Openvas

Overview

Openvas is a penetration testing tool that appears across penetration testing workflows in this knowledge base. It is referenced as part of higher-level security analysis, investigation, monitoring, or validation activity rather than as an end in itself.

What It Is

Openvas is best understood as a penetration-testing tool in this knowledge base. Its role is conceptual and system-facing rather than procedural: it gives analysts or defenders a structured way to examine evidence, model system behavior, or reason about security state.

How It Works

Openvas works by turning technical inputs into more interpretable outputs at the system level. Across the source skills, it appears as part of larger analysis, investigation, monitoring, or validation loops rather than as a standalone end state.

Core Concepts

• soc
• vulnerability scanning
• nessus
• qualys
• openvas
• cvss
• remediation
• patch management
• soc operations
• gvm
• authenticated scan
• greenbone

Typical Workflow

• Nessus Scan Configuration (API):
• nessus_url = "https://nessus.company.com:8834"
• Scan type selection: Choose "Advanced Scan" for full control over plugin families, or "Credentialed Patch Audit" for patch compliance. Avoid "Basic Network Scan" for penetration tests as it uses a limited plugin set.
• Discovery settings: Configure port scanning to scan all 65,535 TCP ports and top 1,000 UDP ports. Set host discovery to use ARP (local), TCP SYN, and ICMP for maximum coverage.
• Authentication: Add Windows credentials (domain account with local admin), SSH credentials (key-based preferred over password), SNMP credentials (v3 with authPriv preferred), and database credentials for database-specific checks.
• Plugin configuration: Enable all plugin families relevant to the target environment. For penetration testing, ensure "Denial of Service" plugins are disabled unless explicitly authorized. Enable CGI scanning for web servers.
• Performance settings: Set maximum concurrent hosts per scanner (default 30, reduce for sensitive networks), maximum concurrent checks per host (4-5 for production, higher for test environments), and network timeout values appropriate for the target network.
• Start the scan during the authorized testing window
• Monitor scan progress through the Nessus web interface, checking for hosts timing out, authentication failures, or plugins causing errors
• Watch for credential failures indicated by "Authentication Failure" results; these mean the authenticated scan fell back to unauthenticated mode, producing incomplete results

Use Cases

• SOC teams need to establish or improve recurring vulnerability scanning programs
• Scan results require prioritization beyond raw CVSS scores using asset context and threat intelligence
• Vulnerability data must be integrated into SIEM for correlation with exploitation attempts
• Remediation tracking needs formalization with SLA-based dashboards and reporting
• Zero-Day Response: New CVE published — run targeted scan for affected software, cross-reference with KEV and exploit databases
• Compliance Audit Prep: Generate PCI DSS or HIPAA vulnerability report showing scan coverage and remediation status
• Post-Patch Verification: Rescan patched systems to confirm vulnerability closure and update tracking dashboard
• Network Expansion: New subnet added to infrastructure — onboard to scan scope with appropriate policy
• Third-Party Risk: Scan externally-facing assets to validate vendor patch compliance before integration
• When conducting security assessments that involve performing authenticated scan with openvas

Limitations

• Output still depends on context, data quality, and surrounding analysis.
• The tool should be interpreted as part of a broader workflow, not as a complete answer by itself.
• Capabilities and visibility vary depending on environment, integrations, and available inputs.

Related Tools

• Tenable.io, And Cloud Infrastructure Assessment, And Compliance Checks, And Patching Integration, And Prioritization, CISA KEV Catalog, IaC Scanning, Misconfigurations

Sources

• building-vulnerability-scanning-workflow
• performing-authenticated-scan-with-openvas
• performing-vulnerability-scanning-with-nessus