Difference between Agent-based and Network-based Internal Vulnerability Scanning

Technology evolution is the only constant in our lives these days. Sometimes, an existing approach can go a long way in addressing problems, while other times, a new approach needs to be adopted to get the work done.

Let’s talk about vulnerabilities; internal networks and software can be riddled with loopholes, which can expose them to breaches and data leaks, paving the way for hackers to have an easy ride. Through the process of vulnerability scanning, IT teams assess, mitigate and report security vulnerabilities that have been found in a company’s internal networks. 

There are two primary methods of internal vulnerability scanning, both of which have continued to gain traction over the years:

  • Network-based
  • Agent-based 

If you are looking to implement internal vulnerability scanning, this is the right place to start. Read on to understand the difference between the two scanning approaches and make the right decision for your organization.

What is a Network-based vulnerability scanner?

Network-based vulnerability scanning, in simple terms, is the process of identifying loopholes in a computer network or its IT assets that could be exploited by hackers and threat actors. Through this process, an organization can identify its current risks. That is not where the buck stops: it can also verify the effectiveness of its systems' security measures while improving internal and external defences.

Through this review, an organization is well equipped to take an extensive inventory of all systems, which includes operating systems, installed software, security patches, hardware, firewalls, anti-virus software, and much more. 

How does a Network-based vulnerability scan work?

In a nutshell, a network-based vulnerability scanner identifies the different operating systems and applications it finds and checks them against vulnerability databases to identify unpatched applications that are vulnerable and need to be patched to avoid breaches. In the case of firewalls, the scan helps determine whether well-known ports can be exploited and therefore need to be shut down.

Network-based vulnerability scanning can be divided into two parts: internal and external scanners.

1. Internal scanners:

These scanners are specifically designed to expose weaknesses in internal systems. This way, an organization can cover a range of scenarios that external scanners often do not reach. An apt example is as follows:

Suppose you are using an outdated browser version on a company laptop. Such outdated browser versions can become a trojan horse, especially if the user is prompted to visit a malicious website. Other weaknesses include vulnerabilities in services or ports, such as SMB services.

How easily an attacker can gain access to internal networks depends on how those networks are configured. In light of this, the first step should be to map an organization's systems and classify them based on the data they hold and the access they require.


2. External scanners:

External vulnerability scanners, more commonly known as perimeter scanners, are as important as internal scanners. As the name suggests, they scan for vulnerabilities that the outside world can see. A few years ago, such scanners were limited to external network infrastructure, which was always in scope for hackers.

However, as technology has advanced, most defence mechanisms are now breached through web applications, or through a mix of network-layer vulnerabilities. Organizations must keep abreast of these changes and secure their web applications against hackers and external security breaches.


Common elements of Network-based vulnerability scanners

1. Vulnerability databases:

The database is the crux of a vulnerability scanner, as it contains an extensive list of vulnerabilities together with the procedures for checking a system for each of them.

2. User configuration tools:

Users can select target systems and identify which vulnerability checks should be run by the scanner.

3. Scanning engines:

The scanning engine is the heart and soul of a vulnerability scanner: it sends packets to target systems and, from the responses, determines which vulnerabilities are present. These are then reported back to users.

4. Data of current and previous scans:

This element acts as the memory of the scanner: it keeps track of current scans and the vulnerabilities discovered in them, and also feeds data back into the scanning engine.

5. Results report tool:

The final element is the reporting tool, the mouthpiece of the scanner. Through it, users can access reports that explain the vulnerabilities discovered on the various target systems.
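To make the five elements concrete, here is an added example of a toy network-based scanner (this is illustrative code written for this article, not Appknox's product or any real scanner). It assumes a constructed vulnerability database with made-up product names and IDs (EXAMPLE-0001, ExampleSSH) and a local socket that plays the target service by sending a banner, so it runs offline; the banner format and version matching are simplifications of what a real scanning engine does.

```python
"""Toy network-based scanner showing the five elements described above.
Added example (not Appknox code): the vulnerability database, product names
and the banner-serving target are all constructed so it runs offline."""
import re
import socket
import threading
import time

# 1. Vulnerability database: constructed entries, not real advisories.
#    Each entry says which product, up to which version, is affected.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "ExampleSSH", "max_affected": (7, 4),
     "summary": "constructed: ExampleSSH <= 7.4 affected"},
    {"id": "EXAMPLE-0002", "product": "ExampleFTP", "max_affected": (1, 2),
     "summary": "constructed: ExampleFTP <= 1.2 affected"},
]

# 2. User configuration: which host, which ports, which checks to run.
def make_config(host, ports, checks=None):
    return {"host": host, "ports": list(ports),
            "checks": list(checks) if checks else [v["id"] for v in VULN_DB]}

BANNER_RE = re.compile(r"([A-Za-z]+)[_/ ](\d+)\.(\d+)")

def parse_banner(banner):
    """Extract (product, (major, minor)) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def lookup(product, version, enabled_checks):
    """IDs of enabled database entries matching this product and version."""
    return [v["id"] for v in VULN_DB
            if v["id"] in enabled_checks and v["product"] == product
            and version <= v["max_affected"]]

# 3. Scanning engine: probe each port, grab the banner, consult the database.
def scan(config, timeout=2.0):
    findings = []
    for port in config["ports"]:
        try:
            with socket.create_connection((config["host"], port), timeout=timeout) as s:
                banner = s.recv(256).decode(errors="replace").strip()
        except OSError:
            findings.append({"port": port, "state": "closed"})
            continue
        entry = {"port": port, "state": "open", "banner": banner, "vulns": []}
        parsed = parse_banner(banner)
        if parsed:
            entry["vulns"] = lookup(parsed[0], parsed[1], config["checks"])
        findings.append(entry)
    return findings

# 4. Scan history: remembers previous results so new findings stand out.
class ScanHistory:
    def __init__(self):
        self.scans = []

    @staticmethod
    def _pairs(findings):
        return {(f["port"], v) for f in findings if f["state"] == "open" for v in f["vulns"]}

    def record(self, findings):
        """Store a scan; return (port, vuln_id) pairs absent from the previous scan."""
        previous = self._pairs(self.scans[-1]["findings"]) if self.scans else set()
        self.scans.append({"time": time.time(), "findings": findings})
        return sorted(self._pairs(findings) - previous)

# 5. Results report: turn the latest scan into something a user can read.
def report(history):
    by_id = {v["id"]: v["summary"] for v in VULN_DB}
    lines = []
    for f in history.scans[-1]["findings"]:
        if f["state"] != "open":
            lines.append(f"port {f['port']}: closed")
            continue
        lines.append(f"port {f['port']}: open, banner {f['banner']!r}")
        for vid in f["vulns"]:
            lines.append(f"  {vid}: {by_id[vid]}")
    return "\n".join(lines)

# Constructed target: a local socket that sends one banner and closes,
# standing in for a real service so the example needs no network.
def start_banner_server(banner):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner.encode())
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def free_port():
    """A local port with nothing listening, to show how a closed port is reported."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    open_port = start_banner_server("ExampleSSH_7.4 constructed-banner\r\n")
    cfg = make_config("127.0.0.1", [open_port, free_port()])
    history = ScanHistory()
    print("new findings:", history.record(scan(cfg)))
    print(report(history))
```

Running the same configuration twice shows the value of the history element: the second `record` call returns nothing new, so an analyst only has to look at what changed since the last scan.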

What is an Agent-based vulnerability scanner?

Agent-based scanners rely on a software agent installed on each and every device; the results of each scan are reported back to a central server. Such scanners are well equipped to find and report a range of vulnerabilities. Despite being extremely time-consuming, they can report back on vulnerabilities even when the scanner is not installed.

Some features of agent-based scanners include, but are not limited to:

  • Based mainly on pull technology
  • Ideal for distributed networks with limited bandwidth in remote locations
  • Not dependent on network connectivity, making them ideal for mobile computers that are not connected to a central network
  • Perform well with Windows-based patch management machines

How does an Agent-based vulnerability scanner work?

Although the inner workings of agent-based vulnerability scanners are not widely documented, such assessments need an installed sensor on each individual machine. Such agents are large, which in turn bogs down the systems as the scans run individually on each of them. Once each machine is scanned, legacy systems produce a report that analysts have to sift through to identify the right points of remediation.
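The following added example sketches the agent side of this model (illustrative code written for this article, not any vendor's agent). It assumes a constructed software inventory and a constructed baseline of minimum patched versions carried by the agent, and models the point made in the feature list above: the agent keeps its results in a local queue while the central server is unreachable and delivers them once connectivity returns, so the server can still tell which devices are at risk and which have not reported in a while.

```python
"""Toy agent-based scanner: an agent on each device inventories software
locally, queues results while the central server is unreachable, and flushes
them when connectivity returns. Added example (not Appknox code); the
inventory, baseline versions and device names are constructed."""
import collections
import json

# Constructed per-device inventory, standing in for what a real agent would
# read from the package manager or registry.
LAPTOP_INVENTORY = [
    {"name": "examplebrowser", "version": (88, 0)},
    {"name": "examplevpn", "version": (2, 1)},
]

# Constructed minimum patched versions the agent carries with it, so it can
# judge a device locally without asking the server.
BASELINE = {"examplebrowser": (90, 0), "examplevpn": (2, 1)}

def outdated(inventory, baseline):
    """Names of packages installed below their baseline version."""
    return sorted(p["name"] for p in inventory
                  if p["name"] in baseline and p["version"] < baseline[p["name"]])

class Agent:
    def __init__(self, agent_id, inventory):
        self.agent_id = agent_id
        self.inventory = inventory
        self.queue = collections.deque()   # reports not yet delivered

    def collect(self, now):
        """One local scan; 'now' is passed in so results are reproducible."""
        return {"agent_id": self.agent_id, "collected_at": now,
                "outdated": outdated(self.inventory, BASELINE),
                "package_count": len(self.inventory)}

    def run_cycle(self, server, now, online):
        """Scan once; deliver queued reports only if the server is reachable.
        Returns the number of reports delivered this cycle."""
        self.queue.append(self.collect(now))
        if not online:
            return 0
        delivered = 0
        while self.queue:
            server.receive(json.dumps(self.queue[0]))  # serialized as it would be on the wire
            self.queue.popleft()                       # drop only after delivery succeeds
            delivered += 1
        return delivered

class CentralServer:
    def __init__(self):
        self.latest = {}   # agent_id -> newest report seen

    def receive(self, raw):
        report = json.loads(raw)
        current = self.latest.get(report["agent_id"])
        # Queued reports arrive oldest first; keep only the newest per agent.
        if current is None or report["collected_at"] > current["collected_at"]:
            self.latest[report["agent_id"]] = report

    def stale(self, now, max_age):
        """Agents whose newest report is older than max_age seconds."""
        return sorted(a for a, r in self.latest.items()
                      if now - r["collected_at"] > max_age)

    def at_risk(self):
        """Agents reporting at least one outdated package, with the package names."""
        return {a: r["outdated"] for a, r in self.latest.items() if r["outdated"]}

if __name__ == "__main__":
    server = CentralServer()
    laptop = Agent("laptop-01", LAPTOP_INVENTORY)
    laptop.run_cycle(server, now=0, online=False)       # on the road, no connectivity
    laptop.run_cycle(server, now=3600, online=False)
    print("delivered:", laptop.run_cycle(server, now=7200, online=True))
    print("at risk:", server.at_risk())
    print("stale after a week:", server.stale(now=7200 + 7 * 86400, max_age=86400))
```

The queue is only trimmed after a report has been handed to the server, which is what lets a laptop that spends days off the corporate network still contribute a complete history once it reconnects.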


Differences between Network-based and Agent-based Vulnerability Scanners

Network-based: A network-based scanner performs critical functions.
Agent-based:   A permanent, low-impact software agent monitors the different aspects of a system, filling in the gaps between different endpoints.

Network-based: Works well with minimal performance overhead while reducing agent management.
Agent-based:   There is an external dependency, which can reduce the effectiveness of the scanner.

Network-based: Requires every device to be connected to the network to function well.
Agent-based:   Specific software is needed to access each aspect separately.

Why do companies need to use both Network-based and Agent-based vulnerability scanners?

It takes two to tango; this holds true in the case of network-based vulnerability and agent-based scanners also. By using a combined scanning strategy, an organization can ensure all assets on a network are appropriately scanned for vulnerabilities.

Even though network-based vulnerability scanners are the better choice for specific assets, they are not the preferred standalone choice. Network scanners have a light footprint, cause fewer negative impacts and reduce false positives.

On the contrary, there are systems and devices that are not connected to the network frequently. For such cases, agent-based scanning can become your true friend by providing a real-time picture of at-risk systems.

Such systems have become almost a necessity with the increase in remote working caused by the pandemic. As a byproduct of remote working, the attack surface available to hackers has grown and expanded beyond traditional network perimeters. While installing and managing agents is not ideal, it can be beneficial for facilitating better coverage.

The two scanning options aren't mutually exclusive: while the former addresses concerns from the outside, the latter works internally on each individual system. With the appropriate mix of network- and agent-based scanners, organizations can cover every type of imminent threat and provide a comprehensive report to the centralized review team for remediation.

With this said, while the network-based approach is extremely cost-effective and fruitful, the agent-based approach to tracking individual vulnerabilities can sometimes be a boon in its own way. All organizations need is the optimum mix to address the concerns of breaches and data hacks.
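As an added illustration of the combined strategy (example code written for this article, not Appknox's tooling), the snippet below merges the two kinds of results into a single coverage view. It assumes a constructed asset inventory that maps each asset to the identifier each tool knows it by (an IP address for the network scanner, an agent ID for the agent), constructed results from both tools with made-up vulnerability IDs, and a freshness window: an asset counts as covered by a tool only if that tool has seen it recently. The output is the partition the review team actually needs, namely which assets both tools saw, which only one saw, and which neither reached.

```python
"""Combining network-based and agent-based results into one coverage view.
Added example (not Appknox code): the asset inventory, scan results and agent
reports are constructed; a real deployment would export them from the two tools."""

# Constructed asset inventory linking each asset to the identifiers the two
# scanners know it by.
ASSETS = [
    {"asset": "web-01",     "ip": "10.0.0.10", "agent_id": None},        # server, no agent
    {"asset": "laptop-01",  "ip": "10.0.0.50", "agent_id": "agent-a1"},  # on the LAN, has agent
    {"asset": "laptop-02",  "ip": None,        "agent_id": "agent-b2"},  # remote, never on the LAN
    {"asset": "printer-01", "ip": "10.0.0.90", "agent_id": None},        # not reached by the scan
]

# Constructed results, keyed the way each tool reports them (timestamps in seconds).
NETWORK_RESULTS = {
    "10.0.0.10": {"scanned_at": 1000, "vulns": ["EXAMPLE-0003"]},
    "10.0.0.50": {"scanned_at": 1000, "vulns": ["EXAMPLE-0001"]},
}
AGENT_RESULTS = {
    "agent-a1": {"collected_at": 900, "vulns": ["EXAMPLE-0001", "EXAMPLE-0002"]},
    "agent-b2": {"collected_at": 950, "vulns": ["EXAMPLE-0004"]},
}

def _fresh(result, time_key, now, max_age):
    """Return the result only if it is recent enough to count as coverage."""
    if result is None or now - result[time_key] > max_age:
        return None
    return result

def coverage(assets, network, agents, now, max_age):
    """Partition assets by which scanner has seen them recently and merge findings.

    Returns (groups, findings): groups maps 'both', 'network_only', 'agent_only'
    and 'uncovered' to asset names; findings maps each asset to the de-duplicated
    union of vulnerability IDs from whichever sources covered it."""
    groups = {"both": [], "network_only": [], "agent_only": [], "uncovered": []}
    findings = {}
    for a in assets:
        net = _fresh(network.get(a["ip"]) if a["ip"] else None, "scanned_at", now, max_age)
        ag = _fresh(agents.get(a["agent_id"]) if a["agent_id"] else None, "collected_at", now, max_age)
        if net and ag:
            key = "both"
        elif net:
            key = "network_only"
        elif ag:
            key = "agent_only"
        else:
            key = "uncovered"
        groups[key].append(a["asset"])
        merged = set(net["vulns"] if net else []) | set(ag["vulns"] if ag else [])
        findings[a["asset"]] = sorted(merged)
    return groups, findings

if __name__ == "__main__":
    groups, findings = coverage(ASSETS, NETWORK_RESULTS, AGENT_RESULTS, now=1000, max_age=3600)
    for key, names in groups.items():
        print(f"{key}: {names}")
    for asset, vulns in findings.items():
        print(f"{asset}: {vulns or 'no findings'}")
```

The "uncovered" group is the one to watch: an asset that neither tool has seen within the freshness window has no findings not because it is clean but because nobody looked, and as the window shrinks that group grows.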


Published on Jun 23, 2021
Written by Nishaanth Guna
Lead Security Researcher, Appknox.