
13 May 2026 · Website Security

What Is a Website Vulnerability Scanner (And Do You Need One?)

A plain-English explanation of what vulnerability scanners find, when you need one, and what free tools miss.

If you run a business website, chances are someone has tried to tell you that you need a "vulnerability scanner" or a "security audit." The terminology can feel opaque, and the sales pitch often assumes you already know what these things do. This article explains what a vulnerability scanner actually is, what it finds, and whether your business needs one.

What does a vulnerability scanner do?

A vulnerability scanner is an automated tool that probes your website for known security weaknesses. Think of it like an MOT test for your website: it runs through a checklist of common problems and flags anything that needs attention. It does not try to break into your site -- it checks whether known vulnerabilities exist so you can fix them. The NCSC's vulnerability management guidance recommends regular scanning so that you find those vulnerabilities before someone else does.

The scanner works from the outside, just like a potential attacker would. It connects to your website, examines how your server responds, checks your configuration, and compares what it finds against a database of known security issues. The whole process typically takes a few minutes, and you receive a report listing every issue discovered along with its severity and recommended fixes.

What a vulnerability scanner actually finds

A good scanner checks dozens of potential issues. Here are the main categories it examines:

SSL and encryption problems

The scanner checks that your SSL certificate is valid, has not expired, covers the correct domains, and uses strong encryption. It also checks that your server is not still supporting outdated protocols like TLS 1.0 or TLS 1.1, which are no longer considered secure.

Missing or misconfigured security headers

HTTP security headers like HSTS, Content-Security-Policy, and X-Frame-Options tell browsers to activate built-in protections. The scanner checks which headers are present, which are missing, and whether the ones that exist are configured correctly. See our guide to HTTP security headers for a full explanation of what each one does.

Open ports and services

Every port your server leaves open is a potential entry point. The scanner checks which ports are accessible from the internet and flags any that should not be, such as database ports, admin interfaces, or development servers accidentally exposed to the public.

Software vulnerabilities

If your website runs on a content management system like WordPress, the scanner can detect the version and check whether it has known vulnerabilities. It also checks for outdated plugins, themes, and server software that attackers could exploit -- the OWASP Web Security Testing Guide covers common vulnerability categories.

Exposed files and directories

The scanner looks for sensitive files that should not be publicly accessible: configuration files, database dumps, backup archives, admin panels, and debug endpoints. These are common on small business websites and are a goldmine for attackers.

Email authentication

Your domain's email security records -- SPF, DKIM, and DMARC -- are part of your overall security posture. The scanner checks whether these records exist and are properly configured. Without them, attackers can impersonate your domain in phishing emails. See our SPF, DKIM, and DMARC guide for details.
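Below is a check of the kind the email authentication section describes, added here as an example and not PulseShield's own scanner code: it evaluates an SPF record's final "all" qualifier and DNS lookup count, and a DMARC record's policy and reporting address. The records and the domain example.test are constructed samples rather than real DNS lookups, and DKIM is left out because its selectors cannot be read from a single record.

```python
"""Evaluate SPF and DMARC TXT records the way the email-authentication check
above describes. Added example, not PulseShield's code; the records are
constructed for the hypothetical domain example.test, not fetched from DNS."""
import re

SAMPLE_SPF = "v=spf1 include:_spf.example.test ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def check_spf(record):
    """Return a list of findings for the domain's SPF record (None = not published)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF record missing: any server can claim to send mail for your domain"]
    findings = []
    terms = record.split()[1:]
    # The 'all' mechanism decides what receivers do with senders not listed above it.
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None or all_term[0] in "+?a":
        findings.append("SPF has no restrictive 'all': unlisted senders still pass")
    elif all_term.startswith("~"):
        findings.append("SPF uses softfail (~all); move to -all once every sender is listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers will permerror")
    return findings

def check_dmarc(record):
    """Return a list of findings for the _dmarc TXT record (None = not published)."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC record missing: receivers have no policy for mail failing SPF/DKIM"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is '{policy or 'unset'}': spoofed mail is reported, not blocked")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: aggregate reports go nowhere")
    return findings
```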

Cookie and consent issues

The scanner checks whether your site sets cookies before obtaining visitor consent, whether cookies use secure flags, and whether your consent mechanism meets current standards. This is increasingly important as the ICO continues to enforce cookie compliance for UK websites.
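The security header check and the cookie flag check described in the two sections above, as one added example that is not PulseShield's code: it audits a constructed set of response headers and reports a missing or weak HSTS, a CSP that allows inline scripts, absent clickjacking protection, and cookies set without Secure, HttpOnly or SameSite. The one-year HSTS minimum is a common recommendation assumed here, not a figure from the article.

```python
"""Audit one HTTPS response for the security headers and cookie flags the
scanner checks. Added example, not PulseShield's code; thresholds are
common recommendations, not figures from the article."""
import re

# Constructed sample response headers (a list, because Set-Cookie can repeat).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def audit_headers(headers):
    """Return (severity, finding) tuples; an empty list means nothing to fix."""
    findings, by_name, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            by_name[name.lower()] = value
    # HSTS: present, with max-age of at least one year (31536000 s) so browsers keep using HTTPS.
    hsts = by_name.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security header missing"))
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < 31536000:
            findings.append(("medium", "HSTS max-age is below one year"))
    # CSP: present, and not undermining itself by allowing inline scripts.
    csp = by_name.get("content-security-policy", "")
    if not csp:
        findings.append(("medium", "Content-Security-Policy header missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(("low", "Content-Security-Policy allows 'unsafe-inline'"))
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is needed.
    xfo = by_name.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("medium", "No X-Frame-Options or CSP frame-ancestors"))
    # Cookies: each one should carry Secure, HttpOnly and SameSite.
    for raw in cookies:
        cookie_name = raw.split("=", 1)[0].strip()
        present = {part.strip().split("=")[0].lower() for part in raw.split(";")[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in present:
                findings.append(("medium", f"cookie '{cookie_name}' lacks the {label} flag"))
    return findings
```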

Scanner vs penetration testing: what is the difference?

These two things serve different purposes and are not interchangeable.

A vulnerability scanner is automated, fast, and relatively inexpensive. It checks for known issues against a defined list. It can scan your site weekly or even daily without costing more. It catches the common, well-understood problems that make up the majority of real-world attacks.

Penetration testing (pen testing) involves a human security expert actively trying to break into your website. They use creativity, intuition, and techniques that automated tools cannot replicate. Pen testing is more thorough but costs significantly more and is typically done once a year or after major changes.

For most small businesses, starting with regular vulnerability scanning is the practical choice. It catches the issues most likely to be exploited, costs a fraction of what pen testing costs, and can be run continuously. If your business handles sensitive data, processes payments at scale, or operates in a regulated industry, adding an annual pen test on top of regular scanning is sensible.

Scanner vs monitoring: are they the same thing?

No, though they are related. A vulnerability scanner takes a snapshot of your security at a specific moment. You run a scan, you get a report, you fix the issues. But what happens if something changes the next day?

Security monitoring runs continuously. It watches your website for changes -- new vulnerabilities appearing in your software, certificates approaching expiry, configuration drift, DNS changes -- and alerts you when something needs attention. Monitoring is what turns a one-time check into ongoing protection.

Ideally, you want both: regular scans to catch existing issues, and monitoring to catch new ones as they appear. PulseShield combines both in its monitoring plans, scanning your site and alerting you when anything changes.

Do you need a vulnerability scanner?

If your website does anything more than display static text, the answer is almost certainly yes. The UK government's cyber security guidance recommends regular vulnerability scanning for all businesses. Here is a simple way to think about it:

  • Does your site collect any visitor information? Contact forms, newsletter signups, account creation -- all of these make your site a target.
  • Does your site run on WordPress or another CMS? These platforms are the most common targets for automated attacks because of their popularity.
  • Does your site use third-party plugins or integrations? Each one is a potential vulnerability.
  • Would it damage your business if your site was hacked? Lost revenue, damaged reputation, potential data breach notifications -- the cost of a breach far exceeds the cost of prevention.

If you answered yes to any of these, a vulnerability scan is a sensible precaution. The cost of a scan is minimal compared to the cost of dealing with a breach.

What a good scanner checks for (that free tools miss)

There are plenty of free tools that will check a few headers or test your SSL certificate. They are useful for a quick sanity check, but they have real limitations:

  • Limited scope: Free tools typically check one or two things. A comprehensive scanner checks dozens of categories across your entire attack surface.
  • No remediation guidance: Free tools tell you something is wrong but often do not explain what to do about it. A proper report gives you specific, actionable steps.
  • No ongoing protection: A one-off check does not protect you next week. Monitoring ensures you are alerted when new issues appear.
  • No context: Free tools show raw technical output. A good scanner presents findings in a report you can understand and act on without being a security expert.

PulseShield's free scan is a step up from basic free tools. It checks your SSL configuration, all major security headers, cookie compliance, email authentication records, open ports, and exposed files. You get a professional PDF report with findings categorised by severity, each one explained in plain English with specific remediation steps. Run yours now.

When to scan

At a minimum, scan your website:

  • Right now, if you have never had a security check
  • After any website update, redesign, or migration
  • When you add new functionality or third-party integrations
  • Quarterly as a routine check
  • Immediately if you suspect your site has been compromised

For businesses that depend on their website for leads or sales, continuous monitoring is the better approach. It catches issues as they appear rather than waiting for the next scheduled scan. See what PulseShield's monitoring includes and whether it fits your needs.
