What are the different vulnerability scan types?
Different Scan Modes
When you click on 'Start a Scan' button on Scan page, you'll be given a choice to run three modes of scans. We've described below what each of these types of scans mean:
Automated Scan: Our ever evolving vulnerability scanner scans your application for vulnerabilities in this scan. You can choose to configure it to scan behind login too. Any possible vulnerability is reported by the scanner and the complete scan can take anywhere between 12-48 hours depending on the scope of the application you want to scan. The reported vulnerabilities could have false positives too. These types of scans are included in all our plans.
Automated Scan (Vetted): Vetted automated scan include everything within the Automated Scan + our security engineers carefully reviewing the results of the scan to ensure if there are any false positives, they're removed. The final report you see has no false positives as its review by the security engineers. Expert and Pentest plan include these types of scans.
You'll see status of the reported vulnerabilities as 'Under Review' in the case of Automated Vetted Scans.
Manual Pentest: Manual pentest comprise of automated vulnerability scan + vetted results + a complete penetration test by our security experts. In a pentest, our security experts uncover vulnerabilities which are logical flaws and often beyond the detection capabilities of automated scanners. The entire exercise takes a week or two depending on the scope. In the case of manual pentest, after automated scan completes a ticket is auto-generated where our security engineers get in touch with you requesting details for manual pentest if required. Our 'Pentest' plan covers these types of tests.
Different Automated Scan Types
There are 3 different types of Automated Scans that you can run:
Full Scan - In this, the vulnerability scanner scans for all the vulnerabilities on all endpoints. It ensures to cover the entire web application. The scanner will scan the web application for both high-level bugs such as header misconfigurations, sensitive data leakage and low-level bugs such as SSTI, XSS, SQLi, RCE etc. It is advisable to run a Full Scan at least once a week.
Lightning Scan - In this, the vulnerability scanner scans the web application from a higher level and covers the basic security vulnerabilities. You are expected to run a Lightning Scan at least one lightning scan daily.
Emerging Threats Scan - In this, the vulnerability scanner scans for all the new vulnerabilities in the cyber security world. So whenever a new vulnerability comes around, you can run this scan to find out if your web application is safe from it. New vulnerabilities' examples: Log4Shell, Spring4Shell and Text4Shell.
Updated on: 03/01/2023