Vulnerabilities and patches
Almost every attack takes advantage of something that was already known: a known vulnerability, an unpatched system, a weak configuration. Vulnerability management and patching deals with that continuously: it scans your systems looking for holes, ranks them by the risk they actually pose and closes them with the right patches and settings. It is not looking once a year, it is not leaving the door open the rest of the time.
Continuous management of vulnerabilities and patches, across all of Spain.
Why
Most breaches use nothing sophisticated: they take advantage of a known flaw that had a fix and that nobody applied in time.
A large share of attacks use vulnerabilities with a patch available for months. The flaw was there, all that was missing was to cover it.
Dozens of systems and applications, and a constant stream of new security patches. Without a method, they pile up and the one that matters is always the one missing.
Loads of vulnerabilities appear, but not all of them expose you. Without prioritizing, you drown in a list that never goes down.
It is not just unpatched software: a weak setting or a default option leaves an equally exploitable gap.
What is included
The complete cycle, run by us: see what holes there are, decide which ones matter and close them before they pile up.
Continuous scanning of your systems and applications to see what flaws they have at any given moment.
We sort by what actually exposes you, not by an endless list nobody can work through in full.
We apply patches for the system and for third-party applications, so none of them fall behind.
We detect weak configurations and default options that leave a gap, not just unpatched software.
We check that what was patched is truly closed, not just marked as done.
We keep the asset inventory up to date and apply patches and changes through remote management, without setting foot in your office.
The approach
Finding vulnerabilities is the easy part; any vulnerability scanning tool spits out a huge list, full of CVE identifiers that on their own say very little. The value is in what comes next: separating what truly exposes you from what is noise, and resolving it. That is why each flaw is sorted by the real risk it poses in your case and resolved with the right patch or configuration change, without leaving the important things half done.
And it is not once and done. New vulnerabilities appear daily, so the scanning is continuous and is part of the same watch run by our SOC, Sondriva. Everything relies on the remote monitoring and management of your machines, known as RMM, which is what makes it possible to reach all of them at once and apply changes at scale without a single trip. The idea is not to leave the door open between one review and the next.
The scan or the pentest
They are often confused, but they answer different questions. And ideally you have both.
Pentest: an in-depth test, at a given moment, in which a real attack is carried out to see how far it could get. It gives depth and validation, but it is a snapshot of one day. It is our complement, not this page.
Vulnerability management: scanning of the whole inventory, all the time, sorting and closing known holes without a break. It gives breadth and consistency, so that what has a fix does not pile up. This is what this page is about.
More than patching
Many people think this is just applying updates, and it is quite a bit more. A good part of the weak points are not covered with a patch, but by changing a configuration: a service exposed that should not be, an extra permission, an insecure option that came switched on out of the box. Watching that is security posture management, and it goes hand in hand with patch management.
On top of that, when a critical vulnerability or an incident comes up, patching fast is part of the response. That is why this is coordinated with incident response and with detection and response: closing the hole they got in through, and fast.
When
Your fleet of machines, servers and applications has grown and keeping it all up to date by hand is no longer possible.
Nobody has the time or the method to review vulnerabilities and apply patches consistently.
NIS2 or the ENS require you to manage vulnerabilities and to prove your systems are up to date.
A breach got in through something that was not patched and you want there never to be an open gap again.
Method
Through remote management we map which systems and applications you have, because you cannot protect what you do not know.
We run a continuous vulnerability assessment and sort the findings by the real risk they pose to you.
We apply the patches and fix the configurations remotely, testing first so as not to break anything.
We check that each flaw was resolved, tell you clearly what there was and what was closed, and start over, because new ones always appear.
Fits with
Keeping the gaps covered is the foundation everything else rests on, and it is operated by the continuous watch of our SOC, Sondriva. The pentest is its one-off complement, the one that tests in depth where someone could really get in, and what does not get updated in time is watched by detection and response on the endpoint.
And it holds up for compliance: it covers the vulnerability management required by NIS2 and ENS compliance, with the evidence that it is genuinely being done.
Questions
What is the difference between vulnerability management and a pentest?
They answer different questions. Vulnerability management continuously scans all your systems to find and close known holes. The pentest is a one-off, in-depth test in which a real attack is carried out to see how far it gets. One covers breadth and continuity, the other depth. They complement each other.
What is security posture management?
It means watching not only the unpatched software, but also the weak configurations and default options that leave a gap: a service exposed that should not be, an extra permission, an insecure setting. It is part of closing holes, because many are not fixed with a patch, but by changing a configuration.
How often are the systems scanned?
Continuously. It is not a one-off review that you do and forget, but a permanent watch: new vulnerabilities appear every day and the goal is not to leave the door open between one review and the next.
Does it include third-party applications?
Yes. Patching covers security updates for both the operating system and third-party applications, which tend to be exactly where many attacks get in because nobody updates them.
Does it help with NIS2 and the ENS?
Yes. Both NIS2 and the ENS require managing vulnerabilities and keeping systems up to date, and this service covers that directly, with the evidence that it is being done.
What if a patch breaks something?
That is why patching is done with care: patches are tested before being rolled out and applied in stages, so as not to blindly change something your operation depends on. If something fails, it can be rolled back.
Shall we close your holes?
Tell us what systems you have and how you maintain them today, and we will propose how to find and close the vulnerabilities before they pile up on you.
Get in touch