Vulnerability Scanners — Nuclei, Nikto, OpenVAS
Template- and signature-driven vulnerability scanners — answer "is this CVE present here?"
Once you know what's listening (see Network Scanning (Nmap)) you ask the next question: is anything here exploitable? Vulnerability scanners answer that with templates and signatures. For SAST / SCA on your own code see Security Scanning. For deep web-app testing see Web App Testing — Burp / ZAP / Caido.
Modern template-based
- ★ ★ Nuclei (ProjectDiscovery) — YAML-templated vuln scanner; 9,000+ community templates covering CVEs, misconfigs, panels, default creds, exposed APIs. Fast, parallel, scriptable. The current default for "is this CVE present in our deployment / target?" Free.
- nuclei-templates repo — community-maintained; updated daily.
- Pair with httpx (probe), subfinder (discovery), katana (crawl) for an end-to-end recon → scan pipeline.
- Nuclei v3 — code protocol templates (JS), DSL helpers, fuzzing engine.
Classic / heavyweight scanners
- ★ OpenVAS / Greenbone Community Edition — full enterprise-grade vuln scanner; 100k+ NVTs (Network Vulnerability Tests); free OSS variant of Greenbone Vulnerability Manager. Heavy to run but a real Nessus alternative.
- Nessus (Tenable) — paid; the commercial reference; free Essentials covers 16 IPs.
- Qualys VMDR — paid; cloud SaaS; enterprise-only pricing.
- Rapid7 InsightVM / Nexpose — paid; agent + scan hybrid.
- Tenable.io / Tenable Security Center — Nessus-as-a-service.
Web-app focused
- ★ Nikto — old-school web server scanner; checks 7000+ items (default files, server misconfigs, version-specific issues). Noisy but free and complementary.
- Wapiti — Python web scanner with active fuzzing.
- Skipfish (Google) — fast active web recon scanner; legacy but still useful.
- Vega — Java GUI web scanner; legacy.
- OWASP ZAP active scanner — see Web App Testing.
- Burp Pro Scanner — paid; the gold standard active web scanner.
Service-specific
- smbmap / smbclient + Nmap NSE — SMB versions and known CVEs (EternalBlue check).
- CVE-2021-44228 / Log4Shell —
log4j-scan, Nuclei templates. - CVE-2023-23397 / Outlook NTLM — Nuclei + custom templates.
- WPScan — WordPress-specific (plugins, themes, users); free CLI, paid API for vuln data.
- JoomScan, droopescan (Drupal / SilverStripe / Moodle) — CMS-specific.
- WhatWeb / Wappalyzer — fingerprinting feeds vuln scanning decisions.
Cloud / infra
- Prowler — AWS / Azure / GCP / k8s CIS benchmark + custom checks; OSS. See Cloud Pentesting.
- ScoutSuite — multi-cloud audit.
- Trivy / Grype — image and IaC scanning; see Security Scanning.
- kube-hunter / kube-bench — see Container & K8s Pentesting.
SSL / TLS specific
- ★ testssl.sh — bash; thorough TLS audit; free. See Crypto / TLS Testing.
- sslyze — Python; faster machine-readable TLS scanner.
- Qualys SSL Labs — free hosted scan (web only).
Authenticated / agent-based
- ★ Wazuh — open-source SIEM does CVE scanning via the agent; correlates against the NVD. See SIEM (Wazuh / Graylog).
- Lynis — single-host audit; see Server Hardening.
- vuls — agentless Linux CVE scanner.
Pipelines that work
- Bug-bounty pipeline: subfinder → dnsx → naabu → httpx → nuclei → manual triage.
- Internal periodic: Nessus / OpenVAS authenticated weekly + Nuclei daily on perimeter.
- CI on each PR: Trivy + Semgrep + Nuclei templates against staging URL.
Pick this if…
- Default modern recon → CVE scan, free: Nuclei (with full template repo).
- Need a "real" enterprise scanner, free: OpenVAS / Greenbone.
- Compliance / Fortune-500 expectation: Nessus or Qualys (paid).
- Web-app deep coverage: Burp Pro or ZAP active scan.
- WordPress fleet: WPScan with API key.
- TLS posture: testssl.sh.