What is a vulnerability scanner?

Rachel Bishop | Updated June 9, 2026

TL;DR: A vulnerability scanner finds weaknesses in software, hardware, endpoints, networks, drivers, and configurations so IT teams can prioritize fixes before attackers exploit them. Common scan types include network, agent-based, authenticated, unauthenticated, signature-based, and heuristic scans. The right scanner depends on your environment, staffing, feature needs, data sources, and budget.

A vulnerability scanner is a type of vulnerability management tool that scans software, hardware, and networks for known weaknesses that attackers could exploit. For instance, it might flag outdated software vulnerable to a published exploit.

Here’s a real-world example from recent history. Remember PrintNightmare? Up-to-date vulnerability scanners lit up like Christmas trees in environments with the Print Spooler service (in other words, every single Windows environment).

What is a vulnerability?

A vulnerability is a flaw or misconfiguration in software, hardware, or systems that can be exploited by attackers. Common examples include unpatched software, weak configurations, and exposed services.

For example, in 2023, cybercriminals found and exploited a vulnerability (CVE-2023-27350) in the print management software PaperCut. As a result, hackers could execute malicious code remotely on vulnerable, unpatched systems.

In 2025, the National Institute of Standards and Technology (NIST) reported more than 42,000 vulnerabilities in its National Vulnerability Database, 45% more than any prior year.

What does a vulnerability scanner do?

Vulnerability scanners search for security weaknesses in software, hardware, drivers, and configurations, then flag those findings for review in a vulnerability scan report. Most scanners compare assets against vulnerability databases, detect risky configurations, and help IT teams prioritize remediation.

A vulnerability scanner typically helps IT teams:

  • Discover vulnerable software, hardware, endpoints, and services

  • Identify missing patches and risky configurations

  • Match findings to known CVEs or threat intelligence

  • Prioritize vulnerabilities by severity, exploitability, and business risk

  • Track remediation progress over time

A high-quality scanner can help support a vulnerability assessment or full-scale vulnerability management program.

What are the main types of vulnerability scans?

Here are some of the most common types of vulnerability scans.

| Scan type | What it checks | Best for | Limitation |
| --- | --- | --- | --- |
| Network vulnerability scan | Network devices, servers, endpoints, ports, and services | Finding exposed systems and network-level risk | May miss local endpoint details without credentials |
| Agent-based scan | Software, patches, configurations, and system details on each endpoint | Continuous endpoint visibility | Requires agent deployment and management |
| Unauthenticated scan | Risks visible without credentials | Understanding what an external attacker may see | Provides limited internal system detail |
| Authenticated scan | System details available with approved credentials | Finding missing patches, weak configurations, and installed vulnerable software | Requires secure credential management |
| Signature-based scan | Known vulnerabilities from vulnerability databases | Detecting documented CVEs and common misconfigurations | Depends on current vulnerability data |
| Heuristic scan | Suspicious behavior, patterns, or conditions | Finding potential unknown or emerging risks | May produce more false positives |

What are network vulnerability scans?

Vulnerability scanners that offer network scans examine your network — including network devices, such as servers and connected endpoints — to find and flag vulnerabilities. Depending on your environment, a network vulnerability scanner may also cover cloud- or web-based application scans (think WordPress) and wireless network scans (think open ports). Remediating these vulnerabilities reduces your digital attack surface.

What are agent-based vulnerability scans?

Agent-based vulnerability scans occur directly on your endpoints. These scans sift through each machine to look for unpatched and vulnerable components, flagging them for review.

What are unauthenticated vulnerability scans?

An unauthenticated vulnerability scan takes place in a non-elevated and non-privileged context. Unauthenticated scans flag weak spots and security risks that a hacker without credentials could potentially exploit. These scans are important because they identify vulnerabilities that a hacker could use to gain initial access.

What are authenticated vulnerability scans?

An authenticated vulnerability scan uses approved credentials to inspect systems from the inside. It can uncover risks that unauthenticated scans may miss, such as missing patches, weak local configurations, and vulnerable software installed on endpoints.

What are signature-based vulnerability scans?

Signature-based vulnerability scanning tools compare what’s in your environment to a database (or multiple databases) of known vulnerabilities. If you’ve ever nerded out over how antivirus software works (I can't be alone in that, right?), you’re already familiar with signature-based scanning.

Using our old enemy PrintNightmare as an example, signature-based vulnerability scanners would have searched for an enabled Print Spooler service — and if it were found (it would have been), an up-to-date signature-based vulnerability scanning tool would have flagged it.

Notice I said “up-to-date.” That’s because just like with antivirus software, signature-based vulnerability scanners are only as good as the databases they rely on to function. When PrintNightmare was a new vulnerability, signature-based vulnerability scanning software wouldn’t have caught it — at least not right away. Once the back-end databases were updated to include the signature, these vulnerability scanners could flag the service as a critical vulnerability.

What are heuristic vulnerability scans?

Heuristic vulnerability scanning uses behavior analysis, machine learning, and pattern recognition to identify suspicious conditions that may indicate a vulnerability. It can help detect risks that are not yet covered by signature databases, but it may also produce more false positives.

Merriam-Webster defines heuristic this way:

Involving or serving as an aid to learning, discovery, or problem-solving by experimental and especially trial-and-error methods.

In the context of a vulnerability scanner, a heuristic scanner uses various approaches — machine learning, behavioral analysis, activity patterns, and our frenemy, AI — to predict and flag vulnerabilities. That means that heuristic scanners may be able to find critical vulnerabilities on the fly — even those that have yet to be discovered.

This method, while fascinating, has its cons. As DALL-E taught us not too long ago, AI and machine learning can seldom fully replace humans. Heuristic scanners may flag more false positives than signature-based scanners, which rely on databases that humans compile. Plus, heuristic scanners may very well be a bit too robust for your needs — and with that robustness comes the increased time it takes for heuristic scanners to do their jobs.

Sometimes, you just want to see which known vulnerabilities are lurking in your environment, ripe and ready for threat actors to exploit. No more, no less.

What are the benefits of a vulnerability scanner?

Vulnerability scanners help IT teams find, prioritize, and remediate security weaknesses before attackers exploit them. They offer a host of benefits, including reducing your cyber risk, saving you time and money, and keeping a pulse on your security posture.

Vulnerability scanners reduce cyber risk

Whenever a potential vulnerability is announced, hackers hide around the corner as they figure out how to exploit it. (And sometimes, well-intentioned cybersecurity researchers inadvertently spell out how to exploit these vulnerabilities for hackers, but that’s a topic for another day.) In fact, Verizon’s 2026 Data Breach Investigations Report notes that vulnerabilities rank as the top way that hackers gain access to an organization, accounting for 31% of breaches and surpassing stolen credentials for the first time. Hackers love vulnerabilities with the same fervor that I love pizza — and believe me, that’s a lot.

Addressing vulnerabilities makes it that much harder for hackers to have a good day. And I don’t know about you, but it brings the biggest smile to my face knowing I’ve ruined a threat actor’s day.

Vulnerability scanners save IT teams time

Vulnerability scanners are automated. That means you won’t have to manually seek out and remediate potential vulnerabilities. Good vulnerability scanners can do half the work by flagging the vulnerabilities present in your environment. Then, you can work to prioritize the vulnerabilities that pose the biggest risk to your unique business. And once you remediate those vulnerabilities, you’ve instantly made it harder for hackers to conduct their malicious — and often, expensive-to-you — activities.


Find and fix vulnerabilities faster

PDQ helps IT teams simplify vulnerability management from detection to remediation. Spot, prioritize, and remediate CVEs from anywhere. View vulnerabilities by device or software. Then filter by risk, severity, affected software, impacted devices, and more to identify high-priority exposures and patches.

What should you do after a vulnerability scan?

After a vulnerability scan, IT teams should review the findings, prioritize the highest-risk vulnerabilities, remediate affected systems, and rescan to confirm the fixes worked. A scanner helps you find risk, but remediation is what actually reduces your attack surface.

A practical vulnerability remediation workflow looks like this:

  1. Review the scan results for critical and high-severity findings.

  2. Confirm which vulnerabilities affect business-critical systems.

  3. Prioritize fixes based on severity, exploitability, asset importance, and exposure.

  4. Deploy patches or configuration changes to affected endpoints.

  5. Rescan systems to verify the vulnerability is resolved.

  6. Track recurring issues to improve your patching and hardening process.
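The following Python script, added here and not PDQ's code, walks the six steps above as code: a context-aware risk score for steps 1 through 3, so that a CVSS 8.0 finding on an isolated lab box ranks below a CVSS 5.0 finding on an internet-facing business-critical server, and a rescan diff for steps 5 and 6 that separates resolved, persisting, and newly appearing findings. The scoring weights, the assets, both scan snapshots, and the V-x identifiers are all constructed for illustration.

```python
"""Prioritize scan findings by context and verify fixes with a rescan diff.
Added example for this article, not PDQ's code. The scoring weights and all
assets, findings and V-x identifiers are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (throwaway lab box) .. 5 (business-critical)
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed id; a real scanner would report a CVE number
    asset: str
    cvss: float             # base score as reported by the scanner
    known_exploited: bool   # e.g. listed in a public catalog of exploited vulnerabilities


def risk_score(finding: Finding, asset: Asset) -> float:
    """Combine severity, exploitability, asset importance and exposure into one number.
    The weights are constructed; the point is that context moves a finding up or down."""
    score = finding.cvss * (asset.criticality / 5)   # scale severity by asset importance
    if asset.internet_exposed:
        score *= 1.5                                 # reachable by anyone, not just insiders
    if finding.known_exploited:
        score += 3.0                                 # an exploit exists; assume it will be used
    return round(score, 2)


def prioritize(findings: list[Finding], assets: dict[str, Asset]) -> list[tuple[str, str, float]]:
    """Return (vuln_id, asset, score) sorted highest risk first (steps 1 to 3)."""
    ranked = [(f.vuln_id, f.asset, risk_score(f, assets[f.asset])) for f in findings]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


def verify_remediation(before: list[Finding], after: list[Finding]) -> dict[str, list[tuple[str, str]]]:
    """Diff two scans by (vuln_id, asset) to confirm fixes took effect (step 5).
    'persisting' entries are the candidates for the recurring-issue tracking in step 6."""
    def key(f: Finding) -> tuple[str, str]:
        return (f.vuln_id, f.asset)

    old, new = {key(f) for f in before}, {key(f) for f in after}
    return {
        "resolved": sorted(old - new),
        "persisting": sorted(old & new),
        "new": sorted(new - old),
    }


# Constructed assets and two scan snapshots.
ASSETS = {
    "web01": Asset("web01", criticality=5, internet_exposed=True),
    "fin02": Asset("fin02", criticality=4, internet_exposed=False),
    "lab07": Asset("lab07", criticality=1, internet_exposed=False),
}
FIRST_SCAN = [
    Finding("V-A", "lab07", cvss=8.0, known_exploited=False),
    Finding("V-B", "web01", cvss=7.0, known_exploited=True),
    Finding("V-C", "fin02", cvss=9.8, known_exploited=False),
    Finding("V-D", "web01", cvss=5.0, known_exploited=False),
]
# After patching V-B and V-C: V-A and V-D remain, and a new finding appears on fin02.
RESCAN = [
    Finding("V-A", "lab07", cvss=8.0, known_exploited=False),
    Finding("V-D", "web01", cvss=5.0, known_exploited=False),
    Finding("V-E", "fin02", cvss=6.5, known_exploited=False),
]

if __name__ == "__main__":
    for vuln_id, asset, score in prioritize(FIRST_SCAN, ASSETS):
        print(f"{score:5.2f}  {vuln_id} on {asset}")
    print(verify_remediation(FIRST_SCAN, RESCAN))
```

With these weights the order comes out V-B, V-C, V-D, V-A: the known-exploited flaw on the exposed critical server leads, and the CVSS 8.0 on the lab box lands last despite its base score. The rescan diff then confirms V-B and V-C are gone, keeps V-A and V-D on the list, and surfaces V-E as new work.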

How to choose the right vulnerability scanner for your business

To choose the right vulnerability scanner, evaluate how well each tool fits your environment, staffing, remediation workflow, data sources, and budget.

Who will manage the vulnerability scanner?

Who in your business will manage the vulnerability scanner? Do you have a dedicated security team that can sift through the vulnerabilities and remediate the ones that matter? Or do you work in a small shop where contextualizing vulnerabilities would be too big of a time sink?

What functionality do you need?

As we talked about earlier, vulnerability scanners come in all levels of functionality. Some merely scan your environment for vulnerabilities. Others scan, organize, and prioritize those vulnerabilities so you can remediate them. Consider how involved you want to be with your vulnerability scanner and find a tool that matches those needs.

What features would you benefit from?

Consider the features you want your vulnerability scanner to have. Do you need your vulnerability scanner to cover your endpoints and your network? Do you need the scanner to help you prioritize which alerts threaten your business operations? Is it easy for one person to manage the scanner, or does it require a lift from an entire team?

What vulnerability data sources does the scanner use?

Just like antivirus software, a vulnerability scanner is only as good as the databases it checks against. If your vulnerability scanner points to an outdated database, the scanner won’t do you much good when it comes to finding more recent vulnerabilities.

As you evaluate your options, research where each scanner pulls information from. See how often those databases receive updates. And be sure to ask each vendor how their software ranks vulnerabilities in terms of severity.

What cost can you afford?

The cost of vulnerability scanners greatly varies between products. Some vulnerability scanners are free or open source, such as OpenVAS — but, as you might assume, they often come with limitations. Free vulnerability scanners may not perform the thorough scans paid tools do — and they may rely on more outdated databases to discover vulnerabilities. On the other end of the spectrum, other tools cost more but offer myriad features — some that you may not even need.

Let the features you’re willing to pay for help you determine how much you spend on a vulnerability scanner.

Vulnerability scanner FAQ

What’s the difference between a vulnerability scanner and penetration testing?

Vulnerability scans are often part of other security testing, including penetration testing. Comprehensive pentests seek to discover and flag existing vulnerabilities in your environment — often with assistance from a vulnerability scanner. But pentests encompass much more than vulnerability scanning, including offensive security exercises designed to mimic skilled threat actors.

What are the limitations of traditional vulnerability scanners?

Traditional vulnerability scanners tend to perform one task: scanning for vulnerabilities. More advanced and modern vulnerability scanners contextualize the vulnerabilities they find, giving you additional information to filter out the vulnerabilities that are less important to address.

For example, many vulnerability scanners urgently flag vulnerabilities with high Common Vulnerability Scoring System (CVSS) scores. But what ranks as an 8 using that scoring system may be far less critical in your specific environment. This is why that context is so important.

What is vulnerability management?

Vulnerability management is the process of identifying, remediating, and monitoring vulnerabilities that impact your environment.

How is vulnerability scanning different from vulnerability management?

Vulnerability scanning is the process of finding security weaknesses. Vulnerability management is the broader process of identifying, prioritizing, remediating, and monitoring vulnerabilities over time.

A vulnerability scanner is one part of a vulnerability management program. The scanner finds the issues, while vulnerability management helps IT teams decide what to fix first, how to fix it, and how to confirm the risk is reduced.

Do hackers use vulnerability scanners?

Yes, hackers absolutely use vulnerability scanners! In fact, hackers often rely on the same tools as defenders to spot a security risk — but for a much different purpose than how we use them. Threat actors turn vulnerability scanners, proof-of-concept code, and other tools built for defenders to nefarious purposes.


A good vulnerability scanner helps cut down on the noise in your environment. PDQ combines vulnerability scanning, prioritization, and remediation to make vulnerability management quick and easy. Try PDQ for 14 days.

Rachel Bishop

At PDQ, Rachel wrote clear, accurate cybersecurity and IT content for practitioners and buyers. She holds a bachelor’s in technical writing, a master’s in communication, and completed a 14-week hands-on cyber defense program. Her background spans higher education, state government, edtech, cybersecurity, and IT software.
