Vulnerability Scanning
Vulnerability Scanning provides external security scanning through two engines: Nuclei for CVE and misconfiguration detection, and OWASP ZAP for dynamic application security testing (DAST). Configure targets, create scan profiles, launch scans on demand or on a schedule, and triage findings — all from within Vulnerability Management.
Overview
Access from Security Operations → Vulnerability Management → Scanning in the sidebar. The module has five tabs:
- Overview — How scanning works, engine descriptions, and key concepts
- Targets — Systems to scan (domains, IPs, URLs, CIDRs)
- Scan Profiles — Engine-specific scan configurations
- Scan History — Execution records with status and finding counts
- Findings — Discovered vulnerabilities with triage workflow
The header displays the count of open (untriaged) findings with a status indicator.
Scan Engines
| Engine | Description | Output Format |
|---|---|---|
| Nuclei | Template-based scanner for CVEs, misconfigurations, exposures, default credentials, and takeovers | JSONL |
| OWASP ZAP | Dynamic application security testing — crawls and attacks web applications to find SQLi, XSS, CSRF, and other application-level vulnerabilities | JSON |
Both engines run on isolated ECS Fargate tasks with no access to your production infrastructure. Results are written to S3 and ingested by the scan scheduler.
Targets
Targets define the systems you want to scan. Each target has a type, value, optional description, and active/inactive status.
Target Types
| Type | Description | Example |
|---|---|---|
| Domain | Fully qualified domain name | app.example.com |
| IP Address | IPv4 address (no private ranges) | 203.0.113.10 |
| URL | Full URL with http/https protocol | https://app.example.com/api |
| CIDR | Network range in CIDR notation | 203.0.113.0/24 |
Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) are blocked to prevent internal network scanning.
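As an added illustration (not the product's own code), the following Python validator applies the per-type rules from the table and the private-range block to a proposed target value. Function names such as validate_target are assumptions, and the domain-label rule (RFC 1123 labels, at least two labels) is an assumption about what "validated per type" means for a fully qualified domain name.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Non-routable ranges the page lists as blocked for IP and CIDR targets.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen
# (assumed RFC 1123 rule; the page only says "fully qualified domain name").
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_domain(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    # Require at least two labels so bare hostnames such as "localhost" are rejected.
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def validate_ip(value: str) -> bool:
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False            # not IPv4 (IPv6 literals, hostnames, garbage)
    return not any(addr in net for net in BLOCKED_RANGES)


def validate_cidr(value: str) -> bool:
    try:
        net = ipaddress.IPv4Network(value, strict=True)   # host bits must be zero
    except ValueError:
        return False
    # Reject any range that overlaps a blocked range, so 0.0.0.0/0 or 10.0.0.0/7
    # cannot be used to reach a private range through a wider prefix.
    return not any(net.overlaps(blocked) for blocked in BLOCKED_RANGES)


def validate_url(value: str) -> bool:
    try:
        parts = urlparse(value)
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    # A literal IP inside a URL must pass the same private-range check as an IP target.
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return validate_domain(host)
    return validate_ip(host)


VALIDATORS = {
    "domain": validate_domain,
    "ip": validate_ip,
    "url": validate_url,
    "cidr": validate_cidr,
}


def validate_target(target_type: str, value: str) -> bool:
    """Return True when value is a well-formed, non-private target of the given type."""
    check = VALIDATORS.get(target_type.strip().lower())
    return bool(check and check(value.strip()))
```

Two caveats worth keeping in mind: the IP and CIDR checks cover IPv4 only, matching the table, and every check here is on the literal value. A domain target that resolves to a private address is not caught by this validator; that has to be enforced where resolution happens, i.e. in the isolated scanner environment's egress rules.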
Target Table
| Column | Description |
|---|---|
| Targets | Target name and value |
| Health | Active (green) or Inactive (gray) badge |
| Type | Domain, IP, URL, or CIDR badge |
| Last Scanned | When the target was last included in a scan |
| Created | Creation date |
Click any target row to expand the detail panel showing severity breakdown (Critical, High, Medium, Low, Info counts), description, linked scan profiles, and a Scan this target button.
Adding a Target
Click + Add Target and provide:
- Name — Friendly name for the target
- Target Type — Domain, IP, URL, or CIDR
- Target — The actual value (validated per type)
- Description — Optional context
Duplicate targets within the same organization are rejected.
Scan Profiles
Scan profiles define how scans are configured for each engine. Profiles can be linked to one or more targets and optionally scheduled.
Profile Fields
| Field | Description |
|---|---|
| Name | Profile name |
| Description | What this profile scans for |
| Scan Engine | Nuclei or ZAP |
| Rate Limit | Requests per second (1–1000, default 150) |
| Concurrency | Parallel threads (1–100, default 25) |
| Max Duration | Timeout in minutes (5–240, default 60) |
| Schedule Enabled | Toggle automatic recurring scans |
| Schedule (Cron) | Cron expression for scheduled runs (e.g., 0 2 * * 0 for weekly Sunday 2am) |
Nuclei Profiles
Configure which vulnerability template categories to include:
| Category | Description |
|---|---|
| CVEs | Known CVE vulnerabilities |
| Exposures | Sensitive data or service exposures |
| Misconfigurations | Server and application misconfigurations |
| Default Credentials | Default login detection |
| Takeovers | Subdomain and service takeover detection |
| Technologies | Technology stack fingerprinting |
| Network | Network-level checks |
| SSL/TLS | Certificate and cipher configuration |
| DNS | DNS misconfiguration detection |
Each Nuclei profile also has a severity filter that controls which findings are reported (default: Critical, High, Medium).
ZAP Profiles
| Scan Type | Description |
|---|---|
| Baseline | Passive spider and scan — fast, non-intrusive, no active attacks |
| Full | Active spider with full attack suite — thorough, slower |
| API | OpenAPI/GraphQL spec-driven API testing (requires an API spec URL) |
ZAP profiles can optionally enable Ajax Spider for JavaScript-heavy applications and specify a custom scan policy.
Profile Card Display
Each profile is displayed as a card showing the profile name, engine badge (Nuclei in violet, ZAP in orange), description, template categories or scan type, target count, execution count, schedule badge (if enabled), and a Run Now button.
Running Scans
Manual Scan
Click Run Now on any scan profile, or click Scan this target from a target's detail panel. Each launch creates one or more scan executions:
- Nuclei scans all linked targets in a single execution
- ZAP creates one execution per target (single-URL scanning)
Scheduled Scans
Enable scheduling on a scan profile with a cron expression. The scan scheduler checks for pending scheduled scans every 5 minutes and launches them automatically.
Concurrency Limits
A configurable maximum concurrent scan limit prevents overwhelming your infrastructure. Additional scans queue as PENDING until a running slot becomes available.
Scan History
The Scan History tab shows all scan executions with status tracking and finding summaries.
Execution Table
| Column | Description |
|---|---|
| Profile | Scan profile name with engine badge |
| Status | Execution status with icon |
| Trigger | Manual or Scheduled badge |
| Started | When the scan began (relative time) |
| Duration | Elapsed time or ETA for running scans |
| Severity Breakdown | Critical, High, Medium, Low counts |
Click any execution to expand the detail panel showing execution ID, start/completion timestamps, duration, trigger type, a findings summary table (Total, Critical, High, Medium, Low, Info), error message (if failed), and ECS task ARN.
Execution Statuses
| Status | Description |
|---|---|
| Pending | Queued, waiting for a concurrency slot |
| Launching | Starting the ECS Fargate task |
| Running | Actively scanning targets |
| Processing | Post-processing and ingesting results from S3 |
| Completed | Successfully finished |
| Failed | Error during execution (error message recorded) |
| Cancelled | Cancelled by user |
A scan can be cancelled only while its status is Pending, Launching, or Running.
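To make the status table, the concurrency limit and the cancellation rule concrete, here is an added Python model of the scheduler (example code, not the product's implementation). The statuses and the cancellable set come from the page; the transition edges, the assumption that Launching, Running and Processing each hold a concurrency slot, and FIFO launch order are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Execution statuses as listed in the table above.
PENDING, LAUNCHING, RUNNING, PROCESSING = "PENDING", "LAUNCHING", "RUNNING", "PROCESSING"
COMPLETED, FAILED, CANCELLED = "COMPLETED", "FAILED", "CANCELLED"

# Legal forward transitions (assumed; the page lists the statuses, not the edges).
# Cancellation is handled separately because the user drives it, not the scanner.
TRANSITIONS = {
    PENDING: {LAUNCHING},
    LAUNCHING: {RUNNING, FAILED},
    RUNNING: {PROCESSING, FAILED},
    PROCESSING: {COMPLETED, FAILED},
}
CANCELLABLE = {PENDING, LAUNCHING, RUNNING}          # from the page
SLOT_HOLDERS = {LAUNCHING, RUNNING, PROCESSING}      # assumed: these occupy a concurrency slot


def is_legal_transition(current: str, new: str) -> bool:
    return new in TRANSITIONS.get(current, set())


@dataclass
class Execution:
    id: str
    profile: str
    status: str = PENDING
    error: Optional[str] = None


class Scheduler:
    """Concurrency-limited queue: executions wait as PENDING until a slot frees up."""

    def __init__(self, max_concurrent: int) -> None:
        self.max_concurrent = max_concurrent
        self.executions: Dict[str, Execution] = {}   # insertion order == submission order
        self._seq = 0

    def submit(self, profile: str) -> Execution:
        self._seq += 1
        ex = Execution(id=f"exec-{self._seq}", profile=profile)
        self.executions[ex.id] = ex
        self._fill_slots()
        return ex

    def active_count(self) -> int:
        return sum(1 for e in self.executions.values() if e.status in SLOT_HOLDERS)

    def _fill_slots(self) -> None:
        # Move PENDING executions to LAUNCHING in FIFO order while slots are free.
        for ex in self.executions.values():
            if self.active_count() >= self.max_concurrent:
                break
            if ex.status == PENDING:
                ex.status = LAUNCHING

    def advance(self, exec_id: str, new_status: str, error: Optional[str] = None) -> None:
        ex = self.executions[exec_id]
        if not is_legal_transition(ex.status, new_status):
            raise ValueError(f"{exec_id}: illegal transition {ex.status} -> {new_status}")
        ex.status = new_status
        if new_status == FAILED:
            ex.error = error or "unspecified error"   # page: the error message is recorded
        if new_status in (COMPLETED, FAILED):
            self._fill_slots()                         # a terminal status frees its slot

    def cancel(self, exec_id: str) -> bool:
        """Cancel only while Pending, Launching or Running; returns False otherwise."""
        ex = self.executions[exec_id]
        if ex.status not in CANCELLABLE:
            return False
        ex.status = CANCELLED
        self._fill_slots()
        return True
```

The design point is that a slot is released only on a terminal status or a cancellation, so a scan stuck in Processing still counts against the limit; if your ingestion step can stall, Max Duration on the profile is what bounds that.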
Findings
Scan findings are discovered vulnerabilities, each linked to a specific scan execution.
Finding Fields
| Field | Description |
|---|---|
| Template Name | Human-readable vulnerability name |
| Template ID | Nuclei template ID (e.g., CVE-2021-44228) |
| Severity | Critical, High, Medium, Low, or Info |
| Finding Type | Category (e.g., cve, exposure, misconfiguration) |
| Host | Target host where the vulnerability was found |
| Matched At | Specific URL or location |
| Description | Vulnerability description |
| References | CVE links, advisory URLs |
| Extracted Results | Nuclei matcher output |
| Curl Command | Reproducibility command |
| Occurrence Count | Times this finding has been seen across scans |
| First Seen / Last Seen | Discovery and most recent detection dates |
ZAP findings include additional fields: Plugin ID, Confidence (0–4), CWE ID, WASC ID, Solution, and Evidence.
Fingerprint Deduplication
Each finding has a fingerprint computed as SHA256(templateId | host | matchedAt). When the same vulnerability is found in a subsequent scan, the existing finding is updated (last seen date and occurrence count) rather than creating a duplicate.
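The following Python ingestion routine is an added example (not the product's scan scheduler) that serves both the Nuclei severity filter described under Scan Profiles and the fingerprint deduplication described here: it reads Nuclei JSONL output, drops findings outside the profile's severity set, computes SHA256(templateId | host | matchedAt), and updates an existing finding's last-seen date and occurrence count instead of inserting a duplicate. The JSON field names follow Nuclei's JSONL layout (template-id, host, matched-at, info.name, info.severity, info.reference, curl-command); the sample lines and the store layout are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, Iterator, Set

# Default Nuclei severity filter from the page: Critical, High, Medium.
DEFAULT_SEVERITIES: Set[str] = {"critical", "high", "medium"}


def fingerprint(template_id: str, host: str, matched_at: str) -> str:
    """SHA256 over templateId | host | matchedAt, the dedup key described above."""
    raw = "|".join((template_id, host, matched_at)).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def parse_nuclei_jsonl(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty line (Nuclei writes one JSON object per line)."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def ingest_finding(store: Dict[str, dict], raw: dict, seen_at: datetime,
                   severities: Set[str] = DEFAULT_SEVERITIES) -> str:
    """Insert or update one finding in `store`; returns 'new', 'updated' or 'filtered'."""
    info = raw.get("info", {})
    severity = str(info.get("severity", "info")).lower()
    if severity not in severities:
        return "filtered"                       # dropped by the profile's severity filter
    fp = fingerprint(raw["template-id"], raw["host"], raw.get("matched-at", ""))
    existing = store.get(fp)
    if existing is not None:
        # Same vulnerability seen again: bump the counters, keep first_seen, add no row.
        existing["occurrence_count"] += 1
        existing["last_seen"] = seen_at
        return "updated"
    store[fp] = {
        "fingerprint": fp,
        "template_id": raw["template-id"],
        "template_name": info.get("name", raw["template-id"]),
        "severity": severity,
        "host": raw["host"],
        "matched_at": raw.get("matched-at", ""),
        "references": list(info.get("reference") or []),
        "curl_command": raw.get("curl-command"),
        "triage_status": "New",
        "occurrence_count": 1,
        "first_seen": seen_at,
        "last_seen": seen_at,
    }
    return "new"


def ingest_scan(store: Dict[str, dict], jsonl_text: str, seen_at: datetime,
                severities: Set[str] = DEFAULT_SEVERITIES) -> Dict[str, int]:
    """Ingest one execution's JSONL output; returns counts of new/updated/filtered findings."""
    counts = {"new": 0, "updated": 0, "filtered": 0}
    for raw in parse_nuclei_jsonl(jsonl_text):
        counts[ingest_finding(store, raw, seen_at, severities)] += 1
    return counts


# Constructed sample output for two runs of the same profile a week apart.
# Only the CVE id comes from the page; hosts, names and the other template ids are made up.
_LOG4J = {"template-id": "CVE-2021-44228",
          "info": {"name": "Apache Log4j2 RCE", "severity": "critical",
                   "reference": ["https://nvd.nist.gov/vuln/detail/CVE-2021-44228"]},
          "host": "https://app.example.com",
          "matched-at": "https://app.example.com/api/login",
          "curl-command": "curl -s 'https://app.example.com/api/login'"}
_TECH = {"template-id": "example-tech-fingerprint",
         "info": {"name": "Technology fingerprint (constructed)", "severity": "info"},
         "host": "https://app.example.com", "matched-at": "https://app.example.com"}
_TLS = {"template-id": "example-tls-weak-cipher",
        "info": {"name": "Weak TLS cipher (constructed)", "severity": "medium"},
        "host": "app.example.com:443", "matched-at": "app.example.com:443"}

RUN_1 = "\n".join(json.dumps(f) for f in (_LOG4J, _TECH))
RUN_2 = "\n".join(json.dumps(f) for f in (_LOG4J, _TLS))
RUN_1_AT = datetime(2024, 1, 7, 2, 0, tzinfo=timezone.utc)
RUN_2_AT = datetime(2024, 1, 14, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings: Dict[str, dict] = {}
    print(ingest_scan(findings, RUN_1, RUN_1_AT))   # {'new': 1, 'updated': 0, 'filtered': 1}
    print(ingest_scan(findings, RUN_2, RUN_2_AT))   # {'new': 1, 'updated': 1, 'filtered': 0}
```

Because matchedAt is part of the key, the same template hitting two paths on one host produces two findings, which is what you want for triage; conversely, an application that moves an endpoint will produce a fresh New finding rather than updating the old one, so recurring-finding counts should be read with that in mind.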
Finding Filters
| Filter | Options |
|---|---|
| Search | Free-text search across template name and host |
| Severity | Critical, High, Medium, Low, Info |
| Triage Status | New, Confirmed, False Positive, Accepted Risk, Promoted |
| Engine | Nuclei, ZAP |
| Recurring | Show only findings seen in multiple scans |
Severity Levels
| Severity | Color | Description |
|---|---|---|
| Critical | Red | Exploitable with severe impact — immediate remediation required |
| High | Orange | Significant risk requiring prompt attention |
| Medium | Amber | Moderate risk, should be addressed in a reasonable timeframe |
| Low | Blue | Minor risk, low priority |
| Info | Gray | Informational, no direct security impact |
Triage Workflow
Each finding has a triage status that tracks its review progress.
Triage Statuses
| Status | Description |
|---|---|
| New | Newly discovered, not yet reviewed |
| Confirmed | Verified as a real vulnerability |
| False Positive | Determined to be a false detection |
| Accepted Risk | Risk acknowledged, no immediate remediation planned |
| Promoted | Promoted to the Vulnerability Register as a formal vulnerability record |
Triaging a Finding
Click any finding to review it. Set the triage status and add a note explaining the decision. The reviewer and timestamp are recorded automatically.
Bulk Triage
Select multiple findings using checkboxes, choose a triage status from the dropdown, and click Apply to update all selected findings at once (up to 500 per batch).
Promote to Vulnerability Register
Confirmed findings can be promoted to the Vulnerability Register, creating a formal Vulnerability record with identifiedDuring: NUCLEI_SCAN or ZAP_SCAN. Once promoted, the finding's triage status is locked to Promoted and linked to the vulnerability record.
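As an added Python example (not the product's code), this models the triage rules from this section: a reviewer and timestamp are recorded on every status change, bulk updates are capped at 500 per batch and leave promoted findings untouched, only Confirmed findings can be promoted, and promotion creates a register record with identifiedDuring set to NUCLEI_SCAN or ZAP_SCAN and locks the finding to Promoted. The Finding and Vulnerability shapes, the VULN-nnnn id scheme and the decision to report locked findings as skipped rather than fail the batch are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

TRIAGE_STATUSES = {"New", "Confirmed", "False Positive", "Accepted Risk", "Promoted"}
BULK_LIMIT = 500                     # page: bulk triage handles up to 500 findings per batch


@dataclass
class Finding:
    id: str
    engine: str                      # "nuclei" or "zap"
    triage_status: str = "New"
    triage_note: Optional[str] = None
    triaged_by: Optional[str] = None
    triaged_at: Optional[datetime] = None
    vulnerability_id: Optional[str] = None   # set when promoted to the register


@dataclass
class Vulnerability:
    id: str
    source_finding_id: str
    identified_during: str           # NUCLEI_SCAN or ZAP_SCAN, as on the page


def is_locked(f: Finding) -> bool:
    """Promoted findings keep their status; reviewers cannot change them."""
    return f.triage_status == "Promoted"


def set_triage(f: Finding, status: str, note: str, reviewer: str,
               now: Optional[datetime] = None) -> None:
    """Set a reviewable status and record who decided and when."""
    if status not in TRIAGE_STATUSES or status == "Promoted":
        raise ValueError(f"{status!r} is not a status a reviewer can set directly")
    if is_locked(f):
        raise ValueError(f"finding {f.id} is promoted and its triage status is locked")
    f.triage_status, f.triage_note = status, note
    f.triaged_by, f.triaged_at = reviewer, now or datetime.now(timezone.utc)


def bulk_triage(findings: Dict[str, Finding], ids: List[str], status: str, note: str,
                reviewer: str, now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Apply one status to many findings; locked (promoted) ones are reported, not changed."""
    if len(ids) > BULK_LIMIT:
        raise ValueError(f"batch of {len(ids)} exceeds the limit of {BULK_LIMIT}")
    if status not in TRIAGE_STATUSES or status == "Promoted":
        raise ValueError(f"{status!r} cannot be applied in bulk")
    result: Dict[str, List[str]] = {"updated": [], "skipped": []}
    for fid in ids:
        f = findings[fid]
        if is_locked(f):
            result["skipped"].append(fid)
            continue
        set_triage(f, status, note, reviewer, now)
        result["updated"].append(fid)
    return result


def can_promote(f: Finding) -> bool:
    return f.triage_status == "Confirmed"


def promote(f: Finding, register: Dict[str, Vulnerability], reviewer: str,
            now: Optional[datetime] = None) -> Vulnerability:
    """Create the register record and lock the finding to Promoted."""
    if not can_promote(f):
        raise ValueError(f"finding {f.id} must be Confirmed before promotion")
    vuln_id = f"VULN-{len(register) + 1:04d}"          # constructed id scheme
    vuln = Vulnerability(id=vuln_id, source_finding_id=f.id,
                         identified_during="NUCLEI_SCAN" if f.engine == "nuclei" else "ZAP_SCAN")
    register[vuln_id] = vuln
    f.triage_status, f.vulnerability_id = "Promoted", vuln_id
    f.triaged_by, f.triaged_at = reviewer, now or datetime.now(timezone.utc)
    return vuln
```

Keeping promotion out of set_triage and bulk_triage is deliberate: Promoted is a consequence of creating a register record, not an opinion a reviewer enters, so the only path to it is promote(), and the only path out of it is whatever the register itself does with the vulnerability record.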
AI Analysis
Click Analyze on any finding to generate AI-powered analysis including:
- Impact assessment — What the vulnerability means for your environment
- Remediation guidance — Step-by-step fix instructions
- Priority recommendation — Where this should fall in your remediation queue
Dashboard
The Overview tab header displays aggregate statistics:
| Metric | Description |
|---|---|
| Open Findings | Count of findings not yet triaged or resolved |
| Targets | Total and active target counts, broken down by type |
| Profiles | Total profiles and how many have scheduling enabled |
| Executions | Total runs, currently running, completed/failed in last 30 days, last scan date |
| Findings by Severity | Critical, High, Medium, Low, Info counts |
| Findings by Triage | New, Confirmed, False Positive, Accepted Risk, Promoted counts |
| Findings by Engine | Nuclei vs. ZAP counts |
| Recurring Findings | Findings seen in multiple scan runs |
How It Works
- Configure Targets — Add the domains, IPs, URLs, or CIDRs you want to scan
- Create Scan Profiles — Choose an engine (Nuclei or ZAP), select templates or scan type, link targets
- Launch Scans — Run manually or set a schedule; scans execute on isolated ECS Fargate tasks
- Triage Findings — Review results, confirm or dismiss findings, promote real vulnerabilities to the register