The essentials in brief

  • Vulnerability scanners are designed to detect and assess known vulnerabilities in IT infrastructure and web applications.
  • The various open-source and commercial tools available for vulnerability scanning have very different focuses.

Reading time 5 minutes

What is a Vulnerability Scanner?

The goal of vulnerability scans is to detect vulnerabilities in the IT infrastructure at an early stage. The detected vulnerabilities are then prioritised (vulnerability management) and should subsequently be patched (patch management).

Tools for performing vulnerability scans simplify this process by finding vulnerabilities automatically and, in some cases, even patching them. This reduces the burden on the IT security team and IT operations.

Scans can be performed by the IT department or via an external service provider.

Typically, the scan compares the details of the target's attack surface against a database containing information about known vulnerabilities.

Types of vulnerability scans and vulnerability scanners

  • Anonymous or authenticated scans: In an authenticated vulnerability scan, the scanner logs into the application or IT system over the network as a user before starting the scan. In an anonymous scan, the scanner acts as an unauthenticated user.
  • Network scans: Network scans try to identify the services accessible via the network, together with their version information, as well as unwanted directory shares. The findings are checked against an internal database of known vulnerabilities.
  • Host-based scans: Vulnerability scanners with internal access (either agent-based or authenticated scans) can go much deeper and also reveal vulnerabilities that are not visible over the network.
  • Web application scans: Web application vulnerability scans look for vulnerabilities in an application offered over the HTTP protocol. There are quite powerful web vulnerability scanners that can cope with modern single-page applications. On the other hand, many web scanners are quite narrowly focused (for example Nikto) and only look at one aspect. These are therefore more suitable as a targeted tool in the context of a web penetration test.
  • On-premises vs. cloud: Many vulnerability scanners are available either as an on-premises solution or ready-to-go in the cloud.

TOP Vulnerability Scanners

1. OpenVAS (Open Source)

The Open Vulnerability Assessment System (OpenVAS, https://www.openvas.org/) is a vulnerability scanner developed by Greenbone Networks since 2006. It integrates a large variety of tests and provides a web interface for setting up and running vulnerability scans.

The vulnerability databases are updated regularly.

OpenVAS is part of a commercial vulnerability management product family.

Screenshot OpenVAS after installation

2. Nmap (Open Source)

Nmap, short for Network Mapper, is a free and open source command line tool. Nmap is used for scanning ports, checking for known vulnerabilities and mapping networks. It is a standard tool included in practically every Linux distribution; versions for other operating systems are also available.

Through its scripting engine (NSE), Nmap is flexible and can not only detect open ports, operating systems and network services, but also perform concrete vulnerability checks.
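To make the mechanism described above and in the introduction concrete (fingerprint services over the network, correlate the version information with a database of known vulnerabilities, then prioritise), here is a small added example. It is not code from this article or from the Nmap project: it parses a constructed Nmap grepable (`-oG`) scan result and matches it against a constructed local vulnerability table. The hosts, banners, scores and `EXAMPLE-000x` identifiers are all invented placeholders, not real hosts or CVEs.

```python
"""Toy scanner core: parse Nmap grepable output, correlate service versions
with a local vulnerability database and prioritise the findings by score.

Added example, not code from the article or from Nmap. The scan output, the
vulnerability database and the EXAMPLE-000x identifiers are constructed for
illustration only.
"""
import re
from dataclasses import dataclass

# Constructed Nmap -oG output. Each port entry has the form
# port/state/proto/owner/service/rpc/version/ and entries are comma-separated.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.9 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.33/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed vulnerability database: (product, version) -> [(id, cvss, summary)].
# The identifiers are placeholders, not real vulnerability IDs.
VULN_DB = {
    ("OpenSSH", "7.4"): [("EXAMPLE-0001", 7.5, "placeholder: remotely reachable issue")],
    ("Apache httpd", "2.4.29"): [("EXAMPLE-0002", 9.8, "placeholder: critical issue"),
                                 ("EXAMPLE-0003", 5.3, "placeholder: information leak")],
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: str   # empty when the banner carried no usable version
    version: str


# "Apache httpd 2.4.29 ((Ubuntu))" -> product "Apache httpd", version "2.4.29"
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z .\-]*?)\s+(?P<version>\d[\w.\-]*)")


def parse_grepable(text):
    """Return the open services found in Nmap -oG output; comments and closed ports are skipped."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab-separated "Key: value" pairs (Host, Ports, Ignored State, ...).
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            port, proto, name, banner = int(parts[0]), parts[2], parts[4], parts[6]
            m = VERSION_RE.match(banner)
            product, version = (m.group("product"), m.group("version")) if m else ("", "")
            services.append(Service(host, port, proto, name, product, version))
    return services


def match_vulnerabilities(services, db=VULN_DB):
    """Correlate each fingerprinted service with the database and sort by CVSS, highest first."""
    findings = []
    for svc in services:
        for vuln_id, score, summary in db.get((svc.product, svc.version), []):
            findings.append({"host": svc.host, "port": svc.port,
                             "service": f"{svc.product} {svc.version}",
                             "id": vuln_id, "cvss": score, "summary": summary})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def scan_report(text=SAMPLE_SCAN):
    """Inventory plus prioritised findings for one scan result."""
    services = parse_grepable(text)
    return services, match_vulnerabilities(services)


if __name__ == "__main__":
    services, findings = scan_report()
    for s in services:
        print(f"{s.host}:{s.port}/{s.proto} {s.name} {s.product} {s.version}".rstrip())
    for f in findings:
        print(f"[{f['cvss']:>4}] {f['host']}:{f['port']} {f['service']} {f['id']} {f['summary']}")
```

Two things the toy shows that matter in practice: a service whose banner carries no version (the `8080/http-proxy` entry) produces no finding at all, which is one reason network scans alone underreport; and an exact version match on a banner cannot tell whether a distribution has backported a fix, so host-based or authenticated scans, as the article notes, are needed to confirm or dismiss such hits.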

Nmap owes its pre-eminence to the large community of developers who have been maintaining and extending it continuously since 1997.

Nmap is a port scanner that is popular for penetration testing.

NMAP Screenshot, Command line port scanner

3. Tenable.io Nessus

Nessus is a paid product but offers some basic tools for free. A cloud solution based on it, tenable.io, is also available.

Nessus offers some features that are not always included in other commercial vulnerability scanners. One of these is pre-configured scans that meet specific compliance requirements.

The solution is client-server based with a central management instance and scanner agents that can be distributed across the network.

Tenable.io is a cloud solution for vulnerability management and detection based on Nessus.


4. Qualys Vulnerability Management Scanner

Qualys is a commercial scanner for network and web application vulnerabilities. The comprehensive solution has powerful components that cover the network, host and web applications.

For example, the Qualys Web Application Scanner aims to cover the OWASP Top 10 vulnerabilities for web applications, including SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF).

A limited Community Edition is also available.

Screenshot of Qualys Scanner as a cloud service

5. Rapid7 InsightVM (formerly Nexpose)

Rapid7 Nexpose is a vulnerability scanner that also supports the vulnerability management lifecycle, including identification, testing, auditing and reporting.

Nexpose is sold as standalone software, as a hardware appliance, as a virtual machine, as a managed service or as a private cloud deployment. User interaction is via a web browser. There is a free but limited community edition as well as commercial versions.

Screenshot InsightVM

TOP Web Application Vulnerability Scanners

In contrast to the vulnerability scanners listed above, specialised scanners for web applications are designed to accompany the development process.

Many commercial tools such as

  • 6. Invicti (formerly Netsparker),
  • 7. Acunetix,
  • 8. AppSpider,
  • 9. WebInspect or
  • 10. IBM AppScan

are used by development teams as part of their DevSecOps processes.

These tools are very comprehensive scanners for web applications that support DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing) and SCA (Software Composition Analysis). They can scan for security issues on websites and in web APIs.

The focus is on the OWASP top 10 as well as the general identification of security problems in web applications such as SQL injections (SQLi) or cross-site scripting (XSS).

Software Composition Analysis helps to make the "supply chain" of the developed software more visible and can generate a list of the technologies (libraries and components) used in the software.
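As an added illustration of what the SCA step described above does (not code from the article or from any of the scanners listed), the following block builds the inventory of a constructed `requirements.txt`-style manifest and checks each pinned component against a constructed advisory list whose affected versions are given as a range `introduced <= version < fixed`. The package pins, advisory entries and `EXAMPLE-ADV-x` identifiers are all invented placeholders.

```python
"""Toy Software Composition Analysis: inventory pinned dependencies from a
manifest and flag those whose version falls inside an advisory's affected range.

Added example, not code from the article or from any listed product. The
manifest, the advisories and the EXAMPLE-ADV-x identifiers are constructed.
"""
import re

# Constructed manifest in requirements.txt style: "name==version", one per line.
SAMPLE_MANIFEST = """\
# constructed sample application dependencies
requests==2.25.1
pyyaml==5.3.1   # pinned for legacy reasons
Jinja2==2.11.2
cryptography==41.0.7
"""

# Constructed advisories: a version is affected if introduced <= version < fixed.
# Identifiers are placeholders, not real advisory numbers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "severity": "critical", "summary": "placeholder: unsafe loader issue"},
    {"id": "EXAMPLE-ADV-2", "package": "jinja2", "introduced": "2.0", "fixed": "2.11.3",
     "severity": "moderate", "summary": "placeholder: template sandbox issue"},
    {"id": "EXAMPLE-ADV-3", "package": "requests", "introduced": "2.3.0", "fixed": "2.20.0",
     "severity": "moderate", "summary": "placeholder: credential handling issue"},
]

PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*==\s*(?P<version>[0-9][0-9A-Za-z.\-]*)")


def parse_version(v):
    """Turn '2.11.3' into (2, 11, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed; tuples are zero-padded so '2.11' == '2.11.0'."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def inventory(manifest):
    """Return [(normalised name, version)] for every pinned line: the technology list SCA produces."""
    items = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = PIN_RE.match(line)
        if m:
            items.append((m.group("name").lower(), m.group("version")))
    return items


def find_vulnerable(manifest=SAMPLE_MANIFEST, advisories=ADVISORIES):
    """Correlate the inventory with the advisories; findings are ordered by severity."""
    order = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
    findings = []
    for name, version in inventory(manifest):
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"package": name, "version": version, "id": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed"],
                                 "summary": adv["summary"]})
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for name, version in inventory(SAMPLE_MANIFEST):
        print(f"component: {name} {version}")
    for f in find_vulnerable():
        print(f"[{f['severity']}] {f['package']} {f['version']} -> {f['id']} (fixed in {f['fixed_in']})")
```

The range check is the part worth getting right: matching on exact version strings, as a naive banner comparison does, misses every affected release except the one listed, while the `[introduced, fixed)` form expresses what advisory data actually states. Real SCA tools additionally resolve transitive dependencies and lock files rather than only top-level pins.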

Further scanners

It should be noted that the above lists and examples do not claim to be exhaustive. Nevertheless, in our experience, they cover many of the vulnerability scanners found in practice.

There are now a huge number of service providers who offer vulnerability scanning online. Often one or more of the tools listed above are the technology behind them, operated via a more or less comfortable web interface.

There are also very many special tools such as Metasploit, Burp Suite, Nikto and others. These are often used as tools in the context of penetration tests or for other special use cases. However, they are not useful as a stand-alone vulnerability scanner.

Frequently asked questions

What are vulnerability scanners?

Vulnerability scanners are software that scans, identifies and assesses networks and network resources for known vulnerabilities. They document all network access points and connected devices and then compare the results of the scans with known vulnerabilities in a database.

What are the key features of vulnerability scanners?

The main features of vulnerability scanning software can be divided into two main groups: identification and correlation, and assessment.

What is the difference between identification and correlation?

Vulnerability scanners identify and classify devices, open ports, operating systems and software connected to a network and then correlate this information to the latest known vulnerabilities. They can also detect misconfigurations.

Why are vulnerabilities assessed?

After identifying a vulnerability, these tools also assess and evaluate the level of risk for each vulnerability. They can also perform a root cause analysis to find the cause of the problem. This information informs which vulnerabilities need to be prioritised.

External vs. internal vulnerability scanning

External scans are performed from outside the network to identify vulnerabilities in servers and applications that are directly accessible via the Internet. Internal scans, on the other hand, identify vulnerabilities that could allow attackers to move laterally on the network.

Authenticated vs. non-authenticated scanning

Authenticated scans are performed by authenticated users with legitimate credentials. These scans are often more comprehensive than non-authenticated scans because more internal information is available.

Non-authenticated scans do not use credentials and are therefore only a surface scan. They identify backdoors, expired certificates, unpatched software, weak passwords and poor encryption protocols.

Penetration tests or vulnerability scans?

Penetration tests and vulnerability scans serve similar purposes but use different methods. Penetration testing actually exploits vulnerabilities. Scanning identifies potential vulnerabilities before a penetration test is performed. Logic flaws and errors in authentication or authorisation are hardly ever detected by vulnerability scanners.
