This involves scanning organizational networks, devices, and systems to discover their vulnerabilities. The scans are ideally done both outside and within the organization's network to give a well-rounded report. The identified threats must then be mediated to prevent possible exploitation.