🚀 SecureCheap is live — Start free →
Security
Vulnerability Scanner

Vulnerability Scanner

What the scanner checks

Port & service discovery

We scan the top 1000 ports (TCP) and identify:

  • Service name and version (via banner grabbing)
  • Whether the service should be exposed or is misconfigured
  • Known CVEs for that service version

Risk ratings for common exposed services:

ServicePortRisk if public
SSH22Medium — brute force surface
MySQL3306Critical — database exposed
Redis6379Critical — often unauthenticated
MongoDB27017Critical — often no auth
Elasticsearch9200High — data exposure
phpMyAdmin80/443High — brute force / exploits
RDP3389High — ransomware vector
FTP21High — cleartext credentials

CVE matching

After identifying services and versions, we cross-reference against:

  • NVD (National Vulnerability Database)
  • MITRE CVE feed
  • ExploitDB for publicly known exploits
  • WPScan DB (WordPress-specific)

Results include:

  • CVE ID
  • CVSS score (0–10) and severity label
  • Whether a public exploit exists
  • Remediation guidance

DNS security

CheckWhat we verify
SPFValid record exists, ~all or -all qualifier
DKIMSelector present, valid signature
DMARCPolicy present (quarantine or reject preferred)
CAACertificate Authority Authorization record
DNSSECSigned and validated
Zone transferAXFR restricted

Scan frequency

TriggerWhen
ManualOn-demand from Scanner page
ScheduledDaily (Pro) or weekly (Free)
On new resourceAutomatically on integration sync
On CVE publishWhen a new CVE matches your software

The scanner runs from dedicated egress IPs. You can allowlist them in your firewall to ensure scans always complete. Find the IPs in Settings → Scanner IPs.