How Ransomware Gets In Through One Open Port
Port 3389 left open to the internet is the single most common ransomware entry point for small businesses. Here's how attackers find it, what happens next, and what to do about it.
Vulnerability assessment
An external vulnerability assessment scans your internet-facing systems - ports, services, email, and web apps - and maps known weaknesses by CVSS severity, without exploiting them (that is what separates it from a penetration test). CyberCerber delivers it as CyberAudyt: a flat $900, plain-English report in 5 business days.
Methodology you already know from the standards
You do not need all three at once. Each level answers a different question about your infrastructure - and each has a different price and depth. How each level maps to compliance requirements is covered in the guide on US data-security compliance.
“What can the internet already see about you?”
A passive scan of your attack surface - DNS, certificates, open ports, breached passwords. No login to your systems, nothing installed. Free, results in 24 hours.
“Which weaknesses do you actually have, and what to fix first?”
An active scan combined with manual OWASP Top 10 verification. The result is a vulnerability map with CVSS priorities and a remediation plan. We map the weaknesses - we do not exploit them.
“Will your defenses hold against a real attack?”
Controlled exploitation of selected vulnerabilities. For regulated entities, or when a corporate client explicitly requires proof. Usually only after two assessment cycles.
Assessment scope
We map what your business publishes to the internet: subdomains, open ports, remote-access services (RDP, VPN, admin panels), and software versions. Exposed remote desktop and an unpatched service are the two most common ransomware entry points.
We manually verify your sites and web apps against the OWASP Top 10 - outdated CMS and plugins, misconfigurations, exposed login panels. An automated scan alone does not settle this; a vulnerability assessment pairs the scan with human verification.
We check the SPF, DKIM and DMARC configuration of your domain. Without them, anyone can send email that appears to come from your address and tell a client or your bookkeeper about a “changed account number.” That is the usual opening move in business email compromise (BEC) wire-transfer fraud.
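The SPF and DMARC part of that check can be reproduced from public DNS alone. The script below is an added example, not CyberCerber's own tooling: it reads constructed TXT answers for three hypothetical domains (good.example, weak.example, missing.example) in place of a live resolver, parses the SPF and DMARC records, and reports the gaps an assessor would flag (no record, a softfail or missing `-all`, too many DNS lookups, a monitor-only DMARC policy, no reporting address). DKIM is left out because a DKIM record lives under a selector name that the domain does not advertise.

```python
"""Offline SPF/DMARC check over constructed DNS TXT answers.

Added example (not CyberCerber's own tooling). Hostnames and records are
constructed; a live check would fetch the TXT records for <domain> and
_dmarc.<domain> from a resolver instead of reading FAKE_TXT.
DKIM is not checked: its record sits at <selector>._domainkey.<domain>,
and the selector is only known from a signed message.
"""

# Constructed stand-in for a DNS resolver: name -> list of TXT strings.
FAKE_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "missing.example": ["some unrelated TXT record"],
    "_dmarc.missing.example": [],
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, resolver=FAKE_TXT):
    """Return the TXT strings published at `name` (empty list if none)."""
    return resolver.get(name, [])


def parse_spf(records):
    """Return the SPF terms after 'v=spf1', or None if no SPF record exists."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict (keys lowercased), or None if absent."""
    for rec in records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_spf(terms):
    """Findings for an SPF term list (None means no record)."""
    findings = []
    if terms is None:
        return [("HIGH", "no SPF record: any server may send mail as this domain")]
    # Strip qualifiers (+ - ~ ?) and arguments to get the bare mechanism name.
    names = [t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
             for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(("HIGH", f"{lookups} DNS lookups exceed the RFC 7208 "
                                 "limit of 10; receivers return permerror"))
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append(("HIGH", "'+all': every sender passes SPF"))
    elif last == "~all":
        findings.append(("MEDIUM", "'~all' softfail: spoofed mail is accepted and only flagged"))
    elif last != "-all" and "redirect" not in names:
        findings.append(("MEDIUM", "no '-all': unlisted senders get a neutral result"))
    return findings


def assess_dmarc(tags):
    """Findings for a parsed DMARC record (None means no record)."""
    if tags is None:
        return [("HIGH", "no DMARC record: receivers have no policy for mail failing SPF/DKIM")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("MEDIUM", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("LOW", "p=quarantine: spoofed mail goes to spam instead of being rejected"))
    elif policy != "reject":
        findings.append(("HIGH", f"missing or invalid DMARC policy tag: p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("LOW", f"pct={pct}: policy applied to only part of the mail"))
    if "rua" not in tags:
        findings.append(("LOW", "no rua= address: no aggregate reports, spoofing goes unnoticed"))
    return findings


def assess_domain(domain, resolver=FAKE_TXT):
    """Return (severity, message) findings for the domain's SPF and DMARC."""
    spf = parse_spf(lookup_txt(domain, resolver))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, resolver))
    return assess_spf(spf) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for domain in ("good.example", "weak.example", "missing.example"):
        print(domain)
        for sev, msg in assess_domain(domain) or [("OK", "SPF -all and DMARC p=reject in place")]:
            print(f"  [{sev}] {msg}")
```

Swap `FAKE_TXT` for a real resolver lookup of the same two names and the assessment logic applies unchanged; the severity labels mirror how an external assessment ranks these findings, with a missing record or an all-pass SPF at the top and a missing reporting address at the bottom.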
We check your company addresses against breach feeds (Have I Been Pwned and dark-web sources). One leaked password, reused across services, is usually the open path into your system, email, or booking tool.
We verify certificate validity, weak ciphers, and HTTPS configuration. An expired certificate or an old protocol is not just a browser warning - it is a real window for eavesdropping and impersonation.
We check whether your backup is directly reachable from the internet - and therefore exposed to being encrypted along with everything else. A backup nobody has tested for restore is not a backup, just hope.
Deliverables
A fixed scope - you know exactly what you get before you pay. See a sample report.
The process
You give us the domain and scope (website, email, infrastructure). We agree on a scan window. We do not need access to your systems.
We combine an automated scan with manual verification of priority findings against the OWASP Top 10. No exploitation attempts, no load on your network.
You get the report: an executive summary, a CVSS-prioritized vulnerability list, and a remediation plan. No jargon in the parts written for you.
We walk through the findings point by point - what to fix first and how much effort it takes. Your IT person does the fixing. No lock-in.
Once vulnerabilities are remediated, we re-check that the fixes actually worked - for half the price of CyberAudyt. Proof for you, your client, and your auditor.
Compliance
The HIPAA Security Rule already requires a risk analysis of vulnerabilities to ePHI. The proposed 2025 update would make six-monthly vulnerability scans and annual penetration testing explicit - no small-practice exemption. An external assessment is the simplest way to evidence it. Context: US data-security compliance.
For accountants, CPAs and tax preparers, the FTC Safeguards Rule requires annual penetration testing plus vulnerability assessments at least every six months - unless you run continuous monitoring. CyberAudyt covers the vulnerability-assessment half. More for accounting firms.
Pricing
You start for free. You pay only if there is something to fix. The CyberAudyt price is flat - regardless of how many online services, subdomains, or locations you have. Full pricing.
Free scan - results in 24 h
A passive external scan. We show what the internet can see - with no access on your side. It answers the question “is there anything to worry about at all.”
CyberAudyt ($900) - report in 5 business days
A full vulnerability assessment with manual OWASP Top 10 verification, a CVSS list, a plain-English report, and a 30-minute call. Flat price regardless of how many online services and subdomains you run.
Re-check after remediation - half the CyberAudyt price
Half the price of CyberAudyt for businesses that have already had one. We confirm the fixes actually closed the gaps - proof for you, a corporate client, or an auditor.
A flat price - no hourly rates, no surprises. Regulated entity or an explicit corporate-client requirement: a full pentest is available ($4,900).
Guarantee: if CyberAudyt does not surface at least 3 actionable findings to fix - you pay nothing.
For your industry
The CyberAudyt report includes a section tailored to your systems. Run a dental practice, an accounting firm, or a med-spa? There is a dedicated service page.
Dental practices: practice-management software (Dentrix, Eaglesoft, Open Dental), imaging/PACS, and email - under HIPAA.
Accounting firms: FTC Safeguards Rule, IRS Pub 4557 WISP, wire-transfer fraud, and accounting software exposure.
Med-spas: online booking, patient photos, and ePHI under HIPAA.
Questions we hear most
You send us just your domain name. Within 24 hours we show what an attacker sees. If nothing serious - you keep the report and we step away. If there are problems - the next step is a full vulnerability assessment (CyberAudyt) at a flat price. No pressure, no subscription.
No card. No access to your systems. No monthly fees.