DWA Services

Vulnerability Scanning

(VS)

Fully Managed or Co-Managed

You already know vulnerability scanning matters. The real questions are the practical ones: What exactly should be scanned? How often? Who should do it? What should it cost?


DWA has helped clients answer those questions for 15+ years - and when you need a straightforward, right-sized solution (especially for smaller organizations), we're here to help.


What we mean by "Scanning" vs. "Assessing"

  • Vulnerability scanning finds technical weaknesses across your environment (external, internal, website, and cloud).

  • Vulnerability assessing answers: "What is the risk of these vulnerabilities to your organization?" (prioritization and context).

  • Vulnerability management (tracking, remediation, configuration and patch management) should be performed by your in-house IT staff and/or managed service provider - not by your auditor/assessor.

  • Vulnerability governance (oversight of vulnerability management performance) is a board / senior management responsibility.

In short: DWA helps you scan and assess. Your IT team (or MSP) fixes. Leadership governs.


Best practice model

When possible, vulnerability scanning should follow this order:

  1. In-house IT staff (preferred).

  2. Managed service provider (if in-house isn't an option).

  3. Independent auditor / assessor (DWA) when:

    • IT staff / MSP aren't an option, or

    • you want an independent audit assessment view of scanning performance and results.

Also important: vulnerability management should be explicitly evidenced in monthly IT meeting minutes, and governance should be explicitly evidenced in monthly / quarterly board or senior management meeting minutes.


Recommendations

  • If your organization is critical infrastructure (for example, banks and credit unions), we strongly recommend CISA Cyber Hygiene Services - they're good and they're free. Enroll here: https://www.cisa.gov/cyber-hygiene-services.

    Note: CISA focuses on external network and website scanning - not internal network, cloud, or other internal surfaces.

  • Conduct external and internal scanning across network, website, and cloud quarterly or more often.

  • Use authenticated (credentialed) scanning - this is critical for meaningful results.

  • Use a reputable scanner and ensure it's configured correctly (examples include Tenable, Rapid7, Qualys, and others).

Pricing

External network and website scanning + assessing (per scan / typically quarterly):

  • $500 for fewer than 5 locations (branches)

  • $750 for fewer than 10 locations

  • $1,000 for fewer than 15 locations

  • TBD for 15+ locations

Internal network and website scanning + assessing (per scan):

  • $500 for fewer than 5 locations

  • $750 for fewer than 10 locations

  • $1,000 for fewer than 15 locations

  • TBD for 15+ locations

Internal scanning setup (one time):

  • $500 / $750 / $1,000 (aligned to location count above)

  • $0 if your organization provides the scanning computer

  • $1,000 if DWA provides the scanning computer

Value check: If scanning + assessing (not management/governance) costs more than 125% of DWA pricing, you should consider alternative options.

What the quarterly process looks like

  1. Monday (the week of scanning): DWA requests an updated network diagram. If changes occurred, we incorporate them.

  2. Friday at 6:00 PM: Scans begin and typically complete Saturday or Sunday.

  3. Monday: We upload scan and assessment reports to our secure cloud drive for your team to consume and distribute as needed.

  4. Ongoing: DWA is available to help interpret results, prioritize issues, and provide audit assessment consulting.

Contact us to discuss your needs, pricing, timelines, and the best approach for your organization.

Copyright © Damian Walters & Associates, LLC. All rights reserved.