What is the difference between vulnerability management and vulnerability scanning?

Vulnerability scanning identifies known CVEs at a point in time. Vulnerability management is the full lifecycle program including continuous asset discovery, recurring scanning, risk-based prioritization, tracked remediation, verification, and metrics-driven improvement.

How does CVSS scoring work and why is it not enough on its own?

CVSS rates vulnerabilities on a 0.0-10.0 scale across metrics including attack vector, complexity, privileges required, and impact. It provides a standardized baseline but does not account for your specific environment, asset criticality, or compensating controls.

How often should vulnerability scans be run?

PTG scans external-facing assets daily and internal networks weekly or biweekly. PCI DSS requires quarterly scans, NIST 800-171 requires periodic scanning, HIPAA requires ongoing technical evaluation. Our continuous approach exceeds every framework minimum.

What types of assets do you scan?

We scan Windows, Linux, macOS endpoints and servers, network devices, VMware/Hyper-V hypervisors, web applications, APIs, Docker containers, Kubernetes clusters, AWS/Azure/GCP cloud infrastructure, IoT/OT devices, wireless infrastructure, and SaaS configurations.

Do you handle patching or just identify vulnerabilities?

PTG offers both identification and managed remediation. Our standard service delivers prioritized findings with remediation guidance. Our managed patching add-on handles patch evaluation, test deployment, soak period, staged production rollout, and post-patch verification.

What happens when a zero-day vulnerability is disclosed?

PTG initiates an emergency response workflow. Within hours, our team runs targeted scans to identify every affected asset. If a vendor patch is available, we fast-track it. If no patch exists, we implement compensating controls: firewall rules, IPS signatures, or network isolation.

How does vulnerability management support CMMC certification?

CMMC Level 2 requires NIST 800-171 controls including RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation). PTG provides technical implementation and audit evidence: documented scanning schedules, scan results, prioritization, remediation tickets with SLA tracking.

Will scanning impact our network performance or system availability?

PTG configures all scanning with performance safeguards: bandwidth throttling, staggered scan jobs across network segments, intensive scans during maintenance windows, and lightweight endpoint agents. PTG has never caused a system outage from vulnerability scanning.

What reporting and metrics do you provide?

PTG delivers three reporting tiers: executive dashboards (aggregate risk scores, vulnerability trends, MTTR, SLA compliance), technical reports (every vulnerability with CVE, CVSS score, remediation instructions), and compliance reports mapped to HIPAA, CMMC, PCI DSS, NIST, SOC 2.

Do you serve clients outside the Raleigh-Durham area?

Yes. While headquartered in Raleigh, PTG's cloud-based scanning platform serves clients nationwide. Remote deployment, cloud-native scanning, and endpoint agents deliver continuous vulnerability management capabilities regardless of geographic location.

Continuous Security

Vulnerability Management Continuous Risk Reduction

A fully managed vulnerability management program that goes beyond scanning. We discover every asset, prioritize findings with CVSS and threat intelligence, orchestrate patching, and verify remediation -- all backed by 24/7 analyst oversight from our Managed XDR Suite.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Schedule a Vulnerability Assessment Call 919-348-4912

Program Components

What Our Program Covers

Continuous, systematic identification, prioritization, remediation, and verification across your entire environment.

Discovery and Scanning

Continuous asset discovery: every endpoint, server, and cloud instance
Authenticated scanning against CVE databases (NVD, vendor advisories)
OS, firmware, and application vulnerability identification
Configuration and compliance checks per NIST, CIS, DISA STIGs

Prioritization and Remediation

CVSS scoring enriched with threat intelligence and exploit maturity
Asset criticality weighting for risk-based prioritization
Managed patch orchestration on your maintenance schedule
Verification re-scanning to confirm successful remediation

Key Distinction

VM vs. Penetration Testing

Complementary disciplines that serve different purposes. You need both.

VULNERABILITY MANAGEMENT

Continuous Program

Automated scanning runs daily or weekly. Covers your entire attack surface. Output: ongoing vulnerability inventory with risk scores, trends, and SLA tracking.

PENETRATION TESTING

Point-in-Time Assessment

Manual exploitation by ethical hackers. Focused scope per engagement. Output: narrative report detailing exploited attack chains and business impact.

VM COMPLIANCE USE

Continuous Monitoring

Satisfies HIPAA, CMMC RA.L2-3.11.2, PCI DSS 11.3.1 requirements for ongoing vulnerability identification and remediation tracking.

PEN TEST COMPLIANCE USE

Periodic Assessment

Satisfies CMMC CA.L2-3.12.1, PCI DSS 11.4 requirements for annual offensive testing that validates control effectiveness.

Process

The VM Lifecycle

Asset Discovery

Vulnerability Scanning

Risk-Based Prioritization

Patch Orchestration

Verification Re-Scan

Reporting and Compliance

Who This Is For

Built For

Healthcare (HIPAA) Defense Contractors (CMMC) Financial Services (PCI DSS) SaaS Companies (SOC 2) Multi-Site Enterprises Hybrid Cloud Environments

FAQ

Frequently Asked Questions

How often do you scan our environment?

Continuous asset discovery runs 24/7. Vulnerability scans run at least weekly, with daily scanning available for critical assets. This frequency satisfies compliance requirements and ensures new vulnerabilities are identified within days rather than quarters.

What is risk-based prioritization?

Raw CVSS scores alone do not tell you what to patch first. We layer threat intelligence, asset criticality, exploit maturity, and network context on top of CVSS to determine real-world risk. A CVSS 9.8 flaw on a sandboxed dev server may be lower priority than a CVSS 7.5 on your internet-facing domain controller.

Do you handle patching or just scanning?

Both. Our managed program includes patch orchestration on your maintenance schedule. We coordinate deployment windows, test patches in staging where possible, and verify successful remediation through re-scanning.

How does this satisfy compliance requirements?

Our program maps to continuous monitoring controls in HIPAA, CMMC (RA.L2-3.11.2), PCI DSS (11.3.1), SOC 2, and NIST 800-53. Monthly reports include compliance dashboards with framework-specific evidence.

Can this integrate with our existing tools?

Yes. We integrate with your existing SIEM, ticketing systems, and patch management tools. Our Managed XDR Suite provides a unified view across vulnerability data, endpoint telemetry, and threat intelligence.

Get Started

Stop Drowning in Alerts. Start Reducing Risk.

Over 28,000 new CVEs are published every year. A managed vulnerability management program keeps your backlog shrinking instead of growing.

Schedule Your Assessment Call 919-348-4912