Reminder: The method for ordering VITA services has changed. Please follow the revised instructions in the "How to Order" section, below.

Web Application Vulnerability Scanning Services

Price: No Cost

Unit of Measure: Per Service

Pricing Type: Fixed

Billing Cycle: Usage-Based

Service Lead: Bill Freda


This service provides your agency with a method to help identify web application vulnerabilities and secure your web applications while maintaining compliance with Commonwealth of Virginia information security standards. The service is able to identify over 600 web application vulnerabilities, including the OWASP Top 10, configuration errors and many others. This service is intended to provide guidance for agencies with limited or advanced web application security expertise in-house.

  • Provides cybersecurity expertise with a diverse knowledge base
  • Helps secure web applications and web services
  • Eliminates the cost of purchasing, implementing, maintaining and mastering web application vulnerability assessment tools
  • Offers scanning and reporting for public-facing and internal web applications and services
  • Delivers a platform-independent assessment with specific results
  • Produces easy-to-read and interpret reports
  • Delivers automated and manual scanning with manual results verification
  • Provides remediation guidance and finding resolution validation

Web Application Vulnerability Scan and Reporting
The service includes an automated web application vulnerability scan, with manual crawl if required, a manual review of findings and a default report. The URL is then added to a scheduler for automated quarterly scanning and reporting. This enables your agency to identify vulnerabilities and focus remediation efforts, gauging the results and identifying new findings every 90 days from the reports. The commonwealth security and risk management (CSRM) web application vulnerability team will assist with interpreting scan results. Your agency is responsible for verifying and remediating the vulnerabilities that are identified.

The service, including the initial and quarterly scans and reports, is provided to all executive branch agencies and non-exempt institutions of higher education at no direct charge.

Additional scans and reporting may be requested.


Executive branch agencies and non-exempt institutions of higher education may request scans of non-production applications for $250/scan. In addition, judicial and legislative branch agencies and localities may request scans for $250/scan.

Additional vulnerability remediation resources are available through the contract labor agreements (rate is $125/hour).

The CSRM web application and vulnerability testing team is continually monitoring the internet for new vulnerabilities. The team has significant cybersecurity experience and extensive training in securing web applications and IT infrastructure. This diverse knowledge base provides CSRM with the background needed to evaluate your agency's system for security vulnerabilities and to provide guidance on remediation. By addressing security vulnerabilities before an incident occurs, we can lessen the risk of compromise and costly post-event remediation.

How to Order

Effective 12/15/18, this service can be ordered from the VITA Service Catalog in the new VITA Service Portal. To submit your request:

  • Customers who have Commonwealth of Virginia (COV) accounts (including executive branch agencies) should access the VITA Service Catalog via the VITA Service Portal to place service requests using the automated form provided in the catalog.
  • Customers who do not have COV accounts (including some local government customers) or customers who are unable to gain access to the portal may order the service by sending an e-mail to the VITA Customer Care Center (VCCC) services desk at Please include the following information:
    • The words "Service request" in the "Subject" line
    • The name of the service being ordered
    • The quantity desired (if applicable)
    • Any other information you deem relevant

If you are uncertain as to whether you have a COV account, start by trying to access the VITA Service Portal. If you are unable to do so, then use the email-to-the-VCCC method.

If you need additional assistance, you may check with your agency information technology resource (AITR) or call the VCCC at 866-637-8482.

You will be contacted to confirm that your request has been received and to obtain any additional required information.