What is vulnerability scanning? Best practices & challenges

Wiz Experts Team
Main Takeaways about vulnerability scanning:
  • Vulnerability scanning is an automated way to find weaknesses in systems and software. It matters most when it covers what you actually run, not just what you think you run.

  • Discovery alone creates noise. A finding gets urgent when it is reachable from the internet, sitting on a high-privilege identity, or close to sensitive data.

  • Cloud changes the math. Short-lived workloads and managed services mean point-in-time scans go stale fast unless you scan continuously.

  • Vulnerability scans and penetration tests answer different questions. Scanning finds known issues at scale; pen tests prove what an attacker can do with a specific path.

  • Wiz ties scan results to real-world risk. It connects vulnerabilities to exposure, identities, and data so teams can fix the issues that are most likely to lead to impact.

What is vulnerability scanning?

Vulnerability scanning is an automated process that identifies security weaknesses in code, applications, infrastructure, and cloud environments before attackers can exploit them. It detects known vulnerabilities, missing patches, misconfigurations, and exposed components across your entire technology stack. The goal is not just to find issues, but to surface the ones that actually matter so teams can fix them before they become breaches, particularly as ransomware has become the most frequently reported type of cyberattack worldwide.

Cloud environments change the equation entirely. Workloads spin up and down constantly, infrastructure is defined in code, and applications span containers, serverless functions, and managed services. Traditional network-based scanning was built for static environments and can't keep pace. Modern scanners need to analyze source code, open source dependencies, container images, APIs, and cloud configurations to provide accurate, up-to-date visibility.

Most scanners work by identifying what is installed or exposed, then matching it to known vulnerability intelligence. The output is only useful when it stays current as your environment changes throughout the day.


What vulnerabilities does a scan uncover?

| Action | Outcome | Input | Time | Frequency |
|---|---|---|---|---|
| Vulnerability scanning | A list of potential vulnerabilities | Automated | Under an hour for a simple scan; up to 72 hours for a complex scan | Daily |
| Penetration testing | Results of a real-world simulated cyberattack | Manual | Up to several weeks | Once per year |

These are common areas of weakness that a vulnerability scan typically identifies:

  • Network: Open ports, weak passwords, misconfigured firewalls, and unauthorized devices or connections

  • System: Missing patches, outdated software, misconfigurations, and vulnerable operating systems

  • Applications: Security flaws, XSS and SQL injection vulnerabilities, and misconfigured settings

  • Cloud-specific: Misconfigured cloud services and settings and improper identity access and authentication

The specific vulnerabilities your scanner finds will depend on the type of scan it performs (like network, application, or database) and whether it's an internal scan or an external scan. Ideally, though, you'd use a tool that can spot all four categories of weakness listed above.

[Figure: IngressNightmare attack vectors]

Wiz, for example, caught a vulnerability in Ingress NGINX with system, network, and cloud-specific implications, not to mention an application-specific Ivanti EPMM RCE vulnerability. These are just two examples out of thousands.

Types of vulnerability scanning and common use cases

Vulnerability scanning uses both active and passive techniques:

  • Active scanning: Sends simulated attacks, queries, or requests to targets to identify weaknesses like buffer overflows, unencrypted data, and broken authentication.

  • Passive scanning: Analyzes network traffic without actively probing, detecting vulnerabilities attackers could use to spread malware or exfiltrate data.

Beyond technique, scans also differ by what they target. The most common use cases include:

  • Network vulnerability scanning: Scans the network for vulnerabilities, including open ports, unpatched software, and weak network protocols

  • Web application vulnerability scanning: Looks for security flaws like SQL injection, cross-site scripting (XSS), and other vulnerabilities that are unique to web applications

  • Database vulnerability scanning: Concentrates on identifying vulnerabilities within databases, such as misconfigurations, weak authentication, and overly permissive permissions

  • Host vulnerability scanning: Scans individual hosts (servers or workstations) to identify vulnerabilities at the operating system level or within installed software

  • Container and virtualized environment scanning: Identifies vulnerabilities in containerized applications and virtual environments by scanning container images, running containers, and virtual machines

Vulnerability scanning vs. penetration testing

Vulnerability scanning and penetration testing serve different purposes. Scanning is automated and continuous, providing broad coverage across your environment as it changes. Penetration testing is manual and time-bound, simulating real-world attacks to validate whether specific weaknesses can actually be exploited.

The two approaches complement each other. Scanning maintains ongoing awareness of potential weaknesses, while pen testing provides deeper validation of how attackers might chain issues together in realistic scenarios.

| Activity | Best at | Typical output |
|---|---|---|
| Vulnerability scanning | Broad coverage and fast detection of known issues | A list of findings to fix or validate |
| Penetration testing | Proving real attack paths and business impact | Exploit evidence and prioritized remediation steps |

How vulnerability scanning works

Vulnerability scanning works by identifying weaknesses across code and runtime environments, then narrowing those findings to the vulnerabilities that could realistically be exploited. In modern environments, the goal is not to produce a long list of issues, but to understand which weaknesses actually increase risk.

Identifying what is present and in use

Accurate scanning requires knowing what actually exists in your environment. This means maintaining visibility into source code and dependencies during build, container images and workloads at deployment, and cloud resources in production.

Without this foundation, vulnerability data becomes misleading. A scanner can only report on what it sees, and if the asset inventory is incomplete, the findings will be too.

Detecting known vulnerabilities across the stack

Once assets are identified, scanners evaluate them for known vulnerabilities. This includes issues in application code, open source libraries, operating systems, container images, and cloud services.

At this stage, scanning is intentionally broad. The goal is to surface potential weaknesses wherever they exist, knowing that not all findings will represent meaningful risk on their own. Scanners compare what they find against vulnerability intelligence sources like the National Vulnerability Database and CVE.org, which catalog affected product names, impact metrics, vulnerability severity, and recommended mitigation techniques.

Evaluating exploitability through context

This is where modern scanning diverges from traditional approaches. A vulnerability's importance depends on whether it can actually be exploited, not just whether it exists.

Exploitability depends on several factors:

  • Deployment status: Is the vulnerable asset actually running in production?

  • External exposure: Is it reachable from the internet?

  • Permissions and identities: What access does the asset have to other systems?

  • Data proximity: Is sensitive data nearby or accessible?

  • Attack path viability: Could an adversary realistically chain this weakness with others?

Scanning that lacks this context produces noise, not insight.
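The two stages described above (broad detection against a vulnerability feed, then exploitability scoring from deployment, exposure, identity, data and runtime context) as an added Python illustration; this is not Wiz code, and every asset, package, version, vulnerability id and weighting below is a constructed placeholder:

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    packages: dict               # installed package -> version string
    deployed: bool               # actually running in production?
    internet_exposed: bool       # reachable from outside the organization?
    admin_identity: bool         # attached identity has high privilege?
    near_sensitive_data: bool    # can reach a sensitive data store?
    loaded: set = field(default_factory=set)  # packages observed in memory at runtime

# Constructed vulnerability feed: (id, package, last affected version, CVSS base score).
# The ids are placeholders, not real CVEs.
FEED = [
    ("CVE-PLACEHOLDER-1", "libexample", "2.4.0", 9.8),
    ("CVE-PLACEHOLDER-2", "toolkit", "1.0.5", 7.5),
    ("CVE-PLACEHOLDER-3", "parser", "3.1.0", 5.5),
]

def version(v):
    return tuple(int(x) for x in v.split("."))

def detect(asset):
    """Broad detection: match every installed package against the feed."""
    return [(vid, pkg, cvss) for vid, pkg, last_bad, cvss in FEED
            if pkg in asset.packages and version(asset.packages[pkg]) <= version(last_bad)]

def context_score(asset, pkg, cvss):
    """Exploitability context: the same CVSS means different risk on different assets."""
    if not asset.deployed:
        return 0.0                      # not running anywhere: no exploitable path
    score = cvss
    if asset.internet_exposed:
        score += 3                      # reachable from the internet
    if asset.admin_identity:
        score += 2                      # high-privilege identity attached
    if asset.near_sensitive_data:
        score += 2                      # close to sensitive data
    if asset.loaded and pkg not in asset.loaded:
        score /= 2                      # on disk but dormant (runtime validation)
    return score

def prioritize(assets):
    """Rank findings by contextual risk, highest first: (score, id, asset, cvss)."""
    rows = [(context_score(a, pkg, cvss), vid, a.name, cvss)
            for a in assets for vid, pkg, cvss in detect(a)]
    return sorted(rows, reverse=True)

# Constructed inventory: a public web tier, an internal worker, and an undeployed image.
ASSETS = [
    Asset("web-frontend", {"libexample": "2.3.1", "parser": "3.0.2"}, True, True, False, False, {"parser"}),
    Asset("batch-worker", {"toolkit": "1.0.2"}, True, False, True, True, {"toolkit"}),
    Asset("staging-image", {"libexample": "2.1.0"}, False, False, False, False),
]
```

Running `prioritize(ASSETS)` ranks the internal worker's 7.5 finding (privileged identity, near data) above the web tier's 9.8 finding, which is internet-exposed but dormant at runtime, and the undeployed image's finding drops to zero.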

Updating findings as environments and threats change

Both environments and vulnerability intelligence change continuously. New vulnerabilities are disclosed, code is updated, and workloads are redeployed.

Effective scanning revisits exploitability as these conditions evolve. A vulnerability that was previously low risk may become exploitable due to a configuration change, while others may become irrelevant once assets are removed or updated.

Validating remediation and reducing repeat exposure

After vulnerabilities are addressed, rescanning helps confirm that fixes were effective. Over time, this feedback loop helps teams understand where vulnerabilities tend to reappear and where preventative controls can reduce repeat exposure.

In this way, vulnerability scanning supports not just detection, but a clearer understanding of how exploitable risk enters and exits the environment.

Common vulnerability scanning challenges

A vulnerability scan may be ineffective if the following issues are present:

| Challenge | Description |
|---|---|
| Resource sharing | Vulnerability scanning requires significant network bandwidth and computing resources. Production workloads are also resource-intensive. When both share the organization's infrastructure, resource contention occurs, which can negatively impact the scan's efficiency. |
| False positives | Scanners may flag vulnerabilities that don't actually exist, wasting time on non-issues. Misconfigurations in scan policies often cause these false alarms. |
| Alert fatigue | Thousands of alerts make it overwhelming to track and address each one. Teams start ignoring findings, and critical vulnerabilities get lost in the noise. |
| Siloed tooling | Using separate scanners across environments creates data silos and fragmented views of risk. Teams struggle to see the full picture or correlate findings across their stack. |
| Lack of context | Most scanners don't understand asset criticality, business processes, or system dependencies. They report CVEs without explaining which ones actually increase risk. |
| Blind spots | Traditional tools often miss cloud infrastructure, containers, serverless functions, and other modern workloads, leaving gaps in coverage. |
| Ongoing maintenance efforts | Some vulnerability scanning solutions require installing agents on target systems for continuous scanning. Managing the installation, updates, and maintenance of these agents across many systems can be challenging and time-consuming. |
| Software development delays | Traditional vulnerability scanning practices require extensive scans and manual verification, which can delay application development and software update releases. These delays ultimately hurt an organization's bottom line. |

Key features to look for in a vulnerability scanning tool

Modern vulnerability scanning tools must do more than enumerate CVEs. In cloud-native environments, effective scanning depends on coverage, context, and the ability to reduce risk without slowing teams down. When evaluating a vulnerability scanning solution, these capabilities matter most.

Agentless coverage across code and cloud

Effective scanning requires visibility across both code and runtime without relying on agents. Agentless approaches reduce operational overhead and eliminate blind spots from missed installations or offline workloads.

Look for tools that scan source code and dependencies during development, then continue scanning container images, virtual machines, serverless functions, and cloud services in production. This end-to-end coverage helps teams identify vulnerabilities early and continuously assess what's actually running.

Contextual, risk-based prioritization

Severity scores alone don't reflect real risk. The most effective tools prioritize vulnerabilities based on exploitability, not just CVSS ratings.

This requires incorporating context such as external exposure, identity permissions, proximity to sensitive data, and whether a vulnerability is part of a viable attack path. Contextual prioritization helps teams focus on actionable risk and reduces alert fatigue.

External attack surface visibility

Vulnerability scanning should account for how attackers see your environment, not just how it looks internally.

Dynamic scanning of internet-facing assets helps identify exposed services, misconfigurations, and vulnerabilities that are reachable from outside the organization. This attacker-centric perspective is essential for understanding which vulnerabilities pose immediate risk.

Unified visibility across signals

Vulnerabilities don't exist in isolation. Their risk depends on how they intersect with identities, configurations, workloads, and exposure.

Scanning tools that operate within a unified security view make it easier to correlate findings across domains, reducing the need for manual investigation and cross-tool stitching. Unified visibility helps teams understand risk holistically instead of managing disconnected signals.

Actionable, automated remediation guidance

Finding vulnerabilities is only useful if teams can fix them efficiently. Effective scanning tools provide clear remediation guidance that helps engineers resolve issues quickly and confidently.

Automation and AI-assisted recommendations can further reduce friction by suggesting fixes, validating impact, and integrating remediation into existing workflows. This allows teams to move faster without compromising security.

How Wiz approaches vulnerability scanning

Wiz provides vulnerability scanning as part of its broader exposure management platform, helping teams identify vulnerabilities across code, images, and runtime cloud environments, then prioritize them based on real-world exploitability.

Unlike traditional scanners that surface vulnerabilities in isolation, Wiz correlates findings with cloud context to determine which issues actually matter. Vulnerabilities are evaluated based on deployment status, external exposure, identity permissions, proximity to sensitive data, and whether they form part of a realistic attack path.

Wiz takes a multi-layered approach, providing deep visibility across cloud, on-premises, and containerized environments without the operational friction of traditional agents:

  • Agentless workload scanning: Wiz connects via cloud APIs to create encrypted snapshots of storage volumes. This side-scanning approach enables deep operating system and application-level analysis, including software bill of materials (SBOM) generation, with zero impact on production workload performance.

  • Vulnerability runtime validation: For Linux and Kubernetes environments, the eBPF-based Wiz Sensor monitors which packages are actively loaded into memory. This allows teams to distinguish between active vulnerabilities that are currently executing and dormant ones that exist on disk but aren't being used.

  • Attack surface management: Wiz probes internet-facing resources to validate external exposure and identify verified attack paths, helping teams understand how attackers see their environment from the outside.

What sets Wiz apart is how it connects vulnerability scanning to exposure management. Rather than producing a simple list of CVEs, Wiz correlates vulnerabilities with network exposure, identity permissions, and secrets on the Wiz Security Graph. This surfaces toxic combinations (such as a vulnerable workload that is also internet-exposed and has administrative access to sensitive data) and identifies which issues represent genuine attack paths, not just theoretical risk.

This same context-aware approach extends to AI workloads, helping teams understand how vulnerabilities in AI pipelines, model-serving infrastructure, and connected data stores factor into overall exploitable risk. To see how Wiz connects vulnerability findings to real exposure across your cloud environment, get a demo and explore context-driven prioritization firsthand.
