For budget-constrained organizations with strong technical capabilities, open source vulnerability scanning tools can provide a low-cost option. However, most non-technical organizations cannot afford to retain the experienced IT talent needed to use and maintain open source tools that don't come with formal technical support.
Several vendors offer low and no-cost tiers for their scanning tools that enable the smallest organizations to gain the benefits of commercial network scanning products. These commercial products typically provide more user-friendly interfaces and offer basic technical support.
| Tool | IT Infrastructure Scanner | Web / App Scanner | Free Tier | Limitations |
| --- | --- | --- | --- | --- |
| ManageEngine Vulnerability Manager Plus | Yes | n/a | Yes | 25 Devices |
| Tenable Nessus Essentials | Yes | n/a | Yes | 16 IP Addresses |
| Dastardly | n/a | Yes | Yes | 7 key vulnerabilities |
Low and No Cost IT Infrastructure Scanners
Tools in this category scan endpoints, servers, and networking equipment found in many smaller organizations.
GFI LanGuard: Low-Cost Endpoint Vulnerability Scanner
GFI Software's LanGuard vulnerability scanning tool discovers devices and scans them for missing patches in operating systems and third-party software. The tool can also perform security and compliance audits, generate reports, track changes to the network, and locate common gaps in security.
- Automatic discovery of devices: computers, mobile devices, printers, servers, virtual machines, routers, and switches
- Identifies non-patch vulnerabilities from a constantly updated list of 60k+ known issues
- Provides missing patch detection and patch management for Microsoft, Mac, and Linux operating systems
- Scans networks automatically or on-demand
- Auto-download of missing or roll-back patches
- Scans devices, identifies and categorizes vulnerabilities with recommended actions
- Automatic patching for web browsers
- Web-based reporting, can consolidate multiple instances
- Integrates with 4,000+ security applications
- Tracks devices connected to the network
- Runs in and supports virtualization technologies
- Runs in agentless or agent-based mode
- Overly basic user interface
- Servers may need periodic restarts to avoid crashes
- Agents can use significant local resources
GFI licenses LanGuard on an annual basis per node in three tiers:
- Small Businesses 10-49 users, $26.33
- Medium Businesses 50-249 users, $11.48
- Large Businesses 250+ users, $8.10
ManageEngine Vulnerability Manager Plus: Best for SMB with Under 25 Devices
ManageEngine offers a wide variety of identity, security, and IT management solutions. Their Vulnerability Manager Plus product scans devices and web servers to detect vulnerabilities, misconfigurations, and high-risk software. For small businesses with under 25 devices, ManageEngine offers a free license.
- Scans devices for vulnerabilities in operating systems and third-party software, end-of-life software, peer-to-peer software, as well as zero-day vulnerabilities
- Scans for default credentials, firewall misconfigurations, open shares, and user privilege issues (unused users or groups, elevated privileges, etc.)
- Can scan web servers for unused web pages, misconfigured HTTP headers/options, expired certificates, and more
- Combines vulnerability assessment, compliance, patch management, and system security configuration into one tool
- Open port detection on all devices
- Easy to set up
- Does not support AIX OS
- Not Cloud native and does not support automatic deployment of agents on the cloud
- Immediate patch deployment may be limited
Free trials are available for three editions of the software licensed annually:
- Free (SMB up to 25 devices)
- Professional: starts at $695 for 100 workstations / 1 technician
- Enterprise: starts at $1,195 for 100 workstations / 1 technician and adds:
  - Audit compliance with CIS benchmarks
  - View, upload and deploy firmware patches
  - Manage and monitor deployment
  - Patch Management
  - Distribution server
  - Schedule remote shutdown
  - Schedule Wake on LAN
Management of network devices requires additional licenses.
Tenable Nessus Essentials: Best Option to Learn a Market-Leading IT Infrastructure Vulnerability Scanning Tool
Tenable originally developed Nessus as an open source and free Unix vulnerability-scanning tool and later evolved Nessus into an agentless vulnerability assessment tool with coverage for more than 47,000 unique IT, IoT, OT, operating systems, and applications. The free Nessus Essentials (formerly known as Nessus Home) continues the tradition of providing support for smaller organizations with a tool that delivers the abilities of the broader Nessus platform on a reduced scale.
- Quick, agentless scans
- Checks for vulnerabilities as well as compliance configurations
- Installs on Linux, Windows, and Windows Server or in Docker images
- On-demand course available to learn Nessus
- 3rd Easiest to Use in Vulnerability Scanner software rankings on G2
- Agentless Scanning
- False positive rate is lowest published rate with better than six-sigma accuracy (~0.32 defects per 1 million scans)
- Steep learning curve for new users
- Some users complain of false negatives
- Some users complain about limited API integration
- Essentials license can only be used for up to 16 IP Addresses per scanner
- It isn’t clear if Nessus Essentials can scan for the full range of vulnerabilities in the full-fledged enterprise product
Nessus Essentials can be downloaded and registered for a one-time activation. The registration does not expire, but a new installation requires a new activation code.
For more information about the broader suite of Tenable vulnerability scanners, read Best Enterprise Vulnerability Scanning Vendors.
Low and No Cost IT Website and Application Scanners
Tools in this category scan websites and applications for common vulnerabilities such as cross-site scripting (XSS), cross-origin resource sharing (CORS) issues, SQL injection, and more. For more information on a broader selection of application vulnerability scanners see: Best DevOps, Website, and Application Vulnerability Scanning Tools.
PortSwigger Dastardly: Best for Basic DAST Testing
PortSwigger's popular Burp Suite Enterprise Edition is reasonably priced, but can be out of reach for the smallest organizations. Fortunately, the feature-limited Dastardly web application scanner can be used for free to help developers get started.
- Directly integrates with the Jenkins, TeamCity, and GitHub Actions Continuous Integration/Continuous Delivery (CI/CD) platforms and bug tracking systems
- Integrates with other CI/CD platforms, but does not provide platform-specific integration instructions
- Checks apps automatically when pushed to CI/CD
- Dynamic Application Security Testing (DAST) with reduced false positives
- Scan results feed directly into CI/CD tool so no additional software is required to see or analyze results
- Free Web Security Academy for help to fix bugs
- Even works on heavily-stateful single page applications (SPAs)
- Language-agnostic scanning
- Does not detect SQL injection, DOM-based XSS, HTTP request smuggling, client-side prototype pollution and many other issues detected by the commercial enterprise version of Burp Suite
Dastardly is offered for free. For more on the Burp Suite, see Getting Started with the Burp Suite: A Pentesting Tutorial.
StackHawk: Best Option for Single-App Vulnerability Testing
Founded by DevOps engineers for DevOps engineers who write and push out code every day, StackHawk seeks to simplify the process of building secure software. Their DAST scanner integrates with CI/CD automation and Slack to help triage findings and enable rapid correction.
- CI/CD and Slack Integration
- REST, GraphQL and SOAP support
- Custom scan discovery and historical scan data
- cURL-based reproduction criteria
- Unlimited scans for one application
- Unlimited scans and environments
- Docker-based application security scanner
- Continues to add features to the free tool (gRPC support in development)
- Requires use and knowledge of Docker infrastructure
- Only provides email based support for the free version
- Requires a paid license for more than one application
StackHawk offers three levels of licensing. Paid tiers are priced per developer per month and can be billed monthly; annual billing earns a discount on the paid tiers.
- Free Tier – Only one application
- $49 / developer per month Pro Tier
  - Minimum 5 developers, volume discounts available
  - Unlimited application scanning
  - Free Tier features plus: Applications dashboard, Snyk integration, GitHub CodeQL and Repo integration, Custom Test Data for REST, HawkScan ReScan, and custom Test Data for GraphQL
  - Support via email and Slack
- $69 / developer per month Enterprise Tier
  - Volume discounting available
  - Pro Tier features plus many other features, including: Single Sign-on, MS Teams, Webhooks integration, role-based permissions, executive summary reports, API access for scan results, policy management
  - Support via email, Slack (dedicated support), and an option for Premier Zoom support
Best Small and Medium-sized Business (SMB) Vulnerability Scanning Tool Criteria
To curate this list of SMB-friendly tools, we surveyed a broad array of websites, vendor materials, and customer reviews to create a pool of qualified candidates based upon capabilities and reputation. We then filtered the list specifically for vendors that provide an unlimited free or low-cost tier available for smaller customers. That filter excluded:
- Vendors that provide a limited free-trial
- Free services using tools created by other vendors
- Open-source tools
As with other categories within the vulnerability scanning market, the addition of features, new pricing tiers, and other product changes will force this list to evolve over time. The best products will change over time and an organization will always need to compare available features against existing needs.
Bottom Line: Prevent Expensive Breaches With Low-Cost Scans
Even the smallest businesses should examine their security stack and applications using vulnerability scanners. Most vendors offer free trials, and the vendors in this list provide entry-level tiers to enable organizations of all sizes to catch vulnerabilities within their organization before a hostile attacker can exploit them.
While still time- and resource-consuming, implementing intentional, planned security measures will always cost far less than emergency incident response, forensic investigation, and remediating damages. With low-cost solutions easily available, organizations have no excuse to remain vulnerable, so pick a tool and get started!