
Vulnerability Scanning for Assessments

Why should I be scanning 100% of all assets

TLDR: Scanning everything does not increase remediation effort; it reduces it. As all vulnerabilities should be addressed regardless, full coverage simply replaces assumptions with certainty, revealing the true scope of issues across the estate and enabling focused, risk-based remediation.

<=14 DAYS ADVICE FOR CYBER ESSENTIALS

When performing vulnerability scanning for Cyber Essentials, we assess what is in and out of scope based on the date the fix became available, not the date the issue was first found.

If a new issue appears during the assessment process for which a fix has been available for more than 14 days, you will be required to remediate it before certification.

Cyber Essentials is a point-in-time assessment, so you are expected to be fully compliant on the day of certification. Where the scheme allows you further time for remediation after the assessment, you must still complete every fix that falls into the 14+ day requirement during that period. For example, a fix that is out of scope on your assessment day because it was released 12 days earlier will come into scope two days later, when the 14-day window runs out, if you have not certified by then.

SCANNING

As part of a Cyber Essentials Plus assessment, we are required to test a realistic sample of your devices. This sample is based on the different types of systems you use – for example, Windows, macOS, Linux – and is then broken down further by version, such as Windows 11 24H2 and 25H2, macOS 15 and 26, Ubuntu, and other OS types.

In most cases, to deliver a fair and representative sample, we test around 20% of the devices of each system type, subject to some required minimums where you have very few devices. That is enough not only to meet the scheme's minimum requirements but also for us, as assessors, to stand by our assessment and say that we tested a reasonable sample.

While this meets the minimum requirement, it may not be the best approach for your business.

NOTE: We must be able to electronically confirm your entire estate asset list before we begin device selection and the certification process. If you have no electronic asset discovery solution, you will need to install our agent on all of your assets.

Why scanning everything is better than scanning a sample

If we only scan <=20% of your devices and find a security issue, that issue must still be fixed on every single device, not just the ones we tested: you must assume that the same issue exists across all devices, because it may well do.

An issue identified in this way is likely to show that you are not compliant with Cyber Essentials (the <=14 days fix requirement). It therefore poses a risk to your organisation and should be fixed not only on the scanned devices but also on those we have not scanned.

Offline devices are not a problem in themselves. A device we have not seen for xx days will either be compliant or slightly behind (>14 days), and any issues on it will be no older than those xx days outstanding. That is something we can work with: people are off sick, on holiday, on bereavement leave, on maternity leave, and there are many other reasons a device may be offline and therefore not yet remediated. The outstanding issues on such a device, however, should never be older than its last-seen time.

For example, if a device has not been seen since December and it is now February, it will of course be missing the January updates and probably the December ones too. If we are not seeing it, that is acceptable. If, however, that device checked in yesterday and today and is still missing the December and January updates, that is an issue, because it demonstrates that you are not meeting the <=14 days fixing requirement of the standard.
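The rule described in this section can be made mechanical. What follows is an added example, not code from the original article or from the assessor's own tooling: a small Python checker that applies the <=14 days rule the way the article states it. The fix-availability date, not the detection date, starts the clock; a device is judged by what was true at its last check-in rather than on the assessment day; and a finding still inside its window is reported with the date it will fall into scope. All hostnames, update names and dates are constructed for illustration, and treating day 14 itself as the last day of the window is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The scheme allows 14 days from the fix's release to apply it. A fix that has
# been available for more than 14 days and is still missing is in scope.
# Treating day 14 itself as the last day of the window is an assumption.
FIX_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    name: str             # constructed label for a missing update
    fix_available: date   # date the vendor released the fix (drives scope)
    first_detected: date  # date the scanner first reported it (does not drive scope)


@dataclass
class Device:
    hostname: str
    last_seen: date       # last agent check-in
    findings: list = field(default_factory=list)


def fix_age_days(finding: Finding, on_day: date) -> int:
    """Days the fix has been available as of on_day; negative if not yet released."""
    return (on_day - finding.fix_available).days


def finding_in_scope(finding: Finding, on_day: date) -> bool:
    """In scope once the fix has been available for over 14 days."""
    return fix_age_days(finding, on_day) > FIX_WINDOW.days


def in_scope_from(finding: Finding) -> date:
    """First day on which a still-missing fix falls into scope."""
    return finding.fix_available + FIX_WINDOW + timedelta(days=1)


def classify_device(device: Device, assessment_day: date) -> dict:
    """
    Judge a device by what was true the last time it was online, not by today.
    A laptop unseen for weeks will naturally lack newer updates; that is only a
    failure if a fix was already over 14 days old when the device last checked in.
    """
    judged_on = min(device.last_seen, assessment_day)
    overdue = [f.name for f in device.findings if finding_in_scope(f, judged_on)]
    pending = {f.name: in_scope_from(f)
               for f in device.findings if not finding_in_scope(f, judged_on)}
    days_offline = (assessment_day - device.last_seen).days
    if overdue:
        status = "non_compliant"        # was online with an overdue fix missing
    elif days_offline > FIX_WINDOW.days:
        status = "offline_stale"        # no evidence of failure, but not vouched for
    else:
        status = "compliant"
    return {"hostname": device.hostname, "status": status, "overdue": overdue,
            "pending": pending, "days_offline": days_offline}


def estate_report(devices: list, assessment_day: date) -> list:
    """Classify every device in the (constructed) asset list."""
    return [classify_device(d, assessment_day) for d in devices]


# Constructed sample data: three monthly update releases and three devices.
ASSESSMENT_DAY = date(2026, 2, 10)
PATCH_DEC = Finding("Patch-Dec", date(2025, 12, 9), date(2025, 12, 10))
PATCH_JAN = Finding("Patch-Jan", date(2026, 1, 13), date(2026, 1, 14))
# Released 12 days before the assessment but only noticed during it.
PATCH_RECENT = Finding("Patch-Recent", date(2026, 1, 29), ASSESSMENT_DAY)

SAMPLE_DEVICES = [
    # Checked in yesterday yet still missing December and January: a failure.
    Device("ws-online", date(2026, 2, 9), [PATCH_DEC, PATCH_JAN]),
    # Not seen since mid-December: missing the same updates, but tolerable.
    Device("ws-away", date(2025, 12, 15), [PATCH_DEC, PATCH_JAN]),
    # Fix is 12 days old: out of scope today, in scope in a few days.
    Device("ws-new", ASSESSMENT_DAY, [PATCH_RECENT]),
]

if __name__ == "__main__":
    for row in estate_report(SAMPLE_DEVICES, ASSESSMENT_DAY):
        print(row)
```

Run it and each device comes back with its status, the findings that were already overdue at its last check-in, and the date each pending finding will fall into scope if it is left unpatched. The `ws-away` laptop is missing the same two updates as `ws-online`, but because it has not been online since those fixes were inside their window it is reported as stale rather than as a failure, which is exactly the distinction drawn above.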

NOTE: As required by the standard, if you are not scanning everything, we will ask you to install our agent on additional devices 72 hours before your final assessment. We must choose those devices ourselves from the asset list, with only 72 hours' notice, and we use them to confirm compliance with the <=14 days fix requirement. If you are scanning everything, we will instead tell you 72 hours in advance which devices we will test interactively during your assessment, selecting from devices we have seen online and avoiding any that may be offline for whatever reason.

 

The difference is:

With partial scanning:

You assume the same issue exists everywhere, but you don’t know for sure.

With full scanning:

You know exactly which devices are affected, what the issues are, and when they’re fixed.

Scanning all devices removes guesswork and gives you complete visibility of your security posture.

Installation is quick and straightforward

The scanning software (the Qualys agent) does not normally require manual installation on each device, although that may be necessary if you are unable to deploy it via tooling or scripting.

In most organisations, it can be deployed easily using:

  • Existing IT management tools (RMM, Intune, MDM, etc.)
  • Simple scripts
  • Other tools you already use day-to-day

This means:

  • No disruption to staff
  • No long installation time
  • No need for hands-on work on every machine
  • Fix once, apply everywhere

It’s very common for scans to find the same issues across many devices.

This is actually a good thing.

Why?

  • It means you clearly understand what needs fixing
  • The fixes can usually be applied in bulk
  • Your existing tools or scripts can handle this quickly

We also provide ready-made guidance and scripts where appropriate, available at:

👉 https://kb.cybertecsecurity.com

Better insight, better security, better value

By installing the agent on all devices, you get:

  • A full vulnerability assessment of your environment
  • Clear knowledge of what needs fixing and where
  • Confidence that no devices are missed
  • Better long-term security, not just compliance

Ultimately, any issues found must be fixed on all devices anyway.

Scanning everything simply means you know exactly what you’re dealing with, rather than making assumptions.

The bottom line

Scanning all devices:

  • Is easy to deploy
  • Uses tools you already have
  • Saves time in the long run
  • Gives you the best return on your Cyber Essentials Plus assessment

It turns the assessment from a tick-box exercise into a meaningful security improvement, giving you confidence that your environment is genuinely secure.
