Your attack surface changes every day. New software, new integrations, new team members — each one is a potential entry point. VMaaS keeps continuous watch on your entire environment, prioritises the threats that actually matter, and closes them before they become incidents.
Most businesses that do think about vulnerability management treat it as an annual event — a penetration test scheduled alongside the financial audit, reviewed once, and then set aside until the same time next year. The problem is that vulnerabilities do not operate on an annual cycle. New ones are discovered every day. New software is deployed every week. New people join and bring their own devices and habits. The gap between when a vulnerability appears and when an attacker exploits it is getting shorter, not longer. A point-in-time assessment gives you a snapshot of a moment that has already passed by the time you read the report.
New CVEs published globally every day on average
Median time for attackers to weaponise a new vulnerability
Of cyberattacks specifically target small and mid-sized businesses
Of SMEs that suffer a significant breach close within 6 months
Continuous visibility, not a snapshot
VMaaS gives you an up-to-date view of your security posture at all times — not a picture taken twelve months ago that is already out of date. Every time something changes in your environment, we know about it.
Prioritised by real-world risk, not just severity scores
Not every vulnerability is a genuine threat to your business. We filter and prioritise based on exploitability, asset criticality, and your specific environment — so your team focuses on what actually matters rather than a list of hundreds of findings sorted by a number.
We fix things, not just find them
A penetration test report tells you what is wrong. VMaaS tells you what is wrong, explains why it matters, gives you a clear remediation action, and follows up until it is actually closed. We own the outcome, not just the discovery.
Your security posture improves continuously
With VMaaS, every month should be better than the last. We track your vulnerability metrics over time so you can see the programme working — fewer open criticals, faster mean time to remediation, and a risk profile that is genuinely decreasing rather than just being measured.
We begin by mapping your complete attack surface — every server, endpoint, cloud resource, application, and network component that could be a target. Many businesses are surprised to discover assets they had forgotten about or did not realise were exposed. The discovery phase establishes the scope of what we are protecting and gives us the baseline against which everything is measured going forward.
We run continuous automated scans across your environment using industry-leading tooling, configured for your specific infrastructure. These are not generic, noisy scans that overwhelm your team with findings. They are tuned to your environment to minimise false positives and surface the vulnerabilities that are genuinely present and genuinely exploitable — with credentials where appropriate to go deeper than an external attacker could see.
Every vulnerability finding goes through a prioritisation process before it reaches your team. We assess each finding against its CVSS score, its real-world exploitability, whether active exploit code exists in the wild, the criticality of the affected asset to your business, and any relevant threat intelligence for your sector and geography. The result is a ranked list of actions where the first item on the list is genuinely the most important thing to fix next.
For each prioritised finding, we provide a clear, specific remediation action — not a generic recommendation to "apply patches" but the exact patch, configuration change, or control that resolves the issue. We work directly with your IT team or provider to implement the fix, and we verify the remediation by rescanning the affected asset. Nothing is marked as resolved until we have independently confirmed it is closed.
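As an added example (not Code Defence's own tooling), here is a small Python model of the prioritisation and verified-closure steps described above: findings are ranked by CVSS weighted with asset criticality, exploit availability and sector intelligence, and a finding only leaves the list once a rescan confirms it. The weights, field names and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float               # CVSS base score, 0-10
    asset_criticality: int    # 1 (low) to 5 (business-critical), agreed with the client
    exploit_in_wild: bool     # active exploit code observed
    exploitable_here: bool    # reachable/exploitable in this environment
    sector_intel: bool        # threat intel relevant to sector or geography
    status: str = "open"      # open -> remediation_reported -> closed
    history: list = field(default_factory=list)

def priority_score(f: Finding) -> float:
    """Rank by real-world risk, not CVSS alone. Weights are an assumption."""
    score = f.cvss * f.asset_criticality      # 0-50 before modifiers
    if f.exploit_in_wild:
        score *= 1.5                          # weaponised: bump it up
    if f.sector_intel:
        score *= 1.2                          # being used against peers
    if not f.exploitable_here:
        score *= 0.25                         # unreachable or mitigated: demote
    return round(score, 1)

def prioritise(findings):
    """Ranked list of what to fix next; verified-closed items drop off."""
    return sorted((f for f in findings if f.status != "closed"), key=priority_score, reverse=True)

def report_remediation(f: Finding, note: str) -> None:
    f.status = "remediation_reported"
    f.history.append(note)

def verify_by_rescan(f: Finding, rescan_still_vulnerable: bool) -> str:
    """A finding only closes on independent rescan; otherwise it reopens."""
    if f.status != "remediation_reported":
        raise ValueError("no remediation reported for " + f.finding_id)
    if rescan_still_vulnerable:
        f.status, note = "open", "rescan: still vulnerable, reopened"
    else:
        f.status, note = "closed", "rescan: verified closed"
    f.history.append(note)
    return f.status
# Constructed sample findings (not real assets or CVEs)
SAMPLE = [
    Finding("F-1", "dev-test-vm", 9.8, 1, False, False, False),
    Finding("F-2", "customer-portal", 7.5, 5, True, True, True),
    Finding("F-3", "file-server", 5.3, 3, True, True, False),
    Finding("F-4", "hr-app", 8.1, 4, False, True, False),
]
```

Note that the CVSS 9.8 finding on an unreachable test VM ranks last, while the CVSS 7.5 finding on the customer portal with a live exploit ranks first.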
Modern businesses have attack surfaces that extend well beyond their office network. Our VMaaS programme covers the full breadth of your digital environment — on-premises and cloud, internal and external, user-facing and back-end infrastructure.
Your internet-facing assets are the first thing an attacker sees. We continuously scan your external perimeter — public IP addresses, web applications, APIs, DNS records, and exposed services — to identify anything that is visible from the outside and potentially exploitable. We also monitor for shadow IT and forgotten assets that your team may not even know are exposed.
Attackers who get inside your network — through phishing, a compromised credential, or a supply chain breach — move laterally through vulnerabilities in your internal systems. We scan your internal network, servers, workstations, and endpoint devices for the misconfigurations, unpatched software, and weak credentials that make lateral movement easy. This coverage requires authenticated scanning and a lightweight agent on managed endpoints.
Cloud environments are fast-moving and frequently misconfigured. Exposed S3 buckets, overly permissive IAM roles, publicly accessible databases, and unauthenticated management interfaces are among the most common sources of significant cloud breaches. We cover AWS, Azure, and Google Cloud environments with configuration scanning that assesses your cloud setup against security best practices and CIS benchmarks on a continuous basis.
The boundary between your corporate network and the outside world has effectively disappeared for most businesses. Employees work from home, from coffee shops, and from personal devices. We assess the security of your remote working infrastructure — VPN configurations, mobile device management policies, and the controls governing how corporate data is accessed outside your office — and identify the gaps that are most likely to be exploited.
Some of the most significant breaches in recent years have entered through a third-party vendor or supplier with access to the target's systems. We assess the security posture of your key third-party relationships, review the access permissions granted to external parties, and monitor for indicators that a supplier relationship may be introducing risk into your environment.
Compromised credentials are among the most common entry points for attackers. We monitor dark web sources, breach databases, and threat intelligence feeds for any credentials associated with your domain appearing in places they should not be. When a match is found, you hear about it from us — not from a threat intelligence notification six months after the fact.
One of the most common frustrations with vulnerability management tools and services is that the reporting is designed for security engineers rather than the people who actually need to make decisions. We produce reports that your IT team can act on and your leadership team can understand — without needing to translate one into the other.
Monthly Vulnerability Report
Period: October 2025 — Your Company
23 findings remediated this month. Mean time to remediation: 4.2 days for critical, 9.1 days for high severity. Overall risk score improved 18% month-on-month. 2 new critical findings require action within 48 hours — remediation guidance provided on pages 4 and 6.
For Your IT Team
Technical Remediation Guidance
Every finding comes with a specific, actionable remediation step — the exact patch version, the precise configuration change, or the specific control that resolves the issue. Your IT team should never have to guess what to do with a finding. If they have questions, our team is available to walk through the fix with them directly.
For Your Leadership
Executive Summary and Trend View
Every monthly report includes a plain-language executive summary that tells your leadership team where things stand, how the programme is progressing over time, and what decisions or investments might be needed. No jargon, no CVE numbers, no technical depth that obscures the business-relevant message.
For Your Auditors
Compliance-Ready Documentation
VMaaS reporting is structured to support your regulatory compliance obligations. SAMA, NCA, ISO 27001, and PCI-DSS all require evidence of vulnerability management. Our reports and remediation logs are formatted to serve as compliance evidence directly, reducing the work your team needs to do when an audit or review comes around.
The vulnerability management industry has a dirty secret: most tools and many services are very good at finding vulnerabilities and very poor at making sure they are actually fixed. Reports pile up. IT teams get overwhelmed. Findings that were marked as "in progress" six months ago are still open. This is not how VMaaS works at Code Defence. We track every finding from discovery through to verified remediation. A finding is not closed on our side until we have confirmed it is closed in your environment. That accountability is built into every engagement and is not something you have to ask for.
Finding identified and classified
Every new finding is reviewed by our team, validated against your environment, and classified by severity and exploitability before it reaches you. No false positives, no noise.
Remediation guidance issued within 24 hours
Critical findings receive specific remediation guidance within 24 hours. High-severity findings within 48 hours. You always know what action to take next.
We work alongside your team
Where your team needs support implementing a fix, we are available to help directly — whether that means a call to walk through the steps or hands-on assistance with the configuration.
Remediation verified before closure
We rescan the affected asset after remediation is reported to confirm the vulnerability is genuinely resolved. The finding is only marked closed when our independent verification confirms it.
Do we need to install anything on our systems?
For external scanning of your internet-facing assets, no installation is required. For internal and endpoint scanning — which gives significantly deeper and more accurate results — we deploy a lightweight agent on managed endpoints and a scanning appliance on your internal network. The deployment is straightforward and we handle it entirely. The performance impact on your systems is negligible.
Will the scanning disrupt our business operations?
In the vast majority of cases, no. We configure scanning windows to avoid peak business hours and use scan profiles that are tailored to minimise any performance impact on production systems. For particularly sensitive environments — hospitals, financial trading systems, operational technology — we discuss the scan configuration in detail before anything runs, and we have established approaches for each. We have never caused a production outage through scanning, and our approach is designed to ensure that remains the case.
How is VMaaS different from a penetration test?
A penetration test is a skilled manual exercise where a tester attempts to compromise your systems using the same techniques an attacker would. It is valuable and we recommend it periodically — typically annually or after significant infrastructure changes. VMaaS is complementary to that. It provides continuous automated coverage that catches new vulnerabilities as they emerge, monitors for configuration drift, and tracks remediation over time. The best security programmes use both: continuous VMaaS monitoring to maintain an up-to-date baseline, with periodic penetration tests to validate that baseline against a skilled human attacker.
We have a small IT team. Will they be overwhelmed by the findings?
This is one of the most common concerns we hear, and it is a legitimate one. The answer is that our prioritisation process exists precisely to prevent your team from being buried in a long list of findings that creates more confusion than clarity. At any given time, your team will have a short, ranked list of actions with clear guidance on each. We pace the remediation workload to what your team can realistically absorb and work alongside them directly for the findings that require support. The goal is to make your small IT team significantly more effective — not to create more work for them.