Vulnerability Assessment: Find Your Gaps First

April’s step in the NCSC resilience series — the part most organisations avoid until it’s too late.

Three months in — governance mapped, assets catalogued, threats understood. Now it’s time for the part most organisations skip until a breach forces the conversation: finding exactly where you’re exposed before an attacker does.

A vulnerability assessment maps your weaknesses across every domain — network, endpoints, cloud, identity, and third-party connections — before they become incidents. It is not a penetration test. A pen test exploits what it finds. An assessment finds it first. For most Irish businesses in 2026, assessment comes before pen testing.

48%

of Irish organisations say third-party breaches are their #1 cyber threat — two years running.

PwC Digital Trust Insights 2026

of Irish firms invest significantly more in proactive security than reactive — vs 24% globally.

PwC Digital Trust Insights 2026

of Irish companies now run all core systems in the cloud, up from 15% in 2023 — misconfiguration is the #1 attack vector in that estate.

EY Ireland Tech Leaders Outlook 2025

What To Assess

The 5 IT Vulnerability Assessment Domains

  1. Network & Infrastructure: Perimeter, firewalls, VPNs, routers, and cloud infrastructure. Misconfigured cloud environments are among the most exploited weaknesses in Irish organisations right now.
  2. Endpoints & Devices: Laptops, BYOD, workstations. Windows 10 reached end-of-support in October 2025 — with ~40% of global devices still running it unpatched, this is a live exposure in most environments.
  3. Web Applications & APIs: Customer portals, internal apps, and every API integration your business exposes. Injection attacks, broken authentication, and misconfiguration top OWASP’s list year after year.
  4. Identity & Access (highest risk): Verizon DBIR 2025: credential abuse was the initial access vector in 22% of all breaches, and 88% of web application attacks used stolen credentials. Review your Active Directory, MFA coverage, and privileged accounts now.
  5. Third-Party & Supply Chain: The NCSC 2025 National Cyber Risk Assessment explicitly flags Ireland’s exposure to “second-order consequences” from supply chain attacks. Every MSP, SaaS tool, and API with access to your data is part of your attack surface.

How To Do It

The 4-Phase Assessment Framework

Phase 1: Scope & Asset Discovery

Confirm your full asset inventory — including shadow IT, forgotten test servers, and cloud resources provisioned outside normal procurement. Undiscovered assets are a common finding in first-time assessments.

Phase 2: Authenticated Scanning

Run credentialled vulnerability scans across your in-scope estate. Authenticated scans can read installed software, patch levels and local configuration that unauthenticated tooling never sees, so their results are far more complete.

Phase 3: Manual Review & Validation

A qualified analyst eliminates false positives and identifies issues automated tools miss — logic flaws in applications and misconfigured access controls that don’t trigger automated alerts.

Phase 4: Risk-Based Prioritisation

Weight findings by exploitability, exposure, and business impact. A CVSS score alone does not give enough context — a critical score on an isolated internal system may matter less than a medium score on your internet-facing payment portal.

Avoid These

5 Mistakes That Make Assessments Worthless

  1. Scanning without credentials — unauthenticated scans miss the majority of findings on internal systems.
  2. Treating it as a one-time event — environments change daily. Run assessments at minimum quarterly.
  3. Prioritising by CVSS score alone — severity in the abstract is not the same as risk in your specific environment.
  4. Stopping at the scan report — a vulnerability list with no owners and no remediation plan is an expensive document, not a security programme.
  5. Forgetting third parties — every MSP with admin access, every SaaS app storing your data, and every API integration is part of your attack surface.
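The prioritisation rule from Phase 4 (and the reason mistake 3 matters) as a small worked example added here, not from the original article or any scanner vendor. The weights, the asset names and the placeholder CVE ids are constructed assumptions; the "exploited in the wild" flag stands in for a lookup against a known-exploited-vulnerabilities feed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str               # placeholder ids below, not real CVEs
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # reachable from the internet?
    business_impact: int   # 1 (low) to 5 (critical), set by the asset owner
    exploited_in_wild: bool  # e.g. present in a known-exploited catalogue

def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS weighted by exposure, exploitability and impact.
    Assumed weights: isolated systems count 30% of an internet-facing one,
    active exploitation adds 50%, and impact scales linearly 1..5."""
    exposure = 1.0 if f.internet_facing else 0.3
    exploitability = 1.5 if f.exploited_in_wild else 1.0
    impact = f.business_impact / 5
    return round(f.cvss * exposure * exploitability * impact, 2)

def prioritise(findings: list[Finding]) -> list[Finding]:
    """Remediation order by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)

def prioritise_by_cvss(findings: list[Finding]) -> list[Finding]:
    """The order mistake 3 produces: CVSS severity in the abstract."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample findings mirroring the article's scenario.
SAMPLE = [
    Finding("isolated-lab-server", "CVE-XXXX-0001", 9.8, False, 1, False),
    Finding("payment-portal", "CVE-XXXX-0002", 6.5, True, 5, True),
    Finding("hr-app", "CVE-XXXX-0003", 7.2, False, 4, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.asset for f in prioritise_by_cvss(SAMPLE)])
    for f in prioritise(SAMPLE):
        print(f"{f.asset:22} cvss={f.cvss:4} risk={risk_score(f)}")
```

The medium-scored payment portal lands at the top of the remediation list while the critical-scored isolated server drops to the bottom, which is exactly the reordering a risk-based pass should produce.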

NIS2 & Compliance

Ireland is subject to EC infringement proceedings for late NIS2 transposition as of early 2026. The National Cybersecurity Bill is still in the legislative process — but Article 21 of NIS2 already requires risk analysis and security policies. Waiting for the law to pass is not a strategy. The technical work needs to happen now.

Your April Checklist

By end of April, can you answer these?

  • Do we have a complete, prioritised vulnerability list across our in-scope estate?
  • Do we know which vulnerabilities are actively exploited in the wild right now?
  • Are findings mapped to our critical assets (Feb) and threat picture (Mar)?
  • Is there a remediation plan with owners, timelines, and verification steps?
  • Is a recurring scanning schedule in place, not just a one-off?
  • Do we have visibility into third-party and supply chain exposure?

Coming in May

Strengthen Identity & Access Management

The identity gaps your April assessment uncovers feed directly into May’s work — MFA rollout, privileged access review, and directory hardening.

Verified Sources

  • NCSC Ireland — 2025 National Cyber Risk Assessment
  • PwC Ireland — Digital Trust Insights 2026
  • EY Ireland — Tech Leaders Outlook 2025
  • Verizon — Data Breach Investigations Report 2025
  • NCSC UK — Cyber Assessment Framework v3.2
  • William Fry — NIS2 Ireland Guidance 2025
  • Matheson — NCRA SME Resilience Report 2025
