Vulnerability Management Tool Checklist

How to Select the Right Vulnerability Management Tool: 11 Point Checklist


With numerous vulnerability scanning tools available it’s important to make sure your chosen tool provides all the functionality you need and addresses your vulnerability management objectives. In this blog article we provide 11 checks that will help ensure you make the right choice.

There are various tools available in the marketplace that will do vulnerability scanning for you. Unless you plan on hiring a junior resource to manually scan your environment (obviously not recommended as it is a boring task, prone to error and may even increase your risk), you’ll need some sort of tool. This will typically consist of a console and some scanning engines.

Whether you are using a commercial tool and deploying scan engines or doing manual checks, placement is important. Often when tools return inaccurate findings, it is because of a placement issue. Perhaps a firewall is blocking traffic, or worse, it is providing you with some results, just not the full picture, which lulls organisations into a false sense of security. Make sure the tool can reach the relevant network segments and devices you are trying to scan. If you get the same results for a number of devices, chances are that there is a firewall interfering with the results.

Make sure your chosen tool provides all the functionality you need, such as configuration management and reporting. Keep in mind what your objectives are. If reporting is important, make sure the tool addresses this easily. If you have to drag results to a central location and then run manual reports, then that may not be the right tool for the job. Seek advice from an organisation that specialises in vulnerability management, such as Shearwater, if you are unsure.

Vulnerability management tool checklist:

  Active or passive scanning

Does the tool actively scan and collect the results or is it monitoring network traffic and making decisions based on the traffic?

  Integration

Does the tool integrate with Active Directory, Azure, AWS, DHCP, etc? These features may help scan devices that are new, or do not have a long lifespan.

  Reporting

How much effort is it to get the reports (centralised reporting, flexible reporting, report delivery) you need?

  Vulnerability search

How flexible is the tool in finding, identifying and categorising vulnerabilities?

  Software installed on hosts

Does the tool provide you with information on applications installed?

  Compliance checks

Can you use the tools to complete compliance checks and to validate your configurations?

  Asset management

Can you manage or tag assets?

  Ticket management

Do you want to manage tickets in the system or integrate with another tool?

  Automation

Can you automatically start a scan when a new device is discovered?

  Notifications

Will the tool tell you when there is a critical issue?

  Scheduling

Will the tool allow a flexible schedule?

How often should vulnerability scans take place?

Vulnerability scanning should happen as often as practical, or at least every three months. Regular rescans are also important for confirming that identified issues have been remediated, and that they remain remediated. Scans should cover everything including switches, routers, desktops, servers and printers. They should be staggered to avoid affecting virtual infrastructure (i.e. don’t start a scan simultaneously on 100 servers that are all hosted on the same physical host).

What to scan When to scan  Why?
Infrastructure Outside of core hours Scan critical infrastructure out of core hours to minimise the potential impact to users and customers.
Desktops (after testing) During business hours During business hours when they will be in the office.
Dev/test/UAT Anytime Due to the low potential for adverse impacts.

Vulnerability Management Grader(BETA)

Assess your organisation’s Vulnerability Management Maturity with our free self assessment tool. Understand gaps and get recommendations tailored to your maturity level.


This helpful advice is Best Practice #3 in our Vulnerability Management 101: 5 Best Practices for Success where you will find advice on your next steps of improving the categorisation and prioritisation of your scan data and selecting and configuring your vulnerability management tools.