To identify security risks in an enterprise network environment, e.g., a corporate network, various vulnerability assessment techniques may be employed. However, only one targeting and assessment mechanism is typically utilized, such as periodically assessing a client computer's security mechanisms (e.g., antivirus software) and security patches when that client computer is connected to the corporate network. This allows for “risk assessment” savvy malware to possibly avoid detection by responding in a pre-described way to the assessment challenges.
Moreover, some machines are not always connected, whereby externally-initiated assessments are not feasible when machines are disconnected. While a client computer's security mechanisms and security patches can be assessed before the client computer is allowed to log onto the corporate network, the transient nature of connections for remote and mobile computers makes external assessment less than reliable.