🛡️ Sherlocked Security – Automated Vulnerability Scanning
Scale Your Security: Detect Threats Early, Fix Fast
📄 1. Statement of Work (SOW)
Service Name: Automated Vulnerability Scanning
Client Type: SMEs, SaaS Startups, Enterprises, Compliance-Driven Teams
Service Model: Scheduled & On-Demand Scanning + Alerting + Reporting
Compliance Coverage: PCI-DSS, ISO 27001, SOC 2, NIST 800-53
Testing Types:
- Web Application Vulnerability Scans
- Network Perimeter Scanning
- Cloud Asset Exposure Scan
- Authenticated Scanning (optional)
- CVE Correlation & Patch Management Guidance
🧠 2. Our Approach
⚙️ Fast | Repeatable | Integrated
[Asset Discovery] → [Target Inventory] → [Scan Configuration] → [Automated Vulnerability Scan] → [False Positive Validation] → [Prioritization Engine] → [Remediation Guidance] → [Re-Scan & Compliance Report]
🧪 3. Methodology
[Kickoff & Scope] → [Target Discovery] → [Credential Setup (optional)] → [Scan Tuning] → [Run Automated Scans] → [Manual False Positive Validation] → [Report Generation] → [Remediation Retesting]
📦 4. Deliverables to the Client
- ✅ Asset Risk Dashboard
- 📘 Technical Report:
  - Vulnerability Name (CVE)
  - Severity (CVSS v3.1)
  - Affected System / URL / Port
  - Detection Method
  - Exploitability (where applicable)
  - Fix Recommendation
  - Links to Patch / CVE DB
- 🗂️ Exportable Scan Logs
- 📊 Executive Summary PDF
- 🔁 Retesting (within 15 days)
- 🎓 Vulnerability Closure Certificate
🤝 5. What We Need from You (Client Requirements)
- ✅ List of IPs, domains, or cloud assets
- ✅ Scan window (low-traffic hours preferred)
- ✅ Auth credentials (if authenticated scan needed)
- ✅ Tech stack overview
- ✅ Whitelisting scanner IPs (if behind firewall)
🧰 6. Tools & Technology Stack
- 🔍 Nessus / OpenVAS / Qualys / Nexpose
- 🌐 Nikto / Nmap / SSLyze
- 📦 Custom scripts for exposed services
- 🧠 Internal prioritization engine (CVSS + Exploit DB + Asset Value)
- 💡 Alert integrations (Slack, Jira, Email – optional)
🚀 7. Engagement Lifecycle (Lead → Closure)
1. Scoping → 2. Asset Intake → 3. NDA + Access Setup → 4. Initial Scan → 5. Result Validation → 6. Fix Support → 7. Re-Scan → 8. Reporting & Certificate
🌟 8. Why Sherlocked Security? (Our USP)
| Feature | Sherlocked Advantage |
|---|---|
| ⚙️ Scalable Scanning Engine | Web, network, cloud targets supported |
| 📌 False Positive Filtering | Manual validation before delivery |
| 📊 Executive Reporting | Board-ready summary and visuals |
| 🔁 Re-Scan & Certificate | Compliance support post-fix |
| 📡 Passive Asset Discovery | Scan what others forget |
📚 9. Real-World Case Studies
🌐 Forgotten Subdomain with CVE Exposure
Issue: Old staging site with CVE-2022-1388 (F5 BIG-IP)
Impact: RCE vulnerability exposed to the internet
Fix: DNS cleanup + WAF rules + infrastructure hardening
🛡️ Critical WebApp CVE in CMS Plugin
Client: Media SaaS Company
Findings: Outdated CMS plugin with known XSS
Our Role:
- Delivered CVE-based patch guidance
- Helped client set up automated patch checks
Outcome:
- Eliminated top 5 exploitable CVEs from surface
- Achieved ISO 27001 remediation SLAs
🛡️ 10. SOP – Standard Operating Procedure
- Kickoff & scoping
- Asset inventory collection
- Configure scan engine
- Run web/network/cloud scans
- Triage results
- Validate critical issues
- Deliver report & fix guidance
- Retest and verify
- Final report and security badge
📋 11. Sample Scan Checklist (Preview)
- Define scan scope and targets.
- Select appropriate scanning tools (Nessus, Qualys).
- Configure scan depth and sensitivity.
- Schedule scans during appropriate time windows.
- Exclude authorized IPs and whitelisted services.
- Interpret scan results for false positives.
- Verify critical vulnerabilities manually.
- Generate and validate compliance reports.
- Integrate with ticketing systems for remediation.
- Perform re-scans post-fix validation.