A vulnerability scan is an automated process that uses specialised tools to detect known security weaknesses in systems, networks, applications and configurations. Scanners fingerprint the software, services and settings present on a target (for example from service banners, installed-package data or configuration files) and match what they find against databases of known vulnerabilities (such as CVE entries) and insecure configurations, producing reports that list discovered issues with severity ratings, typically CVSS scores. Scans can be authenticated (using credentials to read installed package versions, patch levels and local configuration) or unauthenticated (observing only what is exposed over the network, which approximates an external attacker's view but reveals less and is more prone to misjudging patch status from a version string).
Vulnerability scanning is a comparatively cheap way to maintain continuous visibility into an organisation's security posture and is a required control in many compliance frameworks. Scans should be run on a regular schedule and after significant changes to the environment, with results feeding into the broader vulnerability management process for prioritisation and remediation. Because a scanner can only report weaknesses present in its database, it does not find logic flaws or previously unknown vulnerabilities and does not replace penetration testing. Interpreting scan results in context is important: false positives (for instance a version string that still looks vulnerable because the vendor backported the fix without changing the version) can waste remediation effort, whilst false negatives may leave critical weaknesses unaddressed.
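The matching step described above, reduced to its essentials, as an added example rather than code from any real scanner: software versions observed on a host are compared against a vulnerability database using proper numeric version comparison, findings are sorted by severity, and data from an authenticated view (package metadata recording a backported fix) is used to flag a likely false positive that the unauthenticated banner alone would report as open. The products, versions and advisory identifiers (EX-2024-000x) are constructed placeholders, not real vulnerabilities.

```python
"""Toy vulnerability-scanner matching logic.

Added example, not code from a real scanner. Every product name, version
and advisory identifier (EX-2024-000x) below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed vulnerability database. A real scanner would load CVE/NVD-style
# feeds; the shape is the same: product, affected version range, severity score.
VULN_DB = [
    {"id": "EX-2024-0001", "product": "examplehttpd", "introduced": "2.4.0", "fixed": "2.4.3", "cvss": 9.8},
    {"id": "EX-2024-0002", "product": "examplehttpd", "introduced": "2.0.0", "fixed": "2.4.1", "cvss": 5.3},
    {"id": "EX-2024-0003", "product": "exampledb", "introduced": "10.0", "fixed": "10.6", "cvss": 7.5},
]


@dataclass
class Finding:
    id: str
    product: str
    version: str
    cvss: float
    status: str  # "open" or "likely false positive (...)"

    @property
    def severity(self):
        """CVSS v3 qualitative rating bands."""
        if self.cvss >= 9.0:
            return "Critical"
        if self.cvss >= 7.0:
            return "High"
        if self.cvss >= 4.0:
            return "Medium"
        return "Low"


def parse_version(version):
    """Turn '2.4.10' into (2, 4, 10) so comparison is numeric, not lexical
    (as strings, '2.4.10' < '2.4.9', a classic source of wrong findings)."""
    return tuple(int(part) for part in version.split("."))


def parse_banner(banner):
    """Extract (product, version) from a 'product/version' service banner."""
    product, _, version = banner.strip().partition("/")
    return product.lower(), version


def is_affected(entry, version):
    """A version is affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def scan_host(banners, packages=None):
    """Match observed software against VULN_DB.

    banners:  service banners seen over the network (unauthenticated view).
    packages: optional dict product -> set of advisory ids whose fixes the vendor
              backported into the installed package (authenticated view). This is a
              constructed stand-in for the package metadata a credentialed scan reads.
    """
    packages = packages or {}
    findings = []
    for banner in banners:
        product, version = parse_banner(banner)
        for entry in VULN_DB:
            if entry["product"] != product or not is_affected(entry, version):
                continue
            # The banner alone says "vulnerable"; the installed package may carry a
            # backported fix the version string does not show. Flag it rather than
            # silently dropping it: the analyst still makes the final call.
            status = "open"
            if entry["id"] in packages.get(product, set()):
                status = "likely false positive (fix backported)"
            findings.append(Finding(entry["id"], product, version, entry["cvss"], status))
    # Highest severity first, as a scan report would list them.
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def report(findings):
    """Render findings as one line each, severity label first."""
    return "\n".join(
        f"{f.severity:<8} {f.cvss:>4} {f.id} {f.product} {f.version}  [{f.status}]"
        for f in findings
    )


if __name__ == "__main__":
    observed = ["examplehttpd/2.4.1", "exampledb/10.2"]  # constructed banners
    print("Unauthenticated view:")
    print(report(scan_host(observed)))
    print("\nAuthenticated view (package metadata shows EX-2024-0001 backported):")
    print(report(scan_host(observed, packages={"examplehttpd": {"EX-2024-0001"}})))
```

Two points carry over to real tooling: version comparison must be numeric per component (a string compare silently misplaces `2.4.10` below `2.4.9`), and authenticated data should downgrade rather than delete a finding, so the report still shows what the network-facing banner advertises to an attacker.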