Every day, security researchers and hackers discover new vulnerabilities, augmenting the tens of thousands of known holes in applications, services, operating systems, and firmware.
Vulnerability scanning tools provide automated assistance for tracking known vulnerabilities and detecting your exposure to them.
Here is our list of the best network vulnerability scanning tools:
- SolarWinds Network Configuration Manager EDITOR’S CHOICE Our top choice as it’s the most comprehensive tool available. NCM has advanced options to create and monitor configuration policies and issues arising from them. On top of that, it offers vulnerability scanning, as well as the ability to run remediation scripts automatically and roll out standardized configurations to hundreds of clients. Start a 30-day free trial.
- Intruder Vulnerability Scanner (FREE TRIAL) A subscription vulnerability scanning service based in the cloud. Plans offer monthly scans, on-demand scans, and human penetration testing.
- SecPod SanerNow Vulnerability Management (FREE TRIAL) A SaaS cyber-hygiene platform that centers on a vulnerability manager and system protection tools that act on the findings of the scanner.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL) Both free and paid versions for Windows and Windows Server environments, includes vulnerability scanning and automated mitigation.
- Domotz (FREE TRIAL) This cloud-based network remote monitoring and management service for networks and endpoints include security scanning and patch management.
- Paessler Network Vulnerability Monitoring with PRTG Part of the PRTG resource monitoring system, this tool checks logs and monitors traffic patterns as well as guarding ports and resource usage. It is free to use for up to 100 sensors.
- CrowdStrike Falcon A cloud-based next-generation AV that protects networks and endpoints. Includes threat-hunting module.
- ImmuniWeb An AI-driven web-based vulnerability scanner with options from free to human expert pen testing.
- OpenVAS The Open Vulnerability Assessment System is a free vulnerability manager for Linux that can be accessed on Windows through a VM.
- Nexpose Community Edition Free for scans of up to 32 IP addresses, this tool discovers and logs your network-connected devices, highlighting any known vulnerabilities in each.
Who needs a network vulnerability scanner?
Any network beyond the smallest office has an attack surface too large and complex for purely manual monitoring. Even if you are only responsible for a few hosts and devices, you need automated assistance to efficiently and thoroughly track the burgeoning list of known vulnerabilities and ensure that your network is not exposed.
Nowadays, most operating systems provide automated software updates. For a small organization, that may be sufficient. But how much of your installed software does that cover? And what of misconfigured services or unauthorized software that has popped up in your network?
The “hack yourself first” adage suggests that any host or device exposed to the internet should be penetration tested, and the “defense in depth” principle says that even “internal” hosts and devices must be audited regularly.
A vulnerability scanner provides automated assistance with this. Like many network administration tools, a vulnerability scanner has both legitimate and illegitimate uses. It can be helpful to the system administrator, developer, security researcher, penetration tester, or black-hat hacker. It can be used for assessing exposure to secure your network, or for seeking viable exploits to enable breaking into it.
How does network vulnerability scanning work?
Vulnerability scanning software relies on a database of known vulnerabilities and automated tests for them. A limited scanner will only address a single host or set of hosts running a single operating system platform. A comprehensive scanner scans a wide range of devices and hosts on one or more networks, identifying the device type and operating system, and probing for relevant vulnerabilities with lesser or greater intrusiveness.
A scan may be purely network-based, conducted from the wider internet (external scan) or from inside your local intranet (internal scan). It may be a deep inspection that is possible when the scanner has been provided with credentials to authenticate itself as a legitimate user of the host or device.
Vulnerability scanning is only one part of the vulnerability management process. Once the scanner discovers a vulnerability, it must be reported, verified (is it a false positive?), prioritized and classified for risk and impact, remediated, and monitored to prevent regression.
Your organization needs a process – more or less formal – for addressing vulnerabilities. A vulnerability management process includes scheduled scans, prioritization guidance, change management for software versions, and process assurance. Most vulnerability scanners can be part of a full vulnerability management solution, so larger organizations need to look at that context when selecting a scanner.
Many vulnerabilities can be addressed by patching, but not all. A cost/benefit analysis should be part of the process because not all vulnerabilities are security risks in every environment, and there may be business reasons why you can’t install a given patch. Thus it’s useful when remediation guidance from the tool includes alternative means (e.g., disabling a service or blocking a port via firewall).
Related post: Alternatives to Microsoft Baseline Security Analyzer
Features to consider
When choosing a vulnerability scanner there are many features to evaluate.
- Is the scanner network-based, doing host/device discovery and target profiling?
- What is the range of assets it can scan – hosts, network devices, web servers, virtual machine environments, mobile devices, databases? Does that fit your organization’s needs?
- Is its vulnerability database comprehensive and a good match for your network’s platforms? Does the database automatically receive a regular feed of updates?
- Is the scanner accurate in your environment? Does it swamp you with uninformative low-level results? What is the incidence of false positives and false negatives? (A false positive entails wasted effort to investigate, and a false negative means an undetected risk.)
- Is the scanner reliable and scalable?
- Are the scanner’s tests unnecessarily intrusive? Does scanning impact hosts/devices thereby slowing performance and potentially crashing poorly-configured devices?
- Can you set up scheduled scans and automated alerts?
- Does it provide canned policies (e,g. for particular compliance regimes)? Can you define your own policies?
- Are scan results easy to understand? Can you sort and filter? Can you visualize trends over time? Does it provide useful guidance about prioritization?
- Does it help with remediation? Are the instructions clear? How about automated remediation through scripting? Does it provide, or integrate with, automated software updating services to install service packs and patches?
- What is the range of canned reports it provides, and what is their quality? Does it provide any compliance reports you need? Can you easily define your own report formats?
The vulnerability scanner is only one source of information and is not a replacement for having knowledgeable staff.
Like many network administration tools targeted at enterprises, a high-end vulnerability scanner tends to be expensive. Good no-cost options are available, but many are limited in the size of the network they’ll handle, and all entail the cost of paying staff to learn the tool, install and configure it, and interpret its results. Thus, you should evaluate whether paying for more automation and support may be cheaper in the long run.
Installing a scanner can be complicated, and likely the scanner will initially grind for a few hours to fetch updates to its vulnerability database and preprocess them. Also, depending on the number of hosts and the depth of the scan selected, a given scan can also take hours.
Network vulnerability scanning and penetration testing
Penetration testing is another method of checking on the security of an IT system. Some data security standards, such as PCI-DSS require both. The definition of the two concepts often gets muddled.
A vulnerability scan is usually automated and searches an IT system for known weak points. These might be browser loopholes that need protection software in place to block attacks such as file-less malware. The network vulnerability scan is like running through a checklist of vulnerabilities and reporting which of those problems exist on the system and need to be addressed.
Penetration testing is usually a manual task. This sets a technician to act like a hacker and try to break into or damage the system. The confusion between the definition of vulnerability scanning and “pen-testing” arises from the increasing sophistication of penetration testing tools. The technician testing the system needs certain tools to implement trial attacks. As software houses compete to sell in the lucrative pen-testing market, they include more and more automation to attract “white hat hackers.”
Similarly, the developers of vulnerability scanners are looking for the same entry points that hackers use and so procedures in the vulnerability detection software use the same techniques that pen-testing tools provide.
It is worth investigating pen-testing tools because you will need to implement this security strategy as well as network vulnerability scanning. Pen-testing for website vulnerabilities is a particularly strong growth area at the moment. However, keep in mind that you will still need a vulnerability scanner.
The best network vulnerability scanning software
When selecting the tools that would make up this list, primary considerations included the reliability and industry reputation of the software vendor, their ability to keep their product maintained and up to date, unique features, ease of setup and use, and scalability options.
Our methodology for selecting a vulnerability scanner
We reviewed the market for vulnerability scanners and analyzed the options based on the following criteria:
- A system that includes threat mitigation processes as well as vulnerability testing
- Nice to have a linked patch manager to update vulnerable software
- Nice to have a configuration manager to protect devices from tampering
- Detection processes for OWASP top 10 threats
- Full activity logging for data protection standards compliance
- A free trial period for a risk-free assessment
- A tool that thoroughly detects all vulnerabilities because a half-fulfilled sweep offers no protection
SolarWinds Network Configuration Manager (NCM) is an outlier in our list; it is only free for an evaluation period and covers a particular (but important) subset of vulnerabilities. NCM handles both vulnerability scanning and management for the domain of vulnerabilities arising from the router and switch misconfiguration. It focuses on remediation, monitoring for unexpected changes, and compliance security auditing. NCM is only free during a fully-functional trial of 30 days.
NCM scans for vulnerabilities in the configurations of Cisco Adaptive Security Appliance (ASA) and Internetwork Operating System (IOS®)-based devices.
For vulnerabilities due to configuration errors, it provides the ability to run remediation scripts automatically upon detection of a violation, and automatically deploy standardized configuration updates to hundreds of devices.
- Protects device configurations
- Rolls back unauthorized set up changes
- Spots malicious activity
- Standardizes network setup
- 30-day free trial
To address unauthorized changes including regressions, it provides configuration change monitoring and alerting. It can continuously audit routers and switches for compliance. It performs the National Institute of Standards and Technology (NIST®), Federal Information Security Management Act (FISMA), and Defense Information Systems Agency (DISA®) Security Technical Implementation Guide (STIG) compliance reporting out-of-the-box.
- Supports vulnerability scanning and lists action steps to correct issues
- Can automatically detect when configuration changes are made or are incorrect based on standards you set
- Can push out firmware updates automatically on a schedule
- Enterprise levels reporting and scalability
- Alerting is flexible, and can be set to notify recipients when configuration changes are made
- Not designed for home users, this tool was designed for businesses environments operated by network professionals
For the trial, a lightweight install can install and use SQL Server Express, but the database is limited to 10 gigabytes.
SolarWinds NCM is more comprehensive than the other tools on the list, NCM has advanced options to create and monitor configuration policies and issues arising from them (issues most commonly arise when configurations are being changed). On top of that, it offers vulnerability scanning, as well a the ability to run remediation scripts automatically for configuration issues and roll out standardized configurations to hundreds of clients. Our choice as it’s the most comprehensive network scanning tool listed.
Get 30 Day Free Trial: https://www.solarwinds.com/network-configuration-manager
OS: Windows Server
Intruder is a cloud-based SaaS product that offers three levels of vulnerability scanning services. The basic service of Intruder launches a monthly scan of the protected system, looking for vulnerabilities. Intruder constantly updates its central database of known attack vectors whenever a new one is discovered. This information leads to an understanding of the system vulnerabilities that make those attacks possible.
The vulnerability might be one that has already been used for other attack strategies. In which case, the system security weakness will already be flagged by Intruder and all of its customers would already have been notified of this problem if the monthly scan revealed its presence.
If a new hacker strategy is found to be using a new vulnerability, then that weakness gets registered in the scanner’s rule base and all customers’ systems get re-scanned.
A typical vulnerability report delivers an itemized list of all system features and whether or not that element needs to be hardened. Problems generally fall into the categories for unpatched systems, software that should be updated, open ports, exposed databases. Content management system security loopholes, usage of default passwords, and configuration weaknesses.
- Continuous scanning for weaknesses and missing patches
- Integrates with most commonly used architectures
Intruder’s vulnerability scans cover all on-premises resources on a client’s site. Higher plans also scan all of the cloud services used by the client. The intruder system, console, being cloud-based, is available from anywhere through a browser.
The Intruder system is offered in three plan levels. Each can be paid for either monthly or annually. However, all of the selected subscription period has to be paid for upfront. The three plans are Essential, Pro, and Vanguard. Apart from the emergency scans that are performed when a new vulnerability is discovered, all plans also get a routine, scheduled monthly scan. The Pro plan has an additional on-demand scanning facility and the Vanguard plan includes the services of human penetration testers.
- Sleek, highly visual with an excellent interface
- Can perform schedule vulnerability scans automatically
- Can scan all new devices for vulnerabilities and recommended patches for outdated machines
- Operates in the cloud, no need for an on-premise server
- Can assess vulnerabilities in web applications, databases, and operating systems
- Three-tiered pricing makes Intruder accessible to any size businesses
- While the tool is highly intuitive, it is still can require quite some time to fully explore all of the platform’s features
The Intruder service is available for a 30-day free trial.
SecPod SanerNow Vulnerability Management is a cloud-based cyber-hygiene platform that includes security management tools for private networks. It lets you scan, detect, assess, prioritize and remediate vulnerabilities across network devices from the same console seamlessly.
The vulnerability scanner in his package of tools is the key service that triggers other functions and supplies system management tools with asset data. The scanner operates periodically, probing vulnerabilities on endpoints running Windows, macOS, and Linux. his service is suitable for businesses complying with HIPAA, PCI DSS, and GDPR.
The vulnerability manager probes devices to check on all ports and also checks all of the settings of the operating system. It examines the version of the operating system, which tells the scanner its patch status. Tests continue to search through for all software and identify the version numbers of those packages. All of this information is passed through to an asset manager, which maintains a software inventory.
The vulnerability manager can be set to perform scans at a frequency of up to every five minutes. The weaknesses that the vulnerability scanner looks for are dictated by a SCAP database. SCAP stands for Security Content Automation Protocol. There are more than 100,000 factors in the SCAP system for the SanerNow vulnerability manager.
The remediation processes of the vulnerability scanner are implemented by the patch manager of SanerNow. The patch manager interfaces with the software inventor and the vulnerability scan results and then accesses the sites of each software and operating system supplier to get patches and updates. The patch manager copies over the installers of these systems and then applies them at the next available maintenance window.
As it is a cloud-based system, the main processing service of SanerNow is hosted for you. This SaaS package includes a comprehensive dashboard, which gives administrators access to the system settings for the monitoring service and also screens of data and action results. All information in the dashboard gets automatically updated every time the vulnerability scanner runs.
- Associated patch manager and asset manager
- Suitable for data privacy standards compliance
All of the functions of SanerNow log and document all of the system and all of their actions thoroughly. The reporting feature of the package includes summaries of this data and stored logs are very useful for standards compliance auditing.
- Scheduled vulnerability scans with adjustable frequency
- Linked patch management with automated patch gathering
- Scans for more than 130,000 vulnerabilities
- Thorough activity logging
- Scanning for devices running Windows, macOS, and Linux
- System console accessible through any standard Web browser
- Some managers don’t like moving secure management out to external platforms
The platform for SecPod SanerNow is a subscription service. SecPod doesn’t publish a price tariff. Instead, the Sales Department negotiates a price with each new customer individually. The best way to get to know the SanerNow service with its vulnerability scanner is to access a 30-day free trial.
ManageEngine produces a wide range of IT infrastructure management tools and Vulnerability Manager Plus is the company’s competitor in the system protection market. The full list of features of this tool is only available to the paid version of the utility, which is designed for large LANs and multi-site networks. The free version is suitable for small and middle-sized enterprises and it will protect up to 25 devices.
The free version gives you both on-demand and scheduled network vulnerability scanning that will detect issues with your in-house network. The advanced technology deployed in the scanner can detect anomalous behavior. This strategy is more effective at identifying zero-day vulnerabilities than conventional rule-based threat database-driven detection systems. You also get threat mitigation actions built into the free edition of Vulnerability Manager Plus.
System and security threats may lie in weak configuration security or out of date software. Vulnerability Manager Plus includes Configuration Management and Patch Management functions that close off these weaknesses. The vulnerability scan will highlight misconfigured devices and enable you to roll out standard configuration policies. The scan also checks on software versions and lets you automate patch installations. You get the option of which patches to rollout, letting you skip versions in cases where essential customizations could be lost through automated software updates. These configuration and software monitoring capabilities extend to web servers and firewalls.
The scanner will identify risky software installed on your equipment and automatically remove unauthorized or unadvised installs.
System administrators get special tools in a dashboard that enable them to extend the basic capabilities of the vulnerability manager. These extend to the integration of Active Directory authentication. The utilities available on the dashboard can be tailored according to the administrator role, which enables team managers to limit the functions available to individual technicians.
- Configuration manager and patch manager
- Free version available
Powerful actions available through the dashboard includes Wake-on-LAN and shutdown capabilities, which can be set as automated mitigation processes or commanded manually. Management reports and system audit recording are included in the Vulnerability Manager Plus package.
- Great for proactive scanning and documentation
- Robust reporting can help show improvements after remediation
- Built to scale, can support large networks
- Flexible – can run on Windows, Linux, and Mac
- Backend threat intelligence is constantly updated with the latest threats and vulnerabilities
- Supports a free version, great for small networks
- The ManageEngine ecosystem is very detailed, requiring time to learn all of its features
The free edition of the package includes almost all of the capabilities of the two paid versions, which are called Professional and Enterprise editions. You can get a 30-day free trial of either of the two paid versions if your device inventory is too large to qualify for the use of the free version.
Domotz is a SaaS platform that provides remote monitoring and management systems for networks and endpoints. The package includes security scans and a patch manager to close down vulnerabilities. The tool will also backup network device configurations and restore them if settings are changed unexpectedly.
- Remote monitoring and management
- Fixed price per LAN
- Security scans
When you enroll a network into the Domotz monitoring program, the cloud-based service installs an agent on one of the servers on the site. This acts as an SNMP Manager and scans the network to discover all connected devices. The system creates a device inventory, detailing hardware attributes, and then scans each endpoint, noting its operating system and software profile. This action is the basis for a patch management cycle.
The Domotz package keeps scanning the monitored system both for performance issues and security enforcement. The service also looks for unauthorized changes to the configurations of network devices. If a performance issue arises or if a security weakness is spotted, the monitor will raise an alert.
The monitoring screens of the Domotz service are hosted on the cloud and they over live aggregated data from multiple sites and then drill down views for each LAN and down to each device. Security scanning needs to be set up and it will then look for deviations from the security policies that you specify.
Security scans also check switch ports and can assess the external security of a network from its cloud location. All reports are stored on the Domotz server for later manual analysis. The package will also check connection security or the protocols that carry your traffic across the internet securely.
The Domotz package also provides a range of analysis tools that can be run on-demand or on a schedule. Examples of these are availability testing with Ping and TraceRoute. Domotz lets you monitor wireless networks and IoT devices, such as security cameras as well as traditional network systems.
Domotz has a multi-tenanted architecture, so managed service providers can use this service to watch over client networks. It is possible to register multiple networks in the same sub-account and consolidate the monitoring of all sites for each customer.
- Port scanning and internet connection security monitoring
- Software inventory management and patching
- Constant network scans that spot unauthorized devices
- Device settings protection through scans and backups
- The trial only lasts 14 days
Domotz charges a fixed fee per network, so the price doesn’t change according to the number of devices on the LAN. You can assess Domotz with a 14-day free trial.
The Paessler system monitoring product is called PRTG. It is a unified infrastructure monitoring tool that covers networks, servers, and applications. PRTG is a bundle of tools and each of those utilities is called a ‘sensor.’ The package has a number of sensors that guard your business against network attacks.
- Automatic device inventory assembly
- Constant checks on hardware changes
Any security assessment has to begin with a check on all of your existing infrastructure. PRTG discovers and monitors all of your network devices for status changes and alert conditions. Network traffic monitoring provided by PRTG can also highlight unusual activities that might indicate an intrusion.
A packet sniffing sensor can be used for deep packet inspection, giving you data on the protocol activity in your traffic. This can be identified by port number or traffic source or destination, among other identifiers.
The Syslog Receiver module in Paessler PRTG will prove more security scanning features to your system defense strategy. Network attacks leave a paper trail and gathering Syslog and Windows Event Log messages is step one in your vulnerability scan strategy.
PRTG is a pure monitoring system, so it doesn’t include any active management and resolution functions, such as patch management or configuration management. However, it does include some extra security assessment features, such as its port scanning and monitoring utility.
Any factor monitored by PRTG can be used as a feed into the tool’s alerting system. Factors such as log message volume, log message severity, SNMP Trap data and port activity can all be included in custom alerts.
Paessler sets charging bands for PRTG that are based on the number of sensors that are activated. Every customer receives delivery of the full PRTG system, but with all of its sensors inactive. You customize your implementation by activating the desired sensors.
- Great for organizations looking for a most holistic form of network, applications, server, and vulnerability monitoring
- Can detect unusual activity and alert proactively
- Scalable pricing based on number of sensors
- Good option for any size network
- Freeware version supports 100 sensors
- Very detailed platform – can take time to fully learn all features and options available
You can use PRTG for free permanently if you only activate up to 100 sensors. You can get a 30-day free trial of PRTG with unlimited sensors to check out its network protection features for yourself. You benefit from full user support, system updates, and security patches even while you are in the free trial period.
CrowdStrike Falcon is a cloud-based endpoint protection system, which covers an entire network by defending the boundary of the system as well as examining all activity on the network for suspicious activity. The Falcon platform is composed of a series of modules that includes threat hunting, and malware identification.
The vulnerability management system of CrowdStrike Falcon is called Falcon Spotlight. This is a standalone product that can be integrated with other modules that are bought as part of a Falcon bundle. The CrowdStrike Falcon bundles are available in four editions: Pro, Enterprise, Premium, and Complete.
CrowdStrike Falcon Spotlight uses a blend of AI processes and a threat intelligence database to spot vulnerabilities in endpoints and networks. The threat intelligence database is continuously updated and includes information about attack incidences that are sourced from around the world.
As a remote system, Spotlight requires an agent on the site so that it can gain full access from within the network and scan all devices. Another benefit of the agent is that it enables the Spotlight system to continue to manage vulnerability issues even if the connection to the internet gets lost. This is the same agent used for the Falcon Platform, so if you already have the Falcon Platform services, you won’t have any further installation tasks to undertake to use Falcon Spotlight.
- Cloud-based processing
- Endpoint protection platform
- Threat intelligence database
- AI procedures
A benefit of the cloud location of Falcon Spotlight is that it is site-neutral. It can scan the endpoints of a business no matter where they are, so it can easily be deployed for multi-site operations and controlled by a central administrator.
Falcon Spotlight doesn’t perform system scans. It logs the devices connected to the network and then reports on the known vulnerabilities of those endpoints as new information on those weaknesses is discovered.
Vulnerability information is made available in the Falcon dashboard, which is accessed through any standard browser. The Spotlight vulnerability information is also available as a feed, which, through the use of a falcon API, can be channeled through to other applications for incident response and threat mitigation.
- Supports networks scanning as well as endpoint protection
- Integrates well with other CrowdStrike tools
- Leverages AI to detect threat activity and assist sysadmin is remediation
- Offers the tool as a cloud service, avoiding complicated installations
- Could use a longer trial period
CrowdStrike offers a free trial of the Falcon system so you can try out its modules for free.
High-Tech Bridge offers a range of network vulnerability scanning services under the brand ImmuniWeb. This is a very sophisticated AI-based system that can be used as a one-time service or contracted in on an SLA for continuous monitoring, consultancy, and advice.
ImmuniWeb specialize in vulnerability scanning and pen testing. The company doesn’t do anything else but it provides a wide range of options for that one task of checking for faults and loopholes in the systems of companies that would give hackers a way in. The automated system focus on vulnerabilities in web servers.
- Vulnerability scanning and pen testing
- Community Edition is free to use
The ImmuniWeb product list ranges from a free Community Edition, through an AI-based automated vulnerability scanner, to the services of a team of human pen testers. The standard of service you get depends on how much you are prepared to pay.
The main vulnerability scanning product of ImmuniWeb is called ImmuniWeb Discovery. This is the AI-based software that provides automated scans of your system from an outsider’s perspective. It will look at your network for all of the ways they know a hacker will try to get in. Unlike a system that just looks for the existence of a list of known exploits, ImuniWeb Discovery applies machine learning techniques to verify any detected weakness and this reduces the incidences of false positive reporting.
The key difference between vulnerability scanning and pen testing is that vulnerability scanning is performed by software automatically and pen testing is a human endeavor. The other security services of ImmuniWeb are all in the pen testing category. These are called ImmuniWeb On-Demand, ImmuniWeb MobileSuite, and ImmuniWeb Continuous.
- Offers pen testing and vulnerability as a done-for-you service – good for companies looking for something more hands-off
- Reporting and dashboards are easy to navigate and use color well to highlight important metrics
- Leverages AI for scanning and threat detection
- Offers a free version, good for small businesses
- Could use better multi-language support
- Is more expensive than some more technical options
The Open Vulnerability Assessment System, OpenVAS is a comprehensive open-source vulnerability scanning tool and vulnerability management system. It’s free of cost, and its components are free software, most licensed under the GNU GPL. It was forked off the renowned (and costly) vulnerability scanner Nessus when Nessus became a proprietary product. OpenVAS is also part of Greenbone Network’s for-cost vulnerability management solution.
- Community-source vulnerability database
- Open source
OpenVAS uses an automatically-updated community feed of Network Vulnerability Tests (NVTs), over 50,000 and growing. Greenbone’s for-cost product provides an alternative commercial feed of vulnerability tests that updates more regularly and has service guarantees, along with support.
OpenVAS is available as packages in multiple Linux distros, in source code form, and as a virtual appliance that can be loaded into a VM on Windows. It is also part of Kali Linux.
OpenVAS has a web-based GUI, the Greenbone Security Assistant, a Qt-based GUI, the Greenbone Security Desktop, and a CLI.
Once you are logged in on the web-based GUI you can run your first scan via the Scans menu item: Scans > Tasks. then on the Tasks page, use the Task Wizard button near the upper left.
When you’ve run a scan task, the Scans > Results page lists the vulnerabilities found.
You can drill down to a particular vulnerability for an explanation and remediation help.
Reports can be exported in various formats, and delta reports can be generated to look at trends.
- Completely open-source tool
- Large dedicated community
- Free to use
- No paid support option
- Interface is barebones and lacking quality of life features
- Enterprises will likely find the learning curve frustrating
Alternatives to OpenVAS
Installing and using OpenVAS has a significant learning curve. Although free, OpenVAS is not simply a vulnerability scanner but a full-up free open source vulnerability management platform. The steep learning curve is one of the main reasons many network administrators look for alternatives to OpenVAS, particularly those that prefer a less hands-on approach while still requiring the robustness of a competent tool. This is why OpenVAS comes in at third on our list after the SolarWinds and Paessler offerings.
Nexpose Community Edition is a comprehensive vulnerability scanner by Rapid7, the owners of the Metasploit exploit framework. The free version of Nexpose is limited to 32 IP addresses at a time, and you must reapply after a year.
Nexpose runs in Windows, Linux, and VM appliances. It scans networks, OSes, web apps, databases, and virtual environments. Nexpose can be paired with Rapid7’s for-cost InsightVM vulnerability management system for a comprehensive vulnerability management lifecycle solution.
- Scans up to 32 IP addresses
- Device autodiscovery
- Free to use
The Community Edition comes with a trial of Rapid7’s web-based console. The online help, behind the “?” icon, is your most helpful asset when getting started.
In the web GUI, you define one or more “sites” – networks of interest – for instance, by providing a CIDR address range. You can then choose from one of several predefined scan templates.
A Discovery Scan identifies all the devices and hosts in your specified address range.
After that, running a Full audit enhanced logging without Web Spider gives you a good initial look at vulnerabilities on your site.
You can drill down to find details of vulnerabilities.
You can look at the vulnerabilities status of a particular host or device. Each vulnerability includes guidance for remediation.
The web console provides multiple predefined reports.
- Free version can support small businesses and home LANs
- Offers a good blend between technical capabilities and ease of use
- Integrates well into the Metasploit framework for more advanced testing
- Updates can cause lockups
- Filtering capabilities could use improvement, specifically more options
You can also set up scheduled scans, enable compliance policies, and track the history of the site’s exposure to vulnerabilities.
Three more network vulnerability scanners
If the eight best network scanners in our list don’t quite fit your needs, you might consider one of these alternatives, which are “bubbling under” the leaders.
The Tripwire Enterprise package of security vulnerability network checks is not free but you can try a demo. However, you can get it on a free trial. This service not only scans your network for anomalies on demand but runs in real-time, alerting you to any configuration or data changes on your network and enforcing change control.
- Supports real-time monitoring
- Can scan for vulnerabilities as well as detect and alert to config changes
- Better suited for larger networks
- No free version, only free demo
- Interface could use improvement
Qualys Cloud Platform Community Edition
Qualys offers its Global AssetView (GAV) tool for free on its Global Cloud Platform. Although there are many tools on the platform, GAV is the only one that is available for free forever. This tool replaces the deprecated Qualys FreeScan and it is a similar asset discovery system that generates an asset inventory. The system will perform live availability checks on the discovered devices whether they are on your site or on the cloud. You get details on each device and also scans to discover all installed software.
- Free forever
- Can be expanded by subscribing to related paid tools
- Provides continuous unattended monitoring
- Security scanning costs extra
Invicti is available as an on-premises application or as a cloud service. This is a costly option, which is the main reason that it does not appear in the main list of this guide. The vulnerability scanner is aimed at web servers and authenticates the activities of all applications that operate to support a web-based enterprise.
- Can be installed both on-premise or in the cloud for additional flexibility
- Tailored for web server monitoring – good option for companies who numerous online applications
- Is more expensive than most other solutions
- Aimed at serving massive enterprises, not ideal for small to medium-sized networks
Vulnerability scanning – and in fact, vulnerability management – is one aspect of protecting your network. Scanners can only detect vulnerabilities that already have tests implemented. You also need to develop a sense of your network’s normal behaviors, via bandwidth monitoring and analysis tools, particularly tools that let you specify automated alerts. When you sense an anomaly and must investigate, network analyzers and packet sniffers are key tools. And there are many other kinds of security tools for the network administrator.
Vulnerability scanning software is essential to help defend your network. There are multiple free options to try out; the right one for your organization is based on your needs, funding, and expertise – or willingness to learn.
Relevant: Best Angry IP Scanner Alternatives
Network Vulnerability FAQs
What are network vulnerability assessment tools?
A network vulnerability assessment tool checks an entire business system for known weaknesses. These vulnerabilities are software quirks, hardware configuration weaknesses, or combinations of valid processes that can assist a hacker or malicious actor within the organization. At the heart of the vulnerability assessment system is a checklist of vulnerabilities that have been uncovered by the producer of the assessment tool. The vulnerability database needs to be updated frequently.
What is a common open-source vulnerability scanning engine?
OpenVas is probably the most widely-used open-source vulnerability scanning system. One problem of open source scanning engines is that knowledge of how the vulnerability scanner operates gives hackers an opportunity to plan attacks that won’t be spotted. Most of the leading vulnerability scanners are proprietary and have private source code and procedures.
Which security tool would you use to scan a host for HTTP vulnerabilities?
HTTP vulnerabilities are part of “website vulnerabilities.” This problem concerns both the websites that your businesses run and websites that users on your network access. Of the security tools in this guide, OpenVAS, Nexpose, Netsparker have the best HTTP vulnerability checks.
How often should you run a vulnerability scan?
Vulnerability scanners are automated processes, so there is no reason not to run vulnerability scans continuously. Check your data security standards for compliance requirements. These usually require comprehensive vulnerability scans to be executed one a month or quarterly. It is also advisable to run a vulnerability scan whenever the vulnerability database gets updated with newly discovered weaknesses.
How long does a vulnerability scan take?
A vulnerability scan performed by installed monitoring software should complete in around 30 minutes. A certified external vulnerability scan for security standards compliance should last between 30 and 90 minutes.