Vulnerability scans play a critical role in protecting assets from attacker exploitation by identifying missing updates, misconfigurations, and other common security issues. Originally designed to test local networks and devices, vulnerability scanning tools have evolved to encompass the modern IT environment as well as specialized tools for specific vulnerabilities, assets, and applications.
This overview of top vulnerability scanning tools categorizes tools to help guide buyers towards the tools that may fit their needs the best. In many cases, the best solution may be a combination of tools so a security team can perform multiple scans.
Where a tool differentiates itself, we will point out what role it may be best suited for; however, this is a fairly mature market so the category leaders tend to be very close in capabilities. The categories are:
- Best Enterprise Options – Solutions for the larger organizations with sophisticated and diverse needs.
- Best DevOps Options – Solutions for testing websites and applications.
- Best SMB Options – Solutions for smaller organizations with limited needs and resources.
- Best MSP / MSSP Options – Solutions for service providers that need tools they can use to protect their clients.
- Best Specialty Options – Specific solutions for specific needs.
For those who need a quick refresher on vulnerability scanning, consider reading this article first: What is Vulnerability Scanning? Definition, Types & Guide.
Intruder is the top-rated vulnerability scanner. It saves you time by helping prioritize the most critical vulnerabilities, to avoid exposing your systems. Intruder has direct integrations with cloud providers and runs thousands of thorough checks. It will proactively scan your systems for new threats, such as Spring4Shell, giving you peace of mind. Intruder makes it easy to find and fix issues such as misconfigurations, missing patches, application bugs, and more. Try a 14-day free trial.
SanerNow Vulnerability Management Tool is an all-in-one, continuous, and automated vulnerability management solution. Our advanced vulnerability management solution allows you to:
• Run the industry’s fastest scans to discover all risks
• Get more than 160,000+ vulnerability checks
• Remediate vulnerabilities on all OSs like Windows, macOS, Linux, and 300+ third-party apps
• Monitor and control endpoints centrally
With SanerNow, you can manage multiple use cases from a single console.
Astra’s Pentest suite is a complete vulnerability assessment and penetration testing solution for web and mobile applications. The users get an intuitive dashboard to monitor vulnerabilities, assign them to the developers, and collaborate with security experts from Astra.
Notable features include:
- Scan behind logged-in pages
- Zero false positives
Astra’s clientele ranges across industries and includes the likes of Gillette, Ford, Dream 11, and GoDaddy.
Vulnerability Manager Plus, a prioritization-focused vulnerability management solution, comes packed with security-enhancing features like comprehensive vulnerability assessment, built-in patching, system configuration management, CIS compliance, web server hardening, high-risk software audit & port audit. Suitable for enterprises of all sizes and modes of operation, Vulnerability Manager Plus is a lightweight agent-based solution that fits seamlessly into any organization. Try free for 30 days!
Best Enterprise Options: Integrated Vulnerability Scanning Tools
Integrated vulnerability scanning tools can examine a wider variety of assets and connections than other tools. These tools also integrate with a wider variety of tools to better support vulnerability management, remediation, and related tasks; however, multiple modules or licenses may be required to realize the full capabilities.
These expansive tools from the leading security vendors tend to be fairly comparable in capabilities, although Rapid7, Qualys, and Tenable have the more prominent brand names. Security teams choosing between them will frequently decide based upon which optional integrations they need, such as connections to existing security tools or automation capabilities.
Insight VM (Rapid7)
The Rapid7 Insight platform provides a suite of security, vulnerability management, penetration testing, web and app scanning, orchestration and automation tools to enable organizations of all sizes to secure their sprawling IT environment. Insight VM provides the vulnerability management platform to automatically scan and assess physical, cloud and virtual infrastructures. The tool provides live and interactive dashboards, solution-based remediation and risk scoring and prioritization.
Insight VM builds on the local network vulnerability tool, Nexpose, and automatically detects and scans all new devices connected to a network to provide real time vulnerability identification. It also offers a lightweight endpoint agent for processing information while consuming minimal bandwidth.
Pros:
- Unlimited user accounts
- 24/7 technical support
- Customizable dashboards
- Extensive vulnerabilities list scanned
- Policy assessment
- Attack surface monitoring
- Integrates with Splunk, ServiceNow, AWS and more.
- Integrates with Rapid7 Detection & Response, Web Application, and Cloud security products as well as automation and orchestration products.
- Includes remediation workflow
- Constant scanning and real time data availability
- Uses a risk scale of 1,000 to help IT managers prioritize more effectively and efficiently
- Create custom asset groups to direct remediation to designated IT teams
- Can scan temporary assets such as containers and other virtual assets.
Cons:
- Requires an agent
- Limited PAM integration
- Requires SSH access to scan ESXi environments
- Challenging to scale
- Limited options for database instances
Insight VM pricing depends upon volume. Published prices start at $2.19 / month / asset for 250 assets and decrease with volume discounts. For example, with 1,000 assets, the price drops to $1.71 / month / asset. Annual payment pricing discounts and free trials are available and Insight VM is also available within the AWS marketplace.
Qualys Vulnerability Scanning
The Qualys Cloud Platform provides options for a wide variety of integrated security, vulnerability, compliance, asset management, and patch management tools. Organizations seeking vulnerability scanning can select from the modules related to vulnerability detection and management:
- Container Security
- Cloud Security Assessment
- Vulnerability Management Detection and Response (VMDR 2.0)
- Web Application Scanning
Although the features and capabilities will vary depending upon the modules selected, Qualys provides a one-stop shop for enterprise-scale security and vulnerability management for an entire IT environment.
Pros:
- Scans and detects IT devices, web applications, Operational Technology (OT), and Internet of Things (IoT)
- Scans all applications within the perimeter including cloud instances and APIs for mobile devices
- Qualys TruRisk provides proprietary risk ratings that combine CVSS scores, real-time threat indicators, exploit code maturity, assessments of active malware, threat actors, trending risk, and applied mitigation controls
- Can combine scans for vulnerabilities, compliance, and malware
- Consolidated user interface, reporting, and dashboards for all modules
- Deploys from a public or private cloud, fully managed by Qualys
- Options for one-click remediation of some vulnerabilities
- No code workflows
- Huge number of options
- Very effective when fully integrating asset management, vulnerability management, and security
- Rule-based integrations generate automatic remediation tickets in tools such as ServiceNow and Jira
Cons:
- Requires an agent
- Steep learning curve for new users
- Many modules can often lead to excessive and repetitive menu options
- Not all options perform at equally high levels – especially without training
- Modules sometimes update separately resulting in inconsistent user interfaces
- Can be slow in scanning endpoints
Customers license the Qualys Cloud Platform on an annual basis based upon the number of Cloud Platform Apps selected, the number of IP addresses, the number of web applications, and the number of user licenses. Customers describe three tiers of pricing: Express Lite (max 256 IP addresses, 25 web apps, 2 scanners, 3 users), Express (Max 3072 IP addresses, 100 web applications, 5 scanners), Enterprise (unlimited use).
Qualys does not publish prices, but customers have reported pricing packages from below $300 for small businesses and up to $2,000 for larger packages. Free trial subscriptions are available.
Nessus (Tenable)
Nessus began in the late 1990s as a free, open-source Unix vulnerability scanner. Tenable, co-founded by the scanner’s author, moved Nessus to a closed-source license in 2005 and has since evolved it into a commercial, agentless vulnerability assessment tool with coverage for more than 47,000 unique IT, IoT, and OT assets, operating systems, and applications.
Nessus integrates with the broader Tenable One platform which includes tenable.io for vulnerability management and web app scanning as well as the tenable.sc security center. Tenable conducts regular research and discovers zero-day vulnerabilities that it adds to the Nessus tool for early detection.
Pros:
- Preconfigured templates to enable quick starts
- Automatically performs full scans as soon as new vulnerability plugins are added
- Checks for vulnerabilities as well as compliance configurations
- Report templates provide quick snapshots
- Customizable templates enable branded reports for consultants and service providers
- Automated vulnerability and misconfiguration alerts for Security Information and Event Management (SIEM) tools
- 3rd Easiest to Use in Vulnerability Scanner software rankings on G2
- Executive dashboards and powerful filtering to dig into findings
- Can assess modern infrastructure as code (IaC)
- Agentless Scanning
Cons:
- Steep learning curve for new users
- Some users complain of false negatives
- Some users complain about limited API integration
Tenable provides Nessus by annual subscription, with multi-year discounts, in three versions:
- Professional:
  - Unlimited IT and configuration assessments
  - $3,390 / year with options for advanced support and on-demand training
- Expert: the capabilities of Nessus Professional plus
  - External attack surface scanning
  - Cloud infrastructure scanning
  - 500 prebuilt scanning policies
  - Ability to add domains
  - $7,490 / year with options for advanced support and on-demand training
- Essentials:
  - Free, but limited capabilities
  - Up to 16 IP addresses per scanner
  - No compliance checks or content audits
  - No technical support
  - One-time use; new installations require a new license
Free trial versions are available for the commercial products.
Tripwire IP360 (Fortra)
Fortra offers several vulnerability detection and management solutions that integrate with their security and automation solutions. Tripwire IP360 provides a focused vulnerability detection tool for both on-premises and cloud networks including all devices and their associated operating systems and applications.
The other Fortra tools include beSECURE (available as a hosted service, an appliance, or a hybrid solution) and the Frontline Vulnerability Manager which is part of the Frontline Cloud SaaS vulnerability management solution. Tripwire IP360 offers the most flexibility and focused capabilities of the three solutions, but organizations should select the option most appropriate for their needs.
Pros:
- Uses both agent and agentless scans
- Scan online, offline and non-running cloud and local containers
- Scans IT, IoT, and OT
- Proprietary Tripwire VERT vulnerability ranking score that builds off of CVSS scores, but also considers active attacks, difficulty of exploitation, and other factors.
- Integration with Fortra security and automation tools.
- Asset discovery and profile
- Scans on-premises, cloud, and containers
- Scalable architecture & application-specific reporting
- Scan reports stored in a database
- Attempts to minimize false positives and offers a ‘bounty’ for confirmed false positives
Cons:
- Customers note that some scans can slow down performance
- Reporting can be inflexible and limited
- Port scans can take significant time to complete
Fortra does not publish prices on their website, but provides a form to obtain a price quote for their tool and a managed service.
Intruder
Intruder is a cloud-based vulnerability scanner that performs over 10,000 security checks. Intruder uses an enterprise-grade scanning engine to run emerging threat scans for newly discovered vulnerabilities. Results are emailed to IT and are also available on the dashboard.
Intruder can perform perimeter scanning, internal scanning, cloud resource scanning, and web application vulnerability scanning.
Pros:
- Scans publicly and privately accessible servers, cloud systems, websites, and endpoint devices
- Finds vulnerabilities such as misconfigurations, missing patches, encryption weaknesses, and application bugs in unauthenticated areas
- Automatically scans systems for new threats
- Automatic IP and DNS tracking
- 1st Easiest to Use in Vulnerability Scanner software rankings on G2
- Provides alerts when exposed ports and services change
- Reduces the noise generated by constant log entries and warnings
- Prioritizes issues based on context and focuses on perimeter vulnerabilities
- Easy to set up, easy to maintain
Cons:
- Can require manual work in tasks such as agent deployment
- Lacks a comprehensive GUI
- Does not use a proprietary detection engine; relies on the OpenVAS and Nessus scanning engines
Customers license Intruder at one of three levels and pricing is based upon the number of targets to scan. Annual discounts are available, and for more than 250 targets customers cannot use the online calculator and must obtain a quote.
- Entry level:
  - Powered by the OpenVAS scanning engine
  - 1 scheduled monthly scan, unlimited ad hoc scans, 2 users
  - External scanning only
  - Pricing starts at $101 / month (1 target) and at 250 targets reaches $689 / month
- Pro (free trial available):
  - Uses Tenable’s Nessus scanning engine
  - Unlimited scheduled and ad hoc scans, unlimited users
  - External and internal scanning
  - Syncs AWS, Google Cloud, and Azure targets
  - API and developer integrations
  - SSL/TLS certificate monitoring
  - Pricing starts at $163 / month (1 target) and at 250 targets reaches $983 / month
- Top level (quote only), which adds to Pro:
  - Triage by certified penetration testers
  - Enhanced accuracy
  - Extended vulnerability discovery
  - Requires contacting Intruder for a quote
Best DevOps Options: Website and Application Vulnerability Scanning Tools
Although related to network, cloud, and other IT infrastructure vulnerability scanning tools, website and application vulnerability scanning tools apply specialized algorithms to search for programming vulnerabilities. Application scanners typically will be classified as:
- Dynamic Application Security Testing (DAST) that scans running code
- Static Application Security Testing (SAST) that scans code at rest
- Interactive Application Security Testing (IAST) that instruments the running application from the inside, usually through an agent, to observe which code paths and data flows are exercised while tests or a DAST scan drive the application
- Software Composition Analysis (SCA) that inventories open source and third-party components and checks them against known vulnerability data
- Fuzzing tools intentionally use unexpected characters, special characters, incorrect formats and other data input variations to test the resilience of the software to bad inputs
Most tools will detect common, but critical vulnerabilities listed in the OWASP top 10 such as SQL Injections (SQLi) or Cross-site Scripting (XSS), so most organizations will make purchasing decisions based upon deployment flexibility, scanning speed, scanning accuracy, connections to other tools, and price. This section focuses on tools primarily designed for web and application scanning and does not list web application scanning modules of enterprise vulnerability scanners developed by Rapid7, Qualys, etc.
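The DAST and SAST distinction above is easiest to see on one bug. The following added example (written for this page, not code from the article or any vendor) builds a SQL injection in a constructed in-memory SQLite database, puts the hardened form beside it, and runs a DAST-style black-box probe and a SAST-style source-pattern check over both. The regex is deliberately crude; commercial SAST engines track tainted data from input to sink rather than matching text.

```python
"""Added example, not from the article or any vendor: what a DAST-style and
a SAST-style check each see on one SQL-injection bug. Standard library only;
the database and rows are constructed in memory so it runs offline."""
import inspect
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # Deliberately vulnerable: the input is spliced into the SQL text.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # Hardened form: the driver binds the value; the SQL text never changes.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def dast_probe(lookup):
    """DAST view: the function is a running black box. Send a benign value,
    then a tautology payload; more rows back than the baseline means the
    payload changed the query's logic, i.e. injection."""
    conn = make_db()
    baseline = lookup(conn, "alice")
    attack = lookup(conn, "alice' OR '1'='1")
    return len(attack) > len(baseline)


# SAST view: a pattern over source text with no execution. Real engines do
# taint tracking from input to sink; this regex only flags a string literal
# that starts with a SQL verb and is immediately concatenated with '+'.
CONCAT_SQL = re.compile(r"[\"'](?:SELECT|INSERT|UPDATE|DELETE)\b.*?[\"']\s*\+")


def sast_scan(func):
    return bool(CONCAT_SQL.search(inspect.getsource(func)))


if __name__ == "__main__":
    for f in (lookup_vulnerable, lookup_safe):
        print(f"{f.__name__}: DAST={dast_probe(f)} SAST={sast_scan(f)}")
```

The vulnerable function is flagged by both views; the parameterized one by neither. Note what each view needs: the DAST probe never reads the source and would work against a deployed endpoint, while the SAST check never runs the code and would work before deployment. That is why the two are complementary rather than interchangeable.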
Acunetix Vulnerability Scanner (Invicti) – Recommended for WordPress Sites
Invicti’s Acunetix tool provides enhanced DAST vulnerability detection with options for IAST and network security scanning. Acunetix focuses on speed and accuracy, but is not designed to scale in the same manner as the enterprise-designed Invicti tool (see below).
Heavy WordPress developers with many pages often select Acunetix because of the concurrent crawling and scanning features that work well with large WordPress sites.
Pros:
- Deploys locally on Linux, macOS, and Microsoft Windows or in the cloud
- Optional IAST scanning for PHP, Java, or .NET code
- Integrates OpenVAS (see below) to perform network security scanning of IP address ranges and detect open ports and other network-specific vulnerabilities
- Ranks vulnerabilities as high confidence (100% verified), medium confidence (likely there, cannot be verified automatically), and low confidence (suspected possibility, requires penetration testing or source code examination)
- Built for speed and efficiency
- Written in C++ for speed
- Coded to test code with reduced number of requests to reduce bandwidth and server load
- Concurrent crawling and scanning to deliver results quickly and efficiently
- Dynamically prioritizes scans to return up to 80% of the vulnerabilities in the first 20% of the scan
- Can detect changes to web applications and perform incremental scanning only on the changes to the code
- Actively reduces false positives and can verify vulnerabilities and provide proof of exploit
- Integrates with pipeline tools and issue trackers such as Jenkins, Jira, and GitHub for developer workflow integration
Cons:
- Not as accurate as Invicti’s flagship scanning tool in testing
- Vulnerabilities proof of concept is sometimes complex and hard to follow
- Customers complain about the target app licensing model
Invicti does not publish prices for Acunetix on their website and encourages interested parties to fill in a form to request a quote or a demo. Acunetix is offered as an annual subscription based upon the number of websites or web applications scanned and length of the contract. Invicti offers three versions:
- Standard – single user, on-premises
- Premium – standard version + continuous scanning, role-based access controls, compliance reports, network vulnerability scanning, issue tracker integration, multiple users, multiple scan engines, hosted or on-premises.
- Acunetix 360 – Premium without network vulnerability scanning, but with customizable workflows, single-sign-on, and hybrid environment installation options
AppScan (HCLTech) – Best for Many Programming Languages
In 2018, IBM sold iconic software brands, including AppScan, to HCLTech of India. HCLTech continues to develop the AppScan software which now offers five different versions: AppScan CodeSweep (free), AppScan Standard (DAST), AppScan Source (SAST), AppScan Enterprise (SAST, DAST, IAST, and risk management), and AppScan on Cloud (SAST, DAST, IAST, and SCA).
Pros:
- Highlights vulnerabilities and can educate programmers on mitigation strategies
- Can review uncompiled code, GitHub pulls, web apps, web services, and mobile back-ends
- Can track and identify vulnerabilities in open source supply chain code
- Can compare against compliance benchmarks from PCI DSS, OWASP top 10 and more
- Scalable and automatable security testing
- Scans and analyzes APIs
- Monitors active code for runtime issues without scan requests
- Offers a variety of tools to suit developing needs
- Can handle complex use cases and application flows
- Can integrate with DevOps Continuous Integration/Continuous Delivery (CI/CD) pipelines
Cons:
- Some default DAST scans can take too long or error out
- Can suffer false positives from strict definitions
- Plugins can affect score results
- Customers note that some licenses can be quite expensive
HCLTech does not list prices for the AppScan products on their website, but does disclose that customers can obtain node-locked licenses (single license, single machine) or floating licenses. Customers can contact HCLTech for a quote or go through partners. Licenses are for 12 months of subscription and support.
Burp Suite Enterprise Edition (Portswigger)
Portswigger’s popular Burp Suite can be licensed in four ways. The Burp Suite Community Edition and Dastardly web application scanners provide free, but feature-limited tools to help developers get started. Burp Suite Professional provides manual penetration testing capabilities and the Burp Suite Enterprise Edition provides automated dynamic web vulnerability scanning.
Pros:
- Pioneered out-of-band application security testing (OAST), which uses an external listener to catch interactions (DNS lookups, HTTP requests) triggered by a payload. This finds bugs that a plain request/response DAST view cannot see, such as blind and asynchronous vulnerabilities, and because a recorded callback is direct evidence of the bug, OAST findings carry very few false positives
- API security testing
- Easy setup and scanning
- Integrates with all major CI/CD platforms and bug tracking systems
- Role-based, multi-user access control
- Multiple deployment options
- Aggregated issue reporting, intuitive dashboards, graphs, and reports
- Compliance-specific reports available
- Uses embedded chromium browser for scanning
- Easy scheduling for recurring scanning
- Scalable scanning
- Custom and out-of-box configurations
- Deploys as a standard software or in Kubernetes using a Helm chart.
Cons:
- Some customers complain of complex and time consuming configurations
- Some false positives and false negative results have been reported
For the Enterprise edition of Burp, Portswigger does not have any limit to the number of users or distinct applications that can be scanned. The solution is licensed based on the number of concurrent scans to be performed:
- Starter plan – 5 concurrent scans = $8,395 / year
- Grow plan – 20 concurrent scans = $17,380 / year
- Accelerate plan – for 50+ concurrent scans, starts at $35,350 / year
For more on the Burp Suite, see Getting Started with the Burp Suite: A Pentesting Tutorial
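To make the OAST mechanism concrete, here is an added example (written for this page, not PortSwigger’s code) that simulates it end to end: a listener that issues a unique subdomain per injection point, a constructed blind SSRF handler that fetches whatever URL it is given but never reflects the result, and a scanner that compares what the in-band response shows against what the listener recorded. The listener domain oast.example, the handler names, and the network stand-in are all hypothetical.

```python
"""Added example, not PortSwigger's code: how out-of-band application
security testing (OAST) catches a blind SSRF bug that in-band DAST cannot.
The target application, the network and the listener are all simulated
in-process so the example runs offline."""
import secrets
from urllib.parse import urlparse


class Collaborator:
    """Stand-in for the external interaction server (hypothetical domain).
    A real one records DNS lookups and HTTP hits on unique subdomains."""

    def __init__(self, domain="oast.example"):
        self.domain = domain
        self.issued = {}   # token -> injection point that carried it
        self.hits = []     # hostnames that contacted the listener

    def payload(self, injection_point):
        token = secrets.token_hex(6)          # unique per injection point
        self.issued[token] = injection_point
        return f"http://{token}.{self.domain}/"

    def record(self, host):
        self.hits.append(host)

    def interactions(self):
        """Map each observed callback back to the parameter that caused it."""
        found = {}
        for host in self.hits:
            token = host.split(".")[0]
            if token in self.issued:
                found[self.issued[token]] = host
        return found


def make_network(collab):
    """Constructed stand-in for DNS/HTTP: a request to any collaborator
    subdomain is logged by the listener; everything else goes nowhere."""
    def http_get(url):
        host = urlparse(url).hostname or ""
        if host.endswith("." + collab.domain):
            collab.record(host)
        return None
    return http_get


def webhook_preview(http_get, url):
    # Constructed blind SSRF: the server fetches the URL it was given but
    # discards the result, so the response never reveals the fetch.
    http_get(url)
    return "Saved"


def webhook_store(http_get, url):
    # Constructed safe handler: stores the string and never dereferences it.
    return "Saved"


def oast_scan(handler, injection_points):
    """Return (in-band difference seen?, {injection point: callback host})."""
    collab = Collaborator()
    http_get = make_network(collab)
    baseline = handler(http_get, "http://benign.example/")
    responses = {p: handler(http_get, collab.payload(p)) for p in injection_points}
    inband_differs = any(r != baseline for r in responses.values())
    return inband_differs, collab.interactions()


if __name__ == "__main__":
    for h in (webhook_preview, webhook_store):
        print(h.__name__, oast_scan(h, ["webhook_url"]))
```

For the vulnerable handler the in-band comparison sees nothing (every response is the same "Saved"), yet the listener records a callback tagged with the parameter that carried it; for the safe handler neither view reports anything. The per-injection-point token is what turns a bare "someone contacted the listener" into a finding tied to a specific parameter, and it is also why the callback is hard to dispute as a false positive: nothing but the injected payload knew that hostname.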
Detectify
Detectify uses crowd-sourced vulnerability research to power External Attack Surface Management (EASM) tools for asset discovery and vulnerability assessment. Currently, Detectify offers two solutions, Surface Monitoring and Web Application Scanning.
Surface Monitoring examines the internet-facing subdomains of an application to detect exposed files, vulnerabilities, and other non-coding misconfigurations. The Webapp scanning tests the code of custom-built apps for security vulnerabilities.
Pros:
- Continuous and automated discovery, inventory and monitoring of internet-facing assets
- Unique and optimized engine to crawl code
- Performs fuzzing testing
- Vulnerabilities can be filtered and tagged for remediation prioritization
- Flexible API to integrate with Slack, Jira, Splunk and other tools
- Will detect open ports, DNS record types, and hosted technologies on each asset
- Options to set custom policies
- Can protect against subdomain takeovers
- Will detect unintentional information disclosures
Cons:
- System tracks vulnerabilities in history, but does not recognize or include recently fixed vulnerabilities in reports
- Marked false positives can continue to appear in subsequent reports
- Does not always note the likelihood a vulnerability is exploitable
Detectify provides a 2-week free trial and licenses their software based upon the number of web applications, domains, and subdomains scanned. For smaller organizations, Detectify offers package deals that start at:
- $289 / month surface monitoring for up to 25 subdomains, billed annually
- $89 / month per scan profile, billed annually.
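The subdomain takeover check listed above comes down to one question per hostname: does it CNAME to a third-party service, and is that service currently serving its "unclaimed" page on our name? The following added example (written for this page, not Detectify’s code) shows that logic run over constructed DNS and HTTP observations. The fingerprint table holds two well-known entries only; the hostnames and responses are made up for the example.

```python
"""Added example, not Detectify's code: the dangling-CNAME logic behind a
subdomain-takeover finding, run over constructed DNS and HTTP observations."""

# Illustrative fingerprint table. Two widely known entries; real scanners
# carry hundreds and refresh them as providers change their error pages.
FINGERPRINTS = [
    {"service": "GitHub Pages",
     "cname_suffix": ".github.io",
     "unclaimed_body": "There isn't a GitHub Pages site here"},
    {"service": "Heroku",
     "cname_suffix": ".herokuapp.com",
     "unclaimed_body": "No such app"},
]


def assess(hostname, cname, body):
    """Classify one subdomain.

    cname: the CNAME target the subdomain resolves to (None if it has none).
    body:  HTTP response body fetched via the subdomain, or None if the
           CNAME target did not resolve / nothing answered.
    Returns (service, status) or None. 'takeover' means the provider's
    unclaimed-resource page is being served on our name, so anyone can
    register that resource; 'dangling' means the name points at a known
    provider but nothing answered, which needs a manual check.
    """
    if not cname:
        return None               # A/AAAA record only: out of scope here
    for fp in FINGERPRINTS:
        if cname.lower().endswith(fp["cname_suffix"]):
            if body is None:
                return fp["service"], "dangling"
            if fp["unclaimed_body"] in body:
                return fp["service"], "takeover"
            return None           # provider answers with real content
    return None                   # CNAME to an unrecognised provider


# Constructed observations: hostname -> (CNAME target, body). The domains
# and hostnames are hypothetical.
OBSERVATIONS = {
    "docs.example.com": ("example-docs.github.io",
                         "<h1>There isn't a GitHub Pages site here.</h1>"),
    "beta.example.com": ("old-beta.herokuapp.com", None),
    "www.example.com":  ("example-www.github.io", "<html>Welcome</html>"),
    "mail.example.com": (None, None),
}


def scan(observations):
    findings = {}
    for hostname, (cname, body) in observations.items():
        result = assess(hostname, cname, body)
        if result:
            findings[hostname] = result
    return findings


if __name__ == "__main__":
    for host, (service, status) in scan(OBSERVATIONS).items():
        print(f"{host}: {status} ({service})")
```

The two statuses matter in practice: a "takeover" is exploitable now and should be treated as a live finding, whereas a "dangling" record is a candidate that needs a human to confirm the resource is actually claimable. A scanner that reports both as one severity is the kind of tool the "does not always note the likelihood a vulnerability is exploitable" complaint above is about.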
Invicti (Formerly Netsparker)
Invicti, formerly known as Netsparker, is an application vulnerability scanner designed for enterprise-scale and automation. Invicti intends this product to be the tool a company grows into after using the Acunetix product aimed at small businesses.
Pros:
- Automatic and continuous scans to update website, application and API inventories
- Avoids scanning queues by allowing multiple concurrent scans and scanners that feed into a centralized repository for reporting
- Deploys on-premises, in the cloud, within Docker images, or as a hybrid solution. Cloud agents launch for scans then self-delete when the scan is completed.
- Dynamic and automatable DAST, IAST, and SCA scanning
- Out-of-band testing and asynchronous vulnerability testing
- IAST sensors can often provide file name and programming line number for vulnerabilities
- Crawls pages authenticated by form submission, OAuth2, NTLM/Kerberos and more.
- Scans hidden files
- Detects misconfigured configuration files
- Industry leading detection and false positive rates from independent tests
- Will track security posture for applications over time and identify vulnerability trends
- Actively reduces false positives and can verify vulnerabilities and provide proof of exploit
- Integrates with pipeline tools and issue trackers such as Jenkins, Jira, and GitHub for developer workflow integration
Cons:
- Can have a steep learning curve
- Customers complain about ineffective multi-factor authentication testing.
- Users notice slowness in the scans on larger web applications
- Only available with a Windows software installation
Invicti offers three editions:
- Standard: on-premises desktop scanner
- Team (hosted): adds features over the desktop scanner:
  - Multi-user platform
  - Built-in workflow tool
  - PCI compliance scanner
  - Asset discovery
- Enterprise (hosted or on-premises): adds custom workflow and dedicated tech support
ZAP (OWASP Zed Attack Proxy) – Best for Budget-Minded Experts
The Open Web Application Security Project (OWASP) foundation and an open-source community created the Zed Attack Proxy, or ZAP, as a free web application scanning tool. ZAP is maintained by dedicated open source volunteer programmers, and additional capabilities can be obtained through the ZAP marketplace.
Pros:
- Available for major operating systems and Docker
- Docker packaged scans available for quick starts
- Automation framework available
- Comprehensive API available
- Manual and automated exploration available
- Free tool
- Huge support community
- ZAP is commonly used by penetration testers, so using ZAP provides an excellent idea of what vulnerabilities casual attackers might locate
Cons:
- Open source community support is not as responsive or directly helpful as paid support
- Requires some expertise to use
ZAP is a free, open source tool.
Best SMB Options: SaaS, Open Source, and Free Tools
Vulnerability scanning tools in this category focus on scanning systems and networks. This category represents the original focus for vulnerability scanning before IT systems evolved to include a broader range of cloud-based resources, virtualization, and applications. Organizations that maintain simple IT networks will find these tools well suited for scanning traditional servers, workstations, and other connected devices.
For budget constrained organizations with high technical capabilities, Open Source Vulnerability Scanning tools can provide low-cost options. While we will cover a few key open source tools as options here, organizations need to also consider that these tools often require expertise and extra time to use correctly.
Languard (GFI Software)
GFI Software’s Languard vulnerability scanning tool discovers and scans devices for missing patches in OS and third-party software. The tool also can perform security and compliance audits, generate reports, track changes to the network, and locate common gaps in security.
Pros:
- Automatic discovery of devices: computers, mobile devices, printers, servers, virtual machines, routers, and switches
- Identifies non-patch vulnerabilities from a constantly updated list of 60k+ known issues
- Provides missing patch detection and patch management for Microsoft, Mac, and Linux operating systems
- Scans networks automatically or on-demand
- Auto-download of missing or roll-back patches
- Scans devices, identifies and categorizes vulnerabilities with recommended actions
- Automatic patching for web browsers
- Web-based reporting, can consolidate multiple instances
- Integrates with 4,000+ security applications
- Tracks devices connected to the network
- Runs in and supports virtualization technologies
- Runs in agentless or agent-based mode
Cons:
- Overly basic user interface
- Servers may need periodic restarts to avoid crashes
- Agents can use significant local resources
GFI licenses Languard on an annual basis per node in three tiers:
- Small Businesses 10-49 users, $26.33
- Medium Businesses 50-249 users, $11.48
- Large Businesses 250+ users, $8.10
OpenVAS (Greenbone Networks)
OpenVAS (Open Vulnerability Assessment Scanner) began as a fork of the last open-source Nessus code after Tenable moved Nessus to a closed-source license. Greenbone Networks later took over development and now ships OpenVAS as the scanning engine of its Greenbone Community Edition. Although developed as a Unix/Linux scanner, OpenVAS checks a broad range of targets, including Windows hosts.
Pros:
- Scans systems for known vulnerabilities and missing patches
- Web-based management console
- Can be installed on any local or cloud-based machine
- Provides insights on the vulnerability such as how to eliminate the vulnerability or how attackers might exploit the vulnerability
- Free, open source tool
- Large community for peer support
- Source code available for review
- Regularly updated and features added periodically
Cons:
- Not as user-friendly as commercial tools; better for experts
- Large numbers of concurrent scans may crash the program
- Very technical, no frills reporting
OpenVAS is available for free.
Vulnerability Manager Plus (ManageEngine) – Best for SMB with Under 25 Devices
ManageEngine offers a wide variety of identity, security, and IT management solutions. Their Vulnerability Manager Plus product scans devices and web servers to detect vulnerabilities, misconfigurations, and high-risk software. For small businesses with under 25 devices, ManageEngine offers a free license.
Pros:
- Scans devices for vulnerabilities in operating systems and third-party software, end-of-life software, peer-to-peer software, as well as zero-day vulnerabilities
- Scans for default credentials, firewall misconfigurations, open shares, and user privilege issues (unused users or groups, elevated privileges, etc.)
- Can scan web servers for unused web pages, misconfigured HTTP headers/options, expired certificates, and more
- Combines vulnerability assessment, compliance, patch management, and system security configuration into one tool
- Open port detection on all devices
- Easy to set up
Cons:
- Does not support AIX OS
- Not Cloud native and does not support automatic deployment of agents on the cloud
- Immediate patch deployment may be limited
Free trials are available for three editions of the software licensed annually:
- Free (SMB up to 25 devices)
- Professional: starts at $695 for 100 workstations / 1 technician
- Enterprise: starts at $1,195 for 100 workstations / 1 technician and adds
  - Audit compliance with CIS benchmarks
  - View, upload and deploy firmware patches
  - Manage and monitor deployment
  - Patch management
  - Distribution server
  - Schedule remote shutdown
  - Schedule Wake on LAN
Management of network devices requires additional licenses.
Best MSP / MSSP Options
Some vulnerability scanning tool providers recognize the key role managed IT service providers (MSPs) and managed IT security service providers (MSSPs) play for many organizations. These tools actively court and cultivate relationships with service providers, resellers, and other partnerships.
Carson & SAINT
Developed in the 1990’s as a free UNIX tool, the SAINT tool has evolved into a broad array of configurations and capabilities related to vulnerability management, incident response, compliance reporting, and penetration testing.
Pros:
- MSP- and MSSP-tailored solutions for service providers
- Single user or multi-user options
- Scalability options for distributed scanners and secure tunneling
- Integrated AWS vulnerability scanning
- Finds, prioritizes, and manages vulnerabilities
- Scans network devices and cloud infrastructure
- Provides APIs for custom integration; existing integration for Continuum GRC, Splunk and more
- Also available as
- Multiple capabilities: asset management, configuration monitoring, compliance reporting, incident response ticketing, vulnerability scanning, penetration testing, and social engineering
- Multiple configurations to meet a variety of needs (cloud-based, on-prem, appliance)
- Scans for vulnerabilities, misconfigurations, and malware exposure
- Integrated testing of vulnerabilities and misconfiguration with penetration testing
- Customers report constant updates to improve scanning and assessment capabilities
- Some customers complain of excessive false positives
- Not a specialized tool: if only vulnerability scanning is needed, the other features overcomplicate the process and the solution will seem bloated
Carson & SAINT does not list pricing on their website, but they have a form to obtain pricing information and register for a free trial. Customers online note annual licenses starting at $1,500 / year / user and the AWS marketplace includes a price calculator for SAINT based upon cost / host / hour.
Network Configuration Manager (Solarwinds)
Solarwinds’ Network Configuration Manager provides a package of solutions for network compliance, network automation, network configuration backup, and vulnerability assessment. The tool also integrates with a family of other Solarwinds products to enable a spectrum of capabilities to manage, monitor and secure networks, systems, databases, and applications.
- Scans network devices for reported Common Vulnerabilities and Exposures (CVEs)
- Prevents unauthorized network configuration changes
- Audits network routers and switches for compliance
- Build and test configuration changes to run against targeted devices to accelerate updates to configurations, eliminate errors, and improve consistency
- Backed by Transform, the Solarwinds partner program
- Part of a much larger family of tools
- A bit bloated for those that only need a vulnerability scanner
- Can report a higher rate of false positives
- May not be suitable for complex IT environments with cloud, IoT, OT, and virtual assets
A license for Solarwinds' Network Configuration Manager starts at $1,738, with subscription and perpetual licensing options. Perpetual licenses include support and updates for one year but continue to function after that year ends. Subscriptions cost much less but cease to function once the subscription expires.
VulScan (RapidFire Tools)
RapidFire Tools' VulScan product performs internal and external network vulnerability scans. This tool can be combined with their Network Detective Pro and Cyber Hawk tools to enable MSPs and MSSPs to deliver a broad range of IT and security services.
- Automate internal vulnerability scans
- Multiple scanners can be scheduled independently, but results consolidate to one dashboard
- Automatically generate service tickets for discovered issues and vulnerabilities
- Multi-tenant dashboards
- Automated email alerting, filtered by desired IP ranges or severity
- Use custom scans for specific needs or quickly set up the scanner and use preset scans for “Low Impact,” “Standard,” and “Comprehensive”
- More thorough scans can be enabled using authenticated or credentialed scanning from internal endpoints
- Built to enable working with multiple clients effectively
- External and internal vulnerability scanners enable MSPs and MSSPs to deliver vulnerability management and remediation services
- The brandable and customizable report generator lets MSPs and MSSPs create their own branded reports or help customers produce customer-branded compliance reports
- Service-provider-specific training resources
- Optional workflow to outsource alerts to RocketCyber SOC
- For-pay onboarding can be too short for effective training
- Virtual appliance requires expertise to set up correctly
RapidFire Tools does not post pricing on the web, but instead requests that interested customers fill out a form for a quote. Customers have reported prices in the range of $500 per scanner for a multi-year commitment.
Best Specialist Vulnerability Scanning Tools
Sometimes an organization needs a specialty tool to scan for vulnerabilities in specific ways. Specialty tools fill that need: they can quickly scan specific assets and verify the results of other tools.
Amazon Inspector – AWS Scanning Tool
Organizations using Amazon Web Services can consider using Amazon Inspector as a specialty tool to scan their AWS workloads.
- Ongoing automated and continual vulnerability scanning for AWS Elastic Compute Cloud (EC2), Lambda functions, and container images
- Discovers and scans workloads
- Checks for vulnerabilities and network exposure
- Assigns a highly accurate risk score to help prioritize remediation
- Integrates with Amazon EventBridge and AWS Security Hub
- One consolidated scan for an entire AWS infrastructure
- Easy to implement and use
- Does not enable users to ignore findings
- Billing can become tricky when integrated with other AWS tools
- Does not aggregate findings across accounts
- Does not scan other cloud instances
New accounts can try Amazon Inspector for 15 days to evaluate the service and estimate ongoing costs. AWS also provides a cost calculator; potential customers will need to know their region (US East (Ohio), etc.) and the number of instances. As a representative cost, in US East (Ohio):
- $1.2528 / instance for Amazon EC2 instances scanned per month
- $0.09 / image for Amazon ECR container images per month
- $0.01 / rescan for automated rescans of Amazon ECR containers per month
- $0.30 / Lambda function scanned per month
AWS bases the cost on the number of workloads scanned in a given month, with no minimum fees and no upfront commitments. Many instances and functions run only intermittently, and AWS prorates the price based on the total time they run during the month. Container pricing is based on the initial number of container images in the month plus the number of rescans of those images.
Nmap – Port Scanner
Developed originally for Linux, the Nmap Security Scanner provides binary packages for Windows, macOS, and Linux. Nmap sends crafted IP packets to determine what hosts, services, and operating systems are reachable from a device. Penetration testers and IT teams value Nmap as a quick, effective, and lightweight tool for listing the open ports on a system.
For more information, see also: Nmap Vulnerability Scanning Made Easy: Tutorial
- Host discovery quickly determines which IP addresses are up and reachable on a network
- Uses TCP/IP stack characteristics to guess device operating systems
- Growing library of 500 scripts for enhanced network discovery and vulnerability assessment
- Quickly scans open ports on a system and determines available TCP/UDP services
- Interrogates ports to determine running protocols, applications and version numbers
- Large user base and open source community
- No formal support for customers
- Requires some expertise and IT knowledge to use effectively
- Does not natively rank vulnerabilities, verify vulnerabilities, or integrate with vulnerability management tools and ticketing platforms
Nmap is an open source tool available for free to end users. Companies that want to integrate Nmap into commercial products need to license the software.
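The con above, that Nmap does not rank findings or integrate with vulnerability management and ticketing tools, is usually handled by post-processing its XML output. The following is an added example (not code from the article or from the Nmap project) that parses two Nmap XML reports, lists the open ports and service versions per host, and diffs a current scan against a baseline so a defender can see newly exposed ports and changed service versions. It assumes the scans were saved with `nmap -sV -O -oX <file>`; the two XML documents below are constructed sample data, not real scan results, and the host addresses and versions in them are invented.

```python
"""Parse Nmap -oX output into findings and diff two scans (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str      # IPv4 address reported by Nmap
    proto: str     # "tcp" or "udp"
    port: int
    service: str   # service name guessed by -sV (may be empty)
    version: str   # "product version" string from -sV (may be empty)


# Constructed sample: earlier scan of a small range (not a real result).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX baseline.xml 10.0.0.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed sample: later scan where a database port opened and a new host appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX current.xml 10.0.0.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="8.0.32"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list[Finding]:
    """Return one Finding per open port on every host Nmap reports as up."""
    findings: list[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposures
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            findings.append(Finding(addr.get("addr"), port.get("protocol"),
                                    int(port.get("portid")), name, version))
    return findings


def os_guesses(xml_text: str) -> dict[str, str]:
    """Best OS match per host; Nmap lists osmatch elements best-first."""
    out: dict[str, str] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr, best = host.find("address"), host.find("os/osmatch")
        if addr is not None and best is not None:
            out[addr.get("addr")] = f"{best.get('name')} ({best.get('accuracy')}%)"
    return out


def new_exposures(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Open ports in the current scan that were not open in the baseline."""
    seen = {(f.host, f.proto, f.port) for f in baseline}
    return [f for f in current if (f.host, f.proto, f.port) not in seen]


def version_changes(baseline: list[Finding], current: list[Finding]) -> list[tuple[Finding, Finding]]:
    """Ports open in both scans whose detected service version differs."""
    before = {(f.host, f.proto, f.port): f for f in baseline}
    pairs = []
    for f in current:
        key = (f.host, f.proto, f.port)
        if key in before and before[key].version != f.version:
            pairs.append((before[key], f))
    return pairs


if __name__ == "__main__":
    base, cur = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)
    for f in new_exposures(base, cur):
        print(f"NEW  {f.host}:{f.port}/{f.proto} {f.service} {f.version}".rstrip())
    for old, new in version_changes(base, cur):
        print(f"CHG  {old.host}:{old.port}/{old.proto} {old.version} -> {new.version}")
    for ip, guess in os_guesses(CURRENT_XML).items():
        print(f"OS   {ip} {guess}")
```

Each `Finding` is hashable and keyed on host/protocol/port, so the diff functions can be pointed at any two reports; a scheduled job that runs them after every scan and files the `new_exposures` output into a ticketing system is the simplest way to close the integration gap noted above.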
Nikto2 – Web Server Scanner
Created as an open source web server scanner, Nikto2 tests web servers for dangerous files, outdated versions, and other problems. This tool is designed to work as thoroughly and as fast as possible, but not quietly, so it is not recommended for hackers or red teams that need to be stealthy.
- Checks for over 6,700 potentially dangerous files and programs
- Tests for more than 1,250 outdated server versions and 270 version specific problems
- Checks for multiple index files, HTTP server options
- Verifies installed web servers and software
- Can perform credentials guessing
- Techniques available to reduce false-positives
- Outputs to TXT, XML, HTML, NBE or CSV file formats
- Scan items and plugins are frequently updated and can be updated automatically
- Free scanner
- Detects and flags many common issues with web servers
- SSL support for Unix and Windows OS, HTTP Proxy Support
- Option to deploy encoding techniques for intrusion detection system (IDS) evasion
- Built into Kali Linux
- Command-line only tool, no GUI interface
- Searches are more limited than some commercial tools
- Thorough scans can take more than 45 minutes to complete
- No commercial support available
Nikto2 can be downloaded or run from a Git repository at no charge.
IBM Guardium Vulnerability Assessment – Best for Large-Scale Data Storage
IBM developed its portfolio of Guardium products to provide data security for modern, large-scale data storage environments. The Guardium Vulnerability Assessment tool scans databases, data warehouses, data lakes, and other components of big data infrastructure to detect vulnerabilities based on Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks, CVEs, and other standards.
- Scans for missing patches, weak passwords, unauthorized changes, misconfigured privileges, excessive administrative logins, and behavioral anomalies such as after-hours activities
- Recommends steps to harden database security
- Discovers databases automatically
- Automatically locates vulnerabilities and suggests remediations
- Sends real time alerts and notifications
- Available as part of Guardium Data Protection or as a stand-alone tool
- Complex to deploy and may require expert consulting to implement
- Error logs can be confusing
IBM does not list pricing on their website but notes that the cost will vary depending on the environment and configuration. Potential customers are encouraged to contact IBM or IBM resellers for a formal discussion and quotation.
Wiz – Cloud & Kubernetes Specialist
Wiz developed its cloud-native Cloud Infrastructure Security Platform to focus on the needs of virtualized infrastructure, containers, and the cloud. Wiz scans multi-cloud environments, Platform-as-a-Service (PaaS), virtual machines, containers, serverless functions, and other cloud infrastructure without affecting business operations or taking resources from active workloads and processes.
- Native connections to AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud.
- Built-in support for Kubernetes on multiple platforms
- Can scan Infrastructure-as-Code and cloud infrastructure entitlement management
- Incorporates zero-day risks sourced from the Wiz research team
- Agentless scanning
- Cloud native solution for cloud infrastructure
- 2nd Easiest to Use in Vulnerability Scanner software rankings on G2
- Users report setup can be cumbersome and tedious
- Integrations can be difficult or incomplete
- Actions must be set up separately for each project to be scanned; they cannot be cloned
Wiz does not list pricing on their website but does offer custom pricing for customers. A 12-month contract for the Cloud Infrastructure Security Platform is listed on the AWS marketplace as $300,000 for all five product levels (Standard, Essential, Essential Plus, Advanced, Advanced Plus).
How the Top Vulnerability Scanning Tools Were Selected
The writing team at eSecurity Planet researched potential tools for this article and evaluated the tools based upon industry ranking and review sites such as G2 and Gartner Peer Insights. Industry sites such as SecTools.org and the WAVSEP DAST Benchmark were consulted but not weighted heavily since they do not seem to have been updated in several years.
To be included, tools needed to be primarily vulnerability scanning tools. Penetration testing, asset management, patch management, vulnerability management, vulnerability-management-as-a-service, and security tools (endpoint, network, etc.) that merely include a vulnerability scanning function were generally excluded. We assume readers are looking for tools specifically for vulnerability scanning, and we have published other articles on those other topics.
Tips on Using Vulnerability Scanning Tools
Different vulnerability scanning tools will have different priorities and capabilities. A typical organization will need to use several different vulnerability scanning tools to obtain a complete picture of their environment.
An organization will also need to select an appropriate tool for their needs and capabilities. Price and reviews only provide appropriate perspective in context.
Using Multiple Vulnerability Scanning Tools
In some cases, an organization can purchase multiple tools from the same vendor, such as a cloud module and a network module from one of the Enterprise Options. Other times, an organization may pick up a network scanner suitable for small businesses and complement it with open source tools for port and application vulnerability scanning.
An organization may also want to use redundant scanning tools to compare results. For example, many hackers use open source tools and an organization can use them to locate vulnerabilities most likely to be detected by external hackers. They can then compare against an enterprise tool to help with their internal prioritization and analysis of false positives.
For more insight into vulnerability assessments, read: How to Conduct a Vulnerability Assessment: 5 Steps toward Better Cybersecurity.
How to Select a Vulnerability Scanning Tool
When evaluating vulnerability scanning tools, there are several key considerations to match the needs of the organization against the potential tool:
- Does the vulnerability assessment team have the technology level required to use the tool with ease? A tool too difficult or too time consuming for the existing team to use will not yield useful results.
- Does the vulnerability assessment tool scan the necessary assets? The best web application scanner in the world cannot effectively scan endpoint operating system vulnerabilities.
- Does the tool deploy flexibly or where needed? A tool delivered as an appliance might not be the best tool to scan a cloud environment when a virtual appliance can be used instead.
- Does the tool provide usable information? The bare-minimum tools deliver a list of potential vulnerabilities; more advanced tools verify results to reduce false positives, prioritize vulnerabilities, and provide intuitive dashboards for quick analysis. The best tools integrate with IT or DevOps ticketing systems or a vulnerability management solution so that vulnerabilities can be tracked, addressed, and reported as resolved.
These four questions address the most critical issues, but the details also matter. Some organizations will also need to consider whether the reports generated by the tool meet compliance needs; whether the tool minimizes impact on users with lightweight agents, distributed scanning, or agentless scanning; whether the solution can scan from both inside and outside the firewall; and other factors beyond the scope of this article.
Bottom Line: Vulnerability Scanning is the Start of the Process
The security of any organization depends on this process of identifying vulnerabilities and resolving them before attackers can exploit them. Conducting a vulnerability scan provides the starting point for addressing vulnerability risk. Once a vulnerability list is generated, the list must be prioritized and addressed.
The first step is to verify each vulnerability and eliminate false positives. A good vulnerability scanner can prioritize vulnerabilities by their risk of being exploited, but the team addressing them will also need to ensure the priorities reflect the value of the asset. Penetration testing tools, internal red teams, or hacker consultants can be used to test vulnerabilities, but this expense may only be worthwhile for high-value assets at risk.
A vulnerability management tool or an effective IT or security ticketing tool needs to be deployed to track the progress of the teams addressing the vulnerabilities. To satisfy compliance and internal needs, the management tools or vulnerability scanners will need to be able to provide regular reports on the status of the organization, existing vulnerabilities, and vulnerabilities resolved. For smaller teams, an organization can consider vulnerability-management-as-a-service (VMaaS) to offload the tasks.
Execution of this cycle of vulnerability discovery, remediation, and reporting provides assurance to stakeholders that the risk of the organization is effectively addressed. For those that need help, vulnerability management tools.