What is a vulnerability assessment?
Answer
A vulnerability assessment is the systematic process of identifying, quantifying, and prioritizing security weaknesses in a system, network, or application. Unlike a penetration test, it does not attempt to exploit the weaknesses it finds; it identifies, rates, and documents them so they can be fixed.

Process:
(1) Asset discovery: inventory all hosts, services, and software in scope, including their exposure (internet-facing or internal) and business criticality. A scanner can only assess what it knows about.
(2) Scanning: use automated tools (Nessus, OpenVAS, Qualys) to check for known CVEs, missing patches, and insecure configurations. Credentialed (authenticated) scans see installed package versions and local settings and find far more than unauthenticated network scans; scanner output also contains false positives, so findings should be validated before they are reported.
(3) Analysis: rank findings by severity and exploitability. The CVSS base score rates the intrinsic severity of a flaw, not the risk it poses to this environment, so the ranking should also weigh asset criticality, network exposure, and whether a public exploit or known exploitation in the wild exists.
(4) Reporting: document each finding with affected assets, evidence, severity, and a concrete remediation recommendation, grouped so that one fix (a patch applied fleet-wide) closes all instances of the same issue.
(5) Remediation: apply patches, fix configurations, or apply compensating controls, within a remediation deadline tied to the priority.
(6) Verification: rescan to confirm the findings are closed and that the fix did not introduce new ones.

Vulnerability assessments should be run regularly (monthly or quarterly, depending on policy) and after major system changes. They complement penetration testing but serve a different purpose: breadth (every known weakness across all assets) versus depth (what an attacker can actually achieve by chaining and exploiting them).
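The analysis and reporting steps above, as an added example (not code from the page or from any scanner vendor): a small triage script that takes scanner findings, adjusts the CVSS base score for asset criticality, internet exposure, and public exploit availability, assigns a remediation deadline, and groups affected hosts per issue. The asset inventory, findings, CVE-style identifiers, weights, and SLA policy are all constructed for illustration; the field names imitate a generic scanner export rather than any specific tool's schema.

```python
"""Added example: triage and prioritisation of vulnerability-scanner findings.

Everything below (assets, findings, placeholder CVE identifiers, weights and
SLA policy) is constructed for illustration; it is not a real scanner export.
"""
from collections import defaultdict


def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale (None/Low/Medium/High/Critical)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Constructed asset inventory from the discovery step: exposure and business
# criticality are exactly what a bare CVSS base score does not know about.
ASSETS = {
    "10.0.1.10": {"name": "web-01", "internet_facing": True, "criticality": "high"},
    "10.0.2.20": {"name": "db-01", "internet_facing": False, "criticality": "high"},
    "10.0.3.30": {"name": "dev-box-07", "internet_facing": False, "criticality": "low"},
}

# Constructed scanner findings. The CVE identifiers are placeholders, not real
# CVEs; "exploit_public" stands in for a known-exploited-vulnerabilities feed.
FINDINGS = [
    {"host": "10.0.1.10", "cve": "CVE-0000-0001", "title": "Outdated web server", "cvss": 7.5, "exploit_public": True},
    {"host": "10.0.2.20", "cve": "CVE-0000-0002", "title": "DB auth bypass", "cvss": 9.8, "exploit_public": False},
    {"host": "10.0.3.30", "cve": "CVE-0000-0002", "title": "DB auth bypass", "cvss": 9.8, "exploit_public": False},
    {"host": "10.0.3.30", "cve": "CVE-0000-0003", "title": "Weak TLS cipher", "cvss": 5.3, "exploit_public": False},
    {"host": "10.0.1.10", "cve": "CVE-0000-0003", "title": "Weak TLS cipher", "cvss": 5.3, "exploit_public": False},
]

# Assumed remediation policy (days to fix per priority); an organisation sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": None}

# Assumed weighting: how much of the base score a host's business value "keeps".
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


def risk_score(finding: dict, asset: dict) -> float:
    """Context-adjusted score: CVSS base weighted by asset criticality, then
    bumped for internet exposure and for a publicly available exploit, capped at 10."""
    score = finding["cvss"] * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        score += 1.0
    if finding["exploit_public"]:
        score += 2.0
    return round(min(score, 10.0), 1)


def prioritize(findings: list, assets: dict) -> list:
    """Return findings enriched with severity, contextual risk, priority bucket and
    SLA, sorted so the most urgent item comes first."""
    triaged = []
    for f in findings:
        asset = assets[f["host"]]
        risk = risk_score(f, asset)
        priority = cvss_severity(risk)  # reuse the same scale for the adjusted score
        triaged.append({
            "host": f["host"], "name": asset["name"], "cve": f["cve"], "title": f["title"],
            "cvss": f["cvss"], "severity": cvss_severity(f["cvss"]),
            "risk": risk, "priority": priority, "sla_days": SLA_DAYS[priority],
        })
    triaged.sort(key=lambda t: (-t["risk"], -t["cvss"]))
    return triaged


def summarize_by_cve(triaged: list) -> dict:
    """Group affected hosts per issue so one fix can be tracked fleet-wide."""
    hosts = defaultdict(list)
    for t in triaged:
        hosts[t["cve"]].append(t["host"])
    return {cve: sorted(h) for cve, h in hosts.items()}


def render_report(triaged: list) -> str:
    """Plain-text report: one line per finding, most urgent first."""
    lines = ["priority  risk  cvss  host         cve            title  (fix within)"]
    for t in triaged:
        lines.append(f"{t['priority']:<9} {t['risk']:>4}  {t['cvss']:>4}  "
                     f"{t['name']:<12} {t['cve']:<14} {t['title']}  ({t['sla_days']} days)")
    return "\n".join(lines)


if __name__ == "__main__":
    result = prioritize(FINDINGS, ASSETS)
    print(render_report(result))
    print(summarize_by_cve(result))
```

Note how the same placeholder "DB auth bypass" finding (CVSS 9.8) lands at the top of the list for the production database but drops to low priority on the low-value dev box, while a 7.5 with a public exploit on the internet-facing web server outranks both: that is the context the base score alone cannot provide.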