Vulnerability Scans

A vulnerability scan is a security assessment that searches for weaknesses in computer systems and networks to help protect them from potential threats and attacks.

Vulnerability scans can help identify vulnerabilities, prioritize areas for improvement, and support audits and compliance requirements. Vulnerability scans are updated regularly and frequently to ensure we are using the latest intelligence to scan for emerging threats.

Vulnerability scans are conducted in accordance with UCSC ITS Routine System Monitoring Practices.

UC Santa Cruz Scanning Services

UC Santa Cruz’s Information Technology Services (ITS) team assists UC Santa Cruz service providers in securing their systems and applications and minimizing risk. Vulnerability scans and reports are available on request for systems and applications.

Vulnerability scans are funded by ITS. All university owned, managed, or affiliated systems are eligible, and there is no direct charge to the department requesting the scan.

Scanning Options

An authenticated vulnerability scan is recommended. This kind of scan mimics an authorized user, enabling it to collect detailed and accurate information about potential weaknesses in a system. A CruzID is required to request an authenticated vulnerability scan.

Accounts can be issued to people affiliated with UC Santa Cruz who need a CruzID and are not faculty, staff, or students. These accounts, often referred to as “sponsored” or “sundry” accounts, require an active staff or faculty member to sponsor the account. A sponsor can submit a request for a sundry account to SlugHub via New/Reactivation Sponsored (Sundry) Account.

An unauthenticated vulnerability scan, which only reviews externally visible services, is also available. This scan has a higher rate of false positives.

Requesting a Scanning Service

Different vulnerability scans are available for different situations.

Your SlugHub ticket will be assigned within 8 working hours. You will be contacted for additional information if needed (a consultation is necessary for scheduling a web application scan and for closed network scans).

To access UCSC’s vulnerability scanning tool, you must be connected to the UCSC network via campus VPN and log in with your CruzID Gold credentials. System admins and custodians/managers can learn more at Using UCSC's Scanning Service.

Scan Results

Reports: Results of a scan are provided to the requester and the Service Manager, who must then work with their service providers to confirm false positives and resolve confirmed vulnerabilities.

Consultation: A Service Manager and/or service providers may request consultation with ITS to discuss the scan results and determine whether false positives exist. Consultations may include a simulated cyberattack and are handled using the ITS Project Management Methodology. Consultations are first-come, first-served unless prioritized otherwise by management.

Requirement to Re-Scan: Systems or applications with high-risk vulnerabilities, and systems showing evidence of a data breach, must be re-scanned after the vulnerability or breach has been addressed to demonstrate that it has been eliminated. Re-scans of other systems and applications are available on request. 

Get Help

Support for the vulnerability scanning service is available Monday through Friday, from 8am to 5pm, and scans can be performed during off hours to avoid interfering with business operations. To request support, open a SlugHub ticket.