The automated process of probing systems, applications, and network devices to identify known security vulnerabilities — missing patches, misconfigurations, and software flaws — before attackers can exploit them.
Vulnerability scanners probe target systems by comparing installed software versions against databases of known vulnerabilities (CVEs), testing for common misconfigurations, and checking for missing security patches. Scans can be authenticated (using credentials to inspect the system from inside, finding more vulnerabilities) or unauthenticated (testing from the network perspective, simulating what an attacker would see). The output is a prioritized list of vulnerabilities with severity ratings, typically scored using CVSS (Common Vulnerability Scoring System).
For ransomware defense, vulnerability scanning is a critical preventive control because ransomware groups consistently exploit known vulnerabilities for which a patch is already available — not zero-days. The most commonly exploited categories include VPN appliance vulnerabilities (Fortinet, Citrix, Pulse Secure), internet-facing web application flaws (Exchange, Confluence), and Active Directory privilege escalation vulnerabilities. Regular scanning identifies these weaknesses before attackers do, providing the information needed to prioritize patching and close the attack surface.
Effective vulnerability scanning is continuous, not periodic. Internet-facing assets should be scanned daily, internal critical infrastructure weekly, and all systems at least bi-weekly. Use authenticated scans for comprehensive coverage, prioritize remediation based on exploitability (not just CVSS score), and verify that patches actually remediated the vulnerability through re-scanning. The CISA Known Exploited Vulnerabilities (KEV) catalog is essential for identifying which vulnerabilities are being actively exploited in the wild.
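The following Python sketch is an added illustration, not code from this page or from any scanner product, of the workflow the two paragraphs above describe: an authenticated-scan inventory of installed software is matched against a vulnerability database by affected version range, the findings are ranked by exploitability (KEV-listed first, then CVSS) rather than by CVSS alone, and a re-scan confirms which findings a patch actually closed. The vulnerability records, the CVE identifiers (deliberately formatted as placeholders), the product names, the version numbers and the KEV flags are all constructed for the example. It also shows why version strings must be compared numerically rather than lexically, a common source of false negatives in home-grown checks.

```python
"""Toy vulnerability-scanner core (added example; all data is constructed)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str      # placeholder identifier, not a real CVE
    product: str
    fixed_in: str    # first version that is no longer affected
    cvss: float
    in_kev: bool     # constructed flag standing in for a CISA KEV catalog lookup


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vuln: VulnRecord


def parse_version(v: str) -> tuple[int, ...]:
    """'7.0.12' -> (7, 0, 12): tuples compare numerically, strings do not
    (as a string, '7.0.9' sorts after '7.0.12' and would look patched)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


# Constructed vulnerability database; IDs are placeholders.
VULN_DB = [
    VulnRecord("CVE-0000-PLACEHOLDER-1", "ssl-vpn-appliance", "7.0.12", 9.8, True),
    VulnRecord("CVE-0000-PLACEHOLDER-2", "wiki-server", "8.5.4", 9.1, True),
    VulnRecord("CVE-0000-PLACEHOLDER-3", "wiki-server", "8.6.0", 6.5, False),
    VulnRecord("CVE-0000-PLACEHOLDER-4", "mail-server", "15.2.1", 7.5, False),
]

# Constructed authenticated-scan inventory: host -> {product: installed version}.
INVENTORY = {
    "vpn-gw-01": {"ssl-vpn-appliance": "7.0.9"},
    "wiki-01": {"wiki-server": "8.5.3"},
    "mail-01": {"mail-server": "15.2.1"},   # already at the fixed version
}


def scan(inventory: dict, vuln_db: list[VulnRecord]) -> list[Finding]:
    """Match every installed package against every record for the same product."""
    findings = []
    for host, packages in inventory.items():
        for product, version in packages.items():
            for vuln in vuln_db:
                if vuln.product == product and is_affected(version, vuln.fixed_in):
                    findings.append(Finding(host, product, version, vuln))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Actively exploited (KEV-listed) findings first, then by CVSS descending."""
    return sorted(findings, key=lambda f: (not f.vuln.in_kev, -f.vuln.cvss))


def verify_remediation(before: list[Finding], after_inventory: dict,
                       vuln_db: list[VulnRecord]) -> tuple[list[Finding], list[Finding]]:
    """Re-scan after patching; return (closed, still_open) relative to the earlier findings."""
    after = {(f.host, f.vuln.cve_id) for f in scan(after_inventory, vuln_db)}
    closed = [f for f in before if (f.host, f.vuln.cve_id) not in after]
    still_open = [f for f in before if (f.host, f.vuln.cve_id) in after]
    return closed, still_open


if __name__ == "__main__":
    first_pass = scan(INVENTORY, VULN_DB)
    for f in prioritize(first_pass):
        tag = "KEV" if f.vuln.in_kev else "   "
        print(f"{tag} {f.vuln.cvss:>4} {f.host:<10} {f.product} {f.version} {f.vuln.cve_id}")

    # Simulated patch cycle: VPN and wiki updated, then re-scanned to confirm.
    patched = {
        "vpn-gw-01": {"ssl-vpn-appliance": "7.0.12"},
        "wiki-01": {"wiki-server": "8.5.4"},
        "mail-01": {"mail-server": "15.2.1"},
    }
    closed, still_open = verify_remediation(first_pass, patched, VULN_DB)
    print(f"closed: {len(closed)}, still open: {[f.vuln.cve_id for f in still_open]}")
```

The re-scan step is the part teams most often skip: in the simulated patch cycle the wiki host moves to 8.5.4, which closes the KEV-listed finding but leaves the lower-severity one (fixed only in 8.6.0) open, and only a second scan makes that visible.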