Security Health Checks
Find the gaps before attackers do. Continuous vulnerability scanning, configuration review, and patch tracking — with prioritised fixes done by our team, not just a PDF for you to read.
Why Annual Audits Aren't Enough
The classic SMB security posture is the annual audit: an external firm runs a one-week engagement, produces a thick PDF, and the business spends three months not getting around to the findings. By the time the next audit rolls around, half the gaps are still open and a dozen new ones have appeared.
Continuous health checks invert this. New vulnerabilities are disclosed publicly every day — Microsoft patches monthly, but CVEs appear weekly. A scan that ran six months ago is useless against threats that became exploitable six weeks ago.
The discipline isn't scanning. It's the cycle of scan → prioritise → fix → verify, run continuously, with human judgement applied to triage what matters first.
- Weekly: external scans, continuously running
- Monthly: authenticated internal scans
- Quarterly: configuration review + reporting
What's Included
Scanning, configuration review, prioritisation, remediation, reporting.
How It Works
Five steps, run on a cycle, not a one-off.
Discover
We build a complete inventory of your environment: endpoints, servers, cloud assets, SaaS tenants, network devices. You can't protect what you don't know exists.
Scan
Continuous external scans plus scheduled internal authenticated scans. The two complementary views catch different gaps.
Prioritise
Findings get ranked by exploitability (is anyone actively using this CVE?), exposure (is it internet-facing?), and impact (what would compromise look like?).
Fix
Critical findings get fixed within agreed SLAs by our team or yours. Each fix is verified by re-scanning.
Report
Quarterly report shows current posture, what we found, what we fixed, the trend over time, and the top three priorities for the next quarter.
Common Findings We Catch
Eight categories that show up in nearly every SMB environment.
- Missing patches: critical CVE on an edge VPN appliance, exploit available in the wild
- Misconfigurations: M365 mailbox forwarding to external addresses allowed by default
- Weak controls: MFA enabled but only soft-enforced for half the user base
- Exposed services: RDP / SMB / database port reachable from the internet
- Stale accounts: departed-employee accounts still active 90+ days after exit
- Cloud drift: public S3 bucket created for a one-off project, never made private
- Certificate / DNS issues: expiring cert, SPF/DKIM/DMARC misconfigurations
- End-of-life software: Windows Server 2012, end-of-life hardware still in service
Annual Audit vs Continuous Health Checks
Why the same money produces more security when spread across the year.
| Dimension | Annual Audit | Kapacyber Health Checks |
|---|---|---|
| Cadence | Annual | Continuous + monthly + quarterly |
| Findings actioned | PDF report; you act on it | We action high-priority items directly |
| Trend visibility | Year-over-year only | Quarter-over-quarter with charts |
| Compliance evidence | Snapshot, not continuous | Continuous control evidence |
| Cost vs value | $5k–$25k per engagement | Spread over the year, more value |
| Detection of new threats | Months after they appear | Within days of disclosure |
Built For
- SMBs with any internet-facing infrastructure
- Companies operating in cloud environments
- Regulated industries with scanning obligations
- Cyber-insured businesses (most carriers require it)
- Companies preparing for SOC 2, HIPAA, PCI, CMMC audits
Not Built For
- Businesses needing a one-time pen test (different service)
- Specialised OT / ICS environments (requires specialist tooling)
Related Reading
- The Complete SMB Cybersecurity Checklist (Compliance): 25 controls grouped into 4 priority tiers.
- M365 Security: 10 Settings to Enable Today (Email Security): configuration gaps health checks regularly find.
- Cloud Security Essentials for SMBs (Network Security): the misconfigurations that breach the cloud.
- Network Segmentation for Small Businesses (Network Security): the architectural gap most SMBs skip.
Frequently Asked Questions
Is this the same as a penetration test?
No. A pen test is a one-time engagement where ethical hackers attempt to break in. A health check is a recurring discipline: continuous vulnerability scanning, configuration review, patch tracking, and prioritised remediation. Health checks find gaps; pen tests prove they're exploitable. Most SMBs need health checks regularly and a pen test annually at most.
How often should health checks run?
Vulnerability scans: weekly for external, monthly for internal. Configuration review: quarterly. Patch verification: continuous, with a monthly recap. This cadence catches new gaps quickly without overwhelming your team with noise.
Will the scans disrupt our systems?
Modern scanners are non-intrusive on standard configurations. We schedule deeper authenticated scans for low-traffic windows and tune the scan profile to your environment. Disruptions are rare and disclosed.
What do you do with the findings?
We prioritise by exploitability and exposure (not raw CVSS score). High-priority items get fixed by our team or escalated to you with clear remediation guidance. We track time-to-fix and report on the trend over time.
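As an added illustration of the Prioritise and Fix steps above and of this answer (example code, not Kapacyber's tooling), the script below ranks constructed findings by exploitability, exposure and impact, using CVSS only to break ties, and maps the result onto remediation tiers. The weights, tier thresholds and sample findings are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float               # vendor base score; only used to break ties
    actively_exploited: bool  # is anyone using this in the wild?
    internet_facing: bool     # reachable from the public internet?
    impact: str               # "high", "medium" or "low": what compromise would mean


# Assumed weights: exploitability outranks exposure, which outranks impact,
# so a known-exploited bug always sorts above a merely exposed one.
IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def priority_score(f: Finding) -> int:
    """Higher is more urgent; maximum is 110."""
    score = 50 if f.actively_exploited else 0
    score += 30 if f.internet_facing else 0
    score += 10 * IMPACT_WEIGHT[f.impact]
    return score


def sla_tier(f: Finding) -> str:
    """Map a score onto remediation tiers (assumed thresholds)."""
    s = priority_score(f)
    if s >= 80:
        return "critical"
    if s >= 50:
        return "high"
    return "medium" if s >= 30 else "low"


def prioritise(findings):
    """Most urgent first; CVSS breaks ties within the same score."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


# Constructed sample findings, modelled on the categories listed on this page.
SAMPLE = [
    Finding("Edge VPN appliance: critical CVE, exploit in the wild", 9.8, True, True, "high"),
    Finding("Internal print server: critical CVE, no public exploit", 9.8, False, False, "low"),
    Finding("RDP reachable from the internet", 7.5, False, True, "high"),
    Finding("Departed-employee M365 account still active", 0.0, False, True, "medium"),
    Finding("Internal file server missing monthly patch", 8.8, False, False, "medium"),
]

if __name__ == "__main__":
    # The internal print server sits second by raw CVSS but last once exposure counts.
    for f in prioritise(SAMPLE):
        print(f"{priority_score(f):>3} {sla_tier(f):<8} CVSS {f.cvss:<4} {f.title}")
```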
Do health checks satisfy compliance scanning requirements?
For most frameworks — HIPAA, PCI, NIST CSF, CMMC L1 — yes. For PCI DSS internal/external scans we use ASV-approved scanners. For CMMC L2 and SOC 2, we map findings to the relevant control families and document everything for the auditor.
See What's Exposed — Before Someone Else Does
Free assessment includes a one-time external scan. We'll show you what's visible from the public internet.
Book Free Assessment