Vulnerability scanning
Vulnerability scanning is the automated examination of IT systems, networks and applications for known security weaknesses based on current vulnerability databases.
Vulnerability scanning refers to the automated, tool-supported examination of IT systems, network components, servers and applications for known security weaknesses. Specialised scanners compare the detected software versions, configurations and open services against vulnerability databases such as the CVE list (Common Vulnerabilities and Exposures) and usually rate the severity according to the CVSS standard (Common Vulnerability Scoring System). Unlike a penetration test, which pursues selected attack paths manually and in depth, a vulnerability scan provides a broad, regularly repeatable snapshot of the current security posture.
Vulnerability scans are a core building block of effective vulnerability management and provide the basis for prioritised patch management. A distinction is typically made between authenticated scans (using credentials, which can also detect locally installed software and missing patches) and unauthenticated scans (from the perspective of an external attacker without credentials). The result is a report that ranks the identified vulnerabilities by criticality and recommends concrete remediation measures. Regular scanning is essential, because new vulnerabilities are published every day and a system's security posture changes continuously through updates, new services or configuration changes.
In a regulatory context, vulnerability scanning is an important means of demonstrating due-diligence obligations. The NIS2 Directive and its national transposition require affected entities to assess the effectiveness of risk-management measures and to handle vulnerabilities appropriately. The BSI IT-Grundschutz, ISO/IEC 27001 (in particular Annex A control A.8.8 on the management of technical vulnerabilities) and sector-specific standards such as VDA ISA/TISAX likewise presuppose the systematic detection and treatment of technical vulnerabilities. Vulnerability scans should therefore be embedded in the risk-assessment process, and their results should be documented and tracked through to remediation.
Legal Basis
Art. 21(2)(e) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001 Annex A.8.8; BSI IT-Grundschutz
Practical Example
A machinery manufacturer classified as an important entity under NIS2 sets up weekly authenticated vulnerability scans across its entire server network. The scanner reports a vulnerability rated as critical (CVSS 9.8) in a publicly reachable VPN appliance. The information security officer prioritises the finding based on severity and exposure, arranges for the vendor patch to be applied within 48 hours, and documents detection, assessment and remediation in the vulnerability-management tool. The next scan confirms successful remediation and at the same time provides evidence of the measure's effectiveness to the supervisory authority.
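The triage and rescan steps of the practical example, as an added Python illustration that is not code from the original page or from any particular scanner product; all host names, scores and CVE identifiers are constructed placeholders, and the exposure flag is assumed to come from the organisation's own asset inventory.

```python
# Added example (not from the original page): triage authenticated scan
# findings by severity and exposure, then confirm remediation against a
# rescan. All findings and CVE identifiers below are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str              # constructed placeholder, not a real CVE id
    cvss: float           # CVSS v3 base score, 0.0-10.0
    internet_facing: bool # exposure: reachable from the internet?

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if cvss >= floor:
            return label
    return "none"

def prioritise(findings):
    """Exposed hosts first, then descending CVSS: what to patch first."""
    return sorted(findings, key=lambda f: (not f.internet_facing, -f.cvss))

def compare_scans(previous, current):
    """Diff two scans: remediated, still open and newly detected findings."""
    before = {(f.host, f.cve) for f in previous}
    after = {(f.host, f.cve) for f in current}
    return {"remediated": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}

# Constructed sample: week 1 finds a critical flaw on the VPN appliance;
# week 2 confirms it was patched but surfaces a new high on the mail host.
WEEK1 = [Finding("vpn-gw.example", "CVE-0000-0001", 9.8, True),
         Finding("file-srv.example", "CVE-0000-0002", 9.8, False),
         Finding("file-srv.example", "CVE-0000-0003", 5.3, False)]
WEEK2 = [Finding("file-srv.example", "CVE-0000-0002", 9.8, False),
         Finding("file-srv.example", "CVE-0000-0003", 5.3, False),
         Finding("mail.example", "CVE-0000-0004", 7.5, True)]

if __name__ == "__main__":
    for f in prioritise(WEEK1):
        print(f"{severity(f.cvss):8} {f.cvss:4} {f.host} {f.cve}")
    print(compare_scans(WEEK1, WEEK2))
```

The "remediated" list from the rescan diff is the evidence of effectiveness the example refers to, while "still_open" entries are the ones to track in the vulnerability-management tool.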