diff --git a/util/secscan/api.py b/util/secscan/api.py
index 48b5d84f2..918c3fd23 100644
--- a/util/secscan/api.py
+++ b/util/secscan/api.py
@@ -387,18 +387,27 @@ class ImplementedSecurityScannerAPI(SecurityScannerAPIInterface):
       response = self._call('GET', _API_METHOD_GET_LAYER % layer_id, params=params)
       logger.debug('Got response %s for vulnerabilities for layer %s',
                    response.status_code, layer_id)
+      try:
+        return response.json()
+      except ValueError:
+        logger.exception('Failed to decode response JSON')
+        return None
+
     except Non200ResponseException as ex:
       logger.debug('Got failed response %s for vulnerabilities for layer %s',
                    ex.response.status_code, layer_id)
       if ex.response.status_code == 404:
         return None
-      elif ex.response.status_code // 100 == 5:
+      else:
         logger.error(
           'downstream security service failure: status %d, text: %s',
           ex.response.status_code,
           ex.response.text,
         )
-        raise APIRequestFailure('Downstream service returned 5xx')
+        if ex.response.status_code // 100 == 5:
+          raise APIRequestFailure('Downstream service returned 5xx')
+        else:
+          raise APIRequestFailure('Downstream service returned non-200')
     except requests.exceptions.Timeout:
       raise APIRequestFailure('API call timed out')
     except requests.exceptions.ConnectionError:
@@ -407,11 +416,6 @@ class ImplementedSecurityScannerAPI(SecurityScannerAPIInterface):
       logger.exception('Failed to get layer data response for %s', layer_id)
       raise APIRequestFailure()
 
-    try:
-      return response.json()
-    except ValueError:
-      logger.exception('Failed to decode response JSON')
-
 
   def _request(self, method, endpoint, path, body, params, timeout):
     """ Issues an HTTP request to the security endpoint. """