Vulnerability Scanning & Attack Surface Management
Hexafusion runs continuous external attack-surface scanning and internal vulnerability assessments for Vancouver and Lower Mainland businesses. Tooling: Tenable, Qualys, Microsoft Defender Vulnerability Management, and Nuclei. Findings are prioritised by exploitability, not just severity. SOC 2, PIPEDA, and cyber-insurance ready. Remediation tracked to closure.
Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The patterns here come from running scans on Vancouver dental, legal, accounting, manufacturing, and professional-services clients.
Why this matters
Three converging forces make vulnerability scanning a baseline 2026 control:
- Public exploits weaponise faster. A critical vulnerability published on a Tuesday is being scanned for by attackers by Wednesday afternoon. The window between disclosure and mass exploitation is now measured in hours, not weeks. Annual or quarterly scans miss this window entirely.
- Compliance frameworks require it. SOC 2, PCI DSS, ISO 27001 Annex A, PIPEDA reasonable safeguards, BC PIPA, and FINTRAC all either require or strongly recommend regular vulnerability assessment with documented remediation.
- Cyber insurance demands evidence. 2026 questionnaires ask for scan frequency, critical-vulnerability remediation SLA, evidence of prioritisation methodology, and a tracking system. Without all four, your premium goes up or coverage is reduced.
Vulnerability scan vs penetration test (they are not the same)
This confusion costs businesses money. Some BC firms pay for annual pen tests and skip scanning. Others do scans and call it pen testing. They serve different purposes.
| Attribute | Vulnerability scan | Penetration test |
|---|---|---|
| Method | Automated tool | Manual, human attacker |
| Frequency | Weekly or continuous | Annual |
| Goal | Find known vulnerabilities at scale | Demonstrate real-world exploit chains |
| Output | Prioritised finding list | Narrative report with proof of compromise |
| Catches zero-days? | Rarely (relies on signatures) | Sometimes |
| Required for | All compliance frameworks, cyber insurance | SOC 2, PCI DSS, higher-tier cyber insurance |
Both are needed. Hexafusion delivers scanning in-house. For higher-tier requirements, we coordinate penetration testing with vetted third-party firms.
What we scan
External attack surface
Every public DNS record, certificate, IP address, exposed port, web application, and cloud asset associated with your organisation. Continuous discovery via certificate transparency logs and DNS enumeration. Daily probes against the inventory.
Internal network
Servers, workstations, network equipment, printers, point-of-sale terminals, Internet of Things (IoT) devices, building automation, voice over IP (VoIP) phones. Monthly authenticated scans. Reports by segment and risk tier.
Cloud posture
Microsoft 365, Azure, AWS, Google Workspace, Google Cloud. Misconfigurations, over-permissive access, exposed storage, unencrypted data, and identity weaknesses. Continuous through cloud-native posture management tools.
Endpoints
Patch level, software inventory, configuration baseline, EDR agent health. Surfaced through Microsoft Defender Vulnerability Management or Tenable Agent, depending on platform mix. Per-endpoint reporting.
Web applications
Public-facing web apps and APIs scanned weekly for OWASP Top 10 patterns (injection, broken auth, insecure deserialization). Authenticated where possible.
Identity and access
Dormant accounts, over-privileged users, stale service accounts, password-policy gaps, multi-factor authentication (MFA) coverage gaps, conditional-access policy weaknesses. Surfaced through Microsoft Entra ID secure score and equivalents.
How we prioritise findings
The single biggest mistake in vulnerability management is treating Common Vulnerability Scoring System (CVSS) scores as priority. A site can have 50 "critical" CVSS findings, only 3 of which an attacker can actually exploit today. Treating all 50 as critical produces alert fatigue: decisions get made by guesswork, and the 3 real ones get lost in the noise.
Our priority formula combines four signals:
- Exploit availability. Is the vulnerability in the CISA Known Exploited Vulnerabilities (KEV) catalogue? Is there a working public exploit (Metasploit, ExploitDB)? If yes, escalate.
- Exposure. Internet-facing, internal but reachable from the network, internal but segmented, or air-gapped. Internet-facing escalates two tiers.
- Business criticality. Production payment system, customer data store, executive workstation, or test environment. Production data systems escalate one tier.
- Patch availability. Vendor patch released and tested, vendor patch released but breaks compatibility, or no patch yet. No patch means compensating controls are deployed instead.
The result: a typical client gets 5 to 15 truly urgent findings per month, not 200. Real findings get resolved inside the cyber-insurance SLA of 30 days for critical and 90 days for high.
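The four-signal formula above, worked through in code as an added example (this is not Hexafusion's tooling). The two escalations the page quantifies are taken as stated: internet-facing adds two tiers and a production data system adds one. Everything else is an assumption made for the example: a CVSS v3 score sets the base tier, a CISA KEV entry or public exploit adds one tier, and the resulting score is banded onto the 30-day and 90-day SLA classes. Findings already recorded as accepted risks are deduplicated out, and patch availability selects the action rather than changing the priority, as the playbook describes. The CVE identifiers in the sample are placeholders.

```python
"""Four-signal triage over constructed scanner findings (example code, not
Hexafusion's tooling). Assumed, because the page does not state them: the
CVSS-to-base-tier mapping, the +1 for exploit availability, and the score
bands that map onto the 30-day / 90-day SLA classes."""
from dataclasses import dataclass
from typing import Optional

# Escalations the page does state: internet-facing +2 tiers, production data
# system +1 tier. The zero entries and EXPLOIT_ESCALATION are assumptions.
EXPOSURE_ESCALATION = {
    "internet-facing": 2,
    "internal-reachable": 0,
    "internal-segmented": 0,
    "air-gapped": 0,
}
CRITICALITY_ESCALATION = {
    "production-data": 1,        # payment system, customer data store
    "executive-workstation": 0,
    "test": 0,
}
EXPLOIT_ESCALATION = 1           # CISA KEV entry or public exploit


def cvss_base_tier(score: float) -> int:
    """Map a CVSS v3 score to a base tier 0..3 using the standard bands."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 2
    if score >= 4.0:
        return 1
    return 0


@dataclass
class Finding:
    host: str
    cve: str                     # placeholder ids below, not real CVEs
    cvss: float
    exposure: str
    criticality: str
    in_kev: bool = False
    public_exploit: bool = False
    patch: str = "available"     # "available" | "breaks-compat" | "none"


@dataclass
class Triage:
    finding: Finding
    score: int
    priority: str
    sla_days: Optional[int]
    action: str


def triage(f: Finding, accepted_risks: set) -> Optional[Triage]:
    """Drop accepted risks, then score and band a single finding."""
    if (f.host, f.cve) in accepted_risks:
        return None                      # deduplicated against accepted risk
    score = cvss_base_tier(f.cvss)
    if f.in_kev or f.public_exploit:
        score += EXPLOIT_ESCALATION
    score += EXPOSURE_ESCALATION[f.exposure]
    score += CRITICALITY_ESCALATION[f.criticality]
    # Assumed bands, tied to the SLAs the page quotes (30 days critical, 90 high)
    if score >= 5:
        priority, sla = "critical", 30
    elif score == 4:
        priority, sla = "high", 90
    elif score >= 2:
        priority, sla = "medium", None
    else:
        priority, sla = "low", None
    # Patch availability decides the action, not the priority
    if f.patch == "none":
        action = "compensating control (time-limited, tracked)"
    elif f.patch == "breaks-compat":
        action = "patch after compatibility testing"
    else:
        action = "patch"
    return Triage(f, score, priority, sla, action)


def triage_all(findings, accepted_risks):
    """Return triaged findings, most urgent first, accepted risks removed."""
    results = [t for t in (triage(f, accepted_risks) for f in findings) if t]
    results.sort(key=lambda t: -t.score)
    return results


# Constructed sample: a CVSS 9.8 on a segmented test box ends up medium, while a
# CVSS 8.1 KEV entry on an internet-facing production gateway is critical.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-0000-0001", 8.1, "internet-facing", "production-data", in_kev=True),
    Finding("fileserver-02", "CVE-0000-0002", 9.8, "internal-segmented", "test"),
    Finding("pos-07", "CVE-0000-0003", 7.5, "internal-reachable", "production-data",
            public_exploit=True, patch="none"),
    Finding("printer-12", "CVE-0000-0004", 5.3, "internal-reachable", "test"),
    Finding("legacy-app-03", "CVE-0000-0005", 9.1, "internal-segmented", "production-data"),
]
ACCEPTED_RISKS = {("legacy-app-03", "CVE-0000-0005")}

if __name__ == "__main__":
    for t in triage_all(SAMPLE_FINDINGS, ACCEPTED_RISKS):
        print(f"{t.priority:8} score={t.score} {t.finding.host:14} {t.finding.cve} -> {t.action}")
```

The point the sample makes is the one the section argues: the highest CVSS score in the list (9.8, segmented, test) lands in the medium band, while a lower-scored finding that is exploited in the wild, internet-facing and on a production system goes to the top of the queue with a 30-day clock.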
Our remediation playbook
1. Ingest. New findings are pulled from the scanners, deduplicated against known-accepted risks, and assigned a priority using the four-signal formula above.
2. Assign. Critical and high findings get an owner and a target close date. Findings on managed infrastructure are owned by Hexafusion. Findings on client-managed systems (line-of-business apps, vendor-controlled) are routed to the right business owner.
3. Remediate. Patch, configuration change, compensating control, or accepted risk with a documented justification. Compensating controls (such as a web-application firewall rule) are time-limited and tracked.
4. Verify. A re-scan confirms the finding is closed. Verified-closed findings move to the historical log. Findings that recur (config drift) trigger a root-cause investigation.
5. Report. Monthly report: open findings by priority, mean time to remediate, trend lines, top recurring root causes. Annual report: full controls statement for auditors and cyber-insurance carriers.
The 8 metrics on our monthly report
The same metrics insurers and auditors ask for, delivered automatically each month:
- Open findings by priority (critical, high, medium, low) with trend versus last month
- Mean time to remediate (MTTR) for critical and high findings
- SLA compliance rate (percentage of critical findings closed within 30 days)
- Coverage (percentage of assets actually scanned in the last 30 days)
- External attack surface size with month-over-month delta (new exposures and retired ones)
- Top 5 recurring vulnerabilities by root cause (often: missing patches, weak configuration baseline, end-of-life software)
- Identity hygiene score (dormant accounts, over-privileged users, MFA gaps)
- Compliance posture against your active framework (SOC 2, PIPEDA, PCI DSS, custom)
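The first four metrics in the list (open findings with month-over-month trend, MTTR, SLA compliance rate, and coverage) computed over a constructed finding log, as an added example rather than Hexafusion's reporting code. The 30-day and 90-day SLAs are the ones the page quotes. Assumed for the example: the record shape, that an open finding already past its SLA counts as a breach while one not yet due is excluded from the rate, and that MTTR covers every finding closed on or before the report date.

```python
"""Monthly vulnerability-management metrics over a constructed finding log
(example code, not Hexafusion's reporting). Assumed: the record shape, that an
open finding past its SLA counts as a breach while one not yet due is excluded,
and that MTTR covers every finding closed on or before the report date."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

SLA_DAYS = {"critical": 30, "high": 90}      # the page's cyber-insurance SLAs
PRIORITIES = ("critical", "high", "medium", "low")


@dataclass
class Record:
    asset: str
    priority: str
    opened: date
    closed: Optional[date] = None              # None = still open


def open_by_priority(records, as_of):
    """Count findings open at the end of the given day, by priority."""
    counts = {p: 0 for p in PRIORITIES}
    for r in records:
        if r.opened <= as_of and (r.closed is None or r.closed > as_of):
            counts[r.priority] += 1
    return counts


def open_trend(records, as_of):
    """Open count per priority with the delta versus the previous month end."""
    prev_month_end = as_of.replace(day=1) - timedelta(days=1)
    prev = open_by_priority(records, prev_month_end)
    cur = open_by_priority(records, as_of)
    return {p: (cur[p], cur[p] - prev[p]) for p in PRIORITIES}


def mttr_days(records, as_of, priorities=("critical", "high")):
    """Mean open-to-verified-close days for the given priorities."""
    durations = [(r.closed - r.opened).days for r in records
                 if r.closed and r.closed <= as_of and r.priority in priorities]
    return round(mean(durations), 1) if durations else None


def sla_compliance_pct(records, as_of, priority="critical"):
    """Share of evaluable findings closed within their SLA window."""
    limit = SLA_DAYS[priority]
    outcomes = []
    for r in records:
        if r.priority != priority:
            continue
        if r.closed is not None:
            outcomes.append((r.closed - r.opened).days <= limit)
        elif (as_of - r.opened).days > limit:
            outcomes.append(False)               # open and overdue: breach
        # open but not yet due: not evaluated this month
    return round(100 * sum(outcomes) / len(outcomes), 1) if outcomes else None


def coverage_pct(last_scanned, as_of, window_days=30):
    """Percentage of inventory assets scanned within the window."""
    cutoff = as_of - timedelta(days=window_days)
    hit = sum(1 for d in last_scanned.values() if d is not None and d >= cutoff)
    return round(100 * hit / len(last_scanned), 1)


def monthly_report(records, last_scanned, as_of):
    """Assemble the metrics an insurer or auditor asks for into one dict."""
    return {
        "open_trend": open_trend(records, as_of),
        "mttr_days": mttr_days(records, as_of),
        "sla_compliance_pct": sla_compliance_pct(records, as_of),
        "coverage_pct": coverage_pct(last_scanned, as_of),
    }


# Constructed sample data for a report dated 31 March 2026
AS_OF = date(2026, 3, 31)
RECORDS = [
    Record("vpn-gw-01", "critical", date(2026, 2, 10), date(2026, 3, 1)),    # 19 days, in SLA
    Record("mail-02", "critical", date(2026, 1, 20), date(2026, 3, 5)),      # 44 days, breach
    Record("pos-07", "critical", date(2026, 3, 20)),                         # open, not yet due
    Record("legacy-app-03", "critical", date(2026, 2, 1)),                   # open, overdue
    Record("fileserver-02", "high", date(2026, 2, 15), date(2026, 3, 10)),   # 23 days
    Record("printer-12", "high", date(2026, 3, 2)),
    Record("wiki-01", "medium", date(2026, 3, 5)),
]
LAST_SCANNED = {
    "vpn-gw-01": date(2026, 3, 30), "mail-02": date(2026, 3, 28),
    "pos-07": date(2026, 3, 29), "fileserver-02": date(2026, 3, 2),
    "legacy-app-03": date(2026, 1, 15),                                      # stale, counts against coverage
}

if __name__ == "__main__":
    for k, v in monthly_report(RECORDS, LAST_SCANNED, AS_OF).items():
        print(f"{k}: {v}")
```

Two choices worth noting. Coverage is computed against the inventory, not against the scan output, so an asset the scanner never reached lowers the number instead of silently disappearing. And a finding that is open but not yet past its SLA is left out of the compliance rate rather than counted as either a pass or a fail, so the rate measures outcomes instead of moving with the calendar.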
Frequently asked questions
What is a vulnerability scan vs a penetration test?
A scan is automated, runs weekly or continuously, and finds known vulnerabilities at scale. A pen test is manual, runs annually, and demonstrates real exploit chains. Both are required by most compliance frameworks.
What is external attack surface management?
Continuous discovery of everything your organisation exposes to the public internet, including forgotten assets. Public DNS data, certificate transparency logs, and active scanning find these, and assets running outdated or exposed software are flagged.
How often should we scan?
External attack surface: continuous or weekly. Internal infrastructure: monthly at minimum. Endpoints: via EDR posture management. Web applications: weekly, plus an annual pen test. Cloud assets: continuous via cloud-native posture management.
What platforms do you use?
Tenable Nessus (internal infrastructure), Qualys (cloud and hybrid), Microsoft Defender Vulnerability Management (Microsoft 365 E5 and Defender for Servers), Nuclei (continuous external attack surface). Choice depends on licensing, asset mix, compliance.
How do you prioritise what to fix?
Four-signal formula: exploit availability (CISA KEV catalogue, public exploits), exposure (internet-facing escalates), business criticality (production escalates), patch availability. Typical client: 5 to 15 truly urgent findings per month, not 200.
Authenticated vs unauthenticated scans?
Unauthenticated scans probe from outside (the attacker's view). Authenticated scans use credentials to inspect from inside (patch level, configuration). Authenticated scanning finds 10 to 50 times more issues. Most compliance frameworks require both.
Does cyber insurance require this?
Yes. 2026 questionnaires ask for scan frequency, critical-vulnerability remediation SLA, prioritisation methodology, and a tracking system. Carriers expect monthly at minimum. We bundle scanning, remediation, and renewal-ready documentation in our managed-IT plans.
Will scanning break things?
Modern scanners are safe by default but not zero-risk. Industrial control systems, medical devices, and legacy network equipment can crash under aggressive scanning. We pilot in low-risk segments first. Sensitive segments get credentialed read-only scans with rate-limiting.
Get an external attack-surface scan
Free one-time external attack-surface scan of your public-facing assets. Findings, severity, and recommended remediation in a written report. No commitment.