Vulnerability scanning is a critical part of securing an organization's digital systems and applications. Different scan types target different IT environments, and understanding their differences helps teams strengthen defenses and prioritize remediation. The following describes 12 common vulnerability scan types, their main characteristics, and typical use cases.
01 Host-based scanning
Host-based vulnerability scanning evaluates security issues on specific hosts within a network. Typical deployment modes include agent-based, agentless, and standalone scanners.
- Agent-based: An agent is installed on the target host to collect data and report to a central server for management, analysis, and remediation. Agents usually collect data in real time and forward it to the central management system. A drawback is that agents are constrained by the target operating system.
- Agentless: No software is installed on the target machine. Instead, scanners gather information via network protocols and remote interaction. Centralized or scheduled scans usually require authenticated administrator access. Agentless mode can cover more networked systems, but it depends on reliable network connectivity and may not be as thorough as agent-based scanning.
- Standalone: Standalone scanners run locally on the scanned system and do not require network connectivity. They inspect the host's system and applications for vulnerabilities but are time-consuming and must be installed on every host, making them impractical for environments with hundreds or thousands of endpoints.
Key capabilities:
- Identify vulnerabilities in host operating systems, software, and configurations
- Provide deep visibility into the security posture of individual hosts
- Support patch management and rapid remediation
- Detect unauthorized software or configuration changes
- Reduce the attack surface and improve host security
Use cases: When detailed information about host configuration, patches, and installed software is required; when assessing the security of individual systems or servers in complex infrastructures.
02 Port scanning
Port scanning sends network probes to different ports on a target device or system to determine which ports are open, closed, or filtered. Open ports indicate potentially exposed services that could be exploited.
Key capabilities:
- Detect open ports and services on target systems, revealing potential attack vectors
- Identify misconfigured or exposed services
- Assist network mapping and topology discovery
- Detect unknown or unauthorized services on network devices
- Support hardening by closing unnecessary open ports and services
Use cases: When organizations want to evaluate external attack surface exposure; to find open ports and services attackers might use; as an initial step in network security assessment.
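The open/closed/filtered distinction and the "unauthorized services" check described above can be seen in a small audit of hosts you administer. This is an added example, not code from the original article; the function names, the loopback fixture, and the approved-port baseline are assumptions made for illustration.

```python
import socket

def probe(host, port, timeout=0.5):
    """Classify one TCP port with a full connect attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # reset received: reachable, nothing listening
    except OSError:
        return "filtered"    # timeout or unreachable: probe was dropped
    finally:
        s.close()

def audit(host, ports, approved, timeout=0.5):
    """Probe ports and compare the open set with an approved baseline."""
    states = {p: probe(host, p, timeout) for p in ports}
    open_ports = {p for p, st in states.items() if st == "open"}
    return {
        "states": states,
        "unapproved": sorted(open_ports - set(approved)),
        "not_listening": sorted(set(approved) - open_ports),
    }

def demo():
    """Constructed loopback fixture: two listeners, one bound-only socket."""
    socks = []
    for listening in (True, True, False):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
        if listening:
            s.listen(1)
        socks.append(s)
    approved, rogue, idle = (s.getsockname()[1] for s in socks)
    try:
        report = audit("127.0.0.1", [approved, rogue, idle], {approved})
    finally:
        for s in socks:
            s.close()
    return report, approved, rogue, idle

if __name__ == "__main__":
    report, *_ = demo()
    print(report)
```

The `unapproved` list is the hardening worklist: each entry is a listening service that the baseline does not account for.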
03 Web application scanning
Web application scanners identify vulnerabilities in web applications by analyzing application structure, code, configuration, and functionality. They can automate many attack scenarios to detect common issues such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and authentication weaknesses. Scanners often use predefined vulnerability signatures or patterns.
Key capabilities:
- Detect web-specific vulnerabilities like SQL injection, XSS, and weak authentication
- Identify issues that could lead to unauthorized data access or modification
- Help enforce compliance with standards and regulations
- Support secure development by finding coding defects and configuration errors
- Reduce the likelihood of data breaches and protect user data
Use cases: For organizations running web applications, sites, or online services; to find XSS, SQL injection, or authentication flaws; recommended throughout the development lifecycle and as part of regular security audits.
04 Network scanning
Network scanning assesses security by looking for known network vulnerabilities, misconfigurations, and outdated application versions. It typically employs port scanning, network mapping, and service identification to find vulnerabilities across the network, including routers, switches, firewalls, and other infrastructure.
Key capabilities:
- Detect issues in network infrastructure components like routers, switches, and firewalls
- Identify configuration errors, weak passwords, and obsolete software
- Support maintenance of a secure and reliable network environment
- Enable risk management and prioritization based on severity
- Help meet security standards and regulatory requirements
Use cases: Protecting network boundaries, preventing unauthorized access, and evaluating network device security; analyzing overall network architecture security; recommended as part of routine security evaluations and before network upgrades or changes.
05 Database scanning
Database scanning evaluates the security of database systems by identifying issues in database configuration, access control, and stored data. It looks for insecure privileges, injection vulnerabilities, and improper settings, and provides information to protect sensitive data.
Key capabilities:
- Detect database-specific vulnerabilities such as poor access controls, injection issues, and misconfigurations
- Help protect sensitive data from unauthorized access or disclosure
- Support compliance with data protection requirements
- Identify issues that may impact performance
- Improve overall database security and integrity
Use cases: Assessing DBMS security and protecting sensitive data; organizations that store sensitive information in databases; identifying database misconfigurations and lax access controls; recommended for compliance-focused environments.
06 Source code scanning
Source code scanning finds security vulnerabilities early in the software development lifecycle, reducing remediation cost and risk. It detects coding errors, insecure practices, improper input validation, and risky third-party libraries. Source code scanning helps developers identify and fix issues before deployment.
Key capabilities:
- Detect security defects and vulnerabilities in source code
- Enable early detection and correction during development
- Support secure coding practices and adherence to standards
- Reduce the risk of software vulnerabilities reaching production
- Improve overall software security and reliability
Use cases: Integrated into the software development lifecycle; ensuring code quality and security; suitable for organizations developing their own applications; used to prevent security issues in production.
07 Cloud application scanning
Cloud application scanning assesses security across IaaS, PaaS, and SaaS environments by examining cloud configurations, access controls, and services. It identifies misconfigurations, insecure practices, and cloud-specific vulnerabilities to improve cloud deployment security.
Key capabilities:
- Identify cloud-specific issues such as misconfigurations, excessive permissions, and insecure services
- Support secure and compliant cloud infrastructure
- Improve visibility and control of cloud assets
- Help implement cloud security best practices and regulatory requirements
- Reduce the likelihood of unauthorized access and data exposure in the cloud
Use cases: Assessing security of cloud-based servers, storage, and applications; organizations using cloud services; evaluating cloud resources, configurations, and permissions; ensuring appropriate cloud security configurations and management.
08 Internal scanning
Internal scanning targets an organization's internal network to identify vulnerabilities within servers, workstations, databases, and other systems inside the network perimeter. It can detect privilege escalation opportunities and other weaknesses that are not visible from the outside.
Key capabilities:
- Identify internal vulnerabilities on systems, servers, and endpoints
- Maintain a secure internal network environment and reduce insider risk
- Detect issues that could be exploited by internal users
- Support enforcement of internal security policies
- Provide visibility into the internal security posture
Use cases: Identifying vulnerabilities that external scans cannot find; assessing internal infrastructure security and configurations; recommended as a proactive security measure.
09 External scanning
External scanning identifies vulnerabilities in internet-facing assets such as public services, portals, and websites. It inspects all externally accessible assets, including employee login pages, remote access ports, and corporate websites, to understand exposure to external attackers.
Key capabilities:
- Detect vulnerabilities in internet-facing components such as applications, websites, and portals
- Identify potential entry points for external attackers
- Help maintain the organization's external security boundary
- Support compliance with external security assessment requirements
- Reduce risks of unauthorized external access and data breaches
Use cases: Evaluating and preventing unauthorized access to public systems and services; assessing exposure from an external attacker perspective; used in standard security assessments and regulatory compliance.
10 Assessment scanning
Assessment scanning performs a comprehensive review of systems, networks, applications, and infrastructure to identify potential vulnerabilities and evaluate their risk. It provides analysis and prioritized findings with recommendations for risk reduction.
Key capabilities:
- Comprehensive analysis of vulnerabilities across systems, networks, and applications
- Assess the organization's overall security posture
- Prioritize vulnerabilities by severity and impact
- Inform rational decisions about remediation
- Help satisfy security standards and regulatory requirements
Use cases: Organizations seeking a broad evaluation of their security posture; assessments spanning many systems and environments; recommended for regular reviews or when a full security check is needed.
11 Discovery scanning
Discovery scanning focuses on identifying and inventorying all digital assets on a network, including devices, systems, applications, and services. It provides accurate visibility into IP addresses, operating systems, installed applications, and other asset details.
Key capabilities:
- Support risk management and security governance by inventorying assets
- Identify and catalog devices and systems on the network
- Maintain visibility and control over infrastructure
- Detect unauthorized or unmanaged devices
- Assist in scoping vulnerability assessments
Use cases: Inventorying connected devices, detecting unauthorized systems, and ensuring network visibility; recommended during initial vulnerability program deployment or as part of ongoing network monitoring.
12 Compliance scanning
Compliance scanning compares an organization's digital systems against regulatory frameworks, industry standards, and best practices to identify gaps and risks. It verifies that security controls and configurations meet legal and regulatory requirements.
Key capabilities:
- Help organizations meet regulatory and industry standards
- Identify vulnerabilities and misconfigurations that could lead to noncompliance
- Support deployment of controls to achieve compliance
- Assist in producing compliance documentation and audit reports
- Help build a secure and compliant digital environment
Use cases: Ensuring that security practices meet regulatory and industry requirements.
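A compliance check of the kind described above comes down to computing the effective configuration and comparing it with the required values. The added example below (not from the original article) does this for an OpenSSH `sshd_config`; the choice of file, the baseline in `REQUIRED`, and the sample config are assumptions, and `Include` files and `key=value` syntax are not handled.

```python
# Constructed baseline for illustration; not taken from any specific framework.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no"}
# OpenSSH built-in values that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "x11forwarding": "no"}

SAMPLE = """\
# constructed sample sshd_config
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

def effective_settings(text):
    """Return global keyword -> value; the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # conditional blocks are not global
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings

def check(text, required=REQUIRED):
    """Return one finding per requirement that the effective config misses."""
    actual = effective_settings(text)
    findings = []
    for key, want in sorted(required.items()):
        source = "file" if key in actual else "default"
        have = actual.get(key, DEFAULTS.get(key))
        if have != want:
            findings.append((key, have, want, source))
    return findings

if __name__ == "__main__":
    for key, have, want, source in check(SAMPLE):
        print(f"FAIL {key}: {have!r} ({source}), required {want!r}")
```

Two gaps surface here that a plain text search would miss: sshd uses the first value it reads for a keyword, so the later `PermitRootLogin no` has no effect, and the `PasswordAuthentication no` inside the `Match` block applies only to that user, leaving the global default in force.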