BLOG • 5 min read

How to Learn Vulnerability Assessment: A Hands-On Guide for Beginners

New vulnerability projections for 2026 sit at 31,000 to 34,000 CVEs. Firms average over 1,000 open security holes at any given time. Only 22% of companies fix critical bugs within a week. The gap between vulnerabilities being discovered and vulnerabilities being fixed is where attackers live.

Vulnerability assessment is how organisations find out what they are exposed to before attackers do. It is also one of the most in-demand entry-level skills in offensive and defensive security alike. And it is something you can start learning today with free tools and a clear methodology.


What Is Vulnerability Assessment and How Is It Different From Penetration Testing?

This distinction matters, and most beginners get it wrong.

Vulnerability assessment identifies gaps in IT systems before attackers exploit them. It scans, analyses, and prioritises weaknesses across a defined scope. The output is a prioritised list of findings with risk ratings and remediation recommendations. The goal is breadth: finding as many vulnerabilities as possible across the attack surface.

Penetration testing goes further. It exploits confirmed vulnerabilities to demonstrate real-world impact and tests whether an organisation's defences can detect and respond to an active attack. The goal is depth: proving what a real attacker could achieve.

The two work hand in hand in a mature security organisation. Vulnerability assessment tells you what is there. Penetration testing tells you what can be done with it. For beginners, vulnerability assessment is the right starting point because it builds the asset discovery, scanning, and analysis skills that penetration testing builds on top of.


What Does a Vulnerability Assessment Actually Involve?

Every vulnerability assessment follows the same process regardless of the target environment.

Scoping and discovery. Define exactly what is in scope: IP ranges, applications, systems. Then identify all assets within that scope. Vulnerabilities you miss do not cease to exist. They represent an unknown risk. Asset discovery is where completeness matters most.

Scanning and identification. Run vulnerability scanners against the identified assets. Tools like Nessus, OpenVAS, and Nmap's scripting engine probe services for known CVEs, misconfigurations, and weak configurations automatically. This generates a raw list of potential findings.

Prioritisation and analysis. This is the critical step. Triage findings using CVSS scoring, asset importance, and likelihood of exploitation. A critical CVSS score on an internet-facing web application is not the same priority as a critical CVSS score on an internal development server. Context changes everything.

Manual verification. Automated scanners produce false positives and miss context. Human judgment is essential. Verify scanner findings manually before including them in a report. A finding you cannot reproduce is a finding you cannot report with confidence.

Reporting. Document findings with CVSS ratings, evidence, business impact, and prioritised remediation recommendations. The report is what the client acts on. A technically accurate finding that is not clearly communicated does not get fixed.


Which Tools Do Vulnerability Assessors Use?

Nmap
  Phase: Discovery and enumeration
  What it does: Host discovery, port scanning, service and version detection, OS fingerprinting. NSE scripts extend into vulnerability detection.
  Cost: Free, open-source
  Practise on TryHackMe: Jr Penetration Tester path

Nessus Essentials
  Phase: Vulnerability scanning
  What it does: The industry-standard vulnerability scanner. Checks for CVEs, misconfigurations, and compliance issues. Free tier covers up to 16 IPs.
  Cost: Free (Essentials tier)
  Practise on TryHackMe: Jr Penetration Tester path

OpenVAS / Greenbone
  Phase: Vulnerability scanning
  What it does: Free, open-source alternative to Nessus. Comprehensive CVE database, network vulnerability testing, and web application scanning.
  Cost: Free, open-source
  Practise on: Home lab deployment

Nikto
  Phase: Web server scanning
  What it does: Scans web servers for dangerous files, outdated software, and misconfigurations. Fast and noisy: not for stealth, ideal for authorised assessments.
  Cost: Free, open-source
  Practise on TryHackMe: Jr Penetration Tester path

Gobuster / Feroxbuster
  Phase: Content discovery
  What it does: Brute-force directory and file discovery on web servers. Surfaces hidden paths, admin panels, and exposed files that scanners miss.
  Cost: Free, open-source
  Practise on TryHackMe: Jr Penetration Tester path

Metasploit (auxiliary)
  Phase: Manual verification
  What it does: Auxiliary modules verify whether scanner findings are genuinely exploitable without running a full exploit. Confirms real risk before reporting.
  Cost: Free, open-source
  Practise on TryHackMe: Jr Penetration Tester path

Burp Suite Community
  Phase: Web application testing
  What it does: Intercepts and analyses web traffic. Manual testing of OWASP Top 10 vulnerability classes: SQLi, XSS, IDOR, CSRF, auth bypass.
  Cost: Free (Community Edition)
  Practise on TryHackMe: Jr Penetration Tester path

Learn discovery and enumeration tools first, then vulnerability scanners, then validation and reporting tools. That sequence mirrors the assessment workflow.


How Do You Read and Interpret Scan Results?

This is the skill that separates a beginner running a scanner from a practitioner conducting an assessment. Scan output is raw material, not a finished product.

Understand CVSS scoring. The Common Vulnerability Scoring System rates vulnerabilities from 0 to 10. Critical is 9.0 to 10.0. High is 7.0 to 8.9. Projections for 2026 put the number of vulnerabilities rated CVSS 7.0 and above between 13,500 and 15,000. CVSS score alone does not determine priority. A high CVSS finding on an asset with no internet exposure and no sensitive data warrants a different response than the same finding on a customer-facing web application.

Identify false positives. Automated scanners report anything that looks like a match for a known vulnerability signature. Not all matches are genuine. Cross-checking findings between tools and supplementing automated output with manual checks increases confidence and reduces noise. A finding you cannot reproduce is a finding you cannot report.

Prioritise by exploitability and business impact. A finding with a public exploit and a path to sensitive data is a different priority from one with no known exploit on an isolated internal service. CVSS base score, CVSS environmental score, exploit availability, and asset criticality all feed into the prioritisation decision. Repairing medium-level vulnerabilities matters because multi-step attacks chain them. Do not filter to critical only.
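
The cross-checking and prioritisation steps above, as an added example that is not TryHackMe's code: it merges findings from two scanners, marks the ones only a single tool reported, and ranks each by CVSS scaled by the asset's exposure and criticality plus a bonus for a known public exploit. Hosts, weights, exploit data and the CVE-style identifiers are constructed placeholders.

```python
# Added example, not TryHackMe's code: merge two scanners' findings, flag the ones
# only one tool saw, and rank by CVSS scaled by asset context plus exploit
# availability. Hosts, weights and the CVE-style ids are constructed placeholders.
from collections import defaultdict

# Constructed raw output: (tool, host, cve_id, cvss_base)
RAW_FINDINGS = [
    ("nessus", "10.0.0.5", "CVE-0000-0001", 10.0), ("nmap-nse", "10.0.0.5", "CVE-0000-0001", 10.0),
    ("nessus", "10.0.0.9", "CVE-0000-0001", 10.0), ("nmap-nse", "10.0.0.9", "CVE-0000-0001", 10.0),
    ("nessus", "10.0.0.9", "CVE-0000-0002", 7.8),                     # seen by one tool only
    ("nessus", "10.0.0.5", "CVE-0000-0003", 6.5), ("nmap-nse", "10.0.0.5", "CVE-0000-0003", 6.5),
]
# Constructed asset inventory: .5 is a customer-facing web app, .9 an internal dev box
ASSETS = {"10.0.0.5": ("internet", "high"), "10.0.0.9": ("internal", "low")}
PUBLIC_EXPLOIT = {"CVE-0000-0001", "CVE-0000-0003"}  # constructed exploit-availability data

# Illustrative weights: context, not the base score alone, sets priority
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
EXPLOIT_BONUS = 2.0

def cross_check(raw):
    """Merge findings per (host, cve) and record which tools reported each."""
    merged = defaultdict(lambda: {"cvss": 0.0, "sources": set()})
    for tool, host, cve, cvss in raw:
        merged[(host, cve)]["cvss"] = max(merged[(host, cve)]["cvss"], cvss)
        merged[(host, cve)]["sources"].add(tool)
    return merged

def priority_score(cvss, host, cve):
    """Scale CVSS by exposure and criticality; add a bonus when a public exploit exists."""
    exposure, criticality = ASSETS[host]
    score = cvss * EXPOSURE_WEIGHT[exposure] * CRITICALITY_WEIGHT[criticality]
    return round(score + (EXPLOIT_BONUS if cve in PUBLIC_EXPLOIT else 0.0), 2)

def prioritise(raw):
    """Findings sorted highest priority first; single-source ones are marked for manual checking."""
    rows = [{"host": h, "cve": c, "cvss": e["cvss"], "corroborated": len(e["sources"]) > 1,
             "priority": priority_score(e["cvss"], h, c)}
            for (h, c), e in cross_check(raw).items()]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for r in prioritise(RAW_FINDINGS):
        note = "" if r["corroborated"] else "  <- single source, verify before reporting"
        print(f'{r["priority"]:5.2f}  CVSS {r["cvss"]:4.1f}  {r["host"]:9}  {r["cve"]}{note}')
```

With these weights the same CVSS 10.0 finding scores 12.0 on the exposed web app and 4.0 on the internal dev box, and the medium finding with a public exploit on the exposed host ranks above the critical one on the internal host.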

Document as you go. Every finding needs evidence: the scanner output, the affected host, the CVE reference, a reproduction step, and your assessment of impact. Documentation completed during the assessment is accurate. Documentation reconstructed after the fact is not.


How Do You Practise Vulnerability Assessment Hands-On?

Hands-on practice is non-negotiable, but it must be legal and contained. Never run scanners against systems you do not own or have explicit written permission to test. Full stop.

TryHackMe's Jr Penetration Tester path is the most structured starting point. The revamped path includes dedicated Vulnerability Knowledge modules covering CVE and vulnerability databases, vulnerability scanning tools, and basic identification techniques, alongside the Nmap, web application, and Metasploit content that builds the full assessment toolkit. All labs run in pre-configured, isolated environments in-browser. No setup, no risk of accidentally scanning something you should not.

Intentionally vulnerable VMs. Metasploitable 2 and 3, DVWA, and OWASP Juice Shop all provide legal targets to scan and assess in a home lab. The workflow: spin up the VM in an isolated network, run Nmap and your scanner of choice, generate a raw finding list, then manually verify and prioritise. Do this repeatedly until the process feels automatic.

Run the same scan twice. Scan once with default settings and once tuned for credentials and reduced false positives, then compare the results side by side. The difference between the two outputs teaches you more about how scanners work than any tutorial.
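
The side-by-side comparison described above, as an added example that is not TryHackMe's code: it matches two runs of the same scanner by host, port and plugin ID and reports what appeared, what disappeared, and what changed severity. The two CSV exports are constructed, simplified data with a Nessus-like column set, not real scanner output, and the plugin IDs and finding names are placeholders.

```python
# Added example, not TryHackMe's code: compare a default and a tuned run of the
# same scanner. The CSV text below is constructed sample data with a simplified,
# Nessus-like column layout; plugin IDs and finding names are placeholders.
import csv
import io

DEFAULT_RUN = """Plugin ID,Risk,Host,Port,Name
10001,Critical,10.0.0.5,443,Placeholder web framework remote code execution
10002,Medium,10.0.0.5,22,Placeholder SSH weak algorithms enabled
10003,High,10.0.0.9,445,Placeholder network service finding (unauthenticated guess)
10004,Low,10.0.0.9,80,Placeholder web server version disclosure
"""
TUNED_RUN = """Plugin ID,Risk,Host,Port,Name
10001,Critical,10.0.0.5,443,Placeholder web framework remote code execution
10002,Medium,10.0.0.5,22,Placeholder SSH weak algorithms enabled
10005,High,10.0.0.9,0,Placeholder missing OS patches (credentialed check)
10004,Info,10.0.0.9,80,Placeholder web server version disclosure
"""

def load(csv_text):
    """Key each finding by (host, port, plugin id) so the two runs can be matched."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["Host"], r["Port"], r["Plugin ID"]): r for r in rows}

def compare_runs(run_a, run_b):
    """Findings only in one run are verification candidates; severity changes show
    what credentialed or tuned checks re-rated."""
    a, b = load(run_a), load(run_b)
    return {
        "only_in_default": sorted(k for k in a if k not in b),
        "only_in_tuned": sorted(k for k in b if k not in a),
        "risk_changed": sorted((k, a[k]["Risk"], b[k]["Risk"])
                               for k in a.keys() & b.keys() if a[k]["Risk"] != b[k]["Risk"]),
    }

if __name__ == "__main__":
    for label, items in compare_runs(DEFAULT_RUN, TUNED_RUN).items():
        print(f"{label}: {items}")
```

A finding present only in the default run is a candidate false positive to verify by hand; one present only in the tuned run is typically something the credentialed checks could see that the unauthenticated run could not.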


What Does a Vulnerability Assessment Report Look Like?

The report is the deliverable. Everything else is preparation for it.

A professional vulnerability assessment report has three sections. The executive summary explains what was assessed, the overall risk posture, and the most significant findings in non-technical language. The technical findings section documents each vulnerability with its CVSS score, affected asset, evidence (screenshot or output), business impact, and specific remediation recommendation. The appendix contains raw scan output, scope details, and methodology notes.

At beginner level, write up every lab you complete in this format. Not as a learning exercise. As actual evidence of professional methodology. A folder of ten structured assessment reports from TryHackMe rooms and home lab practice is a portfolio that answers the question every technical hiring manager asks: can this person document what they find clearly enough for a client to act on it?


Where Do You Start?

Open TryHackMe's Jr Penetration Tester path. The vulnerability knowledge and assessment modules cover CVE databases, scanning tools, and identification techniques in a guided, hands-on format. Work through the Nmap modules to build your discovery foundation, then move into the vulnerability scanning content.

Document everything as a report. The skill compounds fast.

Author: Nick O'Grady
May 21, 2026
