Scanning the network

Every day, security researchers and hackers discover new vulnerabilities, augmenting the tens of thousands of known holes in applications, services, operating systems, and firmware. A vulnerability scanner provides automated assistance for tracking known vulnerabilities and detecting your exposure to them. We’ll review several of the best free network vulnerability scanners.

>>>Jump to the list of the best network vulnerability scanners below<<<

Who needs a network vulnerability scanner?

Any network beyond the smallest office has an attack surface too large and complex for purely manual monitoring. Even if you are only responsible for a few hosts and devices, you need automated assistance to efficiently and thoroughly track the burgeoning list of known vulnerabilities and ensure that your network is not exposed.

Nowadays most operating systems provide automated software updates. For a small organization, that may be sufficient. But how much of your installed software does that cover? And what of misconfigured services or unauthorized software that has popped up in your network?

The “hack yourself first” adage suggests that any host or device exposed to the internet should be penetration tested, and the “defense in depth” principle says that even “internal” hosts and devices must be audited regularly.

A vulnerability scanner provides automated assistance with this. Like many network administration tools, a vulnerability scanner has both legitimate and illegitimate uses. It can be helpful to the system administrator, developer, security researcher, penetration tester, or black-hat hacker. It can be used for assessing exposure in order to secure your network, or for seeking viable exploits to enable breaking into it.

How does a network vulnerability scanner work?

A vulnerability scanner relies on a database of known vulnerabilities and automated tests for them. A limited scanner will only address a single host or set of hosts running a single operating system platform. A comprehensive scanner scans a wide range of devices and hosts on one or more networks, identifying the device type and operating system, and probing for relevant vulnerabilities with lesser or greater intrusiveness.

A scan may be purely network based, conducted from the wider internet (external scan) or from inside your local intranet (internal scan). It may be a deep inspection that is possible when the scanner has been provided with credentials to authenticate itself as a legitimate user of the host or device.

Vulnerability management

Vulnerability scanning is only one part of the vulnerability management process. Once the scanner discovers a vulnerability, it must be reported, verified (is it a false positive?), prioritized and classified for risk and impact, remediated, and monitored to prevent regression.

Your organization needs a process – more or less formal – for addressing vulnerabilities. A vulnerability management process includes scheduled scans, prioritization guidance, change management for software versions, and process assurance. Most vulnerability scanners can be part of a full vulnerability management solution, so larger organizations need to look at that context when selecting a scanner.

Many vulnerabilities can be addressed by patching, but not all. A cost/benefit analysis should be part of the process because not all vulnerabilities are risks in every environment, and there may be business reasons why you can’t install a given patch. Thus it’s useful when remediation guidance from the tool includes alternative means (eg, disabling a service or blocking a port via firewall).

Features to consider

When choosing a vulnerability scanner there are many features to evaluate.

  • Is the scanner network-based, doing host/device discovery and target profiling?
  • What is the range of assets it can scan – hosts, network devices, web servers, virtual machine environments, mobile devices, databases? Does that fit your organization’s needs?
  • Is its vulnerability database comprehensive and a good match for your network’s platforms? Does the database automatically receive a regular feed of updates?
  • Is the scanner accurate in your environment? Does it swamp you with uninformative low-level results? What is the incidence of false positives and false negatives? (A false positive entails wasted effort to investigate, and a false negative means an undetected risk.)
  • Is the scanner reliable and scalable?
  • Are the scanner’s tests unnecessarily intrusive? Does scanning impact hosts/devices thereby slowing performance and potentially crashing poorly-configured devices?
  • Can you set up scheduled scans and automated alerts?
  • Does it provide canned policies (e,g. for particular compliance regimes)? Can you define your own policies?
  • Are scan results easy to understand? Can you sort and filter? Can you visualize trends over time? Does it provide useful guidance about prioritization?
  • Does it help with remediation? Are the instructions clear? How about automated remediation through scripting? Does it provide, or integrate with, automated software updating services to install service packs and patches?
  • What is the range of canned reports it provides, and what is their quality? Does it provide any compliance reports you need? Can you easily define your own report formats?


The vulnerability scanner is only one source of information and is not a replacement for having knowledgeable staff.

Like many network administration tools targeted at enterprises, a high-end vulnerability scanner tends to be expensive. Good no-cost options are available, but many are limited in the size of the network they’ll handle, and all entail the cost of paying staff to learn the tool, install and configure it, and interpret its results. Thus, you should evaluate whether paying for more automation and support may be cheaper in the long run.

Installing a scanner can be complex, and likely the scanner will initially grind for a few hours to fetch updates to its vulnerability database and preprocess them. Also, depending on the number of hosts and the depth of the scan selected, a given scan can also take hours.

Here’s a list of the 6 best network vulnerability scanners:

  1. SolarWinds Network Configuration Manager (FREE TRIAL)
  2. OpenVAS
  3. Microsoft Baseline Security Analyzer (MBSA)
  4. Retina Network Scanner Community Edition
  5. Nexpose Community Edition
  6. Flexera Personal Software Inspector

1. SolarWinds Network Configuration Manager (FREE TRIAL)

SolarWinds Network Configuration Manager (NCM) is an outlier in our list; it is only free for an evaluation period and covers a particular (but important) subset of vulnerabilities. NCM handles both vulnerability scanning and management for the domain of vulnerabilities arising from router and switch misconfiguration. It focuses on remediation, monitoring for unexpected changes, and compliance auditing. NCM is only free during a fully-functional trial of 30 days.

NCM scans for vulnerabilities in the configurations of Cisco Adaptive Security Appliance (ASA) and Internetwork Operating System (IOS®)-based devices.

SolarWinds Network Configuration Manager user interface
Figure 1: SolarWinds NCM.

For vulnerabilities due to configuration errors, it provides the ability to run remediation scripts automatically upon detection of a violation, and automatically deploy standardized configuration updates to hundreds of devices.

To address unauthorized changes including regressions, it provides configuration change monitoring and alerting. It can continuously audit routers and switches for compliance. It performs National Institute of Standards and Technology (NIST®) Federal Information Security Management Act (FISMA) and Defense Information Systems Agency (DISA®) Security Technical Implementation Guide (STIG) compliance reporting out-of-the-box.

For the trial, a lightweight install can install and use SQL Server Express, but the database is limited to 10 gigabytes.


SolarWinds Network Configuration ManagerDownload FREE 30-Day Trial at

2. OpenVAS

The Open Vulnerability Assessment System OpenVAS is a comprehensive vulnerability scanning and vulnerability management system. It’s free of cost, and its components are free software, most licensed under the GNU GPL. It was forked off the renowned (and costly) vulnerability scanner Nessus when Nessus became a proprietary product. OpenVAS is also part of Greenbone Network’s for-cost vulnerability management solution.

OpenVAS uses an automatically-updated community feed of Network Vulnerability Tests (NVTs), over 50,000 and growing. Greenbone’s for-cost product provides an alternative commercial feed of vulnerability tests that updates more regularly and has service guarantees, along with support.

OpenVAS is available as packages in multiple Linux distros, in source code form, and as a virtual appliance that can be loaded into a VM on Windows. It is also part of Kali Linux.

OpenVAS has a web-based GUI, the Greenbone Security Assistant, a Qt-based GUI, the Greenbone Security Desktop, and a CLI.

Main dashboard of OpenVAS
Figure 2: OpenVAS web GUI dashboard.

Once you are logged in on the web-based GUI you can run your first scan via the Scans menu item: Scans > Tasks. then on the Tasks page use the Task Wizard button near the upper left.

Task wizard to do simple tasks quickly
Figure 3: OpenVAS task wizard.

When you’ve run a scan task, the Scans > Results page lists the vulnerabilities found.

After a scan, the results page summarizes vulnerabilities found.
Figure 4: OpenVAS Results page summarizes vulnerabilities found.

You can drill down to a particular vulnerability for an explanation and remediation help.

Clicking on a vulnerability provides details about it and remediation.
Figure 5: Details on a particular vulnerability.

Reports can be exported in various formats, and delta reports can be generated to look at trends.

Reports can be generated.
Figure 6: OpenVAS reports.

Installing and using OpenVAS has a significant learning curve. Although free, OpenVAS is not simply a vulnerability scanner but a full-up free vulnerability management platform.

3. Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) is an old staple, an on-host vulnerability scanner restricted to the domain of vulnerabilities in Microsoft products. It’s getting long in the tooth but is still useful for smaller businesses primarily running Windows.

MBSA is a straightforward tool that only scans Windows machines for particular Microsoft-specific issues and basic vulnerabilities and misconfigurations. MBSA can scan the local host, a domain, or an IP address range.

MBSA main screen lets you select which hosts to scan.
Figure 8. MBSA can scan one or multiple Windows computers.

MBSA scans for missing service packs or security updates. It also scans for administrative issues in Windows, Windows Firewall, IIS, SQL Server, and Office applications.

Selecting what items to scan for -- missing update, simple administrative issues.
Figure 9: MBSA checks for missing updates and simple administrative issues.

MBSA generates a report for each host scanned, with issues labeled by priority.

MBSA's report includes missing updates and misconfigurations in Microsoft products and services.
Figure 10: Report of vulnerabilities in Microsoft products and services like SQL Server.

MBSA has not yet been updated for Windows 10, but version 2.3 largely works. Some tweaking is required to clean up false positives and fix checks that cannot be completed. For instance, it will give a false-positive complaint about Windows Update not being enabled.

MBSA does not deal with non-Microsoft vulnerabilities or complex vulnerabilities, but it is simple to use and still handy for small Microsoft-oriented shops.

4. Retina Network Scanner Community Edition

Retina Network Security Scanner Community Edition (RNSS) is a comprehensive vulnerability scanner and can be paired with a for-cost full-lifecycle vulnerability management system. RNSS is free for scans of up to 256 IP addresses. It was developed by eEye, which is now part of BeyondTrust.

The Retina scanner’s extensive vulnerability database is automatically updated and identifies network vulnerabilities, configuration issues, and missing patches, covering a range of operating systems, devices, virtual environments, and applications.

Installation is straightforward and the user interface is intuitive.

Retina's user interface has three key tabs.
Figure 11: Retina user interface.

Once a scan has been run via the Audit tab, you can inspect the vulnerabilities on the Remediate tab.

Go to the Remediate tab to see the vulnerabilities found by a scan.
Figure 12: Retina Remediate tab lists vulnerabilities found.

Vulnerabilities can be sorted and filtered, and you can drill down to individual vulnerabilities.

Selecting one vulnerability leads to guidance on how to remediate it.
Figure 13: Drilling down to a vulnerability for guidance.

You can generate various kinds of reports to access scan results outside the tool.

The generated report in PDF summaries findings.
Figure 14: Start of Retina scan report in PDF.

The Retina Network Security Scanner is the scan engine for Retina CS Enterprise Vulnerability Management, a full vulnerability assessment and remediation solution which can perform scheduled scans, alerts, historical trend tracking, configuration compliance, patch management, and compliance reporting.

5. Nexpose Community Edition

Nexpose Community Edition is a comprehensive vulnerability scanner by Rapid7, the owners of the Metasploit exploit framework. The free version of Nexpose is limited to 32 IP addresses at a time, and you must reapply after a year.

Nexpose runs in Windows, Linux, and VM appliances. It scans networks, OSes, web apps, databases, and virtual environments. Nexpose can be paired with Rapid7’s for-cost InsightVM vulnerability management system for a comprehensive vulnerability management lifecycle solution.

The Community Edition comes with a trial of Rapid7’s web-based console. The online help, behind the “?” icon, is your most helpful asset when getting started.

In the web GUI, you define one or more “sites” – networks of interest – for instance, by providing a CIDR address range. You can then choose from one of several predefined scan templates.

Nexpose has "scan templates" for selecting different types of scans.
Figure 15: Nexpose web GUI has multiple predefined scan templates.

Discovery Scan identifies all the devices and hosts in your specified address range.

Use a discover scan to find hosts and devices.
Figure 16: Nexpose Discovery Scan finds assets on the network.

After that, running a Full audit enhanced logging without Web Spider gives you a good initial look at vulnerabilities on your site.

The vulnerabilities list starts with a graphical roll-up.
Figure 17: Analysis of vulnerabilities found.

You can drill down to find details of vulnerabilities.

Selecting a vulnerability to view details.
Figure 18: Drilling down to details on a vulnerability.

You can look at the vulnerabilities status of a particular host or device. Each vulnerability includes guidance for remediation.

A vulnerability's details includes access to remediation guidance.
Figure 19: Guidance for remediating.

The web console provides multiple predefined reports.

Reports roll up vulnerability status.
Figure 20: Nexpose’s report analyzes vulnerabilities found.

You can also set up scheduled scans, enable compliance policies, and track the history of the site’s exposure to vulnerabilities.

6. Flexera Personal Software Inspector

Secunia Personal Software Inspector (PSI), now Flexera PSI, is a classic tool that is still useful for smaller businesses. PSI is an on-host vulnerability scanner restricted to the domain of vulnerabilities due to unpatched and out-of-date software.

PSI lists unpatched programs it has found.
Figure 21: PSI checks for unpatched programs on Windows.

Flexera PSI scans for vulnerable software packages, it does not do network scanning. PSI tracks vulnerabilities and patches for thousands of programs running on Windows. It scans the Windows machine it’s running on to identify insecure programs that need to be patched. Where possible it will download required patches and install them without user interaction. For updates requiring human intervention, it will notify you and provide instructions.

Flexera PSI is a per-machine solution, so it is only practical for small businesses, but growing businesses can graduate to the for-cost Corporate Software Inspector (Flexera CSI).

4 more network vulnerability scanners

If the six best network scanners in our list don’t quite fit your needs, you might consider one of these alternatives, which are “bubbling under” the leaders.

Tripwire Enterprise

The Tripwire Enterprise package of security vulnerability checks is not free but you can try a demo. However, you can get it on a free trial. This service not only scans your network for anomalies on demand, but runs in real-time, alerting you to any configuration or data changes on your network and enforcing change control.

Qualys FreeScan

Qualys FreeScan is an online service that examines a server or network for security weaknesses. It will identify your server software and check that they are up to the latest patches. The scan will also search for infection or intruder activity. This service is not free forever, after 10 scans you have to pay.


High-Tech Bridge offers a range of network vulnerability scanning services under the brand ImmuniWeb. This is a very sophisticated AI-based system that can be used as a one-time service or contracted in on an SLA for continuous monitoring, consultancy, and advice. This solution is very pricey, but you can ask for a free trial.


Netsparker is available as an on-premises application or as a cloud service. This is a very expensive option, which is the main reason that it does not appear in the main list of this guide. The vulnerability scanner is aimed at web servers and authenticates the activities of all applications that operate to support a web-based enterprise.


Vulnerability scanning – and in fact, vulnerability management – is one aspect of protecting your network. Scanners can only detect vulnerabilities that already have tests implemented. You also need to develop a sense of your network’s normal behaviors, via bandwidth monitoring and analysis tools, particularly tools that let you specify automated alerts. When you sense an anomaly and must investigate, network analyzers and packet sniffers are key tools. And there are many other kinds of security tools for the network administrator.

Vulnerability scanning is an important tool to help defend your network. There are multiple free options to try out; the right one for your organization is based on your needs, funding, and expertise – or willingness to learn.

Image from “Coast Guard cyber experts aim to delete computer hacking”,  labeled for reuse with modification.