Internal Unauthenticated Vulnerability Scans

Last updated: March 18, 2026

Internal Unauthenticated Vulnerability Scans are used to identify security exposures on systems inside the network without using credentials. These scans simulate what an attacker can see or access without authentication and are primarily used to evaluate perimeter-level exposure within internal networks.

This article explains how unauthenticated scans work, what they detect, what they require, and their limitations.

What Internal Unauthenticated Vulnerability Scans Do

Internal Unauthenticated Vulnerability Scans assess systems using network-level probing and enumeration techniques without logging into the target systems. The scan evaluates only what is visible or accessible over the network.

These scans are commonly used to:

  • Identify exposed services and open ports

  • Detect vulnerable service versions through banner analysis

  • Assess internal network exposure from an attacker’s perspective

  • Validate network segmentation and hardening

  • Identify unintended service exposure

Execution Model

Internal Unauthenticated Vulnerability Scans are performed using sensor-based scanning.

  • Execution: User-installed scan agent acting as a sensor

  • Scanning model: One agent scans multiple systems remotely

  • Credential usage: None

Only scan agents installed on Windows host machines are supported for Internal Unauthenticated Vulnerability Scans at this time. Scan agents running on Linux or macOS host machines cannot perform unauthenticated vulnerability scans.

Because these scans do not authenticate, they rely entirely on network reachability and visibility.

Prerequisites

To run Internal Unauthenticated Vulnerability Scans successfully:

  • At least one supported scan agent must be deployed

  • The scan agent must be installed on a Windows host machine

  • The agent must have network access to the target systems

  • Firewalls, IDS/IPS, or network controls must not block scan traffic

No credentials are required.

Data Collected

Unauthenticated scans collect network-visible information only, including:

  • Open TCP and UDP ports

  • Detected services and protocol versions

  • Service banners and fingerprints

  • Operating system guesses based on network fingerprinting

  • Publicly exposed web services or network shares

  • SSL/TLS configuration and certificate details

  • Detection of default credentials or banner-identified CVEs where applicable

The scan does not access internal system configuration or file systems.

Accuracy Considerations

Unauthenticated scans provide limited visibility compared to authenticated scans:

  • Results are based on inference, not system inspection

  • False positives may occur due to banner analysis

  • Vulnerabilities that require authentication cannot be detected

These scans should not be used as a replacement for authenticated scans.
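The inference problem described in this section, shown as an added example that is not code from the original article or from its scan agent: a small Python banner-analysis routine run over constructed banners and a hypothetical advisory table, which records every version-based hit as "inferred" rather than confirmed, and handles banners that withhold the version or are unrecognised.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample banners, as an unauthenticated sensor would record them
# (hosts, ports and strings are illustrative, not from any real scan).
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.0.8", 80): "Server: Apache/2.4.41 (Ubuntu)",
    ("10.0.0.9", 80): "Server: Apache",                  # version withheld
    ("10.0.0.12", 21): "220 ProFTPD 1.3.6 Server ready",
    ("10.0.0.20", 25): "220 mail.internal ESMTP ready",  # unrecognised
}

# Constructed advisory table: product -> (first fixed version, placeholder id).
# A real scanner ships a vulnerability feed; these entries are hypothetical.
FIXED_IN = {
    "openssh": ("7.9", "EXAMPLE-ADVISORY-1"),
    "apache": ("2.4.50", "EXAMPLE-ADVISORY-2"),
    "proftpd": ("1.3.6", "EXAMPLE-ADVISORY-3"),
}
BANNER_RE = re.compile(r"(OpenSSH|Apache|ProFTPD)[_/ ]?(\d+(?:\.\d+)*)?", re.I)

@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: Optional[str]
    advisory: Optional[str]
    confidence: str  # none | unverified | inferred | not-affected

def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))
def assess_banner(host: str, port: int, banner: str) -> Finding:
    match = BANNER_RE.search(banner)
    if not match:
        return Finding(host, port, "unknown", None, None, "none")
    product, version = match.group(1).lower(), match.group(2)
    fixed, advisory = FIXED_IN[product]
    if version is None:
        # Product identified but version withheld: exposure cannot be judged.
        return Finding(host, port, product, None, None, "unverified")
    if parse_version(version) < parse_version(fixed):
        # Flagged only from the version string; distributions often backport
        # fixes without changing the banner, so an authenticated scan must confirm.
        return Finding(host, port, product, version, advisory, "inferred")
    return Finding(host, port, product, version, None, "not-affected")

def assess_all(banners=SAMPLE_BANNERS) -> list:
    return [assess_banner(h, p, b) for (h, p), b in banners.items()]
```

Findings marked "inferred" are exactly the ones an authenticated follow-up scan should verify before remediation planning.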

Performance Considerations

Scan duration and completeness depend on:

  • Number of systems in scope

  • Network latency and segmentation

  • Firewalls or security controls affecting probe traffic

Unauthenticated scans are typically faster than authenticated scans but provide less depth.

Common Limitations

  • Cannot detect vulnerabilities that require authenticated access

  • Accuracy depends on exposed services and banners

  • Blocked or filtered ports reduce visibility

  • Results may include inferred or best-guess OS identification

  • Only scan agents on Windows host machines are supported for unauthenticated scanning

  • Linux and macOS scan agents are not supported for unauthenticated vulnerability scans at this time

Best Practices

  • Use unauthenticated scans to validate internal exposure and segmentation

  • Do not rely on unauthenticated scans alone for vulnerability management

  • Follow up with authenticated scans for remediation planning

  • Review exposed services and close unnecessary ports

  • Re-run scans after network changes