Continuous vulnerability scanning, prioritisation, and remediation tracking — delivered as a monthly retainer for Malaysian enterprises.
Managed vulnerability management — sometimes called VMaaS — is the ongoing programme of discovering vulnerabilities across your technology estate, prioritising them by actual risk, tracking remediation through to closure, and reporting your exposure trend over time.
The critical distinction from a one-shot vulnerability assessment is continuity. A traditional VA is point-in-time: it tells you what was wrong on the day of the scan. By the time the report lands in your inbox, new CVEs have been published, patches have slipped, and configuration drift has introduced fresh exposure. Most Malaysian enterprises commission a VA annually — meaning their findings are up to twelve months stale before the next review.
Managed vulnerability management closes that gap. Scans run on a weekly or daily cadence. Every new finding is immediately risk-scored and pushed into your remediation workflow. Monthly reports show whether your exposure is trending down — or up. Quarterly reviews let your CISO or IT director interrogate the programme and adjust priorities.
This service is particularly suited to organisations whose internal IT team has the capability to patch but cannot keep pace with the volume of incoming findings, or that need a defensible compliance record for RMiT, PCI DSS, or ISO 27001 auditors.
Six core capabilities spanning the full vulnerability lifecycle — from scanning through to trend reporting.
Full coverage across your internal and external estate. Authenticated scans surface misconfigurations and privilege-escalation paths that unauthenticated scanning misses entirely. Both modes run on a configurable cadence.
Every finding is scored using CVSS base metrics, EPSS (exploit prediction), asset criticality weighting, and real-time exploit availability data. Your team gets a ranked remediation queue — not a raw 800-item spreadsheet.
Confirmed findings are pushed directly into your ITSM as tickets — Jira, ServiceNow, or Freshservice. Each ticket carries CVE reference, CVSS score, affected asset, remediation steps, and SLA deadline. No copy-paste, no lost findings.
When a critical patch cannot be applied immediately — legacy systems, operational constraints, vendor lock-in — nCrypt documents an accepted compensating control and tracks it against the open finding until the root cause is resolved.
RMiT-ready exception logs with risk-owner sign-off fields. PCI DSS quarterly external scans conducted under an ASV partner arrangement. ISO 27001 A.12.6.1 evidence packs generated automatically each cycle.
Month-over-month exposure score charts show whether your remediation programme is winning or losing ground. Presented at each monthly report and exportable for board packs, RMiT audits, and internal risk committees.
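The scoring and trend capabilities above, shown as working code. This is an added illustration, not nCrypt's code and not any scanner vendor's API: the inputs it combines (CVSS base score, EPSS probability, public exploit availability, asset criticality) are the ones named on this page, but the weighting formula, the 1 to 5 criticality scale, the SLA day bands and the sample findings (with placeholder CVE ids) are all constructed assumptions. It also applies the page's escalation rule (CVSS 9.0 or above with an exploit in the wild) and computes the month-over-month exposure score so the direction of travel is visible.

```python
"""Risk-based prioritisation and exposure trend for scanner findings.

Added illustration, not nCrypt's code or any scanner's API. The weights,
the criticality scale, the SLA bands and the sample findings are all
constructed assumptions; the inputs (CVSS base score, EPSS probability,
public exploit availability, asset criticality) are the ones the page names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str              # placeholder identifiers below, not real CVEs
    cvss: float           # CVSS base score, 0.0 .. 10.0
    epss: float           # EPSS exploit-prediction probability, 0.0 .. 1.0
    exploit_public: bool  # working exploit code observed in the wild
    criticality: int      # assumed 1 (low) .. 5 (crown jewel) asset weighting


# Assumed asset-criticality weights: a crown-jewel host keeps full weight,
# a throwaway sandbox host halves the score.
CRITICALITY_WEIGHT = {1: 0.5, 2: 0.65, 3: 0.8, 4: 0.9, 5: 1.0}
EXPLOIT_MULTIPLIER = 1.5
# Largest raw score possible: CVSS 10, EPSS 1.0, criticality 5, public exploit.
_MAX_RAW = 10.0 * 1.0 * 1.0 * EXPLOIT_MULTIPLIER

# Assumed remediation SLA bands (days), keyed on composite risk, not raw CVSS.
SLA_DAYS = ((80, 7), (50, 30), (20, 90), (0, 180))


def risk_score(f: Finding) -> float:
    """Composite 0..100 risk: CVSS severity scaled by how likely exploitation
    is (EPSS), how much the asset matters, and whether an exploit already
    exists. Two CVSS 9.8 findings can land far apart in the queue."""
    raw = (f.cvss
           * (0.5 + 0.5 * f.epss)
           * CRITICALITY_WEIGHT[f.criticality]
           * (EXPLOIT_MULTIPLIER if f.exploit_public else 1.0))
    return round(raw / _MAX_RAW * 100, 2)


def needs_escalation(f: Finding) -> bool:
    """Out-of-band escalation rule from the page's SLA description:
    CVSS 9.0 or above with active exploit code in the wild."""
    return f.cvss >= 9.0 and f.exploit_public


def sla_days(score: float) -> int:
    """Remediation deadline in days for a composite risk score."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def remediation_queue(findings):
    """Ranked queue, highest composite risk first, carrying the fields an
    ITSM ticket would hold (asset, CVE, CVSS, risk, SLA, escalation flag)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [
        {"rank": i + 1, "asset": f.asset, "cve": f.cve, "cvss": f.cvss,
         "risk": risk_score(f), "sla_days": sla_days(risk_score(f)),
         "escalate": needs_escalation(f)}
        for i, f in enumerate(ranked)
    ]


def exposure_trend(snapshots):
    """snapshots: ordered list of (month, open findings in that month).
    Returns (month, exposure score, delta vs previous month) tuples; a
    negative delta means remediation is winning ground."""
    out, prev = [], None
    for month, open_findings in snapshots:
        exposure = round(sum(risk_score(f) for f in open_findings), 2)
        delta = None if prev is None else round(exposure - prev, 2)
        out.append((month, exposure, delta))
        prev = exposure
    return out


# Constructed sample findings; the CVE ids are placeholders.
ERP_DB = Finding("erp-db-01", "CVE-0000-0001", 9.8, 0.95, True, 5)
WWW = Finding("marketing-www", "CVE-0000-0002", 9.8, 0.05, False, 2)
HR_APP = Finding("hr-app-02", "CVE-0000-0003", 7.5, 0.60, True, 4)
DEV_JUMP = Finding("dev-jump-03", "CVE-0000-0004", 5.3, 0.01, False, 1)
SAMPLE = [WWW, DEV_JUMP, ERP_DB, HR_APP]

# Two monthly snapshots: ERP_DB and HR_APP were closed in the second month.
SNAPSHOTS = [("2025-01", SAMPLE), ("2025-02", [WWW, DEV_JUMP])]

if __name__ == "__main__":
    for row in remediation_queue(SAMPLE):
        print(row)
    for month, exposure, delta in exposure_trend(SNAPSHOTS):
        print(month, exposure, delta)
```

The point the sample makes: sorted on CVSS alone, the ERP database and the marketing web server tie at 9.8 and the HR application sits below both; weighted by EPSS, exploit availability and asset criticality, the ERP finding leads, the HR finding overtakes the web server, and only the ERP finding trips the escalation rule. The trend output shows the exposure score falling once those two are remediated.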
RMiT requires regulated financial institutions to maintain an ongoing vulnerability management programme, not merely an annual scan. Annex 1 audit walk-throughs expect evidence of continuous monitoring and a documented remediation workflow with escalation timelines. A managed VM retainer generates that evidence automatically — scan logs, finding history, exception sign-offs, and trend data — in a format auditors can consume directly.
Organisations processing cardholder data are required under PCI DSS Requirement 11.3.2 to conduct quarterly external vulnerability scans using an Approved Scanning Vendor (ASV). nCrypt's Enterprise tier includes this as part of the retainer — scans are conducted quarterly, results are delivered in the ASV-prescribed format, and remediation cycles are tracked through to passing-scan status.
The 2024 PDPA amendments introduce mandatory breach notification obligations. Continuous vulnerability management compresses the gap between exposure introduction and detection — meaning your notification clock starts as early as legally required, not as late as your last annual scan.
ISO 27001 Annex A control A.12.6.1 (Management of Technical Vulnerabilities) requires a documented, operational process for identifying, assessing, and addressing technical vulnerabilities in a timely manner. A managed VM retainer with formal reporting is the most straightforward way to evidence this control during certification audits.
A structured four-phase engagement from onboarding through to ongoing quarterly review.
We document your asset inventory, network segments, scan exclusions, ITSM integration endpoints, and escalation contacts. Scanner credentials are provisioned. Scope is signed off before any scanning begins.
A comprehensive authenticated and unauthenticated scan of the full agreed scope. Findings are triaged, false positives filtered, and a baseline remediation queue is delivered within five business days.
Ongoing scanning at the cadence defined by your tier — weekly or daily delta. Each month, a consolidated report covers new findings, remediated items, trending exposure score, and open exceptions.
A structured review session with your CISO or IT director. We walk through quarter-on-quarter exposure trends, remediation velocity, compliance posture, and programme adjustments for the next quarter.
Scanner flexibility: nCrypt's managed VM service is vendor-neutral. We can deliver via our managed scanner platform for organisations without existing tooling, or operate your current deployment under a co-managed arrangement — preserving your Tenable, Qualys, or Rapid7 licensing investment while adding the triage, workflow integration, and reporting layer on top.
Indicative monthly starting prices. Final scope and cost depend on asset count, scan frequency, ITSM integration complexity, and whether co-managed scanner mode applies.
Monthly scan + monthly report: from RM3,500/mo
Weekly scan + ITSM integration: from RM7,500/mo
Daily delta + dedicated analyst: from RM15,000/mo
One-shot deep scan for organisations starting their VM journey or satisfying a specific audit requirement.
Continuous discovery of assets you didn't know you owned — the upstream feed that keeps your VM scope complete.
Validate exploitability of the highest-risk findings your managed VM programme surfaces each quarter.
Common questions about managed vulnerability management in Malaysia.
A vulnerability assessment (VA) is a point-in-time exercise. You get a finding report — typically once a year — that reflects your exposure on the day of the scan. Managed vulnerability management (or VMaaS) is a continuous programme: scanning runs on a weekly or daily cadence, new findings are tracked from discovery through to remediation, and you receive monthly reports showing whether your exposure is trending up or down. The practical gap matters because new CVEs are published daily, systems change, and patches slip. An annual VA report is already stale the moment it is delivered. A managed programme closes that gap.
Yes — they serve different functions. A SIEM aggregates logs and alerts on suspicious activity: it tells you when something is happening. Managed vulnerability management tells you what weaknesses exist before something happens. The two are complementary: a good VM programme reduces the number of exploitable conditions your SIEM needs to detect. Many RMiT-regulated organisations run both, as the controls address different clauses of the framework.
Yes. nCrypt offers a co-managed mode where we operate your existing scanner platform rather than deploying our own. This preserves your licensing investment and keeps scan credentials within your environment. We add the triage layer, remediation workflow integration, compliance reporting, and analyst coverage on top of your scanner's output. Our delivery is vendor-neutral — the service deliverable is the prioritised, tracked, reported programme, not the scanner brand.
On the Standard and Enterprise tiers, findings scored CVSS 9.0 or above with active exploit code in the wild are escalated by email and phone within four business hours of scan completion. On the Enterprise tier, this extends to same-day notification for any critical finding affecting internet-facing assets. SLA terms are documented in the engagement letter and reported against monthly.
Yes. The Enterprise tier supports multi-entity scoping — a single programme can cover the parent company plus named subsidiaries, each with their own asset scope, findings view, and compliance reporting. This is particularly relevant for Malaysian holding companies with RMiT obligations across multiple licensed entities, or for conglomerates seeking a unified vulnerability posture view without running separate retainers per entity.
Penetration testing is a deep, time-boxed adversarial exercise: a skilled tester attempts to compromise a defined target within an agreed window. It answers the question 'can an attacker get in here, right now?' Managed vulnerability management is a continuous breadth-first programme: it scans all in-scope assets on a regular cadence and tracks every known vulnerability through remediation. They address different risk questions. Best practice for regulated Malaysian organisations is to run both — managed VM as the ongoing hygiene baseline, and penetration testing at least annually to validate the effectiveness of your remediation programme.
A managed VM retainer can be scoped and onboarded within two weeks. Book a 30-minute discovery call to size your asset count and discuss ITSM integration.