Vulnerability Scanning

Vulnerability scanning is the automated identification of known security vulnerabilities in systems, networks and applications. It gives organisations a continuous overview of their security gaps and is the basis for prioritised remediation.

    What is vulnerability scanning?

    Vulnerability scanning is an automated process that examines systems for known security vulnerabilities. Scanners match system configurations, software versions and open ports against databases of known vulnerabilities (CVE) and generate a report of findings.

    Scanning differs from penetration testing. Scanning finds known vulnerabilities automatically, whereas a pentest involves a human tester who attempts to exploit vulnerabilities and find logic errors. Scanning provides breadth; pentesting provides depth. They complement each other.

    Vulnerability scanning is closely linked to patch management (scanning finds missing patches), configuration management (scanning finds misconfigurations) and application security (scanning finds web vulnerabilities).

    Scanner types

    Several types of vulnerability scanners exist:

    • Network scanners: Scan IP addresses, ports and services for known vulnerabilities. Used for servers, network equipment and other network-exposed systems.
    • Web application scanners: Test web applications for vulnerabilities such as SQL injection, XSS and CSRF. Directly related to application security and secure development.
    • Agent-based scanners: Installed on endpoints and scan locally for missing patches, misconfigurations and insecure software.
    • Container and cloud scanners: Scan container images, cloud configurations and IaC templates for vulnerabilities and misconfigurations.
    • Compliance scanners: Verify systems against security baselines such as CIS Benchmarks. Used alongside configuration management.

    Authenticated scans (run with login credentials) produce significantly better results than unauthenticated ones, because the scanner can read installed software versions, patch levels and configuration from inside the system instead of inferring them from the network-visible surface.

    The scanning process

    An effective scanning process includes:

    Planning: Define scope (which systems are scanned), frequency and scanning window. Internet-facing systems should be scanned more frequently than internal ones. Coordinate with configuration management for an up-to-date inventory.

    Scanning: Run the scan and collect results. Use authenticated scans for better results. Schedule outside peak hours to minimise impact.

    Analysis: Review results and remove false positives. Prioritise based on CVSS score, system criticality and whether known exploits exist. Threat intelligence can help assess which vulnerabilities are being actively exploited.

    Remediation: Critical findings are addressed via patch management or configuration changes. Document all findings and how they were handled.

    Verification: Run a new scan to verify that vulnerabilities have actually been closed. Report results to management and compliance functions.
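    The analysis and verification steps above, as an added example (not code from the original page or from any particular scanner): a small Python script ranks constructed scan findings by CVSS band, asset criticality and known-exploit status, assigns the remediation windows the FAQ below gives ("within days" for critical, "within a week" for high; the exact 3-day figure and the medium/low windows are assumptions), and diffs two scans to show which findings were actually closed. The hosts and CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float              # CVSS base score as reported by the scanner
    asset_criticality: int   # 1 (low) .. 3 (high), taken from the asset inventory
    exploit_known: bool      # threat intelligence says it is actively exploited

# Remediation windows in days. "Within days" for critical and "within a week" for
# high follow the page; the 3-day figure and the medium/low windows are assumptions.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}
BANDS = ["low", "medium", "high", "critical"]
SCAN_DATE = date(2024, 1, 1)  # constructed date of the first scan

def severity(f: Finding) -> str:
    """CVSS band, raised one step when the asset is critical or an exploit is known."""
    idx = 3 if f.cvss >= 9.0 else 2 if f.cvss >= 7.0 else 1 if f.cvss >= 4.0 else 0
    if f.exploit_known or f.asset_criticality == 3:
        idx = min(idx + 1, 3)
    return BANDS[idx]

def prioritise(findings, scan_date):
    """Analysis step: rank findings and attach a remediation deadline to each."""
    ranked = sorted(findings, key=lambda f: (-BANDS.index(severity(f)),
                                             not f.exploit_known, -f.cvss))
    return [(f, severity(f), scan_date + timedelta(days=SLA_DAYS[severity(f)]))
            for f in ranked]

def verify(previous, rescan):
    """Verification step: which (host, CVE) pairs were closed, persist, or are new."""
    before = {(f.host, f.cve) for f in previous}
    after = {(f.host, f.cve) for f in rescan}
    return {"closed": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}

# Constructed sample scans; the CVE ids are placeholders, not real vulnerabilities.
SCAN_1 = [Finding("web-01", "CVE-0000-0001", 9.8, 3, True),
          Finding("web-01", "CVE-0000-0002", 6.5, 2, False),
          Finding("db-02", "CVE-0000-0003", 7.5, 3, False),
          Finding("hr-03", "CVE-0000-0004", 5.0, 1, True)]
SCAN_2 = [Finding("web-01", "CVE-0000-0002", 6.5, 2, False),
          Finding("db-02", "CVE-0000-0003", 7.5, 3, False),
          Finding("db-02", "CVE-0000-0005", 4.3, 3, False)]

if __name__ == "__main__":
    for f, sev, due in prioritise(SCAN_1, SCAN_DATE):
        print(f"{sev:8} {f.host:7} {f.cve}  fix by {due}")
    print(verify(SCAN_1, SCAN_2))
```

    A finding that reappears in "still_open" after its deadline is the signal the verification step exists to catch; "new" entries feed the next analysis round.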

    Integrate scanning with SIEM systems to correlate scan results with other security data and prioritise based on the threat landscape.

    Regulations and standards

    CIS 18 dedicates Control 7 to continuous vulnerability management, requiring regular scanning and prioritised remediation.

    ISO 27001 and Annex A include control A.8.8 on the management of technical vulnerabilities. An ISMS should define processes for vulnerability scanning as part of technical and organisational measures.

    NIS2 requires proactive vulnerability management. DORA imposes specific requirements on regular vulnerability scanning of financial institutions' ICT systems. Under GDPR, scanning is a method of ensuring that personal data is protected against exploitation of known vulnerabilities.

    Frequently Asked Questions about Vulnerability Scanning

    What is the difference between vulnerability scanning and penetration testing?

    Vulnerability scanning is automated and identifies known vulnerabilities. Penetration testing is manual and attempts to exploit vulnerabilities to assess the real risk. Scanning finds the breadth of problems; pentesting finds the depth.

    How often should you scan?

    Internet-facing systems should be scanned at least weekly. Internal systems at least monthly. Critical systems and systems with frequent changes should be scanned even more often. Many organisations integrate scanning into the CI/CD pipeline for continuous scanning.

    What do you do with scan results?

    Prioritise findings based on CVSS score and system criticality. Critical vulnerabilities should be addressed within days, high-risk within a week. Document all findings and how they were handled. Use the results to improve patch management and configuration management.

    Can vulnerability scanning disrupt systems?

    Yes, aggressive scans can affect system performance or in rare cases cause outages. Schedule scans outside peak hours, and use authenticated scans, which are gentler and produce better results.
