The Next Level of Managed Vulnerability Scanning: Authenticated and Unauthenticated Scans

Trustwave, A LevelBlue Company, is a huge proponent of employing offensive security tactics to ensure a client is properly protected.

For Trustwave, the reason is obvious. Offensive security is an effective approach to evaluate and enhance an overall security posture. We’ve written about this before (just check here, here, and here), but today we will explore the difference between an Authenticated Scan and an Unauthenticated Scan.

Let’s set the stage by defining the two types of scans.

Authenticated vs Unauthenticated Scans

Determining the appropriate vulnerability scanning service to run and optimizing its effectiveness are crucial for maximizing security assessment results. Here are the details about unauthenticated and authenticated scans to help us decide which best suits your needs.

An unauthenticated scan aids in early-stage reconnaissance by identifying unauthenticated, publicly exposed vulnerabilities. Basically, the scan simulates an external attack by an unknown threat actor and helps identify vulnerabilities accessible without credentials.

What an unauthenticated scan accomplishes:

• It replicates how an attacker from outside the network would approach the target.
• It does not require credentials.
• It is a quick overview with a limited view. It can only collect information accessible at the network layer, such as open ports and running services.
• Since the scan is limited in view, there is the possibility that this scan will generate false positives when it comes to vulnerabilities.
• It may also miss vulnerabilities that require deeper access.
  

An authenticated scan will enhance the effectiveness of our vulnerability scans and support a comprehensive assessment of organizational assets, significantly strengthening the company’s security posture.

An authenticated scan:

• Require users to supply valid credentials—such as usernames and passwords or SSH keys—to gain access to the target systems.
• It is in-depth and comprehensive, as it can log in to systems and applications, uncovering vulnerabilities and misconfigurations that remain hidden during unauthenticated scans.
• It delivers a more precise vulnerability assessment by analyzing system configurations, installed software, and patch levels.
• The scan may take longer to complete as it performs more extensive checks.

Choosing between authenticated and unauthenticated scanning depends on the client's security objectives.

However, Trustwave strongly recommends performing authenticated scans. These provide deeper visibility into the system and simulate scenarios where the initial security layer has been bypassed.

Implementing both types of scans supports a defense-in-depth strategy, ensuring that multiple layers of security are in place and functioning effectively.

Trustwave’s Scanning Process

The process begins with the client supplying a list of target assets.

The Managed Vulnerability Scanning (MVS) team, operating under Trustwave SpiderLabs, provides a fully managed vulnerability scanning service. It first performs a discovery scan to determine which targets are live and accessible. The client will confirm if the live targets are within their expectations.

Once confirmed, a full vulnerability scan is conducted on the active targets. The team ensures scan accuracy and completeness and generates comprehensive reports that include vulnerability findings and risk-based prioritization.

The duration of the scanning process depends on the number of targets and the network environment, but it is typically completed within a week.

Addressing Client Concerns

There are cases when clients are hesitant to provide the credentials necessary to conduct a proper, authenticated scan.

These concerns often revolve around giving up the credentials necessary to conduct the scan; also, some are not fully aware of the benefits of conducting authenticated and unauthenticated scans.

There are strong reasons for an organization to provide credentials for authenticated vulnerability scans as they significantly enhance the depth and accuracy of the assessment, enabling greater visibility into system configurations, patch levels, and potential security misconfigurations.

This ensures that the organization fully benefits from its investment.

To address these security concerns, please consider:

1. Reputable scanning platforms, such as Tenable, are designed with security as a priority, ensuring that all credential data is encrypted both in transit and at rest.
2. Organizations can use password vaults or credential management tools to securely store and transmit credentials without exposing them directly.
3. Credentials can be enabled only for the duration of the scan and disabled immediately afterward, minimizing potential risk.

These practices help maintain the confidentiality and integrity of sensitive information while supporting a more effective and comprehensive scanning process.

The Benefits of Scanning

Vulnerability scans typically detect a wide range of security issues across systems, including known vulnerabilities in operating systems and applications, missing security patches (such as those released on Patch Tuesday), misconfigurations, outdated software versions, and potential zero-day indicators.

With deeper access, scans can also uncover vulnerabilities that require authentication to detect, such as user permissions, access controls, and internal configurations.

The overall goal is to provide a comprehensive view of the organization’s risk exposure—both externally and internally.

For those interested in a deeper look at Trustwave’s Offensive Security program, please check out these blogs:

• Why Offensive Security is a Necessity for a Dynamic Threat Landscape
• 7-Step Guide to Properly Scoping an Offensive Security Program
• Why Offensive Security Should Be a Top Priority, Not Just a Check-the-Box Compliance Requirement
• Unlocking the Power of Offensive Security: Trustwave's Proactive Approach to Cyber Defense