What Is Vulnerability Scanning?
Vulnerability scanning is the automated process of identifying known security weaknesses in systems, applications, and network infrastructure. A scanner compares a target system's configuration, installed software versions, and open services against a database of known vulnerabilities (CVEs — Common Vulnerabilities and Exposures) and reports which vulnerabilities are present. The scanner identifies the weaknesses; it does not exploit them.
Vulnerability scanning is a core component of an organisation's vulnerability management programme — the ongoing cycle of discover, prioritise, remediate, and verify. Scanners run continuously or on a scheduled basis against all systems in scope, and their reports feed the patching and configuration management processes that keep systems secure over time.
CVE — Common Vulnerabilities and Exposures
CVE is a standardised system for identifying and naming security vulnerabilities. The programme is operated by MITRE and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA). Every publicly disclosed vulnerability receives an identifier in the format CVE-YEAR-NUMBER, where the year is when the ID was reserved or published (not when the bug was introduced) and the sequence number has at least four digits; for example, CVE-2021-44228 is the Log4Shell vulnerability in Apache Log4j. This standardisation allows security teams, vendors, and tools to refer to the same vulnerability consistently regardless of what different vendors might call it internally.
The CVE list is the foundation of vulnerability scanner signature databases, and NIST's National Vulnerability Database (NVD) enriches each entry with a CVSS score and affected-product data that scanners use for severity ratings and matching. When a new vulnerability is disclosed, scanner vendors add detection logic for that CVE (a Nessus plugin, an OpenVAS NVT) within hours or days. Keeping scanner signatures up to date is as important as keeping the scanner software itself updated: an outdated signature database silently misses recently disclosed vulnerabilities, and a scan that reports "clean" is only as good as the feed it ran with.
CVSS — Common Vulnerability Scoring System
| CVSS Score | Severity | Examples | Typical Remediation Timeline |
|---|---|---|---|
| 9.0 – 10.0 | Critical | Remote code execution, no auth required (Log4Shell, EternalBlue) | Immediate / 24–72 hours |
| 7.0 – 8.9 | High | Privilege escalation, auth bypass, significant data exposure | 7–14 days |
| 4.0 – 6.9 | Medium | Limited scope vulnerabilities, requires some user interaction | 30 days |
| 0.1 – 3.9 | Low | Minimal impact, difficult to exploit, requires significant access | 90 days |
| 0.0 | None / Informational | Output with no CVSS score: open ports, service banners, configuration observations. Check whether a finding's rating is a CVSS score or the vendor's own severity; items such as weak TLS ciphers are often vendor-rated | Next maintenance window |
CVSS scores are calculated from base metrics that capture the vulnerability's intrinsic characteristics (the table and this description use CVSS v3.x, still the version most scanner output reports; CVSS v4.0, published in November 2023, keeps the same approach but reorganises the metrics): Attack Vector (Network, Adjacent, Local, Physical — remote network attacks score higher than those requiring physical access), Attack Complexity (Low or High — no-prerequisite exploits score higher), Privileges Required (None, Low, High — unauthenticated attacks score highest), User Interaction (None or Required — no-click vulnerabilities score higher), Scope (Unchanged or Changed; Changed means a successful exploit affects resources beyond the vulnerable component's own security authority, as in a guest-to-hypervisor escape, and scores higher), and Impact on Confidentiality, Integrity, and Availability (each scored None/Low/High). Exploitability and impact are combined into a single 0.0 to 10.0 score, and a vulnerability with no impact on any of the three scores 0.0 no matter how easy it is to reach.
CVSS base scores reflect the vulnerability's technical severity in isolation; they are what NVD publishes and what scanners report. Organisations can also apply the temporal metrics (Exploit Code Maturity, Remediation Level, Report Confidence: is exploit code public? is a patch available yet? how reliable is the report?) and environmental metrics (modified base metrics plus confidentiality, integrity and availability requirements for the specific deployment) to arrive at a score that reflects their own context. In practice most teams do not hand-tune CVSS environmental metrics per finding; they take the base score as one input and fold asset criticality and threat intelligence into a separate prioritisation step, described under the vulnerability management lifecycle below.
Credentialed vs Non-Credentialed Scanning
Non-credentialed scanning (also called unauthenticated scanning) probes the target over the network without logging in — exactly as an external attacker would. It discovers open ports, running services, banners, and vulnerabilities that are exposed to unauthenticated users. Non-credentialed scans are good for discovering your externally visible attack surface, but they miss vulnerabilities that only exist on the inside: missing patches on software installed locally, local service misconfigurations, or privilege escalation paths that require initial access. They are also less accurate, because much of their detection is inferred from version banners. A distribution that backports a security fix without changing the advertised upstream version produces a false positive, and a service that hides or rewrites its banner produces a false negative.
Credentialed scanning authenticates to the target system using provided credentials (a dedicated scan account on Windows, an SSH key, an API token) and performs a thorough internal assessment. The scanner can check installed package versions as the package manager reports them, missing patches, local firewall rules, file permissions, registry settings, and running processes. Credentialed scans find significantly more vulnerabilities than non-credentialed scans and produce fewer false positives. They are the preferred scan type for internal vulnerability management. The scan account is itself a high-value target, since it can log in to every host in scope: give it the least privilege the scanner's checks actually require rather than domain admin, restrict where it may log in from, keep it in the scanner's credential vault or a password manager with rotation, and alert on any use of it from anywhere other than the scanner.
On the exam: "which scan type provides more thorough coverage of internal vulnerabilities?" → credentialed. "Which scan type simulates an external attacker with no prior access?" → non-credentialed. Both types are needed in a comprehensive vulnerability management programme.
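The false-positive difference between the two scan types comes down to what each can see. The following added example (not from the original page) models both checks against the same constructed host: the non-credentialed check parses the SSH banner and compares the advertised upstream version, while the credentialed check reads the distribution's package version and compares it against the distribution's own fixed version using dpkg's documented ordering rules. The advisory `EXAMPLE-ADVISORY-0001`, its fixed versions, and the host data are constructed for illustration and do not describe a real vulnerability.

```python
"""Banner-based (non-credentialed) vs package-based (credentialed) version checks.

Added example, not from the page. The advisory, hosts and versions are constructed;
the version comparison implements the ordering described in deb-version(7).
"""
import re

# Constructed, hypothetical advisory (not a real CVE): the upstream project fixed
# the issue in OpenSSH 9.3, and the "debian-11" package backported the fix to 8.4p1.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "fixed_upstream": (9, 3),
    "fixed_package": {"debian-11": "1:8.4p1-5+deb11u2"},
}

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before anything (even end of string), letters before symbols."""
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg verrevcmp: alternate non-digit runs (compared lexically) and digit runs (numerically)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for k in range(max(len(na), len(nb))):
            oa = _order(na[k]) if k < len(na) else 0
            ob = _order(nb[k]) if k < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_deb_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` for [epoch:]upstream[-revision] strings."""
    def split(v: str):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def non_credentialed_check(banner: str):
    """What an unauthenticated scan sees: only the upstream version advertised in the banner.
    Returns True (flagged), False (clean) or None (banner not recognised: a blind spot)."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) < ADVISORY["fixed_upstream"]


def credentialed_check(distro: str, installed: str) -> bool:
    """What an authenticated scan sees: the package manager's version, compared with the
    distribution's own fixed version, so a backported fix is recognised as a fix."""
    fixed = ADVISORY["fixed_package"].get(distro)
    if fixed is None:
        raise LookupError(f"no fixed-version data for {distro}")
    return compare_deb_versions(installed, fixed) < 0


# Constructed hosts: same upstream version in the banner, different patch state.
HOSTS = {
    "patched": {"banner": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
                "distro": "debian-11", "pkg": "1:8.4p1-5+deb11u3"},
    "unpatched": {"banner": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1",
                  "distro": "debian-11", "pkg": "1:8.4p1-5+deb11u1"},
}


def assess(host: str) -> dict:
    h = HOSTS[host]
    return {"non_credentialed": non_credentialed_check(h["banner"]),
            "credentialed": credentialed_check(h["distro"], h["pkg"])}


if __name__ == "__main__":
    for name in HOSTS:
        print(name, assess(name))
```

On the patched host the banner still says 8.4, so the banner-based check reports the advisory even though the package carries the backported fix; only the credentialed comparison against the distribution's fixed package version clears it. On the unpatched host both checks agree.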
Vulnerability Scanning vs Penetration Testing
| Characteristic | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Method | Automated, tool-driven | Manual, human-led (with tools) |
| Exploitation | No — identifies vulnerabilities only | Yes — actively exploits to confirm impact |
| Frequency | Continuous or frequent (weekly/monthly) | Periodic (quarterly, annually) |
| Output | Vulnerability list with CVSS scores | Detailed report: exploited vulns, business impact, evidence |
| Purpose | Identify known weaknesses at scale | Validate exploitability and measure real business risk |
| Authorisation | Standard change management approval | Written authorisation ("rules of engagement") required |
The critical exam distinction: vulnerability scanning finds vulnerabilities, penetration testing proves which vulnerabilities are actually exploitable and what an attacker could do with them. A vulnerability scanner might report 500 medium-severity findings; a penetration tester determines which of those 500 can be chained together to achieve domain administrator access — a far more actionable risk assessment.
Penetration testing always requires explicit written authorisation. Performing unauthorised penetration testing — even on systems you believe you own — creates legal liability. Rules of engagement (scope, timing, authorised techniques, emergency contacts) must be defined and signed before testing begins. This is a specific exam point: "what must be obtained before conducting a penetration test?" → written authorisation / rules of engagement.
The Vulnerability Management Lifecycle
Vulnerability scanning is a component of a broader vulnerability management lifecycle — the continuous process that organisations use to systematically identify, prioritise, remediate, and verify security weaknesses. The lifecycle has four phases. Discover: maintain an asset inventory and run scans (credentialed wherever possible) against all in-scope systems to identify current vulnerabilities; an asset that is missing from the inventory is never scanned. Prioritise: apply CVSS scores, asset criticality, and threat intelligence to determine which vulnerabilities to fix first. Remediate: patch, reconfigure, or implement compensating controls for prioritised vulnerabilities, tracking each through a ticket with an owner and a due date. Verify: rescan after remediation to confirm vulnerabilities were successfully addressed and didn't reappear, for example because a host was rebuilt from an image that still carried the old version.
The prioritisation step is where many organisations struggle. A large enterprise might have tens of thousands of vulnerability findings across its fleet at any given time. Treating all medium-severity findings equally is impractical — a medium-severity vulnerability on a database server containing customer PII is far higher priority than the same vulnerability on an isolated test system. Effective prioritisation combines CVSS base score, threat intelligence (is this vulnerability being actively exploited in the wild?), asset criticality (what's the business impact if this system is compromised?), and exposure (is this internet-facing or on an isolated internal network?). Two widely used threat-intelligence inputs are CISA's Known Exploited Vulnerabilities (KEV) catalogue, which lists CVEs confirmed to be exploited in the wild, and FIRST's Exploit Prediction Scoring System (EPSS), which estimates the probability that a CVE will be exploited within the next 30 days.
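The following added example (not from the original page) turns the prioritisation factors above into a ranking over a small set of constructed findings. The multipliers, tier thresholds and SLA windows are illustrative assumptions, not a standard; the one rule lifted from real practice is that a finding in the KEV catalogue is treated as top priority regardless of its CVSS score. The `constructed-*` issue labels are placeholders, and CVE-2021-44228 (Log4Shell) is used because it really is a KEV entry with a 10.0 base score.

```python
"""Risk-based ranking of scan findings: CVSS base score adjusted for asset criticality,
exposure and known exploitation. Added example, not from the page; all weights and
the sample findings are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative multipliers (assumptions): 1 = lab/test asset, 5 = crown jewels.
CRITICALITY_FACTOR = {1: 0.6, 2: 0.8, 3: 1.0, 4: 1.15, 5: 1.3}
EXPOSURE_FACTOR = {"internet": 1.25, "internal": 1.0, "isolated": 0.75}
# Remediation windows per tier, mirroring the timelines in the CVSS table above.
SLA_DAYS = {1: 3, 2: 14, 3: 30, 4: 90}


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str              # CVE id or scanner plugin name
    cvss_base: float        # CVSS v3.x base score as reported by the scanner
    criticality: int        # 1..5 from the asset inventory / CMDB
    exposure: str           # "internet", "internal" or "isolated"
    known_exploited: bool = False   # e.g. present in CISA's KEV catalogue


def adjusted_score(f: Finding) -> float:
    """Base score scaled by business context, capped at 10.0 like CVSS itself."""
    if f.criticality not in CRITICALITY_FACTOR:
        raise ValueError(f"criticality must be 1..5, got {f.criticality}")
    raw = f.cvss_base * CRITICALITY_FACTOR[f.criticality] * EXPOSURE_FACTOR[f.exposure]
    return round(min(raw, 10.0), 1)


def tier(f: Finding) -> int:
    """P1..P4. Known exploitation overrides the score: attackers are already using it."""
    if f.known_exploited:
        return 1
    s = adjusted_score(f)
    if s >= 9.0:
        return 1
    if s >= 7.0:
        return 2
    if s >= 4.0:
        return 3
    return 4


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order: tier, then KEV entries first within a tier, then adjusted score, then host."""
    return sorted(findings, key=lambda f: (tier(f), not f.known_exploited, -adjusted_score(f), f.host))


def remediation_plan(findings: List[Finding]) -> List[Tuple[str, str, str, int]]:
    """(host, issue, tier label, days to fix) in the order the team should work them."""
    return [(f.host, f.issue, f"P{tier(f)}", SLA_DAYS[tier(f)]) for f in prioritise(findings)]


# Constructed sample: the text's own scenario (same medium on a PII database vs an
# isolated test box) plus an internet-facing edge host with one KEV entry.
SAMPLE_FINDINGS = [
    Finding("db-prod-01", "constructed-medium-1", 5.3, criticality=5, exposure="internal"),
    Finding("lab-test-07", "constructed-high-1", 7.5, criticality=1, exposure="isolated"),
    Finding("web-edge-02", "CVE-2021-44228", 10.0, criticality=4, exposure="internet",
            known_exploited=True),
    Finding("web-edge-02", "constructed-high-2", 8.1, criticality=4, exposure="internet"),
]

if __name__ == "__main__":
    for host, issue, label, days in remediation_plan(SAMPLE_FINDINGS):
        print(f"{label}  fix within {days:>2}d  {host:<12} {issue}")
```

The output shows the effect the paragraph describes: the CVSS 5.3 finding on the PII database lands in P3 with a 30-day window, while the CVSS 7.5 finding on the isolated lab host drops to P4, and the internet-facing high is promoted to P1 by exposure alone. A real implementation would pull `criticality` from the CMDB and `known_exploited` from the KEV feed rather than from hand-typed fields.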
Common Vulnerability Scanning Tools
Nessus (Tenable) is the most widely deployed commercial vulnerability scanner in enterprise environments and is explicitly referenced in CompTIA exam objectives. Nessus supports credentialed and non-credentialed scanning, a large plugin library covering 100,000+ vulnerabilities, compliance auditing against CIS benchmarks and regulatory frameworks, and agent-based scanning for systems that can't be reached by the scanner network. The professional version is subscription-based; Nessus Essentials is free for limited use.
OpenVAS (Open Vulnerability Assessment System) is the leading open-source alternative to Nessus. It is the scanner component of the Greenbone Community Edition, maintained by Greenbone (formerly Greenbone Networks), and its vulnerability tests (NVTs) come from the free Greenbone Community Feed; a commercial feed with additional tests is sold separately. OpenVAS is commonly used in smaller organisations and educational environments. It requires more configuration effort than commercial scanners but provides full vulnerability scanning functionality.
Qualys is a cloud-delivered vulnerability management platform that provides continuous scanning, asset inventory, and risk prioritisation in a SaaS model — no on-premises scanner infrastructure required. Enterprise-scale organisations with hybrid cloud environments often use Qualys for its cloud-native architecture and centralised management. Rapid7 InsightVM is another enterprise platform combining vulnerability scanning with remediation workflow management and integration with SIEM and ticketing systems.
Scanning Frequency and Compliance Requirements
PCI DSS Requirement 11 mandates quarterly internal and external vulnerability scans for organisations that store, process, or transmit payment card data, with rescans until the high-risk (internal) or failing (external) findings are resolved. External scans must be performed by an Approved Scanning Vendor (ASV). Annual penetration testing is also required by PCI DSS. These requirements drive a significant portion of enterprise vulnerability scanning activity. HIPAA requires regular security risk assessments that include vulnerability identification, though it doesn't specify scanning frequency. NIST SP 800-53 control RA-5 (Vulnerability Monitoring and Scanning), used by US federal agencies, requires scanning at an organisation-defined frequency and whenever new vulnerabilities potentially affecting the system are identified; the control text does not fix a number, so a cadence such as monthly or continuous is the organisation's own parameter rather than a requirement of the standard.
Beyond compliance, most security frameworks recommend scanning all systems weekly or monthly, with critical internet-facing systems scanned more frequently — some organisations scan their external perimeter daily using lightweight network-based scans to catch newly disclosed vulnerabilities before attackers can exploit them. The gap between vulnerability disclosure and attacker exploitation has compressed dramatically — a newly disclosed critical CVE may be actively exploited within 24–72 hours, making rapid detection and patching essential.