In a landscape where cyber threats are growing more sophisticated by the day, understanding an organization’s vulnerabilities is a strategic imperative for security and compliance. Conducting vulnerability scans is a key component in helping prevent successful external adversary attacks. In this article, I will discuss what vulnerability scans are, the common types, and actions your organization needs to take to support the achievement of SOC 2 compliance.
What is Vulnerability Scanning & How Is it Used to Improve Security?
What is a vulnerability? Simply put, a vulnerability is a system flaw that can be exploited. How do you determine system vulnerability risk? A vulnerability scanner is a great way! A vulnerability scanner is a tool used to scan networks, servers, individual hosts, applications, etc., to check for vulnerabilities within these assets.
The results of a vulnerability scan should then be assessed and evaluated, and the results prioritized for remediation by appropriate personnel within an organization. Generally speaking, the results of the vulnerability scan would be rated on a scale of low, medium, and high. In addition to a vulnerability scan, a vulnerability management program is an important process for an organization to have in place. A vulnerability management program is generally a continuous process defined and outlined to identify, evaluate, and remediate or accept risks/vulnerabilities.
What Are the Types of Vulnerability Scans?
As vulnerabilities can exist in all areas of a business and technological environment, vulnerability scans have various scopes to cover different areas of the environment. Below are the various types of vulnerability scans that can be combined to provide the best coverage for your environment.
- Network Scans focus on identifying vulnerabilities in devices and services connected to a network. These scans detect open ports, weak authentication methods, misconfigurations, and other weaknesses that could be exploited over the network. This is performed from an external perspective.
- Host-Based Scans evaluate vulnerabilities within an individual system or device—such as a server, workstation, or virtual machine—by analyzing it from the inside. These scans use local access or credentials to inspect the internal configuration, file system, and software environment of the target host. Host-based scans are complementary to network scans as they focus on internal threats that the network scans don’t detect.
- Wireless Scans identify weaknesses and misconfigurations in a wireless network environment. This type of scan looks to detect vulnerabilities that could allow unauthorized access, data interception, or exploitation of wireless infrastructure. Wireless networks are potentially the weakest entry point into an organization, particularly in office buildings, shared workspaces, and public-facing locations, so a wireless vulnerability scan should be considered for organizations with these environments.
- Application Scans identify vulnerabilities in web applications, APIs, and other software interfaces, looking for flaws like SQL injection, cross-site scripting (XSS), and insecure authentication mechanisms. These scans may also simulate user inputs and navigate application workflows to uncover weaknesses in logic or implementation.
- Finally, Database Scans identify misconfigurations, missing patches, weak authentication settings, and other known vulnerabilities within a database system. Depending on your business and the internal and customer data stored, databases could be a highly valuable target for attackers.
How Often Should Vulnerability Scans be Performed?
Vulnerability scans can be extensive or have limited scope. They can also be run continuously or periodically. An effective approach could combine these methods into a hybrid model. Continuous monitoring can be used for the most critical or frequently changing assets, while comprehensive scheduled scans can be performed across the broader environment to prevent vulnerabilities from slipping through the cracks. This could help your vulnerability management program keep pace with both internal changes and emerging external threats.
How Do You Perform A Vulnerability Scan? Vulnerability Scanning Tools
Speaking of tools, there are many organizations that provide vulnerability scanning services, and there are even free tools available. See the links below for lists of popular vulnerability scanners. Note: These tools should be appropriately evaluated to determine which scan or combination of scans may be the most appropriate for a given organization.
- The Ultimate Guide to Free Vulnerability Scanners
- 6 Top Open-Source Vulnerability Scanners & Tools
- 5 free vulnerability scanners you should check out
Once a tool is selected, it is crucial that it is set up to run on appropriate assets. Do not skip the step of identifying all assets, reviewing the purpose and content, and assessing risk before setting up the scan. Scanning all assets and/or the wrong assets can lead to excessive costs and unnecessary time and effort used to sort through false positives or irrelevant vulnerabilities. Leaving out critical assets in the environment risks unidentified and unaddressed vulnerabilities in addition to creating compliance gaps.
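The scoping step above (identify all assets, assess their risk, then decide what the scanner covers) can be checked mechanically before each scan cycle. The following script is an added example and is not code from the original article or from any scanner; the asset inventory, scan target list, and field names (asset_id, criticality, in_scope) are constructed sample data and assumptions. It reconciles the scanner's target list against the inventory and reports three kinds of mismatch: in-scope assets that are not scanned (a compliance gap), scanned assets the risk assessment put out of scope (wasted effort and noise), and targets that are not in the inventory at all (an inventory gap).

```python
"""Reconcile a vulnerability scan's target list against the asset inventory.

Added example, not from the original article. The inventory, target list,
and field names below are constructed sample data and assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str     # hostname or identifier (constructed)
    criticality: str  # "high", "medium", or "low" from the risk assessment
    in_scope: bool    # whether the risk assessment says it must be scanned


# Constructed inventory: the output of "identify all assets, review purpose
# and content, assess risk" before the scan is configured.
INVENTORY = [
    Asset("web-01.example.test", "high", True),
    Asset("db-01.example.test", "high", True),
    Asset("api-01.example.test", "medium", True),
    Asset("build-runner-03.example.test", "low", True),
    Asset("kiosk-lobby.example.test", "low", False),  # isolated, deliberately not scanned
]

# Constructed list of hosts the scanner is currently configured to scan.
SCAN_TARGETS = [
    "web-01.example.test",
    "api-01.example.test",
    "kiosk-lobby.example.test",
    "old-test-box.example.test",  # not in the inventory at all
]


def reconcile(inventory, scan_targets):
    """Return (missing, wasted, unknown), each a sorted list of identifiers:
    missing - in-scope assets the scan does not cover (compliance gap)
    wasted  - scanned assets the risk assessment marked out of scope
    unknown - scan targets absent from the inventory (inventory gap)
    """
    by_id = {a.asset_id: a for a in inventory}
    targets = set(scan_targets)
    missing = sorted(a.asset_id for a in inventory
                     if a.in_scope and a.asset_id not in targets)
    wasted = sorted(t for t in targets if t in by_id and not by_id[t].in_scope)
    unknown = sorted(t for t in targets if t not in by_id)
    return missing, wasted, unknown


def coverage_report(inventory, scan_targets):
    """Human-readable lines, missing assets ordered by criticality (high first)."""
    missing, wasted, unknown = reconcile(inventory, scan_targets)
    rank = {"high": 0, "medium": 1, "low": 2}
    by_id = {a.asset_id: a for a in inventory}
    lines = []
    for asset_id in sorted(missing, key=lambda i: (rank[by_id[i].criticality], i)):
        lines.append(f"MISSING  {asset_id} (criticality={by_id[asset_id].criticality})")
    for t in wasted:
        lines.append(f"OUT-OF-SCOPE  {t}")
    for t in unknown:
        lines.append(f"UNKNOWN  {t} (not in inventory)")
    return lines


if __name__ == "__main__":
    for line in coverage_report(INVENTORY, SCAN_TARGETS):
        print(line)
```

Run before each scheduled scan and treat any MISSING line with high criticality as a blocker; the UNKNOWN lines are worth keeping too, since a scanned host that nobody inventoried is exactly the kind of asset whose findings end up unowned.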
Vulnerability Scanning & SOC 2 Compliance
The SOC 2 is governed by the AICPA. To that point, the AICPA does not list prescriptive controls that an organization should have in place to meet SOC 2 compliance. Instead, a listing of requirements is outlined where various types of controls can help meet the requirements.
I have listed three of the criteria below directly from the AICPA SOC 2 requirements and described the controls surrounding vulnerability scans that an organization should have in place to meet these criteria.
CC7.1
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Meeting this criterion involves selecting a tool or combination of tools to identify vulnerabilities and setting them up to scan the appropriate assets as discussed above. Documenting your internal requirements for scan frequency and asset selection in your Vulnerability Management Policies and Procedures assists in maintaining compliance.
CC4.1
COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
This criterion can be met by maintaining a robust Vulnerability Management Program and implementing it in practice. Performing the scans is the first step of the program – analyzing scan results and remediating the vulnerabilities are the other crucial steps to a compliant Vulnerability Management Program. A robust program should have documentation describing who is responsible for reviewing results, guidance for assigning a risk rating to each vulnerability, procedures for remediating vulnerabilities based on risk, and requirements for documenting the risk analysis and remediation activities. Specifying timelines for remediation of vulnerabilities is a key component of this program.
CC4.2
COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
This criterion can be met by demonstrating that the scan results are seen and analyzed by appropriate personnel, and that remediation activities are assigned to appropriate individuals and actioned according to policy. Retaining consistent documentation of the scan results, risk analysis, and remediation activities is key to maintaining compliance with the SOC 2 standards.
Common Vulnerability Scanning FAQs
These are some of the common questions we get from clients regarding vulnerability scanning.
What Are the Costs of Vulnerability Scanning?
The costs include the monetary cost of the tool/tools chosen to perform the scan, but the resources needed to analyze the vulnerabilities found by the tool and remediate them should also be included when an organization is looking to evaluate vulnerability scanning costs.
What is the Difference Between a Penetration Test & a Vulnerability Scan?
Vulnerability scanning is an automated process used to identify known weaknesses in systems and software, whereas penetration testing simulates attacks that would exploit said vulnerabilities. One is not a substitute for the other – robust security controls include both.
What Could Happen if Organizations Don’t Do Vulnerability Scanning?
Forgoing vulnerability scanning and remediation leaves organizations open to serious risks. Without proactively identifying and fixing security weaknesses, organizations are far more likely to experience data breaches, ransomware attacks, and service disruptions—all of which can be financially and reputationally devastating. Other consequences include regulatory penalties or compliance failures, increased downtime and slower incident response, and higher costs from reacting to threats instead of preventing them.
What Are the Benefits of Vulnerability Scanning?
See the FAQ above, “What Could Happen if Organizations Don’t Do Vulnerability Scanning?” Vulnerability scanning is a critical preventive control; the benefits of scanning include preventing data breaches and all the negative impacts that come along with them.
How Quickly Should Vulnerabilities be Addressed?
Each organization needs to evaluate its systems, potential breach points, and risk appetite to set its own remediation timelines. The timelines should be documented in the Vulnerability Management policies and monitored. Industry standards such as CVSS (Common Vulnerability Scoring System) can help prioritize remediation.
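The CC4.1 section above (risk rating each finding, remediation procedures based on risk, documented timelines) and this FAQ describe one workflow: rate, set a due date, track, escalate. The script below is an added example, not code from the original article or from any scanner, showing that workflow over constructed sample findings. The severity bands are the CVSS v3 qualitative rating scale (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0); the SLA_DAYS timelines are placeholder policy values, since the article says each organization sets its own; the finding records and their field names are assumptions.

```python
"""Rate scan findings from CVSS base scores and check them against the
remediation timelines documented in a Vulnerability Management policy.

Added example, not from the original article or any scanner. FINDINGS is
constructed sample data; SLA_DAYS holds placeholder policy values.
"""
from datetime import date, timedelta


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Placeholder remediation timelines in days from discovery (assumption,
# standing in for whatever the organization's own policy specifies).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings, as a normalized scanner export might look.
FINDINGS = [
    {"id": "F-001", "asset": "web-01.example.test", "cvss": 9.8,
     "discovered": "2025-05-01", "status": "open"},
    {"id": "F-002", "asset": "db-01.example.test", "cvss": 7.5,
     "discovered": "2025-05-20", "status": "open"},
    {"id": "F-003", "asset": "api-01.example.test", "cvss": 5.3,
     "discovered": "2025-04-01", "status": "remediated", "closed": "2025-05-15"},
    {"id": "F-004", "asset": "api-01.example.test", "cvss": 3.1,
     "discovered": "2025-05-25", "status": "risk_accepted"},
]


def evaluate(findings, today_iso: str, sla_days=SLA_DAYS):
    """Return copies of the findings with severity, due date (ISO string or
    None) and an overdue flag. Remediated findings are judged by their close
    date; risk-accepted findings are never overdue (the policy's accept path)
    but stay in the list so the acceptance is documented."""
    today = date.fromisoformat(today_iso)
    out = []
    for f in findings:
        sev = severity_from_cvss(f["cvss"])
        discovered = date.fromisoformat(f["discovered"])
        due = discovered + timedelta(days=sla_days[sev]) if sev != "none" else None
        if f["status"] == "remediated":
            overdue = due is not None and date.fromisoformat(f["closed"]) > due
        elif f["status"] == "risk_accepted":
            overdue = False
        else:
            overdue = due is not None and today > due
        out.append({**f, "severity": sev,
                    "due": due.isoformat() if due else None, "overdue": overdue})
    return out


def escalation_list(findings, today_iso: str):
    """IDs of open findings past their SLA, most severe and longest overdue
    first: the list a program communicates to owners and management."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    late = [f for f in evaluate(findings, today_iso)
            if f["overdue"] and f["status"] == "open"]
    return [f["id"] for f in sorted(late, key=lambda f: (order[f["severity"]], f["due"]))]


if __name__ == "__main__":
    for f in evaluate(FINDINGS, "2025-06-04"):
        print(f"{f['id']} {f['severity']:8} due={f['due']} overdue={f['overdue']}")
    print("escalate:", escalation_list(FINDINGS, "2025-06-04"))
```

The risk-accepted branch matters for the audit trail: a finding that was consciously accepted should not show up as overdue, but it must still be retained with its rationale, which is why evaluate() keeps it rather than filtering it out.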
Building Your Vulnerability Scanning Strategy
Understanding where an organization’s technical vulnerabilities are is critical to the success of an organization. If vulnerabilities are not identified and patched in a timely manner, the risk increases of a vulnerability being exploited. This could result in a breach and ultimately impact an organization’s services, finances, and reputation.
One of the standard ways to identify vulnerabilities across your network, web applications, and/or workstations is to conduct vulnerability scans periodically. Vulnerability scans can be conducted by an impartial third party, or internally by knowledgeable staff using some of the tools linked in this article above. Then, analyzing and remediating the vulnerabilities as guided by a robustly documented plan will help protect from evolving threats.
Please reach out if you would like to learn more about SOC 2 compliance requirements. Additionally, if you would like to learn more about any of our other audit services, please don’t hesitate to contact us.
This article was originally published on 6/1/2021 and was updated on 6/4/2025.

Britney Oswald specializes in SOC reporting and has eight years of experience performing IT and controls audits as both an internal and external auditor. In addition, she has experience as a Financial Controller implementing systems and processes within growing businesses. Her favorite part of the job is helping clients implement controls that are right-sized for their organization.