Free vulnerability scanner comparison

The vulnerability scanners covered focus on host scanning.  There are many web site, document, technology (Flash, Ruby, Java, etc), file and other vulnerability scanners and fuzzers out there that will help you tackle many other detection tasks.  For more useful tools, feel free to take a look at the tool list from episodes of HNNCast.T00lT1m3.



  • Free for unlimited IPs.
  • Good community support
  • Used by and backed by consultants that work directly for the US Government. Used by German government.
  • Can produce audit reports.
  • Keeps history of scans.


  • Complex to install and configure, but has a VM.

Number of available definitions:

Rapid 7’s Nexpose (Community):


  • Integration with Metasploit so you can exploit the vulns you’ve found.
  • Very active community of penetration testers and security researchers driving development of exploits that are turned into vulnerability definitions. Metasploit has become the defacto framework for exploits.
  • Very easy installation and configuration process. You will be scanning in under 15 minutes.
  • Keeps history of scans.
  • Self contained: installs its own postgresql and apache instance


  • limited to 32 IPs per server instance

Number of available definitions:

  • 82739 (number taken directly from Nexpose UI)

eEye’s Retina (Community):


  • Vulnerability scanner has direct integration their patch management system (Retina CS), which also has a free license.
  • Integration with Metasploit via XML-RPC, MessagePack-based RPC, and local command line, so you can exploit the vulns you’ve found.
  • Easy to install.
  • Several SCAP and additional security benchmark report templates are provided.
  • Once audit results are processed into a remediation report, CVE, Exploit-DB, Core Impact, and Metasploit links are listed right along with the vulnerability found.
  • Schedule scans.
  • Outputting reports to a DB or a file.
  • Alerting on returned audit risk level (High, Medium, Low, Informational), to event log, SMTP, SNMP, and syslog.


  • Limited to 128 IPs per instance.
  • Limited to 365 days of running time.
  • Not web based, UI is lacking (opinion).
  • No SMTP encryption or authentication report (need help configuring a relay?)

Number of available definitions:

  • pending (appears to be 14112 CVEs, 5218 services, 6955 vulnerabilities from DB, 2589 from Metasploit Modules list; total of 28874, of course if the securityfocus and metasploit definitions aren’t just there for reference)



  • Unlimited IP scanning.
  • Easy to setup and use.


  • In the already “saturated” market of vulnerability scanners, nmap probably won’t be receiving the necessary development attention needed to really have NSE take off.

Number of available definitions:

For more info on vulnerability scanners, check out one of the most populate list of security tools on the internet, list of vulnerability scanners.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: