Vulnerability scanners are software that automatically compare known vulnerabilities against the technologies on a network. These tools scan systems to find misconfigurations or flaws.
They analyze each of the five attack surfaces:
- Perimeter layer: like authentication systems that validate user access
- Network layer: firewalls, websites, etc.
- Endpoint layer: devices on the network, such as laptops, desktops, and phones
- Application layer: software that users interact with
- Data layer: any information that is stored, in transit, or in use
When a scan of a layer begins, the tool compares its findings with security databases, flagging any vulnerabilities and then adding them to its reference database. Each scan adds more information to the database, increasing the accuracy of the analysis. Vulnerability databases are also routinely updated by the companies that make the scanning software.
Scanners are meant to be non-intrusive. They do not behave like attackers would and don’t break or take advantage of anything. They simply scan a surface looking for unlocked doors.
external vs. internal
External scans simulate an attacker's approach. They test the perimeter layer from outside the internal network, analyzing outward-facing systems like websites and firewalls. These scans can uncover vulnerabilities in exposed network ports and servers.
Internal scans start from the opposite end and examine an organization's internal systems. These would scan application software for vulnerabilities.
authenticated vs. unauthenticated
Authenticated and unauthenticated scans simulate whether or not a user has access to a system.
Authenticated scans might test a system by logging in with a user or admin account, testing for broken access controls.
Unauthenticated scans simulate external threat actors who do not have access to internal resources. These scans check that access-denied responses are returned to unauthorized users.
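The matching step described above (comparing discovered technologies with a reference database and growing a findings database scan by scan) and the authenticated vs. unauthenticated distinction, as an added example that is not code from any real scanner: the reference database, host inventory and advisory ids are all constructed placeholders, and the rule "an unauthenticated scan sees only service banners, an authenticated scan also sees installed packages" is an assumed simplification.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed reference database (placeholder advisories, not real ones):
# product -> list of (first fixed version, advisory id, attack-surface layer).
REFERENCE_DB = {
    "openssh":      [("8.5",    "ADV-PLACEHOLDER-1", "network")],
    "apache-httpd": [("2.4.52", "ADV-PLACEHOLDER-2", "application")],
    "libfoo":       [("1.2.0",  "ADV-PLACEHOLDER-3", "endpoint")],
}

@dataclass
class Host:
    name: str
    banners: dict    # services visible from the network (unauthenticated view)
    packages: dict   # installed software, readable only after logging in

@dataclass
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    layer: str

def scan(host: Host, authenticated: bool, findings_db: list) -> list:
    """Compare what the scan can see on a host with REFERENCE_DB.

    An unauthenticated scan only sees network-facing banners; an authenticated
    scan also inventories installed packages. Every new finding is appended to
    findings_db, so each scan builds on the results of earlier ones.
    Returns only the findings that were new in this scan."""
    inventory = dict(host.banners)
    if authenticated:
        inventory.update(host.packages)
    new = []
    for product, version in inventory.items():
        for fixed, advisory, layer in REFERENCE_DB.get(product, []):
            if parse_version(version) < parse_version(fixed):
                finding = Finding(host.name, product, version, advisory, layer)
                if finding not in findings_db:     # do not report the same flaw twice
                    findings_db.append(finding)
                    new.append(finding)
    return new
```

Running an unauthenticated scan first and an authenticated one second on the same host shows the second pass surfacing only the package-level flaw the first pass could not see, while the shared findings database keeps both.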
limited vs. comprehensive
These scans focus on particular devices that are accessed by both internal and external users.
Limited scans analyze particular devices on a network, searching for misconfigured firewalls, etc.
Comprehensive scans analyze all devices connected to a network, e.g. operating systems, user databases, etc.