Skip to Content
Vulnerabilities and Security Testing

What is vulnerability scanning?

Vulnerability scanning is the automated examination of systems, networks, and applications that compares what is installed against a database of known flaws (CVEs) and returns a prioritized list of what needs fixing. It is how you see, at scale and without checking machine by machine, what is exposed in your environment. Think of it as a recurring X-ray of your attack surface.

Zamak TechnologiesUpdated on July 12, 2026

How vulnerability scanning works

A vulnerability scanner does not break in; it inspects. It queries each system, identifies versions and configurations, and cross-references it all with an up-to-date database of known flaws. The result is a picture of what is open, ready to become a fix priority.

1

Inventory the targets

The scan starts by discovering what is on the network: addresses, services, open ports, software versions. Without that map, blind spots are left out and become the very gap no one saw.

2

Scan and compare

Each asset is compared against a database of thousands of known flaws (CVEs). The scanner flags where the installed version, the configuration, or the open port matches a cataloged vulnerability.

3

Correlate and score

Findings get a severity score (the CVSS standard) and are grouped. This is also where false positives enter: not every alert is real, which is why a scan needs a human look afterward.

4

Report and retest

The result becomes a prioritized report of what to fix first. After the fix, a fresh scan confirms the flaw is truly gone, closing the loop.

Source: NIST (SP 800-115 security testing and assessment guide) and the CVE Program, the public catalog of vulnerabilities.

Types of vulnerability scanning

  • Authenticated and unauthenticated The unauthenticated scan looks at the system from outside, like a stranger. The authenticated scan logs in with credentials and sees what only a logged-in user would, finding far more. The authenticated one is more thorough; both complement each other.
  • Internal and external The external scan covers what is exposed to the internet, the storefront the attacker sees first. The internal scan sweeps the network from inside, revealing how far someone would get after breaking in.
  • Network Examines servers, routers, firewalls, and devices for exposed services, open ports, and vulnerable versions. It is the classic infrastructure scan.
  • Web application Focuses on sites and in-house systems, looking for code-level flaws such as injection and session hijacking that a network scan cannot see.
  • Agent-based A lightweight agent installed on each device reports flaws from within, continuously, without needing to reach the machine over the network. Ideal for mobile gear and distributed environments.

What is at stake for the business

48K+
new vulnerabilities a year; keeping up by hand is impossible, and scanning is the only way to do it at scale (CVE Program / NVD)
20%
of breaches start with the exploitation of a vulnerability, a 34% jump in a single year (Verizon DBIR 2025)
32 days
median time to fix edge flaws; what is never scanned does not even make the list (Verizon DBIR 2025)

With more than 48,000 new vulnerabilities a year (CVE Program / NVD), keeping track of what is exposed by hand is simply impossible. Scanning solves the scale problem: in hours, it examines the whole environment and returns the list of what needs attention. But there is an important limit that separates a scan from a full test. The scanner delivers raw data: it points out where a flaw might exist, does not prove it is truly exploitable, and sometimes flags problems that are not real (false positives). That is why scanning is the first step, not the last. It shows the surface; confirming the risk for real takes human validation, which leads to penetration testing. Even so, without continuous scanning a company is blind: vulnerability exploitation already accounts for 20% of breaches (Verizon DBIR 2025), and you cannot fix what you never looked at.

How to get the most out of vulnerability scanning

Having a scanner is not enough; the value is in how it is used. A few practices make all the difference:

  1. Scan everything, not just the perimeterServers, workstations, cloud, mobile devices. The flaw is usually in the forgotten asset, the one no one remembered was still running.
  2. Prefer authenticated scanningLogging in with credentials reveals far more than looking from outside. The unauthenticated scan shows the facade; the authenticated one shows the inside.
  3. Make scanning continuousA once-a-year scan leaves the environment without visibility most of the time. The ideal is recurring, to keep up with flaws that surface every week.
  4. Prioritize by real exploitationThe raw list is far too long to fix in full. Combine severity (CVSS) with the chance of exploitation (EPSS) and the list of actively exploited flaws (CISA's KEV catalog).
  5. Validate the findingsTreat the report as a starting point, not a final truth. Confirm the top findings, discard false positives, and for the critical ones, use a penetration test to prove the risk.

In practice

A scan report with 500 red alerts is not a plan; it is a scare. The value of scanning is not in the length of the list but in the answer to one question: of these 500, which would an attacker actually use tomorrow? Prioritizing that answer is what separates scanning from protecting.

How Zamak uses scanning in your favor

Zamak Technologies keeps vulnerability scanning running continuously in your environment, backed by a vulnerability testing platform and remote monitoring and management. But it does not stop at the report: it prioritizes findings by real risk to your business, discards false positives, and follows each fix through to the retest, alongside your team. Scanning becomes the start of a loop, not a pile of alerts. It is part of the managed cybersecurity in the Zamak Method, and you can measure your starting point with the cybersecurity diagnosis.

Frequently asked questions about vulnerability scanning

What is vulnerability scanning?
It is an automated examination that sweeps systems, networks, and applications, comparing what is installed against a database of known flaws (CVEs), and returns a prioritized list of what needs fixing. It is how you see, at scale, what is exposed.
What is the difference between vulnerability scanning and penetration testing (pentest)?
A scan is automated and broad: it points out where flaws might exist but does not exploit them. A penetration test is run by specialists who exploit the flaws for real, proving the actual impact. The scan shows the surface; the pentest measures the depth. The two complement each other.
Authenticated or unauthenticated scan, which to use?
Both, for different purposes. The unauthenticated scan shows what a stranger would see from outside. The authenticated one logs in with credentials and finds far more, because it sees the system from within. Mature programs combine the two.
Can a scan take down my systems?
When properly configured, the risk is low: most scans are light and non-intrusive. In sensitive environments, authenticated scanning and low-usage windows are used to reduce any impact. The risk of not scanning is far greater.
Does the scanner find every vulnerability?
No. It finds known, cataloged flaws, and it still produces false positives and some false negatives. That is why scanning needs human validation and, for the critical points, a penetration test to confirm what is truly exploitable.
How often should I scan?
Continuously, or monthly at the very least, plus a fresh scan after each major fix. Since thousands of flaws surface every month, scanning once a year leaves almost the entire period without visibility.