What is a vulnerability scanner?

Rachel Bishop
Rachel Bishop|April 10, 2024
Security lightBlue
Security lightBlue

A vulnerability scanner is a tool that searches for and flags vulnerabilities in your environment. For example, a vulnerability scanner might flag software that’s vulnerable to a known exploit.

Here’s a real-world example from recent history. Remember PrintNightmare? Up-to-date vulnerability scanners lit up like Christmas trees in environments with the Print Spooler service — AKA every single Windows environment. 😅

What is a vulnerability?

A vulnerability is a weakness or error in software, hardware, a network, or a system. Vulnerabilities pose a threat to businesses because threat actors often leverage them to launch cyberattacks. For example, in 2023, cybercriminals found and exploited a vulnerability (CVE-2023-27350) in the print management software PaperCut. As a result, hackers could execute malicious code remotely on vulnerable, unpatched systems. 

In 2022, the National Institute of Standards and Technology (NIST) reported more than 13,000 vulnerabilities in their National Vulnerability Database, and 85% of those vulnerabilities were classified as medium or high severity.

What a vulnerability scanner does

At the risk of oversimplifying the process, vulnerability scanners search for vulnerable components — software, hardware, drivers, configurations, etc. — in your environment. Then, they flag them for review. But how vulnerability scanners scan depends on the tool you use. Some tools use signature-based scanning, while others rely on heuristic scanning. More on those in a bit.

Vulnerability scan methodologies

Here are some of the most common types of vulnerability scans.

Network vulnerability scans

Vulnerability scanners that offer network scans examine your network — including network devices, such as servers and connected endpoints — to find and flag vulnerabilities. Depending on your environment, network vulnerability scans may also encompass cloud- or web-based application scans (think WordPress) and wireless network scans (think open ports). Remediating these vulnerabilities reduces your digital attack surface.

Agent-based vulnerability scans

Agent-based vulnerability scans occur directly on your endpoints. These scans sift through each machine to look for unpatched and vulnerable components, flagging them for review.

Unauthenticated vulnerability scans

Unauthenticated vulnerability scans take place in a non-elevated and non-privileged context. They flag weak spots and security risks that a hacker without credentials could potentially exploit. These scans are important because they identify vulnerabilities that a hacker could use to gain initial access.

Authenticated vulnerability scans

But what about those hackers who have weaseled their way into your environment? That’s where authenticated vulnerability scans come in. Authenticated vulnerability scans focus on what a hacker could potentially do once they gain initial access to your environment.

Signature-based vulnerability scanning

If you’ve ever nerded out over how antivirus software works (I can't be alone in that, right?), you’re already familiar with signature-based scanning. Signature-based vulnerability scanners compare what’s in your environment to a database (or multiple databases) of known vulnerabilities.

Using our old enemy PrintNightmare as an example, signature-based vulnerability scanners would have searched for an enabled Print Spooler service — and if it were found (it would have been), an up-to-date signature-based vulnerability scanner would have flagged it.

Notice I said “up-to-date." That’s because just like with antivirus software, signature-based vulnerability scanners are only as good as the databases they rely on to function. When PrintNightmare was a brand-new vulnerability, signature-based vulnerability scanners wouldn’t have caught it — at least not right away. Once the back-end databases were updated to include the signature, these vulnerability scanners could flag the service as a critical vulnerability.

Heuristic vulnerability scanning

Heuristic scanning is a more advanced solution that’s much easier to understand if you know what heuristic means. Do you? If not, no worries — I write for a living, yet I had to turn to a dictionary for an assist. 😅

Merriam-Webster defines heuristic this way:

Involving or serving as an aid to learning, discovery, or problem-solving by experimental and especially trial-and-error methods.

In the context of a vulnerability scanner, a heuristic scanner uses various approaches — machine learning, behavioral analysis, activity patterns, and our frenemy, AI — to predict and flag vulnerabilities. That means that heuristic scanners can find critical vulnerabilities on the fly — even those that have yet to be discovered.

This method, while fascinating, has its cons. As DALL-E taught us not too long ago, AI and machine learning can seldom fully replace humans. Heuristic scanners may flag more false positives than signature-based scanners, which rely on databases that humans compile. Plus, heuristic scanners may very well be a bit too robust for your needs — and with that robustness comes the increased time it takes for heuristic scanners to do their jobs.

Sometimes, you just want to see which known vulnerabilities are lurking in your environment, ripe and ready for threat actors to exploit. No more, no less.

The benefits of a vulnerability scanner

Vulnerability scanners are nifty tools that can help you prioritize and address weak spots in your environment. They offer a host of benefits, including reducing your cyber risk, saving you time and money, and keeping a pulse on your security posture.

It reduces your cyber risk

Whenever a new vulnerability is announced, hackers hide around the corner as they figure out how to exploit it. (And sometimes, well-intentioned security researchers inadvertently spell out how to exploit these vulnerabilities for hackers, but that’s a topic for another day.) In fact, Verizon’s 2023 Data Breach Investigations Report notes that vulnerabilities rank as one of the top three ways that hackers gain access to an organization. Hackers love vulnerabilities with the same fervor that I love pizza — and believe me, that’s a lot.

Addressing vulnerabilities makes it that much harder for hackers to have a good day. And I don’t know about you, but it brings the biggest smile to my face knowing I’ve ruined a threat actor’s day.

It saves you time and money

Vulnerability scanners are automated. That means you won’t have to manually seek out and remediate potential vulnerabilities. Good vulnerability scanners can do half the work by flagging the vulnerabilities present in your environment. Then, you can work to prioritize the vulnerabilities that pose the biggest risk to your unique business. And once you remediate those vulnerabilities, you’ve instantly made it harder for hackers to conduct their malicious — and often, expensive-to-you — activities.

*Smart* automation doesn’t have to be an oxymoron

Some vulnerability scanners, like PDQ Detect, take automation to the next level. PDQ Detect uses proprietary, AI-powered technology to contextualize and prioritize the vulnerabilities that would have the most impact on your business if they were exploited. See how PDQ Detect works.

How to choose the right vulnerability scanner for your business

Wondering how to pick a vulnerability scanner for your organization? Keep these considerations in mind as you evaluate your options.


Who in your business will manage the vulnerability scanner? Do you have a dedicated security team that can sift through the vulnerabilities and remediate the ones that matter? Or do you work in a small shop where contextualizing vulnerabilities would be too big of a time sink?


As we talked about earlier, vulnerability scanners come in all levels of functionality. Some merely scan your environment for vulnerabilities. Others scan, organize, and prioritize those vulnerabilities so you can remediate them. Consider how involved you want to be with your vulnerability scanner and find a tool that matches those needs.


Consider the features you want your vulnerability scanner to have. Do you need your vulnerability scanner to cover your endpoints and your network? Do you need the scanner to help you prioritize which alerts threaten your business operations? Is it easy for one person to manage the scanner, or does it require a lift from an entire team?

Sources of information

Just like antivirus software, a vulnerability scanner is only as good as the databases it checks against. If your vulnerability scanner points to an outdated database, the scanner won’t do you much good when it comes to finding more recent vulnerabilities.

As you evaluate your options, research where each scanner pulls information from. See how often those databases receive updates. And be sure to ask each vendor how their software ranks vulnerabilities in terms of severity.


The cost of vulnerability scanners greatly varies between products. Some vulnerability scanners are free (such as the well-known Burp Scanner) or open source — but, as you might assume, they often come with limitations. Free vulnerability scanners may not perform the thorough scans paid tools do — and they may rely on more outdated databases to discover vulnerabilities. On the other end of the spectrum, other tools cost more but offer myriad features — some that you may not even need.

Let the features you’re willing to pay for help you determine how much you spend on a vulnerability scanner.

Vulnerability scanner FAQ

What’s the difference between a vulnerability scanner and penetration testing?

Vulnerability scans are part of penetration testing. Comprehensive pentests seek to discover and flag existing vulnerabilities in your environment — often with assistance from a vulnerability scanner. But pentests encompass much more than vulnerability scanning, including offensive security exercises designed to mimic skilled threat actors.

What are the limitations of traditional vulnerability scanners?

Traditional vulnerability scanners tend to perform one task: scanning for vulnerabilities. More advanced and modern vulnerability scanners contextualize the vulnerabilities they find, giving you additional information to filter out the vulnerabilities that are less important to address.

For example, many vulnerability scanners urgently flag vulnerabilities with high Common Vulnerability Scoring System (CVSS) scores. But what ranks as an 8 using that scoring system may be far less critical in your specific environment. This is why that context is so important.

What is vulnerability management?

Vulnerability management is the process of identifying, remediating, and monitoring vulnerabilities that impact your environment.

Do hackers use vulnerability scanners?

Yes, hackers absolutely use vulnerability scanners! In fact, hackers often rely on the same tools as defenders to spot security risks — but for a much different purpose than how we use them. Threat actors use vulnerability scanners, proof of concepts, and other defensive tools for nefarious purposes.

A good vulnerability scanner helps cut down on the noise in your environment. PDQ Detect does that by using machine learning to flag the highest-risk vulnerabilities to your on-prem, remote, and internet-facing assets. Try PDQ Detect for 14 days.

Rachel Bishop
Rachel Bishop

A professional writer turned cybersecurity nerd, Rachel enjoys making technical concepts accessible through writing. When she’s not solving her Rubik’s cube, she’s likely playing a video game or getting wrapped up in a true crime series. She enjoys spending time with her husband (a former sysadmin now in cybersecurity) as well as her two cats and two birds.

Related articles