Vulnerability Assessment Checklist: What to Check Before and After Every VA

Tejas K. Dhokane
Marketing Associate
Updated: June 29, 2026
Written by Tejas K. Dhokane, Reviewed by Vijaysimha Reddy

You've scheduled a vulnerability assessment. The provider is confirmed, the timeline is set, and the engagement starts next week. Now what?

The difference between a vulnerability assessment that produces genuine security improvement and one that produces a report nobody acts on is determined by what happens before and after the assessment itself. Organisations that prepare properly get better results. Organisations that follow through after the assessment get actual security improvement. Organisations that do neither get an expensive PDF that sits in a shared drive.

This vulnerability assessment checklist covers everything your team needs to do before, during, and after a VA to maximise the value of every assessment. It's the practical companion to understanding what vulnerability assessment and penetration testing (VAPT) is and how the VAPT process works. Those guides explain what and why. This checklist explains what to do.

Before the Vulnerability Assessment: Preparation Checklist

Asset Inventory and Scope Definition

This is the most critical pre-assessment activity. You cannot assess what you don't know exists, and you cannot get value from assessing the wrong things.

Asset inventory checklist:

  • Complete inventory of all systems within assessment scope documented
  • IP addresses and ranges for all in-scope networks identified
  • All domains and subdomains catalogued (including staging, development, legacy)
  • Web applications listed with URLs, user roles, and technology stacks
  • API endpoints documented (REST, GraphQL, SOAP) with authentication requirements
  • Mobile applications identified (iOS, Android) with backend service details
  • Cloud infrastructure inventoried across all providers (AWS, Azure, GCP)
  • Network devices (firewalls, routers, switches, wireless APs) catalogued
  • IoT and OT devices within scope identified
  • Third-party integrations and vendor connections documented
  • Shadow IT discovery conducted (scanning for unknown assets)

Scope definition checklist:

  • In-scope systems clearly defined and documented
  • Out-of-scope systems explicitly identified with justification
  • Scope aligned with compliance requirements (PCI DSS scope, SOC 2 boundary, ISO 27001 ISMS)
  • Scope includes systems processing sensitive data (PII, financial, health)
  • Previous VA scope reviewed and gaps addressed
  • Scope document signed off by security and IT leadership

Understanding attack surface management helps organisations ensure assessment scope covers the complete attack surface rather than just known assets.

Environment and Access Preparation

Ensure the assessment team can actually assess everything in scope without delays.

Access and credentials checklist:

  • Assessment team access confirmed for all in-scope systems
  • VPN access or network connectivity provided if testing remotely
  • Scanning credentials provided for authenticated scanning (higher-quality results)
  • Service account with read-only access for infrastructure scanning prepared
  • Cloud platform access (AWS IAM role, Azure reader, GCP viewer) provisioned
  • Firewall rules updated to allow scanning traffic from assessment source IPs
  • IDS/IPS tuned to avoid blocking legitimate scanning activity (or assessment IPs whitelisted)
  • WAF configured to allow assessment traffic (or assessment IPs whitelisted)
  • Domain credentials provided if Active Directory scanning is in scope

Environment readiness checklist:

  • Testing windows confirmed with operations and infrastructure teams
  • Change freeze communicated during assessment period (avoid confusing results)
  • Backup verification confirmed before assessment begins
  • Emergency contacts established (security team, network team, application owners)
  • Escalation procedures defined for critical findings during assessment
  • Production system assessment approved by appropriate authority
  • Staging environment available if production testing is restricted

Compliance and Objectives Alignment

Ensure the vulnerability assessment addresses your compliance obligations and business objectives.

Compliance alignment checklist:

  • Applicable compliance frameworks identified (PCI DSS, SOC 2, ISO 27001, HIPAA, RBI, CERT-In)
  • Specific compliance requirements for vulnerability assessment reviewed
  • Assessment scope covers all compliance-mandated systems
  • Report format requirements confirmed (compliance mapping, evidence format)
  • Previous audit findings requiring VA validation identified
  • Timing aligned with compliance calendar (annual testing, quarterly scanning)

For US organisations, see our PCI DSS penetration testing guide and SOC 2 compliance guide. For Indian organisations, compliance mapping across regulatory standards covers RBI, SEBI, and CERT-In requirements.

Business objectives checklist:

  • Primary assessment objectives defined (compliance, risk reduction, pre-launch validation)
  • Priority systems identified (highest business impact if compromised)
  • Key stakeholders who will receive results identified
  • Success criteria established (what does a "good" assessment look like?)
  • Previous VA results reviewed to establish baseline for comparison
  • Known issues from previous assessments documented (track whether they've been resolved)

Documentation Gathering

Collect documentation that helps assessors understand your environment and conduct more thorough analysis.

Documentation checklist:

  • Network architecture diagrams gathered
  • Application architecture documentation available
  • Data flow diagrams showing sensitive data paths
  • Previous vulnerability assessment reports (for year-over-year comparison)
  • Previous penetration test reports (for context on validated vulnerabilities)
  • Security policy documents (access control, patch management, incident response)
  • Cloud architecture documentation (VPC layout, IAM structure, service dependencies)
  • API documentation (Swagger/OpenAPI specs, Postman collections)
  • Change management records since last assessment
  • Known vulnerability exceptions or risk acceptances documented

Internal Communication

Ensure all relevant teams know the assessment is happening and what's expected.

Communication checklist:

  • IT and infrastructure teams informed of assessment timeline
  • SOC/security monitoring team informed (distinguish assessment traffic from attacks)
  • Application development teams informed if their applications are in scope
  • Cloud operations team informed if cloud infrastructure is in scope
  • Network operations team informed of expected scanning traffic
  • Management informed of assessment timeline and expected deliverable dates
  • Emergency contact list distributed to assessment team

During the Vulnerability Assessment: Monitoring Checklist

Active Monitoring During Assessment

While the assessment is underway, your team has responsibilities.

Operational monitoring checklist:

  • Monitor for unexpected system impact from scanning activity
  • Maintain communication channel with assessment team (Slack, Teams, email)
  • Track assessment progress against agreed timeline
  • Respond promptly to assessor questions about systems and configurations
  • Review critical findings communicated during assessment (don't wait for final report)
  • Begin remediation planning for critical findings as they surface
  • Document any systems unavailable during assessment window
  • Track any scope changes required during assessment

Quality Assurance During Assessment

Verify the assessment is covering what you need.

Quality checklist:

  • Confirm all in-scope systems are being assessed (no accidental exclusions)
  • Verify authenticated scanning is producing results (credential issues caught early)
  • Confirm cloud infrastructure scanning is functional (API access working)
  • Verify that assessment covers the specific compliance requirements identified in scoping
  • Check that critical/production systems are being handled with appropriate care

After the Vulnerability Assessment: Action Checklist

Report Review and Validation

The assessment is complete and the report is delivered. Now the real work begins.

Report review checklist:

  • Executive summary reviewed by security leadership
  • Technical findings reviewed by security team for accuracy and completeness
  • All in-scope systems represented in findings (confirm nothing was missed)
  • False positive review conducted (validate findings match your environment)
  • Severity ratings reviewed for appropriate business context
  • Compliance mapping verified against your applicable frameworks
  • Findings compared against previous assessment (new vs recurring vs resolved)
  • Critical and high-severity findings highlighted for immediate attention
  • Report quality meets agreed deliverable standards

For report quality expectations, see our penetration testing reports guide.

Remediation Planning

Convert findings into actionable remediation.

Remediation planning checklist:

  • Findings prioritised by combined severity and business impact
  • Each finding assigned to a responsible team or individual
  • Remediation timelines established based on severity:
    • Critical: Remediate within 48 to 72 hours
    • High: Remediate within 2 weeks
    • Medium: Remediate within 30 days
    • Low: Remediate within 90 days or accept risk with documentation
  • Remediation tasks created in project management/ticketing system
  • Dependencies identified (findings requiring infrastructure changes vs code changes)
  • Quick wins identified (findings fixable immediately without change management)
  • Resource requirements assessed (does remediation need additional budget or expertise?)
  • Compensating controls identified for findings requiring longer remediation
  • Risk acceptance documented for findings the organisation chooses not to remediate
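The report review step above asks for findings to be compared against the previous assessment (new vs recurring vs resolved), and the remediation planning list asks for prioritisation by combined severity and business impact with SLA-based deadlines. The following script is an added example, not code from the original post or from AppSecure: it applies exactly those SLA tiers to a constructed sample report. It assumes findings are already parsed into simple records (a real report would be loaded from the provider's CSV/JSON export) and that each asset carries an assumed 1 to 3 business-impact rating.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# SLA windows taken from the remediation planning checklist. Critical is given
# as 48 to 72 hours; the 72-hour upper bound is used as the due date.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    finding_id: str      # the provider's reference; usually changes between reports
    title: str
    severity: str        # critical / high / medium / low
    asset: str
    asset_impact: int    # assumed 1..3 scale: business impact if this asset is compromised
    due: Optional[date] = None

    def key(self) -> str:
        """Stable key for year-over-year comparison: IDs change, title@asset does not."""
        return f"{self.title}@{self.asset}"


def priority_score(f: Finding) -> int:
    """Combined severity and business impact, as the checklist prioritises."""
    return SEVERITY_RANK[f.severity] * f.asset_impact


def assign_due_dates(findings: List[Finding], report_date: date) -> List[Finding]:
    """Set each finding's remediation deadline from the SLA tier for its severity."""
    for f in findings:
        f.due = report_date + timedelta(days=SLA_DAYS[f.severity])
    return findings


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest combined score first; the earlier deadline breaks ties."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.due or date.max))


def compare_with_previous(current: List[Finding], previous_keys: List[str]) -> Dict[str, List[str]]:
    """Classify findings as new, recurring or resolved against the last report."""
    now, before = {f.key() for f in current}, set(previous_keys)
    return {
        "new": sorted(now - before),
        "recurring": sorted(now & before),
        "resolved": sorted(before - now),
    }


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Finding IDs past their SLA deadline, for the weekly stakeholder report."""
    return [f.finding_id for f in findings if f.due is not None and today > f.due]


# Constructed sample report (not real findings), delivered on 1 June 2026.
SAMPLE_REPORT_DATE = date(2026, 6, 1)
SAMPLE_TODAY = date(2026, 6, 20)
SAMPLE_FINDINGS = [
    Finding("VA-001", "Missing OS patches", "critical", "db-prod-01", 3),
    Finding("VA-002", "Default SNMP community string", "high", "core-switch-01", 2),
    Finding("VA-003", "Missing HSTS header", "medium", "www.example.test", 2),
    Finding("VA-004", "Outdated JavaScript library", "low", "intranet.example.test", 1),
    Finding("VA-005", "Public S3 bucket", "high", "s3://example-logs", 3),
]
# Keys from the previous assessment (constructed), used to spot recurring findings.
PREVIOUS_KEYS = [
    "Missing HSTS header@www.example.test",
    "Outdated JavaScript library@intranet.example.test",
    "Weak TLS ciphers@vpn.example.test",
]


def triage(findings=SAMPLE_FINDINGS, previous_keys=PREVIOUS_KEYS,
           report_date=SAMPLE_REPORT_DATE, today=None) -> Dict[str, object]:
    """Run the post-report triage and return the remediation plan."""
    assign_due_dates(findings, report_date)
    ordered = prioritise(findings)
    return {
        "plan": [(f.finding_id, f.severity, priority_score(f), f.due.isoformat()) for f in ordered],
        "delta": compare_with_previous(findings, previous_keys),
        "overdue": overdue(findings, today or report_date),
    }


if __name__ == "__main__":
    result = triage(today=SAMPLE_TODAY)
    for row in result["plan"]:
        print(*row)
    print("delta:", result["delta"])
    print("overdue:", result["overdue"])
```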

Remediation Execution

Track remediation to completion.

Remediation execution checklist:

  • Critical findings remediated within agreed SLA
  • High-severity findings remediated within agreed SLA
  • Remediation verified by the implementing team before closing
  • Remediation doesn't introduce new vulnerabilities (regression awareness)
  • Configuration changes follow change management process
  • Patches tested in staging before production deployment
  • Remediation progress tracked and reported to stakeholders weekly
  • Blockers escalated promptly
  • Documentation updated for configuration changes
  • Security team informed when remediation is complete for retesting

Retesting and Validation

Verify that remediation actually resolved the vulnerabilities.

Retesting checklist:

  • Retesting requested from assessment provider after remediation completion
  • All critical and high findings included in retest scope
  • Retesting confirms vulnerabilities are no longer exploitable
  • No regression vulnerabilities introduced by remediation
  • Retesting report documenting resolved vs remaining findings received
  • Remaining unresolved findings have documented risk acceptance or extended timeline
  • Retesting evidence archived for compliance and audit purposes

Compliance and Reporting

Package assessment results for compliance and stakeholder reporting.

Compliance documentation checklist:

  • Assessment report archived in compliance evidence repository
  • Findings mapped to specific compliance framework controls
  • Remediation evidence documented for each resolved finding
  • Risk acceptance documented for unresolved findings with management sign-off
  • Assessment timing satisfies compliance frequency requirements
  • Report format meets auditor expectations (PCI QSA, SOC 2 auditor, ISO 27001 certification body)
  • Next assessment scheduled within required frequency

For US compliance, PCI DSS mandates quarterly external scanning and annual penetration testing. SOC 2 requires evidence of regular security testing. ISO 27001 requires regular assessment supporting ISMS effectiveness.

For India compliance: RBI Master Directions require periodic vulnerability assessment for regulated entities. SEBI Cybersecurity Framework mandates testing for market intermediaries. CERT-In guidelines recommend regular security auditing.

Stakeholder reporting checklist:

  • Executive summary shared with leadership and board (if applicable)
  • Technical findings shared with relevant development and operations teams
  • Remediation progress dashboard or report established
  • Next assessment timeline communicated to all stakeholders
  • Lessons learned documented for process improvement

Continuous Improvement

Use assessment results to improve security posture beyond individual findings.

Improvement checklist:

  • Root cause analysis conducted for recurring vulnerability categories
  • Patch management process reviewed if unpatched systems were widespread
  • Configuration management practices assessed if misconfigurations were prevalent
  • Development team training updated if code-level vulnerabilities were common
  • Security standards updated to address newly identified patterns
  • Assessment scope reviewed for next cycle (add systems, adjust focus areas)
  • Vulnerability management programme updated based on findings
  • Monitoring and alerting reviewed (could ongoing monitoring have caught these issues?)

Understanding how to build an effective application security programme helps organisations integrate VA findings into broader security improvement.

Network Vulnerability Assessment Checklist

External Network

  • All public IP ranges scanned
  • Open ports identified and justified (unnecessary ports flagged)
  • Administrative ports (RDP 3389, SSH 22) not exposed to internet without restriction
  • SSL/TLS configuration validated (TLS 1.2+ minimum, strong ciphers)
  • DNS configuration checked (zone transfers restricted, DNSSEC evaluated)
  • Email authentication validated (SPF, DKIM, DMARC configured)
  • VPN gateway tested for known vulnerabilities and configuration issues
  • IDS/IPS signatures current and thresholds appropriate
  • Firewall rules reviewed for overly permissive entries

See our network security assessment guide and external penetration testing guide for detailed methodology.

Internal Network

  • Internal network segmentation validated
  • Critical systems (domain controllers, databases, backups) isolated from user networks
  • Management interfaces on dedicated management VLAN
  • Legacy protocols (LLMNR, NBT-NS) identified for remediation
  • Network device credentials not using defaults
  • SNMP v3 enforced (v1/v2c disabled)
  • Switch port security or 802.1X deployed
  • Internal vulnerability scan covering all subnets

See our internal penetration testing guide for internal assessment depth.

Web Application Vulnerability Assessment Checklist

  • OWASP Top 10 vulnerabilities tested across all web applications
  • Authentication mechanisms validated (strength, MFA, lockout policies)
  • Session management tested (token randomness, expiry, secure flags)
  • Authorisation controls validated (IDOR, privilege escalation)
  • Input validation tested across all user input vectors
  • Output encoding verified preventing XSS
  • File upload functionality validated (type checking, size limits, content validation)
  • Error handling reviewed (no sensitive information disclosure)
  • Security headers implemented (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • Third-party libraries scanned for known CVEs (SCA)
  • Admin interfaces restricted and separately authenticated

For detailed web application assessment, see our web application penetration testing guide.

API Vulnerability Assessment Checklist

  • API authentication validated (key management, OAuth, JWT)
  • API authorisation tested (BOLA, BFLA at every endpoint)
  • API input validation tested for injection across all parameters
  • Rate limiting enforced preventing brute-force and enumeration
  • Excessive data exposure checked (APIs returning more data than needed)
  • API versioning assessed (old versions with weaker security still accessible?)
  • API documentation reviewed for unintentional endpoint exposure
  • Error responses not leaking internal details
  • CORS configuration appropriately restrictive

For API-specific methodology, see our API penetration testing guide.

Cloud Vulnerability Assessment Checklist

AWS

  • IAM roles and policies reviewed for least privilege
  • S3 buckets verified as private (no unintended public access)
  • Security groups reviewed for overly permissive rules
  • CloudTrail enabled across all regions
  • RDS instances not publicly accessible
  • KMS encryption enabled for sensitive data
  • MFA enforced on root and admin accounts
  • Lambda functions reviewed for excessive permissions

See our AWS penetration testing guide.
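The AWS items above (IAM least privilege, private S3 buckets, overly permissive security groups) and the external network items earlier (administrative ports such as RDP 3389 and SSH 22 not exposed to the internet, firewall rules reviewed for overly permissive entries) are the kind of checks a CSPM tool automates. The script below is an added example, not code from the original post or from AppSecure, showing the core logic over constructed policy and security-group documents. It assumes the same document shapes the AWS CLI returns (`aws s3api get-bucket-policy`, whose `Policy` field is a JSON string, `aws iam get-policy-version`, and `aws ec2 describe-security-groups`); the account ID and resource names are placeholders.

```python
from ipaddress import ip_network
from typing import Any, Dict, List

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # from the external network checklist


def _as_list(value: Any) -> List[Any]:
    """IAM documents allow a string or a list in the same field; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_bucket_statements(policy: Dict[str, Any]) -> List[str]:
    """Allow statements whose principal is anyone ('*' or {'AWS': '*'}).

    A statement that also carries a Condition (e.g. aws:SourceVpce) is reported
    as 'conditional public': it may be intended, but still needs a human to confirm.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal != "*" and "*" not in _as_list(aws or []):
            continue
        actions = ",".join(_as_list(stmt.get("Action", [])))
        kind = "conditional public" if stmt.get("Condition") else "public"
        findings.append(f"{kind} access: {actions} on {stmt.get('Resource')}")
    return findings


def wildcard_iam_statements(policy: Dict[str, Any]) -> List[str]:
    """Allow statements granting Action '*' or 'service:*' on Resource '*' (least-privilege review)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad and "*" in resources:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: {','.join(broad)} on *")
    return findings


def exposed_admin_ports(security_group: Dict[str, Any]) -> List[str]:
    """Inbound rules that open all traffic, or an admin port, to the whole internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        internet = [c for c in cidrs if ip_network(c).prefixlen == 0]  # 0.0.0.0/0 or ::/0
        if not internet:
            continue
        if perm.get("IpProtocol") == "-1":  # all protocols; no FromPort/ToPort present
            findings.append(f"all traffic open to {', '.join(internet)}")
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{name} ({port}) open to {', '.join(internet)}")
    return findings


# Constructed sample documents (placeholder account, bucket and group IDs).
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-logs",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "Deploy", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
        {"Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    print(public_bucket_statements(SAMPLE_BUCKET_POLICY))
    print(wildcard_iam_statements(SAMPLE_IAM_POLICY))
    print(exposed_admin_ports(SAMPLE_SECURITY_GROUP))
```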

Azure

  • Azure AD roles reviewed for overprivilege
  • Blob storage containers verified as private
  • NSG rules reviewed for unrestricted access
  • Azure Monitor diagnostic settings enabled
  • Key Vault access policies following least privilege
  • MFA enforced on all admin accounts
  • App Service configurations reviewed

See our Azure penetration testing guide.

GCP

  • IAM bindings reviewed for excessive permissions
  • Cloud Storage buckets verified as private
  • Firewall rules reviewed
  • Cloud Audit Logging enabled
  • Service account keys managed securely
  • VPC configuration validated

See our GCP penetration testing guide.

Mobile Application Vulnerability Assessment Checklist

  • Insecure data storage tested (keychain/keystore usage, plaintext storage)
  • Transport layer protection validated (certificate pinning, TLS enforcement)
  • Authentication mechanism tested (biometric bypass, token storage)
  • Binary protections assessed (obfuscation, anti-tampering)
  • Third-party SDK security evaluated
  • Backend API security tested through mobile client
  • Local authentication bypass tested

See our mobile application penetration testing guide.

Vulnerability Assessment Tools

Understanding the tools used helps organisations evaluate assessment quality.

Infrastructure Scanning

  • Nessus: Industry-leading vulnerability scanner with an extensive plugin library. Credentialed scanning provides deeper assessment.
  • Qualys: Cloud-based vulnerability management with continuous monitoring capabilities.
  • OpenVAS: Open-source alternative providing comprehensive coverage.

Web Application Scanning

  • Burp Suite Professional: Industry-standard web application testing proxy for both automated and manual assessment.
  • OWASP ZAP: Open-source web application scanner.
  • Acunetix: Automated web vulnerability detection.

Cloud Security Assessment

  • ScoutSuite: Multi-cloud security auditing tool.
  • Prowler: AWS security best practice assessment.
  • CloudSploit: Cloud configuration monitoring.

Software Composition Analysis

  • Snyk: Developer-focused vulnerability scanning for dependencies.
  • Dependabot: Automated dependency update alerts (GitHub native).
  • OWASP Dependency-Check: Open-source SCA tool.

Tools provide the scanning component of vulnerability assessment. Manual penetration testing provides the exploitation validation that transforms scanner findings into confirmed, actionable vulnerabilities.

Common Vulnerability Assessment Findings

Understanding frequent findings helps organisations prepare for remediation before the assessment even begins.

Missing Patches

The most common finding across every vulnerability assessment. Operating systems, applications, libraries, and firmware running outdated versions with known CVEs. Patch management programmes that are documented but not consistently executed.

Pre-emptive action: Run internal patch compliance reports before the VA. Address critical patches proactively. Your VA shouldn't be discovering patches your internal processes should have caught.

Default or Weak Credentials

Systems and applications using manufacturer default passwords, shared accounts, or weak credentials that automated cracking defeats quickly.

Pre-emptive action: Scan for default credentials across all systems before the VA. Implement password policy enforcement. Deploy LAPS for local administrator accounts.

Misconfigured Cloud Resources

Public storage buckets, excessive IAM permissions, missing encryption, and overly permissive security groups creating unintended exposure.

Pre-emptive action: Run cloud security posture management (CSPM) tools or native cloud security services before the VA to catch obvious misconfigurations.

Missing Security Headers

Web applications lacking HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and other security headers providing basic browser-level protection.

Pre-emptive action: Implement security headers as standard configuration across all web applications. This is a quick win addressable before assessment.
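The quick win described above, and the security headers item in the web application checklist earlier, can be verified against every application before the assessor does. The checker below is an added example, not code from the original post or from AppSecure; it evaluates a response's headers against the baseline the page lists (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) plus the error-handling item on information disclosure. The one-year HSTS minimum is an assumed threshold, and both response header sets are constructed samples; in practice you would feed it headers captured with `curl -I` or from a proxy.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare on lower-case names."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src ..." into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = _normalise(headers)
    issues: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            issues.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            issues.append("HSTS lacks includeSubDomains")

    directives: Dict[str, List[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        issues.append("CSP missing")
    else:
        directives = _parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            issues.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            issues.append("CSP script sources allow 'unsafe-inline' or *")

    xfo = h.get("x-frame-options")
    if xfo is None:
        # CSP frame-ancestors is the modern replacement; either one satisfies the check
        if "frame-ancestors" not in directives:
            issues.append("X-Frame-Options missing and CSP has no frame-ancestors")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        issues.append(f"X-Frame-Options has unsupported value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        issues.append("X-Content-Type-Options not set to nosniff")

    # Error-handling item: version strings in Server / X-Powered-By are information disclosure.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(name, "")):
            issues.append(f"{name} header discloses a version")
    return issues


# Constructed responses (not captured from any real site).
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_security_headers(hdrs) or "baseline met")
```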

SSL/TLS Configuration Issues

Outdated protocols (TLS 1.0, 1.1), weak cipher suites, expired certificates, and misconfigured certificate chains.

Pre-emptive action: Run SSL Labs or similar tools against your internet-facing services. Address TLS configuration issues before the VA.

Excessive Service Exposure

Unnecessary services running on production systems, administrative interfaces accessible beyond management networks, and debug endpoints enabled in production.

Pre-emptive action: Audit running services against operational requirements. Disable unnecessary services. Restrict management interfaces to management networks.

Vulnerability Assessment Frequency: When to Run the Checklist

Quarterly vulnerability assessment for critical systems and internet-facing infrastructure. PCI DSS mandates quarterly external vulnerability scanning for payment environments.

Monthly automated scanning for ongoing visibility between quarterly manual assessments. Automated scanning catches new CVEs and configuration changes continuously.

After significant changes including new deployments, infrastructure modifications, cloud migrations, and third-party integration additions.

Annually at minimum with comprehensive manual validation complementing automated scanning. Annual assessment should be combined with penetration testing validating that identified vulnerabilities are genuinely exploitable.

Continuous penetration testing maintains ongoing security validation between scheduled assessments.

For detailed frequency guidance, see our guide on how often to do penetration testing.

US and India Compliance Requirements for Vulnerability Assessment

US Compliance

PCI DSS Requirement 11.2 mandates quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV) and quarterly internal vulnerability scanning. Requirement 11.3 mandates annual penetration testing complementing ongoing VA.

SOC 2 expects regular vulnerability assessment evidence supporting Trust Services Criteria.

HIPAA requires risk assessment including vulnerability identification for healthcare systems processing ePHI.

NIST CSF DE.CM (Continuous Monitoring) function directly aligns with ongoing vulnerability assessment.

FedRAMP requires monthly vulnerability scanning and annual penetration testing for cloud service providers.

India Compliance

RBI Master Directions require periodic vulnerability assessment and penetration testing for regulated financial institutions. RBI expects quarterly vulnerability assessments for critical systems.

SEBI Cybersecurity Framework mandates regular vulnerability assessment for market intermediaries with results reported to the SEBI-mandated Technology Committee.

CERT-In Guidelines recommend regular vulnerability assessment for organisations operating critical information infrastructure.

India's DPDP Act requires reasonable security safeguards. Regular vulnerability assessment demonstrates proactive security validation.

For comprehensive compliance mapping, see our penetration testing compliance guide.

How AppSecure Delivers Vulnerability Assessment

AppSecure provides comprehensive vulnerability assessment combined with expert manual validation and penetration testing for complete security evaluation.

Beyond Automated Scanning

AppSecure combines automated vulnerability scanning with manual testing by certified professionals (OSCP, GXPN, CREST). Every finding is manually validated. Zero false positives ensure your team remediates genuine vulnerabilities, not scanner noise.

Comprehensive Coverage

Assessment spans web applications, APIs, mobile platforms, cloud infrastructure, and networks. Application security assessment provides end-to-end coverage.

US and India Compliance Mapping

Reports map findings to PCI DSS, SOC 2, ISO 27001, HIPAA, NIST CSF, RBI guidelines, SEBI framework, and DPDP Act requirements. Dual-market compliance mapping in a single engagement.

3-Week Delivery

Standard engagements deliver within three weeks. 90-day remediation support includes developer Q&A and complimentary retesting.

Flexible Models

Point-in-time assessment, continuous penetration testing, and pentesting as a service matching your assessment cadence and compliance requirements.

Ready for vulnerability assessment that produces genuine security improvement?

Contact AppSecure:

Frequently Asked Questions

1. What is a vulnerability assessment checklist?

A vulnerability assessment checklist is a structured list of items to verify before, during, and after a vulnerability assessment to ensure comprehensive coverage, proper preparation, and effective follow-through. Pre-assessment checklists cover asset inventory, scope definition, access preparation, and compliance alignment. During-assessment checklists cover operational monitoring and quality assurance. Post-assessment checklists cover report review, remediation planning, retesting, compliance documentation, and continuous improvement. Using a checklist ensures no critical step is missed and that assessment investment produces genuine security value.

2. What is the difference between vulnerability assessment and penetration testing?

Vulnerability assessment identifies security weaknesses through automated scanning and manual review but doesn't attempt exploitation. It provides breadth by discovering as many vulnerabilities as possible across the environment. Penetration testing actively exploits validated vulnerabilities demonstrating real-world risk and business impact. It provides depth proving which weaknesses are genuinely exploitable. VAPT combines both for comprehensive security evaluation. This checklist primarily covers vulnerability assessment preparation, execution, and follow-through, with penetration testing as the recommended complement.

3. What should I prepare before a vulnerability assessment?

Prepare a complete asset inventory covering all in-scope systems (IPs, domains, applications, cloud resources). Provide scanning credentials for authenticated assessment. Configure firewalls, IDS/IPS, and WAFs to allow assessment traffic. Gather architecture documentation and previous assessment reports. Identify compliance requirements the assessment must address. Establish communication channels and emergency contacts. Inform IT, development, and monitoring teams about the assessment timeline. Review and address obvious issues (missing patches, default credentials) before the assessment.

4. How often should vulnerability assessments be conducted?

Quarterly vulnerability assessment is recommended for critical systems and internet-facing infrastructure. PCI DSS mandates quarterly external scanning. Monthly automated scanning provides continuous visibility between quarterly manual assessments. Annual assessment minimum satisfies most compliance frameworks. Additional assessments should follow significant changes (new deployments, infrastructure modifications, cloud migrations). RBI expects quarterly assessments for regulated Indian financial institutions.

5. What should a vulnerability assessment report include?

A quality vulnerability assessment report includes an executive summary for leadership, detailed findings with severity ratings (CVSS), affected systems for each finding, false positive verification results, compliance mapping to applicable frameworks, specific remediation guidance with implementation steps, remediation prioritisation based on combined severity and business impact, and comparison with previous assessment results showing improvement or regression. Reports should serve both executive and technical audiences.

6. What are the most common vulnerability assessment findings?

The most common findings include missing operating system and application patches, default or weak credentials on systems and applications, misconfigured cloud resources (public storage, excessive IAM permissions), missing security headers on web applications, outdated SSL/TLS configurations, excessive service exposure on production systems, and third-party libraries with known CVEs. Organisations can address many of these proactively before assessment by running internal compliance checks and implementing security baselines.

7. What happens after a vulnerability assessment?

After assessment, review the report for accuracy and completeness. Prioritise findings by severity and business impact. Assign each finding to a responsible team with remediation deadlines (critical: 48-72 hours, high: 2 weeks, medium: 30 days, low: 90 days). Track remediation progress through ticketing systems. Request retesting from the assessment provider to validate that fixes are effective. Archive assessment reports and remediation evidence for compliance. Conduct root cause analysis for recurring vulnerability categories. Schedule the next assessment.

8. Should vulnerability assessment be combined with penetration testing?

Yes. Vulnerability assessment identifies potential weaknesses. Penetration testing validates which weaknesses are genuinely exploitable and demonstrates business impact. Assessment alone produces lists of findings without exploitation validation, including false positives and theoretical risks. Penetration testing alone may miss vulnerabilities that efficient scanning detects. VAPT combining both provides comprehensive, validated security evaluation. Most compliance frameworks expect both components.

9. What vulnerability assessment tools do professionals use?

Professional vulnerability assessment uses Nessus and Qualys for infrastructure scanning, Burp Suite Professional and OWASP ZAP for web application scanning, ScoutSuite and Prowler for cloud security assessment, Snyk and OWASP Dependency-Check for software composition analysis, and Nmap for network discovery. However, tools provide the automated scanning component. Manual validation by security professionals eliminates false positives and identifies issues automated tools miss. The combination of automated tools with manual expertise produces the highest-quality assessment results.

10. How does this checklist apply to both US and India organisations?

The assessment process and checklist items are universal. Compliance mapping differs by jurisdiction. US organisations align with PCI DSS, SOC 2, HIPAA, NIST CSF, and FedRAMP. Indian organisations align with RBI Master Directions, SEBI Cybersecurity Framework, CERT-In guidelines, and DPDP Act. The checklist's compliance alignment section guides organisations in both markets to map assessment scope and reporting to their applicable frameworks. Assessment providers should map findings to jurisdiction-specific requirements.

Tejas K. Dhokane

Tejas K. Dhokane is a marketing associate at AppSecure Security, driving initiatives across strategy, communication, and brand positioning. He works closely with security and engineering teams to translate technical depth into clear value propositions, build campaigns that resonate with CISOs and risk leaders, and strengthen AppSecure’s presence across digital channels. His work spans content, GTM, messaging architecture, and narrative development supporting AppSecure’s mission to bring disciplined, expert-led security testing to global enterprises.
