versions discovered in scope, providing an evidence-based view of your network footprint and a record of what was actually tested.

06

Remediation Guidance

Clear, prioritised recommendations mapped to each finding, including patch references, configuration changes, and compensating controls where direct remediation is not immediately feasible.

§ Standards & Compliance

Aligned with global frameworks and Hong Kong regulatory expectations.

Our methodology is built on internationally recognised assessment standards and mapped to the compliance frameworks most relevant to Hong Kong-regulated organisations.

Testing Standards

NIST SP 800-115, NIST SP 800-40, CIS Benchmarks, CIS Controls v8, OSSTMM.

Compliance Alignment

Hong Kong: HKMA C-RAF 2.0, HKIA GL20, SFC Cybersecurity Guidelines, SRAA. Global: PCI DSS, ISO/IEC 27001, SOC 2.

§ Credentials

Delivered by consultants holding the world's most respected cybersecurity credentials.

Offensive Security & Penetration Testing

OSCE³ (OffSec Certified Expert³)
OSEP (OffSec Experienced Penetration Tester)
OSWE (OffSec Web Expert)
OSED (OffSec Exploit Developer)
OSCP (OffSec Certified Professional)
OSCE (OffSec Certified Expert, legacy)
OSWP (OffSec Wireless Professional)
HTB CPTS (HTB Certified Penetration Testing Specialist)
HTB CWES (HTB Certified Web Exploitation Specialist)
HTB CWEE (HTB Certified Web Exploitation Expert)
HTB CAPE (HTB Certified Active Directory Pentesting Expert)
eCPTX (eLearnSecurity Certified Penetration Tester eXtreme)
eWPTX (eLearnSecurity Web Application Penetration Tester eXtreme)
eMAPT (eLearnSecurity Mobile Application Penetration Tester)
BSCP (Burp Suite Certified Practitioner)
C|EH Master (Certified Ethical Hacker Master)

Red Team Operations

CRTM (Certified Red Team Master)
CRTL (Certified Red Team Lead)
CRTO (Certified Red Team Operator)
CRTE (Certified Red Team Expert)
CRTP (Certified Red Team Professional)
CARTP (Certified Azure Red Team Professional)
CRTA (Certified Red Team Analyst)

Cloud Security & Infrastructure

AWS Certified Security — Specialty
AWS Certified Solutions Architect — Associate
Microsoft Certified: Azure Security Engineer Associate
Microsoft Certified: Azure Administrator Associate
Microsoft Certified: Azure Solutions Architect Expert
Microsoft Certified: Security, Compliance & Identity Fundamentals
Google Cloud Professional Cloud Architect
CCNA (Cisco Certified Network Associate)
CND (Certified Network Defender)

Governance, Risk & Compliance

CISM (Certified Information Security Manager)
CRISC (Certified in Risk and Information Systems Control)
CISA (Certified Information Systems Auditor)
BSI ISO/IEC 27001:2022 Internal Auditor (Practitioner)

§ Frequently Asked Questions

Answers to questions we hear most during scoping.

How does a vulnerability assessment differ from a penetration test?

A vulnerability assessment is automated and identifies known weaknesses through signatures and pattern matching across your network, with expert validation to remove false positives. A penetration test is manual. Consultants validate each finding by hand, chain issues together, exploit configuration and identity weaknesses, and demonstrate real-world business impact. Vulnerability assessment goes wide and surfaces what is exposed. Penetration testing goes deep and confirms what is exploitable. Mature programmes run both.

What's the difference between authenticated and unauthenticated scanning?

An unauthenticated scan runs without credentials and interrogates only services it can reach and interact with from the outside. It produces an attack-surface view of what an opportunistic attacker can see and probe. An authenticated scan runs with provided credentials and can additionally inspect operating system patch state, installed software versions, configuration hardening, and local services not exposed to the network. Authenticated coverage is significantly broader and is recommended for internal hosts where deep visibility is required. We will recommend the right combination during scoping based on your objectives.

Will scanning impact our production environment?

Scanning is designed to be non-disruptive. Before execution, we agree on the scanning window, scan throttling, exclusion lists, and real-time escalation protocols. Higher-risk scanner plugins, such as those known to risk service stability or trigger denial-of-service conditions, are disabled by default and only enabled where explicitly authorised. Where production stability is particularly sensitive, we can perform discovery and identification in production and validate higher-impact findings against representative non-production targets, or schedule scanning out-of-hours with an open communication channel throughout. Where you operate a SOC, SIEM, or active monitoring tooling, we share scan source IPs, timing, and signatures in advance so your security team can suppress or contextualise the resulting alerts rather than triaging them as live incidents.

Where is the scanner positioned during the engagement?

External scanning is conducted from our scanning infrastructure against your internet-facing IP ranges, with source IPs disclosed in advance for whitelisting. Internal scanning is conducted either via a temporary VPN-deployed scanning host that we provision, or by a consultant on site with a hardened scanning laptop. The deployment model is agreed during scoping based on your access policies, network architecture, and any data residency requirements.

Who performs the assessment?

All engagements are led by senior offensive security consultants. We do not assign junior operators or outsource execution to third parties. Our consultants hold recognised industry certifications across offensive security and red teaming, including credentials such as OSCE³, OSEP, OSWE, OSCP, and HTB CPTS. Every assessment, including scanner output and validation work, is reviewed by a senior lead before delivery, ensuring consistent technical depth and reporting quality regardless of engagement size.

How long does a typical engagement take?

Duration depends on scope size, the number of in-scope hosts and network segments, and whether the external perspective, the internal perspective, or both are tested. As a general guide, an external engagement against a small-to-medium perimeter typically runs 3 to 5 business days of active scanning and validation, and an internal engagement of similar scale runs 5 to 10 business days, plus 3 to 5 days for reporting and review. Larger environments or combined engagements can extend further. An accurate estimate is provided during the scoping call based on your specific environment and objectives.

How soon can an engagement start?

Most engagements kick off within 1 to 2 weeks of scoping sign-off, subject to consultant availability and the agreed scanning window. Where a regulatory deadline or audit milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.

Do you remove false positives from your findings?

Yes. False-positive elimination is a core part of our methodology and a major reason clients engage us rather than running scans themselves. Scanner output is reviewed manually by a senior consultant before reporting, with findings cross-referenced against affected hosts and software versions to confirm accuracy. Findings that the scanner flags but that cannot be reproduced, or that do not apply to your environment, are removed before the report is delivered. The result is a clean, validated set of findings that reflects what is actually present in your environment.
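The version cross-reference described above, as an added example that is not part of the original page or of Next Security's own tooling. A common source of scanner false positives is banner matching: a scanner sees an upstream version string (for example OpenSSH 8.2p1) and flags it, while the distribution has backported the fix into a later package revision (the "4ubuntu0.5" part of the banner). The Python script below parses the captured SSH banner, compares the upstream version and the distro revision against an advisory table, and also drops findings whose platform does not match the host's operating system from the authenticated check. The banners, the advisory table (including the "fixed in 8.5 upstream, backported in 4ubuntu0.4" entry), and the scanner rows are constructed for the example and describe no real vulnerability; the version comparison is a simplified stand-in for dpkg/rpm ordering.

```python
"""Validate banner-based scanner findings against backported distro patches.

Added illustration, not the vendor's tooling. HOSTS, ROWS and ADVISORIES are
constructed; 'openssh-example' is a placeholder advisory, not a real CVE. vcmp
is a simplified version ordering (enough for revisions like 4ubuntu0.5), not a
full dpkg or rpm implementation.
"""
import re

# Constructed advisory table: what the scanner believes ("upstream_fixed") and
# the first distro package revision that carries the backported fix.
ADVISORIES = {
    "openssh-example": {
        "upstream_fixed": "8.5",
        "backports": {"8.2p1": "4ubuntu0.4"},  # package version -> first fixed revision
    },
}

# Banners captured during the scan; OS comes from the authenticated check (constructed).
HOSTS = {
    "10.10.20.5":  {"os": "linux", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"},
    "10.10.20.6":  {"os": "linux", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2"},
    "10.10.20.7":  {"os": "linux", "banner": "SSH-2.0-OpenSSH_7.4"},
    "10.10.20.8":  {"os": "linux", "banner": "SSH-2.0-OpenSSH_9.3"},
    "10.10.20.9":  {"os": "linux", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"},
    "10.10.20.10": {"os": "linux", "banner": ""},
}

# Scanner rows that all fired the same plugin (constructed). The last one is a
# Windows-only plugin that matched on banner text alone.
ROWS = [
    {"host": "10.10.20.5", "advisory": "openssh-example"},
    {"host": "10.10.20.6", "advisory": "openssh-example"},
    {"host": "10.10.20.7", "advisory": "openssh-example"},
    {"host": "10.10.20.8", "advisory": "openssh-example"},
    {"host": "10.10.20.9", "advisory": "openssh-example", "applies_to": "windows"},
    {"host": "10.10.20.10", "advisory": "openssh-example"},
]

# "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5" -> upstream=8.2p1, revision=4ubuntu0.5
BANNER_RE = re.compile(r"OpenSSH_(?P<upstream>[0-9][0-9.p]*)(?:\s+\w+-(?P<revision>\S+))?")


def vtokens(version):
    """'4ubuntu0.5' -> [4, 'ubuntu', 0, 5]; numeric runs compare as integers."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-zA-Z]+", version)]


def vcmp(a, b):
    """Return -1, 0 or 1 ordering two version strings token by token (simplified)."""
    ta, tb = vtokens(a), vtokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        return -1 if str(x) < str(y) else 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def validate(row, host):
    """Return (verdict, reason) for one scanner row against the observed host."""
    if row.get("applies_to") and row["applies_to"] != host["os"]:
        return "not applicable", f"plugin targets {row['applies_to']}, host runs {host['os']}"
    match = BANNER_RE.search(host["banner"])
    if not match:
        return "unverified", "no version banner; needs authenticated check or manual validation"
    adv = ADVISORIES[row["advisory"]]
    upstream, revision = match.group("upstream"), match.group("revision")
    if vcmp(upstream, adv["upstream_fixed"]) >= 0:
        return "false positive", f"upstream {upstream} is already >= {adv['upstream_fixed']}"
    fixed_rev = adv["backports"].get(upstream)
    if revision and fixed_rev and vcmp(revision, fixed_rev) >= 0:
        return "false positive", f"distro backport {revision} >= {fixed_rev}"
    if revision and fixed_rev:
        return "confirmed", f"distro revision {revision} predates backport {fixed_rev}"
    return "confirmed", f"upstream {upstream} < {adv['upstream_fixed']} and no backport evidence"


def validate_all(rows, hosts):
    """Map each flagged host to its verdict so the report only carries confirmed items."""
    return {row["host"]: validate(row, hosts[row["host"]]) for row in rows}


if __name__ == "__main__":
    for host, (verdict, reason) in validate_all(ROWS, HOSTS).items():
        print(f"{host:<12} {verdict:<15} {reason}")
```

"Unverified" is deliberately not "false positive": a host with no banner has not been cleared, it has been flagged for the consultant to check by another route (an authenticated package query, or a manual probe) before it is either reported or dropped.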

What scanning tools do you use?

Our toolkit combines industry-standard commercial and open-source scanners with our own internal validation tooling. The core scanners we operate include Tenable Nessus, OpenVAS, and Nmap. Tool selection is driven by scope and objective, not by tool licensing, and findings are manually reviewed by a consultant regardless of which scanner surfaced them.

How do you handle sensitive data encountered during scanning?

Any sensitive data, credentials, or system information encountered during scanning is handled under strict confidentiality. We do not extract, retain, or reproduce sensitive data beyond what is strictly necessary to evidence a finding, and where possible, data is anonymised in the final report. Credentials provided by you for authenticated scanning are held in access-controlled secrets management throughout the engagement, used only for the agreed scope and duration, and confirmed destroyed in writing after engagement closure. Scanner output and engagement artefacts are stored in access-controlled environments, transmitted over encrypted channels, and securely destroyed after the agreed retention period.

What is typically out of scope?

Unless explicitly agreed during scoping, the following are generally excluded: denial-of-service and volumetric load testing, destructive or proof-of-exploit actions against production systems and data, social engineering and physical intrusion (these are scoped under our Red Team and Phishing Simulation services), and scanning of third-party hosted infrastructure or services outside your direct control. OT/ICS environments (SCADA, PLCs, industrial control systems) and wireless network testing require specialised assessment and are scoped separately. Scanning is strictly confined to the agreed network ranges and target list, and exploratory scanning of adjacent systems or out-of-scope IPs is never performed without prior written authorisation.

Do you provide retest and remediation validation?

Yes. A complimentary retest is included with every engagement. After you have applied remediation, we re-scan confirmed findings to verify that fixes are effective and that no regressions have been introduced, and issue an updated report reflecting closure status for each item. The retesting window is agreed with you during scoping to align with your remediation plan.

Do you provide a Letter of Attestation?

Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, scanning period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including PCI DSS, SOC 2, ISO/IEC 27001, and HKMA-related obligations.

Ready to see what's exposed across your full network footprint?

Schedule a scoping call with our specialists to define the right scope for your environment, regulatory context, and timeline. We will walk you through methodology, deliverables, and next steps.