Cyber Pulse Academy

Tactic: Reconnaissance, Technique T1595.002

Vulnerability Scanning

Adversaries use automated tools to probe target systems for specific software versions, configurations, and known vulnerabilities, then cross-reference discovered services against exploit databases to select the most effective attack vector.

[Illustration: simulated scanner output against target 203.0.113.42. Database matches: CVE-2021-41773 (CRITICAL, Apache RCE), CVE-2021-44228 (CRITICAL, Log4Shell), CVE-2017-5638 (CRITICAL, Struts RCE), CVE-2021-22986 (PATCHED, iControl REST), CVE-2021-44521 (HIGH, Redis DoS). Threat level assessment: CRITICAL, 92/100, immediate action required. Patch status overview: Apache 2.4.49, 0/3 patched; OpenSSL 1.1.1k, 2/4 patched; Struts 2.5.0, 0/5 patched; MySQL 5.7.36, 3/4 patched. Exploit chain visualization: Discovery (version enumeration via banner grabbing) → Exploit select (CVE matched to known exploit code) → Impact (remote code execution and data exfiltration).]

The Escalating Threat of Vulnerability Scanning

Vulnerability scanning is a critical reconnaissance technique where attackers use automated tools to identify specific software versions and known vulnerabilities on target systems. By probing network services, analyzing server banners, and fingerprinting running applications, adversaries build a comprehensive map of exploitable weaknesses. This intelligence allows them to select the most effective exploit for initial access, dramatically increasing their success rate while minimizing detection. It is the digital equivalent of a burglar casing a building, identifying every unlocked window, faulty alarm, and weak door lock before ever setting foot inside.

According to CISA Advisory AA25-022A, threat actors are actively chaining multiple vulnerabilities together to gain initial access to target networks. The stakes have never been higher: the CISA Known Exploited Vulnerabilities (KEV) catalog grew by a staggering 1,484 new entries in 2025 alone, with approximately 20.5% of cataloged vulnerabilities being actively exploited by ransomware groups according to analysis by gopher.security. This means nearly one in five known vulnerabilities is being weaponized by the most destructive class of threat actors operating today.

The volume of vulnerability attacks surged by 56% in 2025 according to IndusFace, and in the first half of 2025 alone, more than 21,000 CVEs were disclosed (DeepStrike.io). Perhaps most alarmingly, approximately 41% of those newly disclosed vulnerabilities were rated as exploitable in real-world attack scenarios. This creates an overwhelming challenge for defenders: the attack surface is expanding faster than most organizations can patch, and adversaries are leveraging automation to exploit this gap at scale.

  • +1,484: vulnerabilities added to CISA's KEV catalog in 2025, representing a massive expansion of known actively-exploited weaknesses.
  • 56%: increase in vulnerability-based attacks in 2025, showing adversaries are rapidly weaponizing known CVEs against organizations worldwide.
  • 21,000+: CVEs disclosed in just the first half of 2025, underscoring the enormous and growing volume of software vulnerabilities.
  • 41%: share of 2025 CVEs rated as exploitable in real-world attacks, meaning nearly half are not just theoretical but actively dangerous.

Understanding Vulnerability Scanning

Definition

Vulnerability Scanning is a reconnaissance technique where adversaries use automated scanning tools to probe target systems for specific software versions, configurations, and known vulnerabilities. Scanners harvest running software and version numbers via server banners, listening ports, and other network artifacts, then cross-reference this information against databases of known exploits (CVEs) to identify the most effective attack vectors. This process is often the critical bridge between broad network reconnaissance (such as IP block scanning) and targeted exploitation. Tools like Nessus, OpenVAS, Nuclei, and custom scripts automate the discovery process, enabling attackers to assess hundreds or thousands of hosts rapidly. The technique exploits the fact that most network services voluntarily disclose their identity and version through protocol handshakes, HTTP headers, and TLS certificates, information that was designed for interoperability but serves as a goldmine for reconnaissance.

Everyday Analogy

Imagine a home security inspector going house to house with a clipboard and a detailed product database. They look at the brand and model of your front door lock, check if your alarm system is running firmware with known weaknesses, and note whether your garage door opener uses a recalled remote protocol. They examine the serial plate on your water heater to see if it's a model prone to carbon monoxide leaks, and they peek at your mailbox to determine which bank you use. They're not breaking in; they're cataloging every weakness they can find so they know exactly which tools and techniques to use when they do decide to exploit your home. A vulnerability scanner does exactly this to your network: it reads the nameplates, checks the recall lists, and builds a prioritized plan of attack, all without triggering a single alarm.

When Vulnerability Scanning Meets Negligence

BEFORE, CloudHealth Corp Breach

James Okonkwo had been a systems administrator at CloudHealth Corp, a mid-sized healthcare SaaS provider managing electronic health records for over 200 clinics across the southeastern United States. Like many organizations, CloudHealth had grown rapidly, adding new servers, microservices, and cloud instances faster than their security team could keep up. Among their infrastructure was an internal management portal running Apache Struts 2.5.0, a version with a well-documented Remote Code Execution vulnerability tracked as CVE-2017-5638. This vulnerability had been publicly known since 2017 and was the same flaw weaponized in the devastating Equifax breach.

On a Tuesday morning, CloudHealth's intrusion detection system flagged unusual outbound network traffic, but by then it was already too late. Attackers had used automated vulnerability scanning tools to discover the outdated Struts version exposed on the management portal. The entire scan-to-exploitation cycle took less than four hours: the scanner identified the vulnerable service, cross-referenced it against exploit databases, deployed a publicly available Metasploit module, and established a persistent backdoor. Within 48 hours, the attackers had exfiltrated 180,000 patient health records containing names, Social Security numbers, diagnoses, and prescription histories.

The consequences were devastating. Under HIPAA regulations, CloudHealth faced $4.8 million in fines, legal fees, mandatory credit monitoring for all affected patients, and a federal compliance audit. Three class-action lawsuits were filed within weeks. The company's reputation was shattered, seven clinic networks terminated their contracts, and CloudHealth's revenue dropped 35% over the following fiscal year. James, who had flagged the outdated Struts instance in an internal ticket six months earlier that was deprioritized due to "resource constraints," resigned citing organizational negligence.

AFTER, Transformation Through Vulnerability Management

The breach was a catalyst for wholesale change. CloudHealth's new CISO, hired in the aftermath, worked with James, who returned as a security consultant, to implement a comprehensive vulnerability management program. They deployed automated vulnerability scanning across all internet-facing and internal assets, running continuous assessments with weekly full-scan cycles. A formal patch management policy was established with a 72-hour SLA for critical vulnerabilities (those with known exploits or in the CISA KEV catalog), a 30-day window for high-severity issues, and quarterly reviews for moderate findings.

Beyond scanning and patching, they implemented virtual patching through their Web Application Firewall (WAF), creating custom rules that blocked exploitation attempts against systems awaiting patch deployment. They integrated their scanner results with their SIEM (Security Information and Event Management) platform, enabling real-time correlation between vulnerability data and actual attack attempts. Automated alerts were configured for any new CVE matching their software inventory that appeared in the CISA KEV catalog or had a public exploit available.

The results spoke for themselves. Within the first quarter, CloudHealth reduced their exploitable attack surface by 92%. Critical vulnerability remediation time dropped from an average of 145 days to under 48 hours. Their vulnerability scanning program now covers 100% of known assets, including cloud instances, containers, and third-party APIs, and their security team has visibility into their risk posture that they never had before. Most importantly, in the 18 months since implementation, CloudHealth has detected and blocked over 3,000 exploitation attempts against previously unknown or unpatched vulnerabilities, proving that proactive vulnerability management is not just a compliance checkbox; it is the foundation of effective defense.

7 Steps to Defend Against Vulnerability Scanning

01 Build a Complete Asset Inventory
  • Discover and catalog every internet-facing and internal asset including servers, cloud instances, containers, APIs, IoT devices, and third-party SaaS integrations. You cannot protect what you do not know exists; shadow IT is the number one blind spot for most organizations.
  • Implement automated asset discovery tools that continuously scan your network for new devices and services, ensuring your inventory stays current as infrastructure evolves and new resources are provisioned or decommissioned.
  • Assign clear ownership for each asset with documented business criticality ratings, ensuring that vulnerability findings can be prioritized based on the importance of the affected system to your operations.
02 Deploy Automated Vulnerability Scanning Tools
  • Implement industry-standard scanners such as Nessus, OpenVAS, Qualys, or Tenable.io configured for authenticated scanning where possible, which provides dramatically deeper visibility into software versions, missing patches, and configuration weaknesses compared to unauthenticated scans alone.
  • Schedule scans on a continuous or at least weekly basis for internet-facing assets and monthly for internal networks, with immediate ad-hoc scans triggered by new CVE disclosures affecting your software stack.
  • Correlate scanner results across multiple tools and data sources to reduce false positives and gain a more accurate picture of your actual risk posture; no single scanner catches everything.
03 Establish a Risk-Based Patching Policy
  • Define clear SLAs tied to severity: patch critical vulnerabilities with known exploits within 24-72 hours, high-severity issues within 14-30 days, and moderate findings on a quarterly cycle. Document exceptions and require executive sign-off for any delay beyond the defined SLA.
  • Prioritize patches based on real-world exploit availability and threat intelligence rather than relying solely on CVSS scores, which often overstate or understate actual risk depending on your specific environment and configuration.
  • Develop a tested patching workflow that includes staging environment validation, rollback procedures, and change management approval to prevent patch-induced outages while maintaining urgency.
04 Implement Virtual Patching & WAF Rules
  • Deploy Web Application Firewall (WAF) and Intrusion Prevention System (IPS) rules that block exploitation attempts against known vulnerabilities, providing immediate protection for systems that cannot be patched immediately due to compatibility, testing, or change management requirements.
  • Maintain a library of virtual patches aligned with your vulnerability scan findings, and ensure WAF/IPS signature databases are updated automatically at least daily to cover newly disclosed CVEs affecting your software stack.
  • Monitor virtual patch effectiveness by correlating WAF/IPS block events with vulnerability scan data, validating that protection rules are actually triggering against real-world attack attempts.
05 Monitor CISA KEV Catalog & Threat Feeds
  • Subscribe to automated alerts from the CISA Known Exploited Vulnerabilities catalog and cross-reference every new entry against your asset inventory and vulnerability scan results to identify immediately relevant threats.
  • Integrate threat intelligence feeds (such as CISA advisories, vendor security bulletins, and exploit database updates) into your security operations workflow to ensure your team has real-time awareness of emerging threats.
  • Establish rapid-response playbooks for when a KEV-listed vulnerability is found in your environment, with pre-approved emergency change procedures that bypass normal change management timelines while maintaining safety guardrails.
06 Conduct Regular Penetration Testing
  • Commission quarterly penetration tests that simulate real-world attack scenarios including vulnerability scanning, exploit chaining, and lateral movement, validating that your defensive controls actually work against motivated human adversaries, not just automated scans.
  • Use pen test findings to calibrate your vulnerability scanner configurations and false-positive rates, ensuring your automated tools are catching what matters and not drowning your team in noise.
  • Include red team exercises annually that test your organization's end-to-end detection and response capabilities, from initial reconnaissance through exploitation, persistence, and data exfiltration.
07 Create a Vulnerability Management Lifecycle
  • Implement a continuous cycle of Discover → Assess → Prioritize → Remediate → Verify → Report, with clearly defined roles, responsibilities, and metrics at each stage. Track Mean Time to Remediate (MTTR) by severity level and report trends to executive leadership monthly.
  • Use risk-based vulnerability management (RBVM) platforms that combine vulnerability data, threat intelligence, asset criticality, and network context to produce actionable prioritized remediation plans that focus your team's limited resources where they matter most.
  • Foster a security culture where vulnerability management is a shared responsibility across IT, development, and business teams, not just the security team's problem. Tie remediation metrics to team and individual performance goals.
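The cross-referencing that steps 03 and 05 describe, scan findings checked against the CISA KEV catalog and public-exploit data and then assigned patch SLAs, as an added example that is not the page's or CISA's code. The inventory, scanner findings, KEV excerpt and exploit list are constructed sample data, the CVE-2099-* ids are placeholders, and the SLA tiers are the ones the page gives.

```python
from datetime import date, timedelta

# Constructed asset inventory (hosts from the page's story, versions from its
# patch-status panel). "exposed" marks internet-facing systems.
INVENTORY = {
    "mgmt-portal": {"product": "Apache Struts", "version": "2.5.0", "exposed": True},
    "web-01": {"product": "Apache httpd", "version": "2.4.49", "exposed": True},
    "db-01": {"product": "MySQL", "version": "5.7.36", "exposed": False},
}

# Constructed scanner findings: (host, CVE id, CVSS base score).
# CVE-2099-* ids are placeholders standing in for findings with no known exploit.
SCAN_FINDINGS = [
    ("mgmt-portal", "CVE-2017-5638", 10.0),
    ("web-01", "CVE-2021-41773", 9.8),
    ("db-01", "CVE-2099-0001", 9.8),
    ("web-01", "CVE-2099-0002", 6.5),
]

# Constructed excerpt shaped like the KEV feed's "vulnerabilities" list
# (the real feed is a JSON document using the same field names).
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2017-5638", "vendorProject": "Apache", "product": "Struts"},
    {"cveID": "CVE-2021-41773", "vendorProject": "Apache", "product": "HTTP Server"},
]}

# Constructed set of CVEs for which public exploit code exists.
PUBLIC_EXPLOITS = {"CVE-2017-5638", "CVE-2021-41773"}

# SLA tiers as the page defines them: 72 h critical, 30 days high, quarterly moderate.
SLA_HOURS = {"critical": 72, "high": 30 * 24, "moderate": 90 * 24}


def kev_ids(feed):
    """CVE ids present in a KEV-shaped feed."""
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def classify(cve, cvss, kev, exploits):
    """Risk-based tier: a KEV listing or a public exploit outranks the CVSS number."""
    if cve in kev or cve in exploits:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "moderate"


def prioritize(findings, inventory, feed, exploits, today_iso):
    """Join scan findings with the inventory and KEV/exploit data; return
    remediation items ordered by due date, exposed assets first, then CVSS."""
    kev = kev_ids(feed)
    today = date.fromisoformat(today_iso)
    items = []
    for host, cve, cvss in findings:
        asset = inventory[host]
        tier = classify(cve, cvss, kev, exploits)
        items.append({
            "host": host, "cve": cve, "cvss": cvss, "tier": tier,
            "in_kev": cve in kev, "exposed": asset["exposed"],
            "software": f'{asset["product"]} {asset["version"]}',
            "due": (today + timedelta(hours=SLA_HOURS[tier])).isoformat(),
        })
    items.sort(key=lambda i: (i["due"], not i["exposed"], -i["cvss"]))
    return items


def kev_alerts(findings, feed):
    """Step 05 alert: which current scan findings are listed in the KEV catalog."""
    kev = kev_ids(feed)
    return sorted({cve for _, cve, _ in findings if cve in kev})


if __name__ == "__main__":
    for item in prioritize(SCAN_FINDINGS, INVENTORY, KEV_FEED, PUBLIC_EXPLOITS, "2025-01-06"):
        print(f'{item["due"]}  {item["tier"]:8} {item["cve"]:14} {item["host"]:12} {item["software"]}')
```

Note that the CVSS 9.8 placeholder on db-01 lands in the 30-day tier because nothing exploits it yet, while the KEV-listed findings on exposed hosts get the 72-hour clock.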

Common Mistakes & Best Practices

✕ Common Mistakes

Running vulnerability scanners only once a year. Annual compliance-driven scans leave 364 days of blind spots. Attackers scan continuously; your defenses must match. New vulnerabilities are disclosed daily, and a system patched in January can become critically vulnerable by March.

Patching critical systems without testing first. Blindly deploying patches to production systems without staging environment validation often causes outages, leading to a culture where teams delay or skip patches entirely due to fear of breaking things. Test first, patch fast.

Ignoring "low-risk" vulnerabilities that can be chained. Attackers routinely chain multiple medium or low-severity vulnerabilities together to achieve critical impact. A moderate information disclosure combined with a weak authentication bypass can equal full system compromise.

Not inventorying shadow IT and cloud assets. Cloud instances, developer workstations, forgotten subdomains, and unmanaged IoT devices often run outdated software and become the weakest link. If you are not scanning it, adversaries will find it and exploit it.

Failing to correlate vulnerabilities with threat intelligence. A vulnerability is just data until you understand who is exploiting it, how, and against what targets. Without threat context, your team wastes time on theoretical risks while missing the vulnerabilities actively being weaponized against your industry.

✓ Best Practices

Continuous vulnerability scanning with weekly automated assessments. Deploy scanners that operate around the clock, providing real-time visibility into your vulnerability posture. Weekly full-scan cycles combined with continuous targeted scanning of critical assets ensure nothing slips through the cracks.

Risk-based prioritization using CVSS scores and exploit availability. Go beyond CVSS by incorporating exploit availability, threat actor targeting, asset criticality, and network exposure into your prioritization model. A CVSS 7.0 with a public exploit on an internet-facing server is more urgent than a CVSS 9.8 behind multiple firewalls.

Virtual patching for systems that cannot be immediately updated. Use WAF rules, IPS signatures, and runtime application self-protection (RASP) to block exploitation attempts while you work through your patching pipeline. This is not a substitute for patching; it is a bridge to keep you safe while you get there.

Comprehensive asset discovery including cloud and IoT devices. Use both passive and active discovery techniques to build a complete asset inventory. Integrate cloud provider APIs, network scanning, DNS enumeration, and certificate transparency logs to find assets you did not know you had.

Integration of vulnerability data with threat intelligence platforms. Connect your vulnerability scanner outputs directly to threat intelligence feeds and your SIEM platform. Automated correlation enables your team to immediately identify when a vulnerability in your environment is being actively exploited in the wild.

Red Team vs Blue Team View

⟐ Offensive, Red Team

How Attackers Use Vulnerability Scanning

Attackers treat vulnerability scanning as the critical bridge between broad reconnaissance and targeted exploitation. They deploy tools like Nessus, OpenVAS, Nuclei, and custom scripts to systematically probe target networks for running services, software versions, and configuration weaknesses. Their goal is not just to find vulnerabilities; it is to identify the most efficient path to initial access.

Sophisticated threat actors cross-reference discovered software versions against exploit databases like ExploitDB, Metasploit, and GitHub PoC repositories. They prioritize vulnerabilities that have public exploit code, that affect internet-facing services, and that can be chained with other weaknesses for maximum impact. They also look for misconfigurations: default credentials, exposed management interfaces, unprotected APIs, and debug modes left enabled in production.

The entire scanning process is often automated and conducted at scale, scanning thousands of targets simultaneously to find the weakest links. Attackers may use low-and-slow scanning techniques to avoid triggering rate limits and intrusion detection alerts, distributing their probes over hours or days rather than seconds.

  • Nessus Professional / Tenable.io
  • OpenVAS / Greenbone
  • Nuclei (ProjectDiscovery)
  • Nmap with vuln scripts (NSE)
  • Metasploit auxiliary/scanner modules
  • Custom banner-grabbing scripts
  • Shodan / Censys recon queries

⟐ Defensive, Blue Team

How Defenders Counter Vulnerability Scanning

Defenders counter vulnerability scanning by owning the reconnaissance space, running their own vulnerability assessments before attackers do. This means implementing a proactive vulnerability management program that includes continuous scanning, rapid patching, virtual patching, and ongoing monitoring. The goal is to identify and remediate vulnerabilities before adversaries can discover and exploit them.

Blue teams deploy Web Application Firewalls and Intrusion Prevention Systems configured with virtual patches that block known exploit patterns even before the underlying software is updated. They subscribe to CISA alerts and maintain awareness of the Known Exploited Vulnerabilities catalog, treating every KEV entry as a critical priority requiring immediate action.

Beyond reactive patching, mature blue teams implement a vulnerability management lifecycle, a continuous cycle of discovery, assessment, prioritization, remediation, verification, and reporting. They use risk-based approaches to prioritize patches based on exploit availability, asset criticality, and threat intelligence rather than applying patches blindly in CVSS order.

  • Tenable.sc / Nessus Enterprise
  • Qualys Vulnerability Management
  • Rapid7 InsightVM / Nexpose
  • AWS Inspector / Azure Defender
  • WAF virtual patching (Cloudflare, AWS WAF)
  • CISA KEV Catalog monitoring
  • SIEM correlation (Splunk, Sentinel)

How to Spot Vulnerability Scanning Abuse

Threat hunters look for the telltale signs that an adversary is conducting vulnerability reconnaissance against their organization. While vulnerability scanning traffic can blend with legitimate admin activity, there are distinct behavioral patterns that experienced hunters can identify. The key is looking for systematic, automated probing that goes beyond normal user or admin behavior, especially when it targets multiple services, ports, and hosts in a coordinated way within a short time window.

Adversaries conducting vulnerability scans often exhibit a recognizable fingerprint: they query many services sequentially from a single source, request information that reveals software versions (such as HTTP headers, TLS certificates, or protocol banners), and may follow up targeted reconnaissance with actual exploitation attempts within hours. They may distribute their scanning across multiple source IPs to avoid rate-limiting and detection, but the behavioral pattern remains consistent: systematic enumeration followed by focused exploitation.

From a defensive perspective, organizations should monitor for unexpected connection patterns, excessive banner-grabbing requests, unusual User-Agent strings associated with scanning tools, and, critically, any correlation between vulnerability scan traffic and subsequent exploitation attempts on the same targets. This is where integrating vulnerability scan data with your SIEM and threat intelligence becomes essential: it allows you to detect not just the scan itself, but the full attack chain from reconnaissance to compromise.

Indicators to Monitor

  • Sequential port scanning from single or clustered source IPs followed by service fingerprinting
  • HTTP requests extracting Server, X-Powered-By, and X-AspNet-Version headers at scale
  • TLS handshake analysis revealing automated client behaviors (e.g., JA3 fingerprint matching known scanners)
  • Unusual volume of DNS reverse lookups and PTR queries correlating with scan source IPs
  • Correlation between vulnerability scan traffic and subsequent exploit payloads on the same targets
  • Access to known vulnerable endpoints (e.g., /struts2-showcase, /actuator, /wp-admin) from unexpected sources
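A detector for several of the indicators above (rapid enumeration of many paths from one source, scanner User-Agent strings, probes of known-vulnerable endpoints, and a later request to a probed endpoint from the same source) run over constructed web-server log lines, as an added example that is not from the page or from any tool it names. The log lines, source addresses and the scanner User-Agent markers are assumptions; the endpoint list is the one the page cites.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines. 198.51.100.7 enumerates several paths
# with a scanner User-Agent and later POSTs to one of them; 192.0.2.10 just browses.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
198.51.100.7 - - [06/Jan/2025:10:00:02 +0000] "GET /actuator HTTP/1.1" 404 0 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
198.51.100.7 - - [06/Jan/2025:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 0 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
198.51.100.7 - - [06/Jan/2025:10:00:03 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 2048 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
198.51.100.7 - - [06/Jan/2025:10:41:10 +0000] "POST /struts2-showcase/ HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Jan/2025:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
192.0.2.10 - - [06/Jan/2025:10:05:04 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints the page names as commonly probed; the UA fragments are assumed
# markers for illustration, not an authoritative scanner list.
VULN_ENDPOINTS = ("/struts2-showcase", "/actuator", "/wp-admin")
SCANNER_UA_MARKERS = ("nuclei", "nessus", "openvas", "nmap scripting engine")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_vuln_endpoint(path):
    return any(path.startswith(p) for p in VULN_ENDPOINTS)


def analyze(log_text, min_paths=4, window_s=60):
    """Group requests by source IP, score each source against the indicators,
    and return only the sources that have at least one reason to be flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        probes = [r for r in reqs if r["method"] == "GET"]
        paths = {r["path"] for r in probes}
        span = (probes[-1]["ts"] - probes[0]["ts"]).total_seconds() if probes else 0.0
        scanner_ua = any(k in r["ua"].lower() for r in reqs for k in SCANNER_UA_MARKERS)
        vuln_probes = sum(1 for r in probes if is_vuln_endpoint(r["path"]))
        # Exploitation follow-up: a POST to a known-vulnerable endpoint after the first probe.
        followup = next((r["path"] for r in reqs if r["method"] == "POST" and probes
                         and is_vuln_endpoint(r["path"]) and r["ts"] > probes[0]["ts"]), None)
        reasons = []
        if len(paths) >= min_paths and span <= window_s:
            reasons.append(f"{len(paths)} distinct paths within {span:.0f}s")
        if scanner_ua:
            reasons.append("scanner User-Agent")
        if vuln_probes >= 2:
            reasons.append(f"{vuln_probes} known-vulnerable endpoints probed")
        if followup:
            reasons.append(f"follow-up POST to {followup} after scan")
        if reasons:
            findings[ip] = {"distinct_paths": len(paths), "span_s": span, "scanner_ua": scanner_ua,
                            "vuln_probes": vuln_probes, "followup_path": followup, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, "; ".join(info["reasons"]))
```

The follow-up check is the correlation the page calls critical: the scan alone is noise, but a request to a probed endpoint from the same source minutes later is the start of the attack chain.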

Strengthen Your Vulnerability Management

Every unpatched vulnerability is an open invitation. Whether you are a security professional, a system administrator, or an organizational leader, the time to act is now. Review your vulnerability management program, check your exposure against the CISA KEV catalog, and ensure your organization is not the next headline.

💬 Questions & Discussion

Have questions about vulnerability scanning, need help setting up your vulnerability management program, or want to share your experience defending against T1595.002? Leave a comment below or reach out to the security community. The best defense begins with knowledge, and the best knowledge comes from shared experience.
