How to Scan External Assets for Known Vulnerabilities
What tools are available for external vulnerability scanning?
The main categories of tools:
Open-source scanners:
- Nuclei - ProjectDiscovery’s template-based scanner with over 8,000 detection templates for CVEs, misconfigurations, and exposures. Fast, extensible, and community-maintained.
- OpenVAS - Greenbone’s open-source vulnerability scanner with a large vulnerability test library. Heavier than Nuclei but provides more comprehensive reporting.
- Nmap NSE scripts - Nmap’s scripting engine includes vulnerability detection scripts for common CVEs, useful for targeted checks on specific services.
Commercial scanners:
- Nessus - Tenable’s vulnerability scanner with professional-grade detection and compliance checking.
- Qualys VMDR - Cloud-based vulnerability management with external scanning capabilities.
EASM platforms:
- SurfaceLoop - combines asset discovery with continuous CVE scanning across all internet-facing assets.
- Other EASM vendors provide similar combined discovery-and-scanning capabilities.
The choice depends on scale: open-source tools work well for targeted scanning of known assets, while EASM platforms are designed for continuous monitoring across an entire external attack surface including assets the security team may not know about.
How do you run an external vulnerability scan?
A practical workflow using Nuclei as an example:
1. Define targets. List the domains and IP addresses to scan. For a comprehensive assessment, start with EASM discovery to find all internet-facing assets rather than relying on a manually maintained list.
2. Select detection templates. Nuclei organises templates by type. For CVE detection:
nuclei -u https://example.com -t cves/ -severity critical,high
This runs all Critical and High severity CVE templates against the target.
3. Execute from an external vantage point. Run the scan from outside your network - a cloud VM, a VPS, or a SaaS platform. Scanning from inside your network tests different conditions than what an attacker would encounter.
4. Review and triage results. Each finding includes the CVE ID, severity, matched evidence, and affected URL. Triage by:
- Is the CVE on CISA’s KEV list (actively exploited)?
- Is the asset production or development?
- Is a public exploit available?
- Is a patch available from the vendor?
5. Remediate and rescan. After patching or applying workarounds, rescan to confirm the vulnerability is resolved.
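Steps 4 and 5 are where most of the manual effort goes, so here is the triage step as an added example (it is not SurfaceLoop or Nuclei code). It assumes Nuclei was run with `-jsonl` and that each record carries `template-id`, `host`, `matched-at`, `info.severity` and `info.classification.cve-id`, which are Nuclei's JSON field names (verify against your installed version). The findings, the KEV stand-in, the asset inventory and the exploit/patch tables are all constructed sample data, and the `CVE-0000-000x` ids are placeholders; the script scores each finding on the four triage questions and orders the list for remediation.

```python
"""Triage Nuclei JSONL output by severity, KEV status, environment and exploit/patch state.

Added example, not SurfaceLoop or Nuclei code. Field names follow Nuclei's JSON
output; all data below is constructed.
"""
import json
from urllib.parse import urlparse

# Constructed stand-in for the CISA KEV catalogue; the real feed is a JSON
# document whose "vulnerabilities" array lists cveID values.
KEV_CVES = {"CVE-2021-41773"}

# Constructed asset inventory (host -> environment). Hosts missing from the
# inventory are scored as production: an asset nobody listed is exactly what
# external discovery is meant to surface.
ASSET_ENV = {
    "www.example.com": "production",
    "staging.example.com": "development",
}

# Constructed advisory knowledge; CVE-0000-000x ids are placeholders.
PUBLIC_EXPLOIT = {"CVE-2021-41773"}
PATCH_AVAILABLE = {"CVE-2021-41773", "CVE-0000-0001"}

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed Nuclei-style JSONL records, one finding per line.
SAMPLE_FINDINGS = "\n".join([
    json.dumps({"template-id": "CVE-2021-41773", "host": "https://www.example.com",
                "matched-at": "https://www.example.com/",
                "info": {"name": "Apache 2.4.49 - Path Traversal", "severity": "critical",
                         "classification": {"cve-id": ["CVE-2021-41773"]}}}),
    json.dumps({"template-id": "CVE-0000-0001", "host": "https://staging.example.com",
                "matched-at": "https://staging.example.com/",
                "info": {"name": "Placeholder finding", "severity": "high",
                         "classification": {"cve-id": ["CVE-0000-0001"]}}}),
    json.dumps({"template-id": "CVE-0000-0002", "host": "https://forgotten.example.com",
                "matched-at": "https://forgotten.example.com/",
                "info": {"name": "Placeholder finding", "severity": "medium",
                         "classification": {"cve-id": "CVE-0000-0002"}}}),
])


def cve_ids(finding):
    """CVE ids for a finding: info.classification.cve-id may be a list or a
    single string, so both are accepted; fall back to the template id when it
    is itself a CVE id."""
    classification = finding.get("info", {}).get("classification") or {}
    ids = classification.get("cve-id") or []
    if isinstance(ids, str):
        ids = [ids]
    ids = [i.upper() for i in ids]
    template = str(finding.get("template-id", "")).upper()
    if not ids and template.startswith("CVE-"):
        ids = [template]
    return ids


def hostname(target):
    """Bare hostname from a Nuclei host field, which may be a URL or host:port."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return (parsed.hostname or target).lower()


def triage(jsonl_text, kev=KEV_CVES, env=ASSET_ENV,
           exploit=PUBLIC_EXPLOIT, patched=PATCH_AVAILABLE):
    """Score each finding, decide the remediation action from patch
    availability, and return findings highest priority first."""
    results = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        finding = json.loads(line)
        host = hostname(finding.get("host", ""))
        severity = str(finding.get("info", {}).get("severity", "info")).lower()
        ids = cve_ids(finding)
        environment = env.get(host, "production")
        score = SEVERITY_WEIGHT.get(severity, 0)
        reasons = [f"severity={severity}"]
        if environment == "production":
            score += 3
            reasons.append("production asset" if host in env
                           else "unlisted asset, treated as production")
        if any(c in kev for c in ids):
            score += 4
            reasons.append("on CISA KEV")
        if any(c in exploit for c in ids):
            score += 2
            reasons.append("public exploit available")
        action = "patch" if any(c in patched for c in ids) else "mitigate: no vendor patch yet"
        results.append({"host": host, "cves": ids, "severity": severity,
                        "environment": environment, "score": score,
                        "reasons": reasons, "action": action,
                        "matched_at": finding.get("matched-at", "")})
    results.sort(key=lambda r: (-r["score"], r["host"]))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f'{r["score"]:>2}  {r["host"]:<24} {",".join(r["cves"]):<16} '
              f'{r["action"]}  ({"; ".join(r["reasons"])})')
```

Feed it real output with `python3 triage.py < findings.jsonl` after swapping `SAMPLE_FINDINGS` for `sys.stdin.read()`, and replace the constructed sets with the real KEV feed and your inventory. The weights are deliberately simple; the point is that KEV membership and an unlisted host both outrank raw severity, which is what the four triage questions encode. Step 5 then amounts to rerunning the scan and checking that the top entries disappear.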
How SurfaceLoop handles this
SurfaceLoop automates this entire workflow. Enter your root domain and SurfaceLoop discovers all internet-facing assets, scans them for known CVEs using thousands of detection templates, and re-scans continuously. New CVEs are matched against your asset inventory within hours of publication.
What are the limitations of external vulnerability scanning?
Key limitations to understand:
Version-based false positives. If a scanner sees the banner Apache 2.4.49, it flags CVE-2021-41773 (path traversal). But the organisation may have backported the security patch without updating the version string, so the scanner reports a vulnerability that has already been fixed.
Obfuscated version strings. Security-conscious organisations remove or modify version banners. This reduces the scanner’s ability to fingerprint software, leading to false negatives - real vulnerabilities that go undetected because the version cannot be determined.
No application-layer testing. External scanning checks infrastructure vulnerabilities (web server CVEs, SSL/TLS issues, known product flaws) but does not test application logic - SQL injection, authentication bypass, business logic errors. These require dedicated application security testing.
No zero-day coverage. CVE detection only finds known, publicly disclosed vulnerabilities. If a vulnerability has not been assigned a CVE, no scanner will detect it.
Network-level limitations. Firewalls, WAFs, and rate limiting can interfere with scanning accuracy. CDNs may mask the actual server software behind a proxy layer.
Despite these limitations, external vulnerability scanning remains one of the most cost-effective security measures. It catches the low-hanging fruit that attackers routinely exploit - unpatched internet-facing software - and does so continuously and at scale.
Frequently asked questions
- Is it legal to scan my own external assets for vulnerabilities?
- Yes, scanning assets you own or have authorisation to test is legal. However, scanning assets you do not own without permission may violate computer misuse laws. Ensure you have documented authorisation, and be aware that some hosting providers require notification before scanning. Cloud providers like AWS and Azure have specific policies for vulnerability scanning on their infrastructure.
- How often should external vulnerability scans run?
- At minimum weekly, with daily scans for critical assets. New CVEs are published daily and exploitation often begins within hours of disclosure. Continuous scanning ensures newly disclosed vulnerabilities are detected before attackers find them. Compliance frameworks like PCI DSS require quarterly scans as a minimum.
- What is the difference between authenticated and unauthenticated scanning?
- Authenticated scanning uses credentials to log into systems and inspect installed software versions directly, producing more accurate results. Unauthenticated scanning works from outside without credentials, relying on banner grabbing and response fingerprinting. External attack surface scanning is inherently unauthenticated because it mirrors the attacker’s perspective.
- How do I reduce false positives in vulnerability scan results?
- Use scanners that validate findings beyond simple version matching. Cross-reference results with vendor advisories. Prioritise findings confirmed by multiple detection methods. Consider scanners that attempt safe exploitation checks to confirm vulnerability presence. Review and tune scanner configurations to exclude known false positive patterns.
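The two version-string limitations above (backported patches and stripped banners) and the false-positive tuning in the last answer come down to one classification problem, shown here as an added example that is not SurfaceLoop or Nuclei code. The affected-version table (only the page's Apache httpd 2.4.49 / CVE-2021-41773 example), the sample banners, the per-host backport register and the host names are all constructed; whether a safe active check matched a CVE is passed in as a set, because this code performs no checks itself. The result labels each finding as confirmed, inferred, suppressed, undetermined or not affected, so that version-inferred findings are never reported with the same confidence as confirmed ones.

```python
"""Separate version-inferred findings from confirmed ones.

Added example, not SurfaceLoop or Nuclei code. The affected-version table,
banners and backport register are constructed; active-check results are an
input, not something this code produces.
"""
import re

# Constructed affected-version table: cve -> (product, lowest, highest affected).
# The CVE-2021-41773 row reflects the page's Apache httpd 2.4.49 example.
AFFECTED = {
    "CVE-2021-41773": ("apache", (2, 4, 49), (2, 4, 49)),
}

# Server header shapes: "Apache/2.4.49 (Debian)", "Apache/2.4.49", "Apache", "nginx".
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d+(?:\.\d+)*))?"
    r"(?:\s*\((?P<distro>[^)]+)\))?"
)


def parse_banner(server_header):
    """Split a Server header into (product, version tuple or None, distro or None)."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return None, None, None
    version = (tuple(int(p) for p in m.group("version").split("."))
               if m.group("version") else None)
    return m.group("product").lower(), version, m.group("distro")


def assess(host, server_header, active_hits=frozenset(), verified_backports=frozenset()):
    """Classify each CVE in AFFECTED for one host.

    confirmed    - a safe active check matched (version string irrelevant)
    suppressed   - version matches, but the team has verified a backported fix
    inferred     - version matches only; distribution builds get a backport caveat
    undetermined - banner carries no version, so nothing can be inferred
    not affected - product differs or version is outside the affected range
    """
    product, version, distro = parse_banner(server_header)
    out = []
    for cve, (aff_product, lo, hi) in AFFECTED.items():
        if cve in active_hits:
            out.append({"host": host, "cve": cve, "status": "confirmed",
                        "note": "active check matched"})
            continue
        if product != aff_product:
            status, note = "not affected", f"product {product or 'unknown'} is not {aff_product}"
        elif version is None:
            status, note = "undetermined", "banner has no version; needs an active check"
        elif lo <= version <= hi:
            if (host, cve) in verified_backports:
                status, note = "suppressed", "version matches but a backported fix was verified"
            elif distro:
                status, note = "inferred", f"version matches; {distro} build may carry a backport"
            else:
                status, note = "inferred", "version matches; confirm before reporting"
        else:
            status, note = "not affected", "version outside affected range"
        out.append({"host": host, "cve": cve, "status": status, "note": note})
    return out


if __name__ == "__main__":
    # Constructed sample: one verified backport, one active-check hit, one stripped banner.
    backports = {("www.example.com", "CVE-2021-41773")}
    cases = [
        ("www.example.com", "Apache/2.4.49 (Debian)", set()),
        ("app.example.com", "Apache/2.4.49", {"CVE-2021-41773"}),
        ("api.example.com", "Apache/2.4.51", set()),
        ("hidden.example.com", "Apache", set()),
    ]
    for host, banner, hits in cases:
        for r in assess(host, banner, hits, backports):
            print(f'{r["host"]:<20} {r["cve"]} {r["status"]:<13} {r["note"]}')
```

The backport register is the "known false positive pattern" exclusion from the answer above, but keyed per host and per CVE rather than as a blanket rule, so a newly deployed host with the same banner still surfaces as inferred. The undetermined status is the false-negative side: a stripped banner does not make the host safe, it only means the version check has nothing to say and an active check (or authenticated scan) is the next step.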