Security
Vulnerability Scanning
Automatically probes systems for known security weaknesses — unpatched software, misconfigurations, default credentials — and reports them prioritized for remediation.
A vulnerability scanner connects to your network (or runs as an agent on devices), probes each system it discovers, and compares findings against a database of known vulnerabilities (CVEs) and common misconfigurations. The output is a prioritized list of what needs to be fixed.
Internal vs external scanning
Internal scanning — from inside the network, authenticated. Because it logs in to each host, it sees what an outside probe cannot: unpatched OS and applications, missing security configurations, weak credentials, open internal services. This is the most comprehensive view of your attack surface.
External scanning — from outside the network, unauthenticated. Sees exactly what an attacker on the internet would see: open ports, exposed services, certificates, web application vulnerabilities. Essential for any organization with internet-facing infrastructure.
Scanning frequency
Vulnerabilities are disclosed continuously. A quarterly scan tells you your posture once a quarter. Continuous scanning (or at minimum monthly) gives you a much more current picture. Most compliance frameworks require regular scanning — PCI-DSS mandates quarterly external scans and scanning after significant infrastructure changes.
Common tools: Tenable Nessus/Tenable.io, Qualys, Rapid7 InsightVM. Most have agent-based options for continuous monitoring.
Scanning finds what exists. Fixing it is a separate — and often harder — process. A vulnerability management program that includes prioritization, remediation tracking, and exception handling is the difference between scanning as a checkbox and scanning as an actual security control.
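As an added example (not code from this page or from any of the scanners it names), a small Python triage pass over a constructed scanner export: it bands CVSS scores into severities, weights internet-facing findings above internal ones, applies a remediation SLA per band, and honours accepted-risk exceptions only until they expire. The SLA days, exposure weights, host names and CVE ids are assumed placeholders.

```python
from datetime import date, timedelta

# Remediation deadline in days per severity band (assumed policy, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Weight by exposure: an internet-facing finding (what the external scan sees)
# outranks the same CVE on an internal-only host.
EXPOSURE_WEIGHT = {"external": 1.5, "internal": 1.0}
# Constructed scanner export, one row per host/CVE pair; CVE ids are placeholders.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "exposure": "external", "first_seen": "2024-03-01"},
    {"host": "app-03", "cve": "CVE-0000-0002", "cvss": 7.5, "exposure": "internal", "first_seen": "2024-03-20"},
    {"host": "db-02", "cve": "CVE-0000-0003", "cvss": 8.1, "exposure": "internal", "first_seen": "2024-01-10"},
    {"host": "web-01", "cve": "CVE-0000-0004", "cvss": 3.1, "exposure": "external", "first_seen": "2024-03-25"},
]
# Accepted-risk exceptions carry an owner and an expiry; once expired they stop
# suppressing the finding, which then reappears as overdue instead of vanishing.
EXCEPTIONS = {("db-02", "CVE-0000-0003"): {"owner": "dba-team", "expires": "2024-06-30"}}

def severity(cvss):
    """Map a CVSS base score to the severity band that selects its SLA."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def risk_score(finding):
    """Ranking key: CVSS weighted by exposure, so external findings sort first at equal CVSS."""
    return round(finding["cvss"] * EXPOSURE_WEIGHT[finding["exposure"]], 2)

def triage(findings, exceptions, today):
    """Tag each finding with severity, due date and status, then sort open items by risk."""
    as_of = date.fromisoformat(today)
    rows = []
    for f in findings:
        sev = severity(f["cvss"])
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=SLA_DAYS[sev])
        exc = exceptions.get((f["host"], f["cve"]))
        if exc and date.fromisoformat(exc["expires"]) >= as_of:
            status = "excepted"
        else:
            status = "overdue" if as_of > due else "within_sla"
        rows.append({**f, "severity": sev, "due": due.isoformat(), "score": risk_score(f), "status": status})
    # Excepted items go to the bottom; everything else is ordered by descending risk.
    return sorted(rows, key=lambda r: (r["status"] == "excepted", -r["score"]))

if __name__ == "__main__":
    for r in triage(FINDINGS, EXCEPTIONS, "2024-04-01"):
        print(f'{r["score"]:5.1f} {r["severity"]:8} {r["status"]:10} {r["host"]} {r["cve"]} due {r["due"]}')
```

Running it as of 2024-04-01 lists the overdue external critical first and the excepted database finding last; re-running after the exception's expiry date moves that finding back up as overdue.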