What Are the Different Vulnerability Scan Types?

Last updated: June 6, 2026

When you click the Start a Scan button from the dashboard, you'll be presented with a choice of scan modes. Here's a breakdown of each scan type, what it covers, and when to use it.

Scan Modes

1. Automated Crawling (Web)

The Automated Crawler explores your target to build and update your endpoint inventory without performing any security checks. It can be run on-demand or scheduled at regular intervals to ensure your inventory stays current and accurately reflects the latest state of your application.

Applicable for: Web App


2. Automated Scan (Lightning)

The Lightning Scan performs high-level checks to quickly detect basic web application vulnerabilities. It is optimized for speed and is recommended for daily use to maintain a consistent baseline of security across your targets.

Applicable for: Web App, APIs, Cloud Infra


3. Automated Scan (Emerging Threats)

This scan identifies vulnerabilities from emerging cyber threats such as RegreSSHion, Polyfill, Log4Shell, and Text4Shell, helping secure your infrastructure against newly discovered exploits. Use this scan to quickly assess your exposure whenever a new threat is disclosed.

Applicable for: Web App, APIs, Cloud Infra


4. Automated Scan (Full)

An in-depth automated DAST scan that checks for 10,000+ vulnerabilities including known CVEs, OWASP Top 10, misconfigured headers, XSS, SQLi, and many more. Running a Full Scan at least once a week is recommended for optimal security coverage.

When running a Full Scan, you can choose between two coverage modes:

  • Full Coverage — Scans the entire inventory of known endpoints for a comprehensive security assessment.

  • Delta Coverage — Scans only newly discovered or changed endpoints since the last scan, making it faster and ideal for continuous integration workflows.

Applicable for: Web App, APIs, Cloud Infra


5. Manual Pentest

A Manual Pentest combines automated vulnerability scanning with offensive testing conducted by Astra's security experts. Our pentesters focus on business logic vulnerabilities, privilege escalation, authentication flaws, and more. The entire process typically takes a few weeks depending on the scope.

Applicable for: Web App, APIs, Cloud Infra, iOS, Android, and others


How to Initiate a Vetted Scan

A Vetted Scan is a vulnerability scan that has been reviewed and validated by Astra's security experts to ensure accuracy and minimize false positives. To request a vetted scan:

  1. Log in to the dashboard and navigate to the Continuous Scans page.

  2. From the list, open the scan that requires vetting.

  3. Click the Request Vetting button.

Need Help?

If you have any questions about which scan type is right for your needs, please reach out to our support team by raising a ticket from your Astra dashboard.