Use Cases

Internal Vulnerability Scanner

Use a specialized scanner to prove what a bad actor with internal access can do – and how to stop them

Internal vulnerability scans are vital to your penetration testing engagements. They pierce deeper inside a network than an external vulnerability scan to identify any security risks. This allows you to remediate vulnerabilities within your internal environment before malicious hackers and data thieves can gain access to, modify, or destroy confidential information.

Internal vulnerability scans operate inside the business’s perimeter to identify and prioritize security issues based on their credibility. They examine your security profile from the perspective of an unauthorized insider – someone with access to systems behind the security perimeter. supplies your security team with an arsenal of powerful pentesting tools for your entire workflow. It's easy to integrate our tools into your systems because we've built them with internal vulnerability scanning capabilities from the start.

  • Internal scanning as a priority, not an afterthought

    Start scanning for internal vulnerabilities quickly with our pre-configured Network Vulnerability Scanner.

  • A wide range of highly relevant tools for internal vulnerability scanning

    Focus on those reconnaissance, network scanning, and offensive tools to meet all your internal security scanning needs.

  • Custom specialized features for internal scanning tasks

    Run all our vulnerability scanning tools through our specially designed VPN Agent to uncover any internal network's vulnerabilities.

At a glance

How we outmaneuver other internal vulnerability scanners

Here are a few ways that gives you an edge when it comes to your internal vulnerability scanning requirements.


Other internal scanners



  • You may need to be on site to have access to the business network parameter that you are testing.

  • You can run internal vulnerability scans from anywhere and test internal targets located any place in the world from your dashboard.


  • You may need to spend extra time on configurations and scripts for your internal vulnerability scan, or even on traveling to a specific location for the setup.

  • You can save tremendous time and energy with the VPN Agent and Pentest Robots. Just start scanning through VPN to conduct fast and thorough audits!


  • Scanning the full sweep of network devices, apps, IT security measures, and IT security equipment can prove very time-consuming without a vulnerability assessment toolset designed for performance. Some scanners specialize in one or two of these at the expense of range.

  • internal scanning offers all the types of scans available for external scanning, such as scheduled scans, parallel scans, and bulk scanning. It also includes:

  • Credentialed or authenticated scans – scans in which you scan the target as a logged in user

  • Real-time notifications with custom triggers

  • a choice of Light or Deep scans.


  • Some vulnerability scanners fail to present their findings in an integrated or obvious way, leaving you to wade through and collate the findings into logical groupings manually.

  • You automatically get a big picture evaluation of the target's attack surface and the security posture of the IT infrastructure in your dashboard. There, information is displayed and sorted in a manner that's relevant to pentesting workflows.


  • Many of the scanning tasks require manual input, or lack automated functions following scanning, such as reporting.

  • provides many ways to help you automate your workflows, such as scan templates, scan groups, and scan scheduling.

  • Pentest Robots minimize repetitive work by allowing you to combine multiple pentest tools in an automated testing sequence. Plus, scan findings get automatically mapped onto your target's attack surface.

  • Finally, our advanced reporting tool instantly generates graphical overviews and customizable reports.


  • Other online vulnerability scanners can lack a secure way to connect their service with the internal system that they scan.

  • The VPN Agent ensures the connection between scanning services and your target’s internal network is both encrypted and secure.

Boost your vulnerability management workflow with our internal scanner’s integrated internal vulnerability scanner means you can optimize your workflow with connected capabilities and ready-to-use automation features.

The greatest benefit of using the Network Vulnerability Scanner is that it provides you with a full picture of your attack surface. This includes every public, private, hidden, or even forgotten point from which unauthorized users could try to gain entry, make changes, or extract data.

The internal vulnerability scanner enables you to conduct a full network vulnerability assessment. The combination of tools on the platform is sufficiently wide in range and flexible in application to cover every stage of this type of pentest engagement.

As well as providing a big picture assessment of your infrastructure's security posture, a network vulnerability scan detects many kinds of security issues in your internal networks and locally running software that bad actors could chain and exploit. Individually or collectively, these vulnerabilities can add up to a situation that can cause critical business risks:

  • Missing security patches for operating systems and other apps
  • Outdated network services and other software
  • Open ports
  • Weak credentials
  • Misconfigurations

An internal vulnerability scan using will expose, map, and report them, then issue you with guidance for mitigating them all!

Internal security testing to achieve and maintain compliance

Another major headache that internal vulnerability scans solve is fixing vulnerabilities that help organizations achieve and maintain compliance with regulatory requirements and security standards specific to their industry, such as GDPR, HIPAA, PCI DSS, and others. A typical example is when weak credentials detected by our scans cause privilege escalation and potential unintended access to sensitive information. helps you stay mindful of the business need for security controls that help detect sensitive data exposure and eradicate this damaging, non-compliance consequence and many others.

For example, the PCI DSS requires mandatory, regular testing for systems' and networks' security. In practice, this involves that:

  • Wireless access points are identified and monitored, and unauthorized wireless access points are addressed

  • Internal vulnerabilities are regularly identified, prioritized, and addressed

  • Internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected

  • Network intrusions and unexpected file changes are detected and responded to

How we protect sensitive data that internal scans reveal

Privacy concerns over the sensitive client data found in internal pentests is wider and more immediate than PCI DSS. That is why is located in the European Union.

  • We work under GDPR regulations.

  • We use our own tools on a daily basis and also through the pentesting our Services team delivers to clients.

  • As penetration testers ourselves, we never underestimate adversaries and dedicate a large share of our resources to maintaining and improving internal security throughout our platform and business.

Top vulnerabilities discovered through internal scans

Internal vulnerability scans provide useful insights to improve hardening measures and patch management processes. They help you detect security vulnerabilities before malicious hackers can exploit them and they also help you keep track of patch management processes in networks. When new vulnerabilities emerge, you get real-time alerts and recommendations for further hardening measures.

Among the many issues discovered in your network's attack surface during scans, missing security patches are included. Internal vulnerability scans help you verify that patches have been properly implemented. Unpatched software creates security gaps that a malicious outsider could use to gain access to an internal network.

Two of the most common vulnerabilities detected during an internal scan are:

  1. Missing third-party patches
  2. Unpatched, known high-risk vulnerabilities

A malicious hacker can reach an internal system by tricking an employee to click a link that leads to a web page that exploits known unpatched software on an employee’s device. Outdated software or the lack of hardening of internal systems can abet an attacker to move around internal systems once they gain initial access.

Internal vulnerability scans have the benefit of identifying at-risk systems while providing insight for patch management processes. Use our Network Vulnerability Scanner through VPN to answer questions such as:

  • What is the top missing patch?
  • Is there a lack of third party patches?
  • What are your timelines for patching well-known vulnerabilities with high-risk rankings?

Having a well patched and hardened internal environment helps organizations avoid these types of cyber attacks and can prove important for compliance with many security standards.

Our most used feature

We use the network scanners for perimeter testing, to see if there are any changes in our clients' internal network from month to month, such as with their ports. We scan using the VPN Agent.

We then take the results in the general security dashboard and show them to our clients because it is so easy for them to understand. Internal network scanning has become our most used feature. This feature was how we found in the first place and why we went with it.

Wojciech D

Keith Gatt

Defense contractor

Start using the platform today

Unlock the full power and features of our platfom!
Compare pricing plans and discover more tools and features.

How does your VPN Agent feature guarantee security?

The internal network scanning feature hinges around the effectiveness of our VPN Agent. It is this VPN Agent that allows you to run internal pentests from anywhere, as if you were on-site, without investing time in scripts and configurations (and their maintenance). The VPN Agent comes with flexible deployment options, such as Virtual Machine, Docker Container, and AWS Cloud. And it can easily adapt to a variety of environments and types of internal networks.

So, how does it work to achieve this? How can our VPN agent give you secure access to the full range of tools for internal vulnerability scanning?

The VPN Agent ensures a secure connection between our scanning servers and your target internal network by creating an encrypted tunnel between the scanning engines and your network. Our scanners are then able to reach the hosts from internal networks or protected network segments through this VPN tunnel. Every packet leaving or reaching the network you need to audit is fully encrypted, so no one else can access the network through this channel.

To put our VPN Agent to work, simply create a VPN profile, select a deployment method, run the agent, and test the connection to ensure that automatically connects to your target’s infrastructure. That's it! You are now ready to scan your list of internal network targets as you would with an external target.

VPN Agent platform image
VPN Agent platform image
VPN Agent platform image

Why security and IT pros are switching to for internal vulnerability scanning

The internal network scanning feature and the value of our tools for compliance purposes are just two of the compelling reasons why professional pentesters and security experts are investing in

We typically use to validate the web applications we build internally or for our customers. Not only do we use the tools to validate the security infrastructure, but also to show the customer the quality of the work done. Recently, these test reports are helpful to validate the data security also for GDPR compliance.


Infrastructure testing for open ports

Internal Vulnerability Scans usually begin with reconnaissance to gauge and map all network entry points in a target system. The first priority is often to check for open ports that may expose assets to attackers with local network access. Of course, these ports should not be publicly accessible at all and pose a great risk to internal security.

You need to know if the network perimeter has any open ports and, if so, where they are. In other words, you not only need port discovery, but also mapping. has multiple ways of solving this problem of accurate port detection and checking for you.

As part of our suite of Reconnaissance tools, Pentest-Tools includes a separate Port Scanner and a UDP Port Scanner, to account for differing port scan techniques. These online port scanners detect open ports and running services. They also perform OS fingerprinting on target IP addresses or hostnames. Finally, they check firewall rules and verify whether your services are accessible from the web.

Both port scanners are based on Nmap, the world's most famous port scanner. Using an online and optimized version of the Nmap port scanner, rather than one on a local machine, produces an external view of our systems. For internal vulnerability scans, it is vital that firewalls and network restrictions are included in scan results, to gain the vantage point of a malicious hacker.

Network perimeter assessment with a top quality scanner

The next stage in an Internal Vulnerability Scan involves using network vulnerability scanners for infrastructure testing. The solution for assessing the network perimeter is the Network Vulnerability Scanner. Its role is to discover critical vulnerabilities in widely used software, outdated network services, missing security patches, and badly configured servers.

The network perimeter is what divides your internal network assets from the outside. A network vulnerability scanner accesses and exposes internal network services. It then maps all those services and reports on any detected vulnerabilities. This is a sample Network Vulnerability Scanner report:

Two even more specialized network vulnerability scanners

The Network Vulnerability Scanner with OpenVAS is considered one of the best open-source network security scanners available. To make your workflow even more powerful, includes two additional network vulnerability scanners in your arsenal:

  • The SSL/TLS Scanner – SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are security protocols that use cryptographic methods to produce secure communications across a network. This scanner discovers relevant configuration issues and vulnerabilities associated with these protocols, such as POODLE, Heartbleed, DROWN, ROBOT, and others.
  • The DNS Server Scanner – DNS (Domain Name System) Zone Transfer is a type of database transaction that enables administrators to replicate DNS databases across DNS servers. The DNS Server Scanner checks whether the name servers of the target domain are vulnerable to DNS Zone transfer. It also retrieves the full DNS Zone file and checks for other vulnerabilities in DNS servers.

An automatic exploiter tool that validates internal vulnerabilities

Sniper - Automatic Exploiter provides you with a way to get proof for validating that critical, high-impact CVEs (Common Vulnerabilities and Exposures) are exploitable on the target system. You can run full, controlled, automatic exploitation while leaving the target system unaltered and clean.

The Sniper automatically filters out the noise that vulnerability scanners create so you can gain Remote Code Execution (RCE) and evidence of exploitation in under two minutes. It’s also helpful for weeding out false positives. At the end, Sniper provides a list of tool activities, extracted data (called artefacts), and exploitation details.

How does it work with internal vulnerability scans? Sniper Auto-Exploiter:

  • Mimics real-world internal exploits and attack techniques to determine the truly vulnerable systems
  • Gains RCE (Remote Code Execution) on vulnerable targets
  • Automatically runs post-exploitation to extract interesting data as solid proof for vulnerability validation

A weak password auditor for strong authentication

Default passwords and other weak credentials pose a larger problem for internal networks than most business leaders realize. They are frequently and consistently in lists of top ten internal vulnerabilities. And a single weak password could expose the entire network to security threats involving data-hungry malware.

Finding them manually is ineffective and time consuming, especially if you want to cover the entire attack surface. With the Password Auditor, you can automatically find weak passwords in network services (e.g. SSH, FTP, MySQL), web pages (web forms), and web applications. It also helps you quickly detect services that require authentication (login forms and other password protected pages).

Common Questions

Internal vulnerability scanning FAQs

Scanning internal networks with is available for higher tier options. This option will enable you to scan targets from your private network through the VPN agent to reach internal hosts. You can compare plans to view what features are included in each package and which suits your needs best.