What Is a Vulnerability Scan — and Does My Business Actually Need One?
A vulnerability scan checks your domain and infrastructure for security weaknesses before attackers find them — here is what it involves, what it finds, and whether your business should be running one.
What is a vulnerability scan?
A vulnerability scan is an automated check of your internet-facing infrastructure — your domain, web server, open ports, DNS records, and running services — looking for known security weaknesses.
It works by probing your systems the way an attacker would: checking which ports respond, identifying what software is running and what version, testing for known misconfigurations, and comparing what it finds against databases of known vulnerabilities.
The result is a prioritised list of findings — from critical issues that need immediate attention down to informational notes — with explanations of what each finding means and how to fix it.
What does a vulnerability scan actually check?
A good external vulnerability scan covers:
- Open ports and services — which ports on your server are responding to connections, and what is running on them. Databases, admin panels, and legacy services that should not be internet-facing are flagged here.
- Web application issues — missing security headers, outdated software versions, insecure configurations, and common vulnerabilities in web frameworks.
- DNS and email security — whether your domain has SPF, DKIM, and DMARC records configured correctly to prevent email spoofing.
- SSL/TLS configuration — whether your certificate is valid, not expiring, and configured with strong encryption settings.
- Known CVEs — whether the software versions you are running have publicly disclosed vulnerabilities with published exploits.
- Subdomain exposure — whether any subdomains are misconfigured, pointing to abandoned services, or vulnerable to takeover.
- Exposed secrets — whether any configuration files or repositories associated with your domain contain leaked API keys or credentials.
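As an added worked example (not Olimpio's scanner and not code from this page), the Python below shows how three of the checks listed above are evaluated once the raw observations are in hand: response headers against a baseline list, the domain's SPF and DMARC TXT records for missing or permissive policies, and the certificate's expiry date against a warning window. It does no network access; in practice the headers, TXT records and expiry date would come from an HTTP response, a DNS lookup and a TLS handshake. The header baseline, the severity ratings and all sample records are assumptions constructed for the example.

```python
"""Evaluate security headers, SPF/DMARC records and TLS expiry for a domain.

Constructed example: the baseline, severities and sample data are assumptions,
not any scanner's actual rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    detail: str


# Response headers a hardened site is expected to send (illustrative baseline).
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
    "referrer-policy": "low",
}


def check_security_headers(headers: dict) -> list[Finding]:
    """Report every baseline header absent from the response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [Finding("headers", sev, f"missing {name}")
            for name, sev in EXPECTED_HEADERS.items() if name not in present]


def check_spf(txt_records: list[str]) -> list[Finding]:
    """Look at the domain's TXT records for exactly one SPF record ending in a
    restrictive 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("spf", "high", "no SPF record: anyone can send mail as this domain")]
    if len(spf) > 1:
        return [Finding("spf", "high", "multiple SPF records: receivers treat this as a permanent error")]
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        return [Finding("spf", "high", "SPF ends with +all: every sender is authorised")]
    if last == "?all":
        return [Finding("spf", "medium", "SPF ends with ?all: neutral result, spoofing is not penalised")]
    return []


def check_dmarc(txt_records: list[str]) -> list[Finding]:
    """Parse the _dmarc TXT record and require an enforcing policy."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("dmarc", "high", "no DMARC record at _dmarc.<domain>")]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return [Finding("dmarc", "medium", "DMARC p=none: spoofed mail is reported but still delivered")]
    if policy not in ("quarantine", "reject"):
        return [Finding("dmarc", "high", f"DMARC policy missing or invalid: {policy!r}")]
    return []


def check_tls_expiry(not_after: datetime, now: datetime, warn_days: int = 30) -> list[Finding]:
    """Flag an expired certificate as critical and one expiring soon as high."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return [Finding("tls", "critical", "certificate has expired")]
    if remaining <= timedelta(days=warn_days):
        return [Finding("tls", "high", f"certificate expires in {remaining.days} days")]
    return []


def run_checks(headers, domain_txt, dmarc_txt, not_after, now=None) -> list[Finding]:
    """Combine the checks into one report, most severe first."""
    now = now or datetime.now(timezone.utc)
    findings = (check_security_headers(headers) + check_spf(domain_txt)
                + check_dmarc(dmarc_txt) + check_tls_expiry(not_after, now))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample observations standing in for what a scanner would collect.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_DOMAIN_TXT = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOW + timedelta(days=12)

if __name__ == "__main__":
    for f in run_checks(SAMPLE_HEADERS, SAMPLE_DOMAIN_TXT, SAMPLE_DMARC_TXT, SAMPLE_NOT_AFTER, SAMPLE_NOW):
        print(f"[{f.severity:>8}] {f.check}: {f.detail}")
```

On the sample data the SPF record passes, the DMARC record is flagged for p=none, the certificate is flagged because it expires within 30 days, and four baseline headers are missing; the combined report lists the TLS finding first because it carries the highest severity.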
What a vulnerability scan does not do
It is worth being clear about the limitations:
- It does not test your staff. Phishing susceptibility, social engineering, and human error are outside the scope of a technical scan.
- It does not test bespoke application logic. Custom code vulnerabilities — things like SQL injection in your specific application — require manual penetration testing to find reliably.
- It is a point-in-time snapshot. Your infrastructure changes, new vulnerabilities are disclosed, and new services get added. A scan run once is useful; regular scanning is better.
- It does not access your internal network. An external scan only sees what is visible from the internet — the same view an attacker would have.
Vulnerability scanning vs penetration testing
These are often confused. The difference matters.
A vulnerability scan is automated, broad, fast, and relatively affordable. It covers your entire internet-facing surface and identifies known issues. It is what most businesses should be doing regularly.
A penetration test is manual, deep, slow, and expensive. A human security professional actively tries to exploit weaknesses, chain multiple vulnerabilities together, and get as far into your systems as possible. It finds things scanners miss, but costs £2,000–£15,000 for even a small engagement.
For most UK small businesses, regular vulnerability scanning is the right starting point — and is required for Cyber Essentials. Penetration testing becomes relevant when you are handling very sensitive data, working in regulated industries, or have specific enterprise or compliance requirements.
Does my business actually need a vulnerability scan?
The honest answer: if your business has a website, email, or any internet-connected systems, and you handle any customer or employee data, yes.
Here is why. Attackers do not target businesses individually based on their size or profile. Automated scanners probe the entire internet continuously, looking for easy targets. If your domain has an open database port or a missing security header, it will be found — not because someone targeted you specifically, but because everything gets scanned.
The question is not whether your infrastructure will be probed. It is whether you find the issues before the automated scanners do.
You particularly need a vulnerability scan if:
- You are working towards Cyber Essentials certification (a scan tells you what needs fixing before the assessment)
- You have recently launched a new website, changed hosting provider, or added new services
- You have not reviewed your external security posture in the last 12 months
- You handle customer payment data, health information, or other sensitive personal data
- You are about to pitch for a government contract or enterprise client that will ask about your security
How often should you scan?
For most small businesses, a scan every quarter is appropriate. Any time you make significant infrastructure changes — new server, new domain, new service going live — run a scan once the change is live.
Larger organisations or those handling sensitive data should scan monthly. Continuous monitoring (automatic re-scanning when changes are detected) is the gold standard but typically overkill for businesses under 50 employees.
What to do with the results
A vulnerability scan is only useful if you act on it. When you receive your findings:
- Prioritise by severity. Fix critical and high findings first — these are the ones actively being exploited in the wild.
- Understand what each finding means. A good scan report explains findings in plain English, not just CVE reference numbers. If you cannot understand what a finding means, you cannot assess the real risk.
- Fix, verify, re-scan. After addressing a finding, re-scan to confirm it is resolved. Some fixes look complete but are not — the re-scan catches this.
- Keep a record. Document what you found, when, and what you did about it. This is useful evidence for Cyber Essentials assessments, insurance applications, and ICO enquiries.
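The fix, verify, re-scan and keep-a-record steps above, as an added worked example that is not from this page or from Olimpio: the Python below compares the findings of the original scan with those of the re-scan, separates resolved, persistent and new findings, lists what is still open at or above a chosen severity, and produces a dated log that can be kept as evidence. The report structure (a list of dicts with host, check, severity and detail) and both sample reports are constructed assumptions, not any scanner's export format.

```python
"""Compare a scan with the re-scan taken after remediation and keep a record.

Constructed example: the report format and sample findings are assumptions.
"""
import csv
import io
from datetime import date

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def finding_key(f: dict) -> tuple:
    """Identity of a finding across scans: same host, same check, same detail."""
    return (f["host"], f["check"], f["detail"])


def by_severity(f: dict) -> tuple:
    return (SEVERITY_ORDER[f["severity"]], finding_key(f))


def compare_scans(before: list[dict], after: list[dict]) -> dict:
    """Split findings into resolved (gone), persistent (still there) and new."""
    before_keys = {finding_key(f) for f in before}
    after_keys = {finding_key(f) for f in after}
    return {
        "resolved": sorted([f for f in before if finding_key(f) not in after_keys], key=by_severity),
        "persistent": sorted([f for f in after if finding_key(f) in before_keys], key=by_severity),
        "new": sorted([f for f in after if finding_key(f) not in before_keys], key=by_severity),
    }


def still_open(after: list[dict], at_or_above: str = "high") -> list[dict]:
    """Re-scan findings at or above a severity: these block calling the round done."""
    limit = SEVERITY_ORDER[at_or_above]
    return sorted([f for f in after if SEVERITY_ORDER[f["severity"]] <= limit], key=by_severity)


def remediation_log(before, after, scan_date: date, rescan_date: date) -> list[dict]:
    """One row per finding seen in either scan, with its status after the re-scan."""
    diff = compare_scans(before, after)
    rows = []
    for status in ("resolved", "persistent", "new"):
        for f in diff[status]:
            rows.append({
                "first_seen": (rescan_date if status == "new" else scan_date).isoformat(),
                "verified_on": rescan_date.isoformat(),
                "host": f["host"], "check": f["check"], "severity": f["severity"],
                "detail": f["detail"], "status": status,
            })
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r["severity"]], r["status"], r["host"]))


def log_to_csv(rows: list[dict]) -> str:
    """Render the log as CSV text for filing alongside assessment evidence."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[
        "first_seen", "verified_on", "host", "check", "severity", "detail", "status"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample reports standing in for two scanner exports.
SCAN_BEFORE = [
    {"host": "www.example.com", "check": "ports", "severity": "critical",
     "detail": "3306/tcp (MySQL) reachable from the internet"},
    {"host": "www.example.com", "check": "tls", "severity": "high",
     "detail": "certificate expires within 30 days"},
    {"host": "www.example.com", "check": "headers", "severity": "medium",
     "detail": "missing Content-Security-Policy"},
    {"host": "www.example.com", "check": "headers", "severity": "low",
     "detail": "missing X-Frame-Options"},
]
SCAN_AFTER = [
    {"host": "www.example.com", "check": "tls", "severity": "high",
     "detail": "certificate expires within 30 days"},
    {"host": "www.example.com", "check": "headers", "severity": "medium",
     "detail": "missing Content-Security-Policy"},
    {"host": "www.example.com", "check": "dmarc", "severity": "medium",
     "detail": "DMARC policy is p=none"},
]

if __name__ == "__main__":
    rows = remediation_log(SCAN_BEFORE, SCAN_AFTER, date(2024, 6, 1), date(2024, 6, 15))
    print(log_to_csv(rows))
    for f in still_open(SCAN_AFTER):
        print("still open:", f["severity"], f["detail"])
```

On the sample data the database port and the X-Frame-Options header count as resolved, the certificate and Content-Security-Policy findings persist, and the DMARC finding appears only in the re-scan, so the round is not done: the high-severity certificate finding is still open. Matching on host, check and detail is deliberately strict; a scanner that reworded a finding between runs would show it as resolved plus new, which is a prompt to read both entries rather than a false all-clear.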
Run a free vulnerability scan on your domain with Olimpio — no setup, no credit card, results in around 15–20 minutes with plain-English explanations of every finding.