Free Vulnerability Scan
Request a free authenticated vulnerability assessment for your systems. Our security team will deliver a comprehensive report with prioritised findings.
About the Free Vulnerability Scan
A free vulnerability scan tests the IP or domain you provide against the published CVE feeds (Common Vulnerabilities and Exposures) for the services running on each open port. The scanner identifies the service and version from its banner, then matches that against the CVE database and tells you which known vulnerabilities apply, with their CVSS severity score and remediation guidance.
Vulnerability scanning is the headline activity Cyber Essentials Plus assessors run on assessment day. They scan a sample of devices on your network, check that the patches relevant to high-severity and critical-severity vulnerabilities have been applied within the 14-day window the scheme requires, and write the result up against the secure-configuration and patch-management controls. If you have not run a scan against your own estate before the assessor does, you will find the gaps for the first time during the assessment, which is the wrong place to find them.
The free scan does not authenticate against your services or check for application-layer vulnerabilities (OWASP Top 10 issues, business-logic flaws, or chained attacks across services). It is the right tool for a quick external check. For full pre-assessment coverage we run an authenticated scan with the same class of enterprise scanner the assessor will use.
Common questions
Is the free vulnerability scan really free?
Yes, the basic version is free and unlimited per IP you own. We rate-limit per IP per day to keep the service usable.
How does this differ from the network scan?
The network scan tells you which ports are open. The vulnerability scan goes further: it identifies the service running on each port, checks the version against the CVE database, and tells you which known vulnerabilities apply.
Will the free scan find every vulnerability on my estate?
No. It covers the high-severity issues visible to an unauthenticated scan against the IP or domain you provide. It does not test internal services, application logic, or chained vulnerabilities. For full pre-assessment coverage use our paid pre-assessment service.
What is CVSS and why does it matter for Cyber Essentials?
CVSS is the Common Vulnerability Scoring System, a 0 to 10 severity score for each CVE. Cyber Essentials requires that vulnerabilities scored CVSS 7.0 or higher (high and critical) are patched within 14 days of vendor release. The scan output flags those scores against the patch deadline.
Beyond the free check
CE Plus Pre-Assessment
Full credentialed scan using the same class of enterprise scanner IASME assessors run, before the formal CE+ assessment day.
Learn moreManaged Vulnerability Scanning
Continuous scanning, risk prioritisation, and remediation support across your estate all year.
Learn moreCyber Essentials 14-Day Patching
The patching window for high-severity vulnerabilities and what assessors actually check on the day.
Learn more