Understanding common attacks, use vulnerability tools, updates n patches, create a list, check open ports common configuration errors, assess risk vs cost time money assets.
Vulnerability scans will identify vulnerability, not what actually could be exploited.