Number of checks included with each license + plan
Number of checks
(Standard with Essential plan)
(Standard with Pro, Premium, Vanguard plan)
>141,000 external checks
>14,000 internal checks
(Standard with Premium and Vanguard plan)
>4,000 external checks
Tenable + ZAP
(Available for purchase on any plan)
~140,000 + 77 ZAP checks
Types of checks:
Essential, Pro, Premium Vanguard:
Unintentionally exposed systems
Checks for software and services which are not recommended to be exposed to the internet
Checks for information leakage which could be used by hackers to mount further attacks
Checks for weaknesses in SSL/TLS implementations
Misconfigurations & common mistakes
Checks for misconfigurations, security best-practices, and common mistakes such as exposing code repositories
Remote vulnerable Software and missing patches
Checks (from an external perspective) for software with publicly known vulnerabilities
Pro, Premium, Vanguard
These plans also include internal scanning (via an agent) for Linux, Windows and MacOS devices. Which offers more comprehensive checks as it is has more privileged access to the machine. Some of the things we check you for include:
Local misconfigurations & common mistakes
No matter how secure the software package is, it can still be configured in an insecure manner - for example leaving default passwords setup; inadvertently leaving admin pages exposed; and not enabling encryption.
Vulnerable software packages & missing patches
Checks your internal targets for vulnerable versions of software packages, frameworks and components, including OS patches, software updates and missing server packages.
Premium and Vanguard
The checks included in these two plans are enhanced further – courtesy of a second scanner. Nuclei covers some of the same vulnerabilities outlined above, but also checks for:
These are weaknesses that can't be exploited in standard HTTP request/response communication; instead, they leverage non-standard forms of communication such as blind XSS or email header injection to retrieve / obtain information of a sensitive nature.
Application licenses cover:
OS command injection
Cross-site scripting (XSS); persistent/stored, reflected and DOM-based XSS
SQL injection; against multiple types of databases
NoSQL injection; specifically against MongoDB
Server-side code injection
Java serialisation weaknesses
Buffer and integer overflows
[For a more detailed explanation of the features included in each plan head to this article: Which service is right for me?]
Where can I see the full list of checks you run?
If you have access to the portal, you can see exactly what we test your for. Just head to the dashboard and click Checks available (middle at the top).
Here you can see all the checks your targets will be evaluated against; with the option to filter by CVSS Rating, Check Type (internal, external, application), or search by CVE or Check Name. You can also see the scan priority setting applicable for each check as an icon next to the check name:
Clicking on any check will take you through to the Check's Detail page, where you can see what targets were scanned for this vulnerability, when and whether they passed or not.
Do all checks get executed all the time?
All checks are enabled, but this does not mean that all checks will be executed against every service that your systems has listening on the internet. Instead, vulnerability scanners will 'fingerprint' the service running on that port and execute checks for that service only (there’s little value in executing a check for a different type of service other than the one that’s listening on your system).
Can I export a list of all the checks?
Yes, absolutely! Just head to the Checks page and hit 'Export to CSV':