2.1 Given a scenario, implement vulnerability scanning methods and concepts.
📘CompTIA CySA+ (CS0-003)
This topic is very important for the exam. You must understand:
- What agent-based scanning is
- What agentless scanning is
- How each works
- Advantages and disadvantages
- When to use each
- Security and management considerations
- How they are used in modern IT environments (cloud, servers, endpoints, etc.)
1. What Is Vulnerability Scanning?
A vulnerability scan checks systems (servers, desktops, network devices, cloud resources, applications) for:
- Missing patches
- Weak configurations
- Open ports
- Outdated software
- Known security vulnerabilities (CVEs)
- Compliance issues
The goal is to find weaknesses before attackers do.
There are two main ways to perform these scans:
- Agent-based scanning
- Agentless scanning
2. Agent-Based Vulnerability Scanning
What Is an Agent?
An agent is a small software program installed directly on a system.
It runs locally on:
- Windows servers
- Linux servers
- Workstations
- Cloud virtual machines
- Containers
The agent collects security information and sends it back to the central scanning system.
How Agent-Based Scanning Works
- The security team installs an agent on each endpoint or server.
- The agent continuously monitors the system.
- It collects:
- Installed software versions
- Patch levels
- Running services
- System configurations
- File integrity changes
- The agent sends this data securely to a central console.
- The console analyzes vulnerabilities and generates reports.
Key Characteristics of Agent-Based Scanning
- Runs locally on the device
- Does not require active network scanning
- Works even if the device is outside the corporate network
- Can scan even when the device is offline (results upload later)
Advantages of Agent-Based Scanning
1. Deep Visibility
Since the agent runs inside the system, it can see:
- Registry settings (Windows)
- File permissions
- Local configuration details
- Running processes
- Installed packages
This gives more accurate results.
2. Works for Remote Devices
Very useful for:
- Remote employees
- Cloud servers
- Laptops not always connected to VPN
The agent reports back whenever it has internet access.
3. Lower Network Impact
Because it doesn’t require heavy network scanning:
- Less network traffic
- No port scanning noise
- Less chance of triggering intrusion detection systems (IDS)
4. Continuous Monitoring
Agents can:
- Monitor changes in real time
- Detect newly installed vulnerable software
- Track configuration drift
This supports continuous vulnerability management.
Disadvantages of Agent-Based Scanning
1. Must Be Installed and Maintained
- Agents need deployment
- Must be updated
- Can break after OS updates
- May require endpoint management tools
2. Consumes System Resources
Agents use:
- CPU
- Memory
- Disk
- Network bandwidth
On high-performance servers, this must be carefully managed.
3. Security Risk if Compromised
If an attacker:
- Disables the agent
- Manipulates it
- Uses it for persistence
It becomes a security concern.
Proper access control and monitoring are required.
3. Agentless Vulnerability Scanning
What Is Agentless Scanning?
Agentless scanning does not require software installation on the target system.
Instead, the scanner connects remotely using:
- Network scanning (ports and services)
- SSH (Linux)
- WinRM / WMI (Windows)
- SMB
- SNMP
- API connections (cloud platforms)
How Agentless Scanning Works
- A central scanner is deployed inside the network.
- It scans IP ranges.
- It identifies:
- Open ports
- Running services
- Operating system
- Service versions
- It may log in using credentials (credentialed scan) to gather deeper information.
- It compares findings to vulnerability databases.
Key Characteristics of Agentless Scanning
- No installation required
- Uses network connectivity
- Often scheduled (weekly, monthly, etc.)
- Scans systems from the outside perspective
Types of Agentless Scans
1. Non-Credentialed (Unauthenticated) Scan
- No login access
- Sees only exposed services
- Simulates an external attacker
- Limited visibility
2. Credentialed (Authenticated) Scan
- Uses admin credentials
- Logs into the system
- Collects patch and configuration data
- More accurate than non-credentialed scans
The CySA+ exam expects you to understand this difference.
Advantages of Agentless Scanning
1. No Software Deployment Needed
- Easier to implement
- No impact on endpoints
- Good for large environments
2. Good for Network Visibility
It can:
- Discover unknown devices
- Detect rogue systems
- Identify exposed services
- Map open ports
Very useful for asset discovery.
3. Centralized Control
All scanning is managed from:
- A central server
- No endpoint configuration required
Disadvantages of Agentless Scanning
1. Requires Network Access
If a device:
- Is offline
- Is behind strict firewall rules
- Is outside the network
It may not be scanned.
2. Can Generate High Network Traffic
Large scans can:
- Overload switches
- Affect bandwidth
- Trigger security monitoring alerts
3. Limited Depth (Without Credentials)
Non-credentialed scans:
- Cannot see internal configuration
- May miss vulnerabilities
- Can produce false positives
4. Agent vs. Agentless – Direct Comparison
| Feature | Agent-Based | Agentless |
|---|---|---|
| Requires installation | Yes | No |
| Works outside network | Yes | Usually no |
| Network impact | Low | Can be high |
| Deep system visibility | High | Medium (High if credentialed) |
| Setup complexity | Higher | Lower |
| Continuous monitoring | Yes | Usually scheduled |
| Good for remote users | Yes | Not ideal |
| Good for asset discovery | No | Yes |
5. When to Use Agent-Based Scanning
Best for:
- Remote workforce laptops
- Cloud virtual machines
- Continuous compliance monitoring
- Systems that frequently leave the corporate network
- Environments requiring detailed configuration checks
6. When to Use Agentless Scanning
Best for:
- Internal network infrastructure
- Network device scanning (switches, routers)
- Asset discovery
- External perimeter scanning
- Environments where installing agents is not allowed
7. Cloud Environments (Important for Exam)
In cloud platforms:
- Agent-based scanning works well for cloud VMs.
- Agentless scanning can use cloud APIs to:
- Query system configuration
- Check storage buckets
- Review security group settings
Modern vulnerability management often uses a hybrid approach:
- Agents for endpoints
- Agentless for network discovery
8. Security Considerations
For the exam, understand:
Credential Protection
Agentless credentialed scans require:
- Secure credential storage
- Privileged access management
- Encrypted communication
Encryption
All communication between:
- Agent → console
- Scanner → target system
must be encrypted.
Access Control
Limit who can:
- Configure scans
- View vulnerability reports
- Access credentials
9. Performance and Operational Impact
Before implementing scanning:
- Schedule scans during low-traffic hours
- Avoid scanning production systems aggressively
- Test in staging environments first
- Monitor CPU/memory impact
CySA+ exam questions may describe:
- A system crashing during scans
- Network slowdown
- False positives
You must identify whether:
- Agentless scanning load is too high
- Credentials are misconfigured
- Agents are outdated
10. False Positives and Accuracy
Agent-based scanning:
- Fewer false positives
- More accurate configuration data
Agentless scanning:
- More likely to misidentify services
- Banner grabbing may give incomplete information
Credentialed scans improve accuracy.
11. Common Exam Scenario Clues
If the question mentions:
- “Remote laptops not connected to VPN” → Agent-based
- “Need to discover unknown devices” → Agentless
- “High network traffic during scans” → Agentless issue
- “Need continuous monitoring” → Agent-based
- “Cannot install software on servers” → Agentless
- “Need deeper configuration checks” → Agent-based or credentialed agentless
12. Best Practice: Hybrid Approach
Most organizations use:
- Agent-based scanning for endpoints and servers
- Agentless scanning for network discovery and infrastructure
This provides:
- Full coverage
- Reduced blind spots
- Balanced performance
Final Exam Summary (Very Important)
You must know:
✅ What an agent is
✅ How agent-based scanning works
✅ How agentless scanning works
✅ Credentialed vs non-credentialed scans
✅ Advantages and disadvantages of both
✅ Performance considerations
✅ Security considerations
✅ When to use each method
✅ Why hybrid approaches are common
If you clearly understand these differences, you will be well prepared for the CySA+ CS0-003 exam objective 2.1 regarding vulnerability scanning methods.
