Agent-Based vs. Network-Based Internal Vulnerability Scanning

Technology is constantly evolving, and with that come threats. Performing vulnerability scans and assessments is one of the best methods to defend the networks that companies rely on daily.

An externally exposed system that appears secure from a black-box perspective may still be exposed to severe flaws that can be identified after a deeper examination of the system and the software being used. That’s where internal vulnerability scanning comes in: it adds a second layer of defense, making your company substantially more breach-resistant.

An internal vulnerability scan is often carried out with access to the internal network, and its main advantage is the identification of vulnerable systems and the resulting knowledge for patch management procedures. There are two approaches to performing an internal vulnerability scan: network-based and agent-based.

Agent-Based Scanning

Each device that needs to be tested has a software package installed on it called an “agent.” After installation, the agent gathers information that shows whether the device may have vulnerability problems, and the results of the scans are reported back to the central server.


  • No credential management: The agents used in agent-based scanners are installed directly on the target device, eliminating the need for credentials.


  • Agents are resource intensive and end up hogging your computing and memory space.

Network-Based Scanner

The practice of finding vulnerabilities on a computer’s network, or IT assets, that hackers and threat actors might exploit is known as network-based vulnerability scanning. It helps to identify the current risk posture of your environment, the efficiency of your security measures, and possibilities for strengthening your defenses by fixing vulnerabilities.


  • A network-based vulnerability scanner evaluates various operating systems and apps, and the vulnerabilities are then cross-referenced against vulnerability databases to discover unpatched programs that need to be fixed in order to prevent breaches.


  • It cannot detect devices or applications that never communicate, and it is susceptible to issues brought on by infected systems purposefully disseminating false information.
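
The cross-referencing step and the blind spot for silent hosts described above, as an added example in Python (not part of the original article). The product names, advisory IDs, banners and inventory are constructed placeholders, and the matching trusts whatever version a host reports, which is why a host that disseminates false information skews the result.

```python
import re

# Constructed advisory feed: product -> [(placeholder ID, first fixed version)].
ADVISORIES = {
    "examplehttpd": [("EXAMPLE-ADV-0001", "2.4.10")],
    "examplesshd": [("EXAMPLE-ADV-0002", "8.9"), ("EXAMPLE-ADV-0003", "9.3")],
}

# Constructed scan output: (host, banner grabbed from an open port).
BANNERS = [
    ("10.0.0.5", "examplehttpd/2.4.9"),
    ("10.0.0.6", "examplehttpd/2.4.10"),
    ("10.0.0.7", "examplesshd/9.0"),
    ("10.0.0.8", "unknownd"),  # answers, but reports no version
]

# Constructed asset inventory; 10.0.0.9 never answered the scan.
INVENTORY = {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"}


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10); as strings, '2.4.10' sorts below '2.4.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_banner(banner):
    """Split 'product/version' into (product, version tuple), or None."""
    m = re.fullmatch(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner.strip())
    if not m:
        return None
    return m.group(1).lower(), parse_version(m.group(2))


def cross_reference(banners, advisories, inventory):
    """Return (findings, hosts in the inventory the scan could not assess)."""
    findings, assessed = [], set()
    for host, banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # nothing to match on, so the host stays unassessed
        assessed.add(host)
        product, version = parsed
        for adv_id, fixed_in in advisories.get(product, []):
            if version < parse_version(fixed_in):
                findings.append((host, product, adv_id))
    return findings, sorted(inventory - assessed)


print(cross_reference(BANNERS, ADVISORIES, INVENTORY))
```

The second return value is the list to hand to an agent-based check: hosts that are in the inventory but gave the network scan nothing to evaluate.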


