What is a Vulnerability Assessment?

A Vulnerability Assessment is, in many ways, the “first phase” of a Penetration Test, but it also has a few key differences.

Its intended purpose is to identify vulnerabilities and weaknesses in the security perimeter of your organization and its assets. These vulnerabilities are identified using a multi-tiered approach, combining software- and hardware-based tools, applications and manual investigation by DFDR’s consultants.

The scope and areas of the assessment can span a number of different areas. Typically, the assessment is driven by audit requirements, budget and collaboration with the client. DFDR works with the client, identifying the areas most concerning or sensitive to an organization, the risks presented by threats and how the executive management wants to proceed.

Why perform a Vulnerability Assessment?

Many industries and audit standards now require regular scans and assessments to be performed against your organization. PCI and HIPAA, in particular, require this type of testing to be performed quarterly OR each time a major change is made to your environment.

As part of a comprehensive Information Technology program, a vulnerability assessment is a vital piece of an organization’s strategy. This process not only identifies risks previously unknown to an organization but also determines the effectiveness of the controls and systems currently in place. A company invests significantly in its technical infrastructure; a Vulnerability Assessment helps validate those controls or identify areas in which they are lacking, improving the security posture.


There are many vital components to an assessment. Depending on the agreed-upon scope of work, the following components are part of a full solution:

  • Open source and public information gathering
  • Scanning and assessment of External, Internal and Wireless networks
  • Physical perimeter controls
  • Social engineering demonstration
  • Security policy review
  • Internal security controls assessment review
  • Data collection on the organization from an Information Security perspective

A rigorous review of the environment with a custom report detailing vulnerabilities and possible risk exposure present is delivered to the client. The key difference between this type of engagement and a penetration test is that vulnerabilities and risk are evaluated but not exploited.

Along with the fully customized and easily understood report, the client is supplied raw data and generated reports that not only validate the identified issues but also supply the client with actionable intelligence and information.

The key to any successful InfoSec engagement is the reporting of the data, strong guidance and a deliverable which is easily understood by all parties and decision makers in an organization. Implementing changes or acting upon the risks and vulnerabilities discovered during the assessment is critical. DFDR’s role in the process is delivering a report with recommendations by evaluating the data gathered in a sound, logical and appropriate manner.

DFDR has extensive experience in both CyberSecurity and Digital Forensics. With a combined 20+ years of experience in the field and spanning a wide range of specialties in Information Assurance, DFDR is a leader in the industry. DFDR has worked with a large number of organizations spanning a wide array of industries focused on risk, information assurance and asset protection.

  • Forensic/Ediscovery
    • Consulting
    • Digital Forensics
    • Mobile Forensics
    • Expert Witness Testimony
    • Litigation Support
  • Data Recovery
  • Password Recovery
  • Drive/Data Wiping
  • Training
  • Security


690 Sugartown Rd.
Malvern, PA
Suite WH-201
United States


1845 Walnut St.
Philadelphia, PA
Suite 1600
United States