
What to expect from a cybersecurity audit: what vendors rarely explain

A security audit is not a penetration test. This guide breaks down types, realistic timelines and how to interpret the final report.

Blurtek
6 min read, 138 words

The word 'audit' covers very different services. An automated vulnerability scan is not the same as a manual penetration test, and neither is the same as an architecture review. Knowing what you are buying before signing avoids wrong expectations and poorly sized budgets.

01

The main audit types and when each applies

  • Automated vulnerability analysis: a network and host scanner that flags outdated software versions, weak configurations and exposed ports. Low cost and fast, but with no manual validation, so results are not confirmed as exploitable and some will be false positives. Ideal as an annual starting point.
  • Manual penetration test: an analyst attempts to exploit the findings and chain them to demonstrate realistic attack paths. More time and more cost, but with demonstrated business impact. Recommended for critical systems every 1-2 years.
  • Architecture review: analysis of the security design of systems and applications. No exploitation; the focus is on design decisions. Useful for new projects or before major migrations.
  • Compliance audit: verifies whether the existing controls meet ISO 27001, ENS, GDPR or whichever regulatory framework applies to the sector.

02

Real timeline and what to expect from the final report

The real timeline for a company of 50–200 employees is typically: two days of information gathering, three to five days of active analysis depending on scope, and two days of report writing. Total: one to two weeks. If a vendor promises less, it is likely an automated analysis with little or no manual work.

  • Executive section: three to five priority risks explained in business language, not technical jargon
  • Classification of findings by real business impact, not just technical CVSS score
  • Attached evidence: screenshots, logs or proof of concept that demonstrate each finding
  • Prioritised remediation plan with realistic time windows by finding type
  • Distinction between mitigate (technical fix), transfer (insurance or third party) and accept (documented residual risk)

The value of an audit is realised in the weeks after delivery: when findings enter the security backlog, owners are assigned and fixes are verified. Without that follow-through, even the best technical report becomes a forgotten document in a shared folder.
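The two points above, ranking findings by business impact rather than raw CVSS and making sure each one enters the backlog with an owner, a treatment and a time window, can be made concrete. The script below is an added example, not code from the original post or from Blurtek: it scores each finding with CVSS weighted by asset criticality, internet exposure and whether the auditor attached a working proof of concept, maps the score to a priority band with a remediation window, and lists any finding that has no owner. The weights, the windows and the sample findings are assumptions constructed for illustration, not values from a real report.

```python
"""Triage audit findings into a remediation backlog.

Added example, not from the original post. Scores each finding by business
impact rather than CVSS alone, assigns a remediation window per priority
band and keeps the mitigate / transfer / accept decision next to the owner.
All weights, windows and sample findings are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed remediation windows, in days, per priority band.
WINDOWS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Finding:
    title: str
    cvss: float                  # technical severity as given in the report
    asset_criticality: int       # 1 (low) .. 3 (business critical), set by the owner
    internet_exposed: bool
    exploit_demonstrated: bool   # auditor attached a working proof of concept
    treatment: str = "mitigate"  # mitigate | transfer | accept
    owner: str = ""


def impact_score(f: Finding) -> float:
    """Business impact: CVSS scaled by asset criticality, boosted for exposure and PoC."""
    score = f.cvss * (f.asset_criticality / 3)
    if f.internet_exposed:
        score += 2.0
    if f.exploit_demonstrated:
        score += 1.5
    return min(score, 10.0)


def priority(score: float) -> str:
    """Map an impact score to a priority band (thresholds are assumptions)."""
    if score >= 8.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    if score >= 3.5:
        return "P3"
    return "P4"


def triage(findings):
    """Return backlog entries sorted by business impact, highest first."""
    backlog = []
    for f in findings:
        score = impact_score(f)
        band = priority(score)
        backlog.append({
            "title": f.title,
            "cvss": f.cvss,
            "impact": round(score, 1),
            "priority": band,
            "treatment": f.treatment,
            "owner": f.owner,
            # Accepted risk gets no fix window, but it stays in the backlog
            # with an owner so the residual risk remains documented.
            "window_days": None if f.treatment == "accept" else WINDOWS[band],
        })
    backlog.sort(key=lambda e: e["impact"], reverse=True)
    return backlog


def unowned(backlog):
    """Titles of findings with no owner: the ones most likely to be forgotten."""
    return [e["title"] for e in backlog if not e["owner"]]


# Constructed sample findings, not taken from a real audit report.
SAMPLE = [
    Finding("SQL injection in customer portal login", 9.8, 3, True, True, owner="web-team"),
    Finding("Outdated OpenSSH on internal jump host", 7.5, 2, False, False, owner="infra"),
    Finding("Default SNMP community on printers", 5.3, 1, False, False,
            treatment="accept", owner="infra"),
    Finding("Missing rate limiting on password reset", 6.5, 3, True, False),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
    print("no owner:", unowned(triage(SAMPLE)))
```

On the sample data the CVSS order is 9.8, 7.5, 6.5, 5.3, but the impact order puts the internet-facing password-reset weakness (CVSS 6.5) ahead of the internal OpenSSH version (CVSS 7.5), which is the kind of reordering a report classified by business impact should already show; the unowned check then surfaces the one finding nobody has picked up.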

If you are evaluating what type of audit you need or how to interpret results from a previous one, we can help you make the right decision.
