Security
By Roi Abitboul

What Is Vulnerability Scanning? How It Works and What It Misses

Vulnerability scanning is the automated process of identifying known security weaknesses by comparing assets against databases of published vulnerabilities (CVEs) and known-bad configurations. Organizations run continuous scans and still get breached, and the reason is architectural: a scanner can only report weaknesses that have already been catalogued, and it cannot tell whether a catalogued weakness is actually reachable in production. This article covers the definition, how scanners work, the scan types, the scoring process, the limitations, and how runtime protection fills the gap that scanning cannot close.

Key Takeaways

  • Vulnerability scanning identifies known security weaknesses by comparing assets against databases of published vulnerabilities (CVEs) and known misconfigurations
  • It covers networks, hosts, web applications, cloud environments, and open source dependencies
  • Scanners assign severity scores using CVSS (0-10) to help teams prioritize remediation
  • Version- and signature-matching scanners cannot detect zero-day vulnerabilities because there is no CVE entry or check to match against yet
  • Scanning confirms that a library or component is present; it cannot confirm whether the vulnerable function is ever called in production
  • Runtime protection is the complementary layer that addresses what scanning structurally cannot reach

What Is Vulnerability Scanning?

Vulnerability scanning is the automated process of identifying known security weaknesses by comparing assets against databases of published vulnerabilities (CVEs). It is distinct from penetration testing in a specific way: scanning is automated detection of known weaknesses, while penetration testing is human-driven and uses active exploitation to confirm that a weakness is reachable and to measure its impact. They serve different purposes and neither substitutes for the other.

Vulnerability management is the full lifecycle: scan, prioritize, remediate, verify, and report. Scanning is the detection step within that lifecycle.

Types of Vulnerability Scans

Network Scanning

Identifies weaknesses in routers, switches, firewalls, and servers across the network perimeter and internal segments. Network scanning is typically the broadest-scope scan in an enterprise environment and is foundational to understanding patch posture across infrastructure. Unauthenticated network scans infer software versions from open ports and service banners, so they produce false positives when a distribution backports a fix without changing the advertised version, and false negatives for services that are firewalled from the scanner.

Host Scanning

Run with credentials or through an agent installed on endpoints and servers, host scanning covers operating system configuration, installed software versions, and patch levels. It produces more accurate findings than unauthenticated network scans because it reads package metadata and configuration directly from the asset instead of inferring them from the outside.

Web Application Scanning

Tests running web applications from the outside for OWASP-class vulnerabilities such as SQL injection and XSS. Web application scanning operates at the HTTP layer rather than the network or OS layer, so it catches a different class of exposure: it crawls the application, sends crafted inputs, and observes responses, which means it can find injection flaws in first-party code that have no CVE at all. It is still limited to the inputs it knows how to send and the responses it knows how to interpret.

Cloud Scanning

Covers containers, virtual machines, serverless functions, and cloud service misconfigurations. Cloud scanning has become essential as infrastructure has moved toward ephemeral, API-managed resources that do not map cleanly to traditional host-based scanning models.

SCA Scanning

Identifies known CVEs in open source and third-party dependencies. For a full explanation, see software composition analysis.

Scan type        | What it scans                               | What it misses
Network scanning | Routers, switches, firewalls, servers        | Application-layer vulnerabilities, runtime behaviour
Host scanning    | OS config, installed software, patch levels | Code-level logic flaws, unexecuted vulnerable functions
Web app scanning | HTTP layer, OWASP-class issues              | Infrastructure, dependency CVEs
Cloud scanning   | VMs, containers, serverless, misconfigs     | Runtime exploit behaviour inside applications
SCA scanning     | Open source and third-party dependencies    | Whether vulnerable functions actually execute

How Vulnerability Scanning Works

  1. Discovery: scanner identifies all assets in scope
  2. Detection: compares asset state against CVE databases (NVD, vendor advisories)
  3. Scoring: vulnerabilities rated by CVSS (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9)
  4. Reporting: findings delivered with severity, asset, and remediation context
  5. Remediation: patch, update, or apply a compensating control

CVSS (Common Vulnerability Scoring System) is a standardised framework for rating vulnerability severity on a 0-10 scale. It is the prioritisation signal most compliance programmes expect: PCI-DSS ASV external scans, for example, fail on any finding with a CVSS base score of 4.0 or higher, and SOC 2 auditors look for a documented, severity-based remediation process. Note that the base score describes the vulnerability in the abstract; it says nothing about whether the affected code is reachable on a given asset, which is why environmental context or runtime evidence is needed to turn a score into a real priority.
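The five steps above, carried out end to end on constructed data, as an added example (this is illustrative code written for this article, not the implementation of any scanner named on the page). It assumes an inventory of installed packages with numeric dotted versions, an advisory feed that expresses affected ranges as "introduced (inclusive) to fixed (exclusive)", and CVSS v3.x qualitative buckets; the EXAMPLE-* identifiers, package names and hosts are placeholders, not real CVEs or products.

```python
from dataclasses import dataclass

# All identifiers, advisories and hosts below are constructed for this example;
# the EXAMPLE-* ids are placeholders, not real CVEs.


@dataclass(frozen=True)
class Advisory:
    """One entry from an NVD-style feed, reduced to what version matching needs."""
    cve: str
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive; "" means no fix published
    cvss: float       # CVSS v3.x base score


@dataclass(frozen=True)
class Finding:
    asset: str
    package: str
    version: str
    cve: str
    cvss: float
    severity: str


# Constructed advisory feed.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libparse", "1.0.0", "1.4.3", 9.8),
    Advisory("EXAMPLE-0002", "libparse", "1.2.0", "2.0.0", 5.3),
    Advisory("EXAMPLE-0003", "nethttp", "3.1.0", "", 7.5),       # no fix yet
    Advisory("EXAMPLE-0004", "imgcodec", "0.9.0", "1.0.0", 3.1),
]

# Constructed output of the discovery step: asset -> {package: installed version},
# the kind of inventory an agent or credentialed host scan would return.
INVENTORY = {
    "web-01": {"libparse": "1.4.2", "nethttp": "3.2.1", "imgcodec": "1.0.0"},
    "web-02": {"libparse": "2.0.0", "nethttp": "3.0.9"},
    "batch-01": {"imgcodec": "0.9.5", "libparse": "1.4.3"},
}


def version_key(version: str) -> tuple:
    """Assumption: purely numeric dotted versions. Pad so that 1.4 == 1.4.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def severity(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed (or any version >= introduced if unfixed)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed == "" or v < version_key(adv.fixed)


def scan(inventory: dict, advisories: list) -> list:
    """Detection + scoring: match each installed package against the feed and
    return findings ordered for triage (highest score first, then asset)."""
    findings = []
    for asset, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is not None and is_affected(installed, adv):
                findings.append(Finding(asset, adv.package, installed,
                                        adv.cve, adv.cvss, severity(adv.cvss)))
    return sorted(findings, key=lambda f: (-f.cvss, f.asset, f.cve))


def report(findings: list, asv_threshold: float = 4.0) -> str:
    """Reporting step. PCI-DSS ASV scans fail on any finding scoring 4.0 or
    higher, so those rows are flagged separately from the rest."""
    rows = []
    for f in findings:
        flag = "FAIL" if f.cvss >= asv_threshold else "ok"
        rows.append(f"{f.severity:<8} {f.cvss:>4}  {f.asset:<9} "
                    f"{f.package} {f.version}  {f.cve}  [{flag}]")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(scan(INVENTORY, ADVISORIES)))
```

Two details worth noticing: web-02 produces no findings even though it runs the same packages, because its versions sit exactly on the fixed boundary (exclusive) or below the introduced boundary, and the ordering puts the unfixed 7.5 ahead of the two 5.3 findings, which is exactly the flat CVSS-only triage signal the limitations section below says is insufficient on its own.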

Benefits of Vulnerability Scanning

Continuous Visibility Into Known Risks

Automated scanning maintains an up-to-date inventory of known weaknesses across the attack surface. Without it, asset visibility degrades quickly in environments with frequent deployments, new cloud resources, and changing dependency manifests.

Compliance Support

PCI-DSS requires scanning explicitly (internal and external scans at least quarterly and after significant changes); SOC 2, HIPAA, and DORA expect a documented vulnerability management process, and scan results are the standard evidence for it. Results feed audit documentation, remediation tracking, and evidence of due care for security controls.

Prioritised Remediation

CVSS scoring helps security teams focus effort on critical and high-severity findings first, reducing alert fatigue from flat finding lists with no triage signal.

Early Detection

Catches unpatched software and misconfigured services before attackers can exploit them. The earlier a known vulnerability is identified, the smaller the window of exposure.

Limitations of Vulnerability Scanning

Blind to Zero-Day Threats

Scanners match assets against known CVE databases and predefined checks only. A vulnerability with no published CVE and no check written for it returns no findings. This is not a tool quality problem; it is an architectural constraint. Scanning is structurally limited to what has already been documented and assigned an identifier.

Cannot Assess Runtime Exploitability

Scanning finds that a component contains a vulnerability. It cannot determine whether the vulnerable function is called in production, whether the call path is reachable from external input, or whether runtime conditions make exploitation possible. Some SCA tools add static reachability analysis over the application's call graph, which helps, but a call graph built from source still cannot see dynamic dispatch, configuration-dependent branches, or which endpoints actually receive traffic. A library with a critical CVE that is never executed at runtime is not an active risk, but a scanner cannot make that distinction.
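The distinction between "component present" and "vulnerable function executed", shown as an added example written for this article (it is not Raven's implementation or any vendor's code). It assumes a static scan has already produced findings that name the affected function, that the application's dependencies can be mapped to those names, and that observing Python call events with sys.setprofile is an acceptable stand-in for a production runtime agent. The dependency functions, workload, and EXAMPLE-* ids are all constructed placeholders.

```python
import sys
from dataclasses import dataclass

# Everything here is constructed for the example: the "dependency" functions,
# the scan findings and the EXAMPLE-* ids (placeholders, not real CVEs).


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    function: str    # function the advisory names as affected, "module.name"
    cvss: float


# Stand-in for a third-party package. In a real deployment these would be the
# dependency's own functions; they are defined inline so the example runs offline.
def yaml_load_unsafe(text: str) -> dict:
    """The function the critical advisory is about; the app never calls it."""
    return dict(item.split("=", 1) for item in text.split(";") if item)


def yaml_dump(obj: dict) -> str:
    return ";".join(f"{k}={v}" for k, v in obj.items())


def http_parse_chunked(body: bytes) -> bytes:
    """Minimal chunked-transfer decoder: <hex-len>\\r\\n<data>\\r\\n ... 0\\r\\n\\r\\n."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end], 16)
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


# Map from the names advisories use to the code objects the app actually loads.
DEPENDENCY_FUNCTIONS = {
    "demo_yaml.load_unsafe": yaml_load_unsafe,
    "demo_yaml.dump": yaml_dump,
    "demo_http.parse_chunked": http_parse_chunked,
}

# Constructed output of a static SCA scan of this app's dependency manifest.
SCAN_FINDINGS = [
    Finding("EXAMPLE-0001", "demo_yaml", "demo_yaml.load_unsafe", 9.8),
    Finding("EXAMPLE-0002", "demo_yaml", "demo_yaml.dump", 5.3),
    Finding("EXAMPLE-0003", "demo_http", "demo_http.parse_chunked", 7.5),
]


class RuntimeMonitor:
    """Records which flagged functions execute while a workload runs.

    sys.setprofile fires a 'call' event for every Python function call on this
    thread; only the code objects of flagged functions are looked up, so the
    overhead is one dict lookup per call.
    """

    def __init__(self, findings, resolver):
        self._watched = {resolver[f.function].__code__: f.cve
                         for f in findings if f.function in resolver}
        self.executed = set()       # CVE ids whose function ran at least once
        self._previous = None

    def _profile(self, frame, event, arg):
        if event == "call":
            cve = self._watched.get(frame.f_code)
            if cve is not None:
                self.executed.add(cve)

    def __enter__(self):
        self._previous = sys.getprofile()
        sys.setprofile(self._profile)
        return self

    def __exit__(self, *exc):
        sys.setprofile(self._previous)
        return False


def triage(findings, workload):
    """Run the workload under the monitor and split findings into reached
    (function executed) and unreached (component present, never called)."""
    with RuntimeMonitor(findings, DEPENDENCY_FUNCTIONS) as mon:
        workload()
    reached = [f for f in findings if f.cve in mon.executed]
    unreached = [f for f in findings if f.cve not in mon.executed]
    return reached, unreached


def handle_request() -> str:
    """Constructed production code path: decodes a chunked body and serialises
    a response with demo_yaml.dump, but never touches demo_yaml.load_unsafe."""
    payload = http_parse_chunked(b"5\r\nhello\r\n0\r\n\r\n")
    return yaml_dump({"status": "ok", "bytes": len(payload)})


if __name__ == "__main__":
    reached, unreached = triage(SCAN_FINDINGS, handle_request)
    for f in reached:
        print(f"REACHED   {f.cve} {f.cvss} {f.function}")
    for f in unreached:
        print(f"UNREACHED {f.cve} {f.cvss} {f.function}")
```

The static scan reports three CVEs and the 9.8 is the one it would put at the top of the list; the monitor shows that only the 7.5 and 5.3 functions run on this code path. A real runtime agent hooks at the interpreter or loader level rather than per-thread profiling, and the absence of a call in one workload is evidence about that workload only, not proof the path is unreachable, so "unreached" findings are deprioritised, not dismissed.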

Alert Volume and CVE Fatigue

Enterprise scans routinely produce hundreds or thousands of findings, a large share of them in code paths that are never executed at runtime. Security teams spend significant time triaging findings with no real risk behind them, and the real exposures are buried in the same list.

Point-in-Time Snapshot

A scan from yesterday may miss a deployment from this morning. Environments change continuously, and scan frequency always lags behind deployment frequency in high-velocity engineering organisations.

Vulnerability Scanning vs. Runtime Protection

Scanning and runtime protection are complementary, not competing. They cover different phases and different threat models.

Scanning operates before and after deployment and identifies known, catalogued vulnerabilities in the assets it can see. Runtime protection monitors execution in production and blocks exploitation attempts based on behaviour, so it does not depend on a CVE existing for the weakness being exploited.

The home-inspection analogy fits: scanning is the inspection that identifies structural issues before you move in. Runtime protection is the smoke alarm and sprinkler system that responds to a fire while you live there. You need both, and one does not substitute for the other.

Raven's Runtime SCA monitors production execution and surfaces only the vulnerabilities in functions that actually run, cutting CVE noise by 99%. Runtime application prevention and runtime security address the zero-day and exploitability gaps that scanning cannot close by design.

Conclusion

Vulnerability scanning identifies known weaknesses and is required in any security program. It cannot protect against zero-day attacks, confirm which vulnerabilities are actively exploited in production, or stop exploits from executing once an application is running. A complete programme layers scanning with runtime protection — scanning to find what is known, runtime to catch what is not.

See how Raven's Runtime SCA cuts CVE noise by 99% and catches what scanners miss.

FAQs

What is vulnerability scanning in cybersecurity?

Vulnerability scanning is the automated process of comparing assets against databases of published vulnerabilities (CVEs) to identify known weaknesses. It covers networks, hosts, web applications, cloud infrastructure, and open source dependencies.

What is the difference between vulnerability scanning and penetration testing?

Scanning is automated detection of known vulnerabilities. Penetration testing uses active exploitation techniques to confirm reachability and measure impact. Scanning runs continuously; penetration testing is typically periodic and scoped. Both are necessary, but they answer different questions.

How often should you run a vulnerability scan?

Continuously for critical assets and after every significant deployment or infrastructure change. PCI-DSS requires internal and external scans at least quarterly and after significant changes, but that cadence is insufficient for environments with frequent releases.

What does CVSS mean?

Common Vulnerability Scoring System. A standardized framework for rating vulnerability severity on a 0-10 scale: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). CVSS is the severity input PCI-DSS uses to pass or fail ASV scans (4.0 and above fails) and the usual prioritisation signal in SOC 2 evidence.

Can vulnerability scanning detect zero-day attacks?

No. Scanners match against known CVE databases and predefined checks. A zero-day vulnerability with no published CVE produces no findings. Catching zero-days requires runtime behavioral detection, which monitors what code actually does rather than what is already known about it.

What is the difference between vulnerability scanning and vulnerability management?

Scanning is the detection step. Vulnerability management is the full lifecycle: scan, prioritize, remediate, verify, and report. Scanning produces the findings; vulnerability management is the programme that acts on them.

What tools are used for vulnerability scanning?

Common tools include Tenable Nessus, Qualys, Rapid7 InsightVM, OpenVAS, Wiz, and Snyk. SCA-specific scanning is handled by tools like Snyk, Mend, and Black Duck. Tool selection depends on asset type, environment, and whether the primary need is infrastructure, web application, or dependency coverage.
