Skip to content
Search our site  
    June 28, 2023

    Vulnerability scanning and penetration testing

    Think of your IT system as your building.  

    MicrosoftTeams-image (10)-1Not only does your building have hundreds of possible entrances and dozens of access systems – they are also constantly being changed, updated – and outdated.

    In your building, you store all your information – both of your customers and what you need to run your business.  If you add that a breach costs, on average, well above 4 million USD (source: IBM) – how would you prioritize security? 

    And running a risk analysis of your company - would you leave all security to internal staff as a part-time responsibility?  

    Having an external company perform a vulnerability check and penetration testing of your system is an inexpensive solution that considerably increases security.  

    What is penetration testing? 

    Simply put, pen-testing is when one of the good guys (or girls) is doing what the bad guys could do. They will scan your system for vulnerabilities and see if these can be exploited. In other words, they discover your vulnerabilities before the hackers do.  
    Afterwards, you will get a report of any findings – and recommendations to what to do to mitigate these vulnerabilities, improving your defence and resilience.  

    Why not use internal staff? 

    Own staff is the most crucial part of keeping your network secure, but there are two main reasons to use external. 

    • External pen-testers do not have a thousand “other things to do”. They are pen-testers - that’s what they do! This means that they have the updated tools, certifications and competence,  
    • They also have scheduled the time so the tests will be performed according to plan and not pushed back due to other tasks. 

    Relevant for small businesses? 

    It is tempting to think that cyber-attacks only hit large businesses, but statistics say it is not. According to Forbes, 43% of cyberattacks target small businesses in 2022. From the same source have only 14% of these companies proper defences. And 83% aren’t financially prepared to recover from such attacks. 
    But – what is needed for a small company will differ from the need of a large company, making the service and cost proportional to size. Even a tier 0 scan will help your small company improve security and get an inventory of what software is being used on your servers. For a first-time scan for a small business, we highly recommend a tier 1 scan. This is because you will get assistance from one of our consultants to prioritize the tasks, answer any questions about the findings, and plan the path. 

    Not more than you need – the four levels. 

    The exact need for vulnerability scan/penetration testing varies from company to company, so to make it easier to define, Nemko has developed a service delivery model where each "tier" of service delivery is progressively more advanced and thorough. 




    Extended Tier 2 for large environments 



    Penetration test with a report and assistance 


    Automated scan with assistance 

    Vulnerability scan with automated evaluation 

    Tier 0 

    Tier 1 

    Tier 2 

    Tier 3 

    Each tier includes and builds on all lower tiers. For example, if you choose tier 2, tiers 0 and 1 are included in the “package.” 

    Tier 0
    The penetration tester conducts a vulnerability scan and provides the customer with an automated report of the findings. 

    Tier 1
    The penetration tester will assist the customer with highlighting and prioritizing the various risks accompanying the vulnerabilities and provide general mitigation strategies. 

    Tier 2
    After performing a vulnerability scan, the penetration tester will perform a penetration test and produce a report with findings and suggestions for remediation. 

    Tier 3
    This is an extended version of Tier 2. This applies to projects where additional time is needed due to the scale and complexity of the penetration test. 

    One-offs or subscription services. 

    Regular scans are recommended because changes frequently happen in an IT system, and new vulnerabilities are discovered in existing programs.  A typical solution is running vulnerability scans and penetration testing followed by automated vulnerability scans regularly, e.g., quarterly. 

    Extensive penetration testing is usually performed as a one-off or at annual intervals.  

    A typical process 

    • Defining the scope together with the customer. 
    • Performing vulnerability scan of the system. 
    • Using the results from the scan to explore vulnerabilities. 
    • Present the analysis and recommendations in a report to the customer. 

    Typically, then an automated scan is done periodically, giving the customer a continuous overview of the  


    Nemko can help you close strengthen your defence. 

    Our team of cyber security experts can advise you on how to improve your systems by simulating a hacker attack and exploiting any vulnerabilities they come across to get an in-depth analysis of your system’s security. This can be done from the inside or as an attempt to get in. We can perform this once or regularly. 

    We offer penetration testing on networks and can provide vulnerability scanning of networks, Android and iOS applications. 

    Want to learn more about penetration testing and how it could help your company?  
    Schedule a  10 min virtual meeting with us at your convenience. 

    Schedule a 10 min. meeting with our Senior Penetration Tester here!

    Øyvind Storhaug

    Øyvind Storhaug is a seasoned cybersecurity professional with over a decade of experience in this field. He has served as a Security Consultant at Nemko for the past two years. In this role, Øyvind has been responsible for testing IoT products, performing penetration testing, and scanning for system vulnerabilities....

    Other posts you might be interested in