1. Home
  2. /Security Fundamentals
  3. /Vulnerability Scanning
Feeling StupidKeyboard Layout

Vulnerability Scanning Techniques

Learn how vulnerability scanners discover weaknesses across infrastructure, applications, and cloud workloads, and how to operationalise scan results.

Why Vulnerability Scanning Matters

Vulnerability scanning identifies known weaknesses in systems, applications, and network infrastructure. It is a foundational control for security programmes, feeding patch management, exposure management, and risk reporting.

  • Supports compliance mandates (PCI DSS, ISO 27001, CIS Controls).
  • Enables prioritisation using CVSS scores, exploitability, and asset criticality.
  • Feeds into security operations (SOAR, ITSM, patch orchestration).

Types of Vulnerability Scans

Network / Infrastructure
  • Unauthenticated perimeter scans (identify exposed services).
  • Authenticated internal scans (credentialed) for OS and middleware.
  • Agent-based scans for offline/remote endpoints.
  • Wireless scans for rogue APs and weak encryption.
Application Scans
  • Dynamic Application Security Testing (DAST) for web apps/APIs.
  • Static Application Security Testing (SAST) for source/binaries.
  • Software Composition Analysis (SCA) for third-party dependencies.
  • Mobile app scanning (static/dynamic on Android/iOS).
Cloud & Container Scans
  • Cloud Security Posture Management (CSPM) for misconfigurations.
  • Container image scanning (CVE detection, policy checks).
  • Infrastructure as Code (IaC) scanning (Terraform, ARM templates).
  • Serverless function assessments (permissions, libraries).

Credentialed vs. Non-Credentialed Scanning

Credentialed (Authenticated)
  • Uses SSH, WinRM, SMB, WMI, or agents to log in.
  • Provides accurate patch and configuration state.
  • Enables compliance checks (CIS benchmarks, STIGs).
  • Requires secure credential management (vault integration, least privilege).
Non-Credentialed
  • Simulates external attacker perspective.
  • Limited visibility into installed software/patch level.
  • Useful for rapid perimeter sweeps and change detection.
  • May generate false positives/negatives; follow-up validation needed.

Agent-Based vs Agentless Scanning

Agent-Based
  • Lightweight agent installed on endpoints or servers collects inventory, patch status, configuration, and vulnerability data.
  • Continuously reports even when devices are remote, offline on VPN, or intermittently connected.
  • Lower network impact; provides deeper insight (running processes, local configuration, application versions).
  • Requires deployment pipeline, version management, tamper protection, and integration with endpoint security.
Agentless
  • Central scanner connects over network protocols (SSH, WinRM, SMB, WMI, SNMP) without installing software.
  • Rapid deployment; good for infrastructure where agents are disallowed (network devices, OT/ICS equipment).
  • Limited visibility on roaming devices; requires connectivity and firewall rules.
  • May need credential vaults and scanning windows to manage resource usage.
Hybrid Approach: Many programmes combine agent-based coverage for endpoints and cloud workloads with agentless scanning for networks, servers, and OT systems to maximise visibility.

Scanning Cadence & Governance

  • External scans: weekly or monthly; internal scans: at least monthly or after significant changes.
  • Continuous scanning via agents or cloud APIs for dynamic environments.
  • Integration with change management to scan pre/post deployment.
  • Document schedule, scope, and maintenance windows (avoid production impact).
  • Track scan coverage: % assets scanned, % authenticated, exception list.

Prioritising and Remediating Findings

Prioritisation Inputs
  • CVSS base/environmental scores; exploit maturity (Exploit Prediction Scoring System, EPSS).
  • Asset criticality and data classification.
  • Exposure (external vs internal), compensating controls.
  • Threat intelligence (active exploitation, ransomware campaigns).
Remediation Workflow
  • Create tickets in ITSM (ServiceNow, Jira) with severity-based SLAs.
  • Coordinate with patch management, configuration management, DevSecOps pipelines.
  • Track remediation progress & verify via rescans.
  • Document risk acceptance for deferred items, with business approval.

Popular Tools & Platforms

Commercial
  • Tenable Nessus / Tenable.io
  • Qualys VMDR
  • Rapid7 InsightVM
  • Microsoft Defender Vulnerability Management
Open Source
  • OpenVAS / Greenbone
  • Nmap NSE scripts
  • Trivy (container/IaC scanning)
  • OSQuery for configuration and patch status
Specialist
  • Burp Suite / OWASP ZAP for web applications
  • Cloud provider native scanners (AWS Inspector, Azure Defender, GCP Security Command Center)
  • Snyk, GitHub Advanced Security for DevSecOps pipelines

Reporting & Metrics

  • Mean time to remediate (MTTR) per severity tier.
  • Open vulnerabilities over time (trend, backlog age).
  • % of critical assets with authenticated scans in last 7/30 days.
  • Patch compliance vs defined SLAs (e.g., critical resolved within 14 days).
  • Exceptions/risk acceptance backlog with review dates.

Best Practices

  • Maintain accurate asset inventory and tagging for scan scoping.
  • Integrate with CMDB and CI/CD pipelines to scan new assets automatically.
  • Use risk-based prioritisation (CVSS + EPSS + business context).
  • Coordinate with penetration testing and red teams for validation.
  • Secure scanning infrastructure (least privilege credentials, multi-factor authentication).

Further Reading & Standards