Coverage in This Build

The current scanner core includes:

- 69 native verification modules for web, API, protocol, configuration, authentication, and exposure checks.
- 51 CyStack-maintained high-confidence checks bundled with the product for known exploited products, exposed systems, and critical misconfigurations.
- NVD 2.0 CPE-to-CVE matching using a local index. The number of detectable CVEs follows the local NVD feed snapshot and grows as the feed is updated.
- 196 CWE-to-OWASP Top 10 mappings for conservative classification.
- 70+ OWASP WSTG detector mappings for web security testing references.
- CVSS, EPSS, CISA KEV, and public exploit indicators for prioritization.

| Coverage Type | Count Model |
|---|---|
| Native vulnerability classes | 69 detector modules in the scanner core. |
| Bundled CyStack checks | 51 high-confidence checks in this build. |
| Known CVEs | All CVEs present in the local NVD CPE index that match concrete detected products and versions. |
| OWASP Top 10 | All 10 OWASP Top 10 2021 categories are supported through CWE/source mapping when evidence is available. |
| WSTG | 70+ detector-to-WSTG mappings for web testing guidance. |

High-Impact Vulnerability Classes

VulnScan is designed to cover the vulnerability classes that most often lead to real compromise:

| Category | Examples |
|---|---|
| Injection | SQL injection, NoSQL injection, command injection, code injection, SSTI, CSTI, LDAP/XPath injection, CRLF, email header injection. |
| Cross-site scripting | Reflected XSS, stored XSS, DOM XSS, unsafe client-side sinks. |
| Access control | LFI/RFI, path traversal, open redirect, mass assignment, exposed object references. |
| Authentication | Default credentials, weak password exposure, brute-force risk, session fixation, JWT weaknesses, exposed login/admin panels. |
| SSRF and OAST | SSRF, blind/out-of-band interaction classes, metadata endpoint exposure where safely testable. |
| File and content exposure | Exposed .git, backup files, config files, directory listing, debug endpoints, sensitive well-known paths. |
| API security | GraphQL exposure, OpenAPI/Swagger exposure, API route discovery, unsafe methods, parameter discovery. |
| TLS and crypto | Expired/self-signed certificates, legacy protocols, weak ciphers, SMB signing, SMBv1, weak SSH posture. |
| Network services | Redis/NFS/VNC/X11/RDP exposure, SNMP/SMTP/SMB/SSH/IPMI checks, unauthenticated or unsafe service posture. |
| Cloud and storage | Public cloud storage exposure and misconfiguration signals. |
| Component CVEs | Vulnerable web frameworks, CMS, plugins, themes, servers, middleware, and network services with concrete version evidence. |

OWASP Top 10 2021 Coverage

| OWASP Category | VulnScan Coverage |
|---|---|
| A01 Broken Access Control | Path traversal, LFI/RFI, open redirect, mass assignment, exposed resources, authorization-sensitive findings. |
| A02 Cryptographic Failures | TLS issues, weak ciphers, certificate problems, JWT and cryptographic configuration weaknesses. |
| A03 Injection | SQLi, XSS, command/code injection, NoSQL, LDAP/XPath, SSTI, CSTI, CRLF, format-string style classes. |
| A04 Insecure Design | File upload risk, mass assignment, unsafe business/API patterns, design-sensitive exposure findings. |
| A05 Security Misconfiguration | Headers, CORS/CSP, debug panels, actuator endpoints, exposed APIs, unsafe HTTP methods, cloud storage. |
| A06 Vulnerable and Outdated Components | CPE-to-CVE matching, CMS/framework/plugin detection, known exploited CVEs. |
| A07 Identification and Authentication Failures | Default credentials, weak auth, brute-force indicators, session and password quality checks. |
| A08 Software and Data Integrity Failures | Deserialization, prototype pollution, unsafe dependency/component integrity patterns. |
| A09 Security Logging and Monitoring Failures | CWE-based classification when such findings are detected. |
| A10 SSRF | SSRF and related out-of-band/metadata exposure checks. |

Accuracy and False-Positive Reduction

VulnScan uses several controls to reduce false positives:

- CPE matching requires concrete product and version evidence.
- Wildcard-only CPE matches are suppressed because they are too noisy.
- Version ranges are evaluated against detected versions.
- Findings are deduplicated by vulnerability, host, port, and affected location.
- When duplicate evidence exists, the highest-confidence and verified finding is kept.
- CISA KEV and high EPSS increase priority but do not replace technical evidence.
- Informational metadata is separated from actionable findings.
- Public source names are normalized before display so users see a product-level source label instead of internal engine names.
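
The matching and deduplication controls listed above can be sketched as follows; this is an added example, not VulnScan's own code, and every function name in it is hypothetical. It assumes NVD 2.0 `cpeMatch` field names, dotted numeric versions with no escaped colons in the CPE string, and that "verified" outranks confidence when duplicates are ranked; the CVE ids and index entries are constructed placeholders.

```python
# Added example: constructed data, not real NVD records or VulnScan code.
BOUNDS = {  # NVD 2.0 cpeMatch range fields -> comparison against the detected version
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def vtuple(version):
    """Parse a dotted numeric version such as '2.4.49' into a comparable tuple."""
    return tuple(int(p) for p in version.split("."))

def cpe_matches(match, product, version):
    """True only when concrete version evidence satisfies the CPE match entry."""
    if not version:                          # no version evidence: never report
        return False
    parts = match["criteria"].split(":")     # cpe:2.3:part:vendor:product:version:...
    if parts[4] != product:
        return False
    ranged = [k for k in BOUNDS if match.get(k)]
    if parts[5] in ("*", "-"):
        if not ranged:                       # wildcard-only match: suppressed
            return False
    elif vtuple(parts[5]) != vtuple(version):
        return False
    v = vtuple(version)
    return all(BOUNDS[k](v, vtuple(match[k])) for k in ranged)

def dedupe(findings):
    """One finding per (vuln, host, port, location); verified, then confidence, wins."""
    best = {}
    for f in findings:
        key = (f["vuln"], f["host"], f["port"], f["location"])
        rank = (f["verified"], f["confidence"])
        if key not in best or rank > (best[key]["verified"], best[key]["confidence"]):
            best[key] = f
    return list(best.values())

MATCHES = [  # constructed index entries with placeholder CVE ids
    {"cve": "CVE-0000-0001", "criteria": "cpe:2.3:a:example:exampled:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.50"},
    {"cve": "CVE-0000-0002", "criteria": "cpe:2.3:a:example:exampled:*:*:*:*:*:*:*:*"},
    {"cve": "CVE-0000-0003", "criteria": "cpe:2.3:a:example:exampled:2.4.49:*:*:*:*:*:*:*"},
]

def matched_cves(product, version):
    """CVE ids from MATCHES that apply to a detected product and version."""
    return [m["cve"] for m in MATCHES if cpe_matches(m, product, version)]
```

The second entry never matches because it has neither a concrete version nor a range, which is the wildcard-only case the list describes as too noisy.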

Prioritization Signals

Each finding can include:

- Severity: Critical, High, Medium, Low, Info.
- CVSS v3 score and vector when available.
- EPSS score and percentile.
- CISA KEV status and required action.
- CWE classification.
- OWASP Top 10 and WSTG references.
- Confidence and verified status.
- Public exploit/PoC indicator.
- Risk score from 0 to 100.