- What ports are open on the system?
- What Services are running on those open ports?
- What version of the service is running?
- Are there known vulnerabilities in any of the detected services?
- Are there misconfigurations in any of the detected services?
- Are we assuming all open ports have been discovered?
- Are we sure the service detected on an open port is actually the service running?