What is vulnerability scanning?
Vulnerability scanning is the automated examination of systems, networks, and applications that compares what is installed against a database of known flaws (CVEs) and returns a prioritized list of what needs fixing. It is how you see, at scale and without checking machine by machine, what is exposed in your environment. Think of it as a recurring X-ray of your attack surface.
How vulnerability scanning works
A vulnerability scanner does not break in; it inspects. It queries each system, identifies versions and configurations, and cross-references it all with an up-to-date database of known flaws. The result is a picture of what is open, ready to become a fix priority.
Inventory the targets
The scan starts by discovering what is on the network: addresses, services, open ports, software versions. Without that map, blind spots are left out and become the very gap no one saw.
Scan and compare
Each asset is compared against a database of thousands of known flaws (CVEs). The scanner flags where the installed version, the configuration, or the open port matches a cataloged vulnerability.
Correlate and score
Findings get a severity score (the CVSS standard) and are grouped. This is also where false positives enter: not every alert is real, which is why a scan needs a human look afterward.
Report and retest
The result becomes a prioritized report of what to fix first. After the fix, a fresh scan confirms the flaw is truly gone, closing the loop.
Source: NIST (SP 800-115 security testing and assessment guide) and the CVE Program, the public catalog of vulnerabilities.
Types of vulnerability scanning
- Authenticated and unauthenticated The unauthenticated scan looks at the system from outside, like a stranger. The authenticated scan logs in with credentials and sees what only a logged-in user would, finding far more. The authenticated one is more thorough; both complement each other.
- Internal and external The external scan covers what is exposed to the internet, the storefront the attacker sees first. The internal scan sweeps the network from inside, revealing how far someone would get after breaking in.
- Network Examines servers, routers, firewalls, and devices for exposed services, open ports, and vulnerable versions. It is the classic infrastructure scan.
- Web application Focuses on sites and in-house systems, looking for code-level flaws such as injection and session hijacking that a network scan cannot see.
- Agent-based A lightweight agent installed on each device reports flaws from within, continuously, without needing to reach the machine over the network. Ideal for mobile gear and distributed environments.
What is at stake for the business
With more than 48,000 new vulnerabilities a year (CVE Program / NVD), keeping track of what is exposed by hand is simply impossible. Scanning solves the scale problem: in hours, it examines the whole environment and returns the list of what needs attention. But there is an important limit that separates a scan from a full test. The scanner delivers raw data: it points out where a flaw might exist, does not prove it is truly exploitable, and sometimes flags problems that are not real (false positives). That is why scanning is the first step, not the last. It shows the surface; confirming the risk for real takes human validation, which leads to penetration testing. Even so, without continuous scanning a company is blind: vulnerability exploitation already accounts for 20% of breaches (Verizon DBIR 2025), and you cannot fix what you never looked at.
How to get the most out of vulnerability scanning
Having a scanner is not enough; the value is in how it is used. A few practices make all the difference:
- Scan everything, not just the perimeterServers, workstations, cloud, mobile devices. The flaw is usually in the forgotten asset, the one no one remembered was still running.
- Prefer authenticated scanningLogging in with credentials reveals far more than looking from outside. The unauthenticated scan shows the facade; the authenticated one shows the inside.
- Make scanning continuousA once-a-year scan leaves the environment without visibility most of the time. The ideal is recurring, to keep up with flaws that surface every week.
- Prioritize by real exploitationThe raw list is far too long to fix in full. Combine severity (CVSS) with the chance of exploitation (EPSS) and the list of actively exploited flaws (CISA's KEV catalog).
- Validate the findingsTreat the report as a starting point, not a final truth. Confirm the top findings, discard false positives, and for the critical ones, use a penetration test to prove the risk.
In practice
A scan report with 500 red alerts is not a plan; it is a scare. The value of scanning is not in the length of the list but in the answer to one question: of these 500, which would an attacker actually use tomorrow? Prioritizing that answer is what separates scanning from protecting.
How Zamak uses scanning in your favor
Zamak Technologies keeps vulnerability scanning running continuously in your environment, backed by a vulnerability testing platform and remote monitoring and management. But it does not stop at the report: it prioritizes findings by real risk to your business, discards false positives, and follows each fix through to the retest, alongside your team. Scanning becomes the start of a loop, not a pile of alerts. It is part of the managed cybersecurity in the Zamak Method, and you can measure your starting point with the cybersecurity diagnosis.