Cyber Essentials Plus Vulnerability Scanning, the Hub
Net Sec Group is an IASME and NCSC certification body. Vulnerability scanning is the technical centre of the CE Plus assessment; the assessor reads scan output as the primary evidence for the patching control and as supporting evidence for secure configuration, malware protection, and user access control. This hub indexes the four vulnerability-scanning spokes on this site, each written from the assessor's accept/reject perspective drawn from our 800-plus engagement history.
Articles in this hub
CE Plus Vulnerability Scanners Compared, by Assessor Pass/Fail
The five vulnerability scanners (Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, OpenVAS / Greenbone, AWS Inspector / Defender for Cloud / GCP SCC) compared against five assessor criteria: authenticated coverage, CVSS clarity, false-positive triage, OS coverage, evidence-pack exportability. The matrix names which scanner output passes a CE Plus audit cleanly, which gets queried, and which gets rejected. Recommendations per buyer profile (in-house engineering team, MSP-managed estate, cloud-only estate, microbusiness).
External vs Internal Scanning for CE Plus, the Per-Control Mapping
The two CE Plus scan tiers (external perimeter, internal authenticated) mapped onto the five Cyber Essentials controls. Each control gets a row showing which scan tier evidences it, the typical pass evidence, and the typical fail evidence drawn from real engagements. Plus the four scope errors we see at audit (external scan against shared hosting IP, internal scan with insufficient credentials, missing endpoints from the authenticated inventory, scan timing outside the patch window).
False Positives in CE Plus Vulnerability Scans, What the Assessor Accepts
The three-tier acceptance framework for documented false positives: tier 1 always-accepted (vendor advisory exclusion, compensating control with logged enforcement, version banner mismatch), tier 2 queried (in-house written exception, scanner-specific quirk), tier 3 rejected (undocumented assertions, deferred remediation without compensating control, age of finding). Plus a sample exception template the assessor accepts and a CVSS environmental score adjustment treatment.
Scanning Cloud vs On-Premises Estates for CE Plus
The methodology table for the three estate shapes (SaaS-only, IaaS-heavy hybrid, on-premises-heavy hybrid). What changes about scanning per estate type, the assets in scope per type, the scanner methodology that produces audit-acceptable evidence, and the three asset categories typically missing from cloud-estate scanner inventories at audit (untracked SaaS apps, IaaS workloads outside the scanner inventory, unmanaged virtual hosts).
When to read which article
| Where you are | Read this |
|---|---|
| Choosing or replacing a vulnerability scanner before CE Plus | CE Plus Vulnerability Scanners Compared |
| Confused about whether you need an external scan, internal scan, or both | External vs Internal Scanning for CE Plus |
| Triaging a finding the engineering team believes is a false positive | False Positives in CE Plus Vulnerability Scans |
| Cloud-only or hybrid estate, unsure how scanning maps to scope | Scanning Cloud vs On-Premises Estates for CE Plus |
| All four conditions apply (most CE Plus engagements) | Read in order: scanner choice, scan tiers, scope mapping, then false-positive handling as findings emerge |
How this hub relates to the other three
The vulnerability-scanning hub is one of four on this site. The other three:
- Audit-evidence: the screenshot specification and MFA evidence formats the assessor expects across all controls. Indexed at the audit-evidence hub.
- Platform-specific: per-control hardening for Windows 11, macOS, Microsoft Intune, and Google Workspace. Indexed at the platform-specific hub.
- Technical-controls: the foundation references for each Cyber Essentials control. Indexed at the technical-controls hub.
A typical CE Plus engagement reads the platform-specific hub (to harden the fleet), the vulnerability-scanning hub (to choose tooling and methodology), and the audit-evidence hub (to assemble the evidence pack); the technical-controls hub provides the foundation references each pillar leans on.
Common questions
What is the absolute minimum scanning posture for CE Plus?
An external perimeter scan against the firm's public IP set, plus an internal authenticated scan against every in-scope host. Both scans run within 48 hours of the assessment day, and both produce per-finding output that the firm has triaged before submission.
Can I run free or open-source scanners and pass CE Plus?
Yes. OpenVAS / Greenbone Community Edition produces audit-acceptable output if configured correctly. The trade-off is operational cost (configuration time, FP triage, evidence-pack assembly), not assessor preference. See the scanner comparison for the per-tool detail.
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group.