Tooling

Vulnerability Scanners — Nuclei, Nikto, OpenVAS

Template- and signature-driven vulnerability scanners — answer "is this CVE present here?"

Once you know what's listening (see Network Scanning (Nmap)) you ask the next question: is anything here exploitable? Vulnerability scanners answer that with templates and signatures. For SAST / SCA on your own code see Security Scanning. For deep web-app testing see Web App Testing — Burp / ZAP / Caido.

Modern template-based

  • ★ ★ Nuclei (ProjectDiscovery) — YAML-templated vuln scanner; 9,000+ community templates covering CVEs, misconfigs, panels, default creds, exposed APIs. Fast, parallel, scriptable. The current default for "is this CVE present in our deployment / target?" Free.
    • nuclei-templates repo — community-maintained; updated daily.
    • Pair with httpx (probe), subfinder (discovery), katana (crawl) for an end-to-end recon → scan pipeline.
    • Nuclei v3 — code protocol templates (JS), DSL helpers, fuzzing engine.

Classic / heavyweight scanners

  • OpenVAS / Greenbone Community Edition — full enterprise-grade vuln scanner; 100k+ NVTs (Network Vulnerability Tests); free OSS variant of Greenbone Vulnerability Manager. Heavy to run but a real Nessus alternative.
  • Nessus (Tenable) — paid; the commercial reference; free Essentials covers 16 IPs.
  • Qualys VMDR — paid; cloud SaaS; enterprise-only pricing.
  • Rapid7 InsightVM / Nexpose — paid; agent + scan hybrid.
  • Tenable.io / Tenable Security Center — Nessus-as-a-service.

Web-app focused

  • Nikto — old-school web server scanner; checks 7000+ items (default files, server misconfigs, version-specific issues). Noisy but free and complementary.
  • Wapiti — Python web scanner with active fuzzing.
  • Skipfish (Google) — fast active web recon scanner; legacy but still useful.
  • Vega — Java GUI web scanner; legacy.
  • OWASP ZAP active scanner — see Web App Testing.
  • Burp Pro Scanner — paid; the gold standard active web scanner.

Service-specific

  • smbmap / smbclient + Nmap NSE — SMB versions and known CVEs (EternalBlue check).
  • CVE-2021-44228 / Log4Shelllog4j-scan, Nuclei templates.
  • CVE-2023-23397 / Outlook NTLM — Nuclei + custom templates.
  • WPScan — WordPress-specific (plugins, themes, users); free CLI, paid API for vuln data.
  • JoomScan, droopescan (Drupal / SilverStripe / Moodle) — CMS-specific.
  • WhatWeb / Wappalyzer — fingerprinting feeds vuln scanning decisions.

Cloud / infra

SSL / TLS specific

  • testssl.sh — bash; thorough TLS audit; free. See Crypto / TLS Testing.
  • sslyze — Python; faster machine-readable TLS scanner.
  • Qualys SSL Labs — free hosted scan (web only).

Authenticated / agent-based

  • Wazuh — open-source SIEM does CVE scanning via the agent; correlates against the NVD. See SIEM (Wazuh / Graylog).
  • Lynis — single-host audit; see Server Hardening.
  • vuls — agentless Linux CVE scanner.

Pipelines that work

  • Bug-bounty pipeline: subfinder → dnsx → naabu → httpx → nuclei → manual triage.
  • Internal periodic: Nessus / OpenVAS authenticated weekly + Nuclei daily on perimeter.
  • CI on each PR: Trivy + Semgrep + Nuclei templates against staging URL.

Pick this if…

  • Default modern recon → CVE scan, free: Nuclei (with full template repo).
  • Need a "real" enterprise scanner, free: OpenVAS / Greenbone.
  • Compliance / Fortune-500 expectation: Nessus or Qualys (paid).
  • Web-app deep coverage: Burp Pro or ZAP active scan.
  • WordPress fleet: WPScan with API key.
  • TLS posture: testssl.sh.

On this page