Vulnerability scanning is the process of automatically identifying security weaknesses before attackers do. Here's everything UK businesses need to know about running and interpreting scans.
Vulnerability scanning is the automated process of probing a website, application, or network for known security weaknesses. A scanner sends a series of requests to the target — checking for misconfigured headers, outdated software, exposed files, weak encryption, and hundreds of other indicators — then produces a report ranking findings by severity.
It is distinct from penetration testing (pen testing), which involves a human security professional actively attempting to exploit vulnerabilities. Scanning is automated, fast, and should be run regularly. Pen testing is manual, expensive, and typically done annually or before major releases.
The threat landscape changes constantly. A website that was secure last month may be vulnerable today because:
The UK's Cyber Essentials scheme — the government-backed certification for basic cyber hygiene — explicitly requires organisations to scan for vulnerabilities as part of maintaining a secure configuration. Regular scanning is also cited in ICO guidance as an example of the "appropriate technical measures" required under UK GDPR Article 32.
A comprehensive scanner like WebGuard examines multiple layers of your website's security posture:
| Category | What's Checked |
|---|---|
| SSL/TLS | Certificate validity, expiry, protocol versions, cipher suites |
| HTTP Headers | CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy |
| DNS | SPF, DMARC, DKIM, DNSSEC, zone transfer exposure |
| Cookies | Secure flag, HttpOnly flag, SameSite attribute |
| Information Disclosure | Server version headers, technology fingerprinting, error messages |
| Exposed Files | .env files, .git directories, backup files, configuration files |
| Deprecated Protocols | TLS 1.0/1.1, SSLv3, weak cipher suites |
| Open Ports | Unexpected services exposed to the internet |
| Security.txt | Presence of responsible disclosure policy |
Vulnerabilities are typically rated using the Common Vulnerability Scoring System (CVSS), a standardised 0-10 scale:
| Score Range | Severity | Typical Action |
|---|---|---|
| 9.0-10.0 | Critical | Fix immediately — active exploitation likely |
| 7.0-8.9 | High | Fix within 24-72 hours |
| 4.0-6.9 | Medium | Fix within 30 days |
| 0.1-3.9 | Low | Fix in next maintenance window |
| 0.0 | None | Informational only |
WebGuard presents findings with clear severity ratings and prioritises them so you know exactly where to focus first.
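To make the check categories and the severity ranking above concrete, here is a small added example (not WebGuard's code) that parses a constructed set of HTTP response headers, applies a subset of the header, cookie and information-disclosure checks from the first table, and ranks the findings using the CVSS-style buckets from the second. The scores given to each missing header or flag are illustrative assumptions for this example, not scores assigned by any scanner or vendor.

```python
from email.parser import HeaderParser

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax

"""

# Headers the scan expects, each with an assumed 0-10 score if absent.
# The scores are illustrative; a real scanner would use its own weighting.
REQUIRED_HEADERS = {
    "Content-Security-Policy": 6.5,
    "Strict-Transport-Security": 7.4,
    "X-Frame-Options": 5.3,
    "Referrer-Policy": 3.1,
    "Permissions-Policy": 3.1,
}


def severity(score: float) -> str:
    """Map a 0-10 score to the severity label from the CVSS table."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def check_headers(msg) -> list:
    """Missing security headers and server version disclosure."""
    findings = []
    for name, score in REQUIRED_HEADERS.items():
        if msg.get(name) is None:  # header lookup is case-insensitive
            findings.append((score, f"Missing {name} header"))
    server = msg.get("Server", "")
    if "/" in server:  # e.g. "Apache/2.4.41" discloses a version string
        findings.append((2.0, f"Server header discloses version: {server}"))
    return findings


def check_cookies(msg) -> list:
    """Secure, HttpOnly and SameSite on every Set-Cookie header."""
    findings = []
    for raw in msg.get_all("Set-Cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values are not needed here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append((5.0, f"Cookie '{name}' lacks Secure flag"))
        if "httponly" not in attrs:
            findings.append((4.3, f"Cookie '{name}' lacks HttpOnly flag"))
        if "samesite" not in attrs:
            findings.append((3.5, f"Cookie '{name}' lacks SameSite attribute"))
    return findings


def scan(raw_headers: str) -> list:
    """Run all checks and return (severity, score, description) tuples,
    highest score first, so the report reads in fix-priority order."""
    msg = HeaderParser().parsestr(raw_headers)
    findings = check_headers(msg) + check_cookies(msg)
    findings.sort(key=lambda f: f[0], reverse=True)
    return [(severity(score), score, text) for score, text in findings]


if __name__ == "__main__":
    for label, score, text in scan(SAMPLE_HEADERS):
        print(f"[{label:8}] {score:4.1f}  {text}")
```

On the constructed response this reports seven findings, led by the missing Content-Security-Policy header (Medium) and the session cookie without a Secure flag, and ending with the low-severity Server version disclosure; the two cookies show how a flag present on one cookie (HttpOnly on `session`, Secure on `prefs`) does not excuse its absence on the other.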
The right frequency depends on how often your site changes and your risk profile:
WebGuard's scheduled scanning feature lets you set up automatic weekly or monthly scans with email alerts when new issues are detected — no manual intervention required.
Use vulnerability scanning when you need:
Commission a pen test when you need:
For most UK SMEs, regular automated scanning plus an annual pen test is the pragmatic approach that balances cost, coverage, and compliance.
WebGuard runs 100+ security checks on any website in under 60 seconds. No installation, no configuration, no account required for a basic scan. Start your free scan now and get a full security report with AI-powered fix instructions for every issue found.