Vulnerability Scanning for Small Business: A Practical Guide
Vulnerability scanning used to be something only large enterprises did. Expensive tools. Specialised staff. Complex reports.
That’s changed. Affordable, SMB-friendly options exist now. Here’s how to actually use them.
What Vulnerability Scanning Does
At its core: vulnerability scanning checks your systems for known weaknesses that attackers could exploit.
External scanning: Looking at your systems from the outside - what can an attacker on the internet see? Misconfigured firewalls. Exposed services. Missing patches on internet-facing systems.
Internal scanning: Looking at your network from the inside - what weaknesses exist in your internal systems? Missing patches. Misconfigurations. Weak credentials.
Application scanning: Looking at web applications for vulnerabilities - SQL injection, cross-site scripting, authentication flaws.
Most SMBs need external and internal scanning. Application scanning matters if you have custom web applications.
Why SMBs Should Care
Three reasons:
Insurance requirements: Many cyber insurers now require vulnerability scanning. Some want quarterly scans. Some want evidence of remediation. This isn’t going away - if anything, requirements are tightening.
Essential Eight alignment: Two of the eight controls are about patching. Vulnerability scanning tells you what patches are missing. You can’t achieve compliance if you don’t know what’s vulnerable.
Practical risk reduction: Attackers use the same tools. They scan for vulnerabilities constantly. If you’re not scanning yourself, you won’t know what they’re finding.
Tool Options for SMBs
Free and open source:
OpenVAS: Free, open-source vulnerability scanner. Powerful, but requires technical expertise to run.
- Cost: Free
- Best for: Technically capable teams wanting to save money
- Challenge: Setup and maintenance require skill
Nmap: Network scanner that finds open ports and services. Not a full vulnerability scanner, but useful for discovery.
- Cost: Free
- Best for: Quick checks and discovery
Affordable commercial:
Qualys FreeScan: Limited free external scanning from a major vendor.
- Cost: Free (limited)
- Best for: Testing whether scanning is right for you
Tenable Nessus Essentials: Free for up to 16 IPs. The same engine as enterprise Nessus.
- Cost: Free (limited) or ~$3,500/year for professional
- Best for: SMBs wanting proper scanning without massive cost
Intruder: Cloud-based scanning designed for businesses without security teams.
- Cost: From ~$150/month
- Best for: SMBs wanting managed, simplified scanning
Detectify: Application security scanning with a focus on web assets.
- Cost: From ~$85/month
- Best for: Businesses with customer-facing web applications
MSP-delivered:
Many managed service providers include vulnerability scanning in their packages. This is often the most practical approach for SMBs - you get scanning, interpretation, and remediation support in one relationship.
Getting Started: External Scanning
Start with external scanning. It’s lower risk and immediately valuable.
Step 1: Identify your external assets
- Your domain(s) and subdomains
- Your external IP addresses
- Any cloud services you host
Step 2: Choose a tool
For a first scan, Qualys FreeScan or a trial of Intruder works well.
Step 3: Run the scan
Most tools make this straightforward: enter your domains/IPs and hit scan.
Step 4: Interpret results
Scans produce reports with severity ratings:
- Critical/High: Fix immediately
- Medium: Fix within weeks
- Low/Informational: Fix when convenient, or accept the risk
Step 5: Remediate
Address findings in priority order. Most fixes are:
- Apply missing patches
- Close unnecessary ports
- Update configurations
- Disable vulnerable services
Internal Scanning: More Valuable, More Effort
Internal scanning finds more vulnerabilities because there are more systems and they’re usually less hardened than external-facing assets.
The challenge: You need to deploy a scanner inside your network. This requires:
- A system to run the scanner
- Network access to scan targets
- Credentials (for authenticated scanning, which finds more issues)
Authenticated vs unauthenticated: Unauthenticated scanning finds what anyone on the network can see. Authenticated scanning uses admin credentials to check inside systems - far more thorough but requires managing those credentials securely.
For SMBs: If you have an IT provider, ask them about internal scanning. Many RMM tools (NinjaRMM, Datto, ConnectWise) include vulnerability scanning capabilities.
If you’re managing IT yourself, Nessus Essentials is the most accessible option for internal scanning.
Interpreting Results
Vulnerability scans produce a lot of output. Here’s how to make sense of it.
CVSS scores: Common Vulnerability Scoring System, a 0-10 scale.
- 9.0-10.0: Critical - exploitable, severe impact
- 7.0-8.9: High - should be addressed quickly
- 4.0-6.9: Medium - address in normal patching cycles
- 0.1-3.9: Low - lower priority
- 0.0: Informational
Context matters: A critical vulnerability on an internet-facing system is more urgent than the same vulnerability on an internal workstation with no sensitive access.
False positives: Scans aren’t perfect. Some findings are incorrect. Verify critical findings before panicking.
The 80/20 rule: Most risk is concentrated in a small number of findings. Focus on critical and high severity first. Don’t get overwhelmed by the volume of medium and low findings.
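The triage rules above (the severity bands from Step 4, the CVSS ranges, "context matters" and the 80/20 rule) are easy to apply by hand to ten findings and painful at five hundred. The following script is an added example, not code from the article or from any scanner vendor: it loads a constructed CSV in the shape most scanners export, assigns each finding the article's band and action, orders internet-facing hosts ahead of internal ones within the same band, and reports how much of the total CVSS mass sits in the Critical/High findings. The `exposure` column is an assumption; you would populate it from your Step 1 asset inventory.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export, shaped like the host/score/title CSV most scanners
# let you download. Hosts, scores and titles are made up for this example; the
# "exposure" column is assumed to come from your own asset inventory.
SAMPLE_EXPORT = """\
host,exposure,cvss,title
mail.example.test,external,9.8,Mail server missing vendor security patch
www.example.test,external,7.5,TLS 1.0 and 1.1 enabled
www.example.test,external,5.3,Web server version disclosed in headers
fileserver01,internal,9.8,File server missing OS security patch
fileserver01,internal,6.5,Outdated backup agent
workstation-17,internal,7.8,Unpatched driver allows local privilege escalation
workstation-17,internal,0.0,ICMP timestamp response
printer-03,internal,3.1,Default SNMP community string
"""

# Severity bands exactly as the article gives them (CVSS 0-10 scale).
def cvss_band(score: float) -> str:
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"

# Remediation timeframe per band, taken from the article's Step 4.
ACTION = {
    "Critical": "Fix immediately",
    "High": "Fix immediately",
    "Medium": "Fix within weeks",
    "Low": "Fix when convenient, or accept the risk",
    "Informational": "Fix when convenient, or accept the risk",
}

BAND_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
EXPOSURE_ORDER = {"external": 0, "internal": 1}  # internet-facing hosts first


@dataclass
class Finding:
    host: str
    exposure: str
    cvss: float
    title: str

    @property
    def band(self) -> str:
        return cvss_band(self.cvss)

    @property
    def action(self) -> str:
        return ACTION[self.band]


def load_findings(csv_text: str) -> list:
    """Parse a scanner CSV export into Finding objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["host"], r["exposure"].lower(), float(r["cvss"]), r["title"])
            for r in reader]


def triage(findings):
    """Order by band, then internet-facing before internal, then raw score.
    This keeps an internal Critical above an external Medium while still
    putting the internet-facing copy of the same band first."""
    return sorted(findings, key=lambda f: (BAND_ORDER.index(f.band),
                                           EXPOSURE_ORDER.get(f.exposure, 2),
                                           -f.cvss))


def summary(findings):
    """Count of findings per band, for the management one-liner."""
    counts = {b: 0 for b in BAND_ORDER}
    for f in findings:
        counts[f.band] += 1
    return counts


def share_of_risk(findings, bands=("Critical", "High")):
    """Fraction of total CVSS mass carried by the named bands (the 80/20 check)."""
    total = sum(f.cvss for f in findings)
    if total == 0:
        return 0.0
    return sum(f.cvss for f in findings if f.band in bands) / total


def verify_first(findings):
    """Critical findings to confirm by hand before acting, per the false-positive advice."""
    return [f for f in findings if f.band == "Critical"]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    for f in triage(findings):
        print(f"{f.band:<13} {f.exposure:<8} {f.cvss:>4} {f.host:<18} {f.title} -> {f.action}")
    print("counts:", summary(findings))
    print(f"Critical+High carry {share_of_risk(findings):.0%} of total CVSS")
    print("verify before acting:", [f.host for f in verify_first(findings)])
```

Run it as-is to see the ordered list; swap `SAMPLE_EXPORT` for a real export and fill in `exposure` from your asset list. On the constructed data, half the findings are Critical/High but they carry about 70% of the total score, which is the concentration the 80/20 rule describes.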
Common Findings and What to Do
Missing patches: The most common finding. Solution: apply patches. See my earlier articles on patch management automation.
Unsupported software: Software that no longer receives security updates. Solution: upgrade or replace.
Weak SSL/TLS configuration: Servers accepting old, insecure encryption. Solution: update SSL/TLS configuration to modern standards.
Default credentials: Systems still using factory-set passwords. Solution: change passwords immediately.
Unnecessary services: Services running that don’t need to be. Solution: disable or remove them.
Scan Frequency
External scanning: Monthly at minimum. Weekly is better for businesses with significant internet presence.
Internal scanning: Monthly is standard. Quarterly is the minimum that insurers typically accept.
After changes: Scan after significant changes to your environment - new systems, new applications, major updates.
Continuous monitoring: Some tools offer continuous scanning rather than point-in-time. More expensive but provides faster detection.
The Automation Opportunity
Manual vulnerability scanning gets tedious fast. Automation helps:
Scheduled scans: Most tools let you schedule recurring scans. Set it and (mostly) forget it.
Automated reporting: Get summaries emailed to you without logging into consoles.
Integration with ticketing: Create tickets automatically for new vulnerabilities.
Remediation tracking: Track which vulnerabilities have been fixed over time.
If you’re working with AI consultants in Brisbane or similar firms, they can help automate scanning workflows and integrate results with your broader security operations.
Compliance Considerations
PCI DSS: If you handle payment cards, quarterly vulnerability scanning by an Approved Scanning Vendor (ASV) is mandatory.
Cyber insurance: Most policies now require evidence of vulnerability scanning. Keep scan reports for claims purposes.
Essential Eight: Scanning supports patching controls by identifying what’s missing.
Client contracts: Larger clients increasingly ask about your security practices, including scanning.
Working with Your IT Provider
If you have managed IT services, vulnerability scanning should be part of the conversation.
Questions to ask:
- Do you scan our external assets? How often?
- Do you scan internal systems? With credentials?
- How are findings prioritised and remediated?
- Can we see scan reports?
- What SLAs apply to critical findings?
If your provider isn’t scanning, ask why not. It’s standard practice for competent MSPs.
Building a Scanning Program
For SMBs wanting to do this properly:
Month 1:
- Inventory external assets
- Run first external scan
- Remediate critical findings
Month 2:
- Set up scheduled external scanning
- Plan internal scanning approach
- Document your process
Month 3:
- Implement internal scanning
- Establish remediation workflows
- Create reporting for management
Ongoing:
- Monthly scans (minimum)
- Track trends over time
- Review quarterly with stakeholders
Getting Help
Vulnerability scanning is one area where Team400 and similar specialists can add significant value. They can:
- Recommend appropriate tools for your situation
- Set up and configure scanning
- Interpret results and prioritise remediation
- Automate ongoing scanning operations
For businesses without dedicated IT security staff, this kind of help turns scanning from a chore into a useful practice.
Common Mistakes
Scanning without remediation: Finding vulnerabilities and not fixing them is worse than not knowing. You now have documented negligence.
Over-relying on scans: Vulnerability scanning finds known issues in common systems. It doesn’t find zero-days, logic flaws, or attacks in progress.
Ignoring context: A critical finding on a test system is different from a critical finding on your finance server. Prioritise by actual risk.
Scanning production without warning: Aggressive scans can impact performance. Coordinate with system owners and scan during low-usage periods.
One and done: A single scan is a snapshot. Continuous scanning catches new vulnerabilities as they emerge.
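The remediation tracking mentioned under The Automation Opportunity, the "track trends over time" item in the scanning program, and the "one and done" mistake all come down to the same operation: comparing this month's scan with last month's. The script below is an added example, not code from the article or from any scanner: it takes two constructed scan snapshots, splits findings into new, fixed and persisting, flags persisting findings that have outlived an assumed remediation SLA, and reports the net change per severity band. The SLA day counts are assumptions to agree with your IT provider; the hosts, titles and dates are made up.

```python
from datetime import date

# Constructed output of two consecutive monthly scans; hosts, titles and dates
# are made up. "first_seen" is the date the scanner first reported the finding,
# which most tools include in their exports.
PREVIOUS_SCAN = [
    {"host": "mail.example.test", "title": "Mail server missing vendor security patch",
     "severity": "Critical", "first_seen": "2024-03-04"},
    {"host": "www.example.test", "title": "TLS 1.0 and 1.1 enabled",
     "severity": "High", "first_seen": "2024-03-04"},
    {"host": "fileserver01", "title": "SMB signing not required",
     "severity": "High", "first_seen": "2024-02-05"},
    {"host": "printer-03", "title": "Default SNMP community string",
     "severity": "Low", "first_seen": "2024-03-04"},
]
CURRENT_SCAN = [
    {"host": "www.example.test", "title": "TLS 1.0 and 1.1 enabled",
     "severity": "High", "first_seen": "2024-03-04"},
    {"host": "fileserver01", "title": "SMB signing not required",
     "severity": "High", "first_seen": "2024-02-05"},
    {"host": "printer-03", "title": "Default SNMP community string",
     "severity": "Low", "first_seen": "2024-03-04"},
    {"host": "workstation-22", "title": "Unsupported browser version",
     "severity": "Medium", "first_seen": "2024-04-01"},
]

# Assumed remediation SLAs in days (not from the article); agree these with
# your provider and put them in the MSP contract.
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}


def finding_key(f):
    # The same title on the same host is treated as the same finding.
    return (f["host"], f["title"])


def diff_scans(previous, current):
    """Split the current scan into new, fixed (gone since last time) and persisting."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "new": [f for k, f in cur.items() if k not in prev],
        "fixed": [f for k, f in prev.items() if k not in cur],
        "persisting": [f for k, f in cur.items() if k in prev],
    }


def overdue(findings, as_of: str):
    """(host, title, age_in_days) for findings older than their severity's SLA."""
    today = date.fromisoformat(as_of)
    late = []
    for f in findings:
        age = (today - date.fromisoformat(f["first_seen"])).days
        limit = SLA_DAYS.get(f["severity"])
        if limit is not None and age > limit:
            late.append((f["host"], f["title"], age))
    return late


def trend(previous, current):
    """Net change in finding count per severity band; positive means it got worse."""
    delta = {}
    for f in previous:
        delta[f["severity"]] = delta.get(f["severity"], 0) - 1
    for f in current:
        delta[f["severity"]] = delta.get(f["severity"], 0) + 1
    return delta


def monthly_report(previous, current, as_of: str):
    """The numbers a quarterly stakeholder review actually needs."""
    d = diff_scans(previous, current)
    return {
        "new": len(d["new"]),
        "fixed": len(d["fixed"]),
        "persisting": len(d["persisting"]),
        "overdue": overdue(d["persisting"], as_of),
        "trend": trend(previous, current),
    }


if __name__ == "__main__":
    report = monthly_report(PREVIOUS_SCAN, CURRENT_SCAN, "2024-04-01")
    print(f"new {report['new']}, fixed {report['fixed']}, persisting {report['persisting']}")
    for host, title, age in report["overdue"]:
        print(f"OVERDUE {age:>3}d  {host:<18} {title}")
    print("trend by severity:", report["trend"])
```

Feed it the exports from any two scans and the `overdue` list becomes the agenda for the next conversation with your provider: on the constructed data the Critical mail-server patch was fixed, a Medium finding appeared on a new workstation, and two High findings have been sitting past the 14-day SLA.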
The ROI Case
Is vulnerability scanning worth the investment?
The median cost of remediating a data breach in Australia is significant. Even for SMBs, recovery costs, notification requirements, legal exposure, and reputation damage add up.
Vulnerability scanning that catches and fixes a single exploitable weakness before it’s used? That’s an excellent return on a few hundred dollars a month.
More practically: you probably need scanning for insurance and contracts anyway. Treat it as cost of doing business, and use the information to actually improve security.
Final Thought
Vulnerability scanning isn’t about generating impressive reports. It’s about finding and fixing weaknesses before attackers do.
Start simple. Scan your external assets. Fix what you find. Expand to internal scanning when ready. Build a sustainable practice.
The businesses that scan regularly and remediate consistently are the ones that avoid the breaches their competitors suffer.
That’s worth the effort.