Guide

How to run a network vulnerability scan

A step-by-step penetration testing walkthrough · 2026

A network vulnerability scan identifies the services, software versions and misconfigurations on your hosts that attackers could exploit. This guide walks through running an authorized scan end to end, using ShadowSecurityScanner as the example tool — though the workflow applies to any scanner.

⚠️ Authorization first. Only scan systems you own or have explicit, written permission to test. Unauthorized scanning may be illegal. This guide assumes authorized testing.

1. Confirm authorization and define scope

Before any scanning, agree the scope in writing: which IP ranges, hostnames and ports are in bounds, the testing window, and who to contact if something breaks. Clear scope keeps the engagement legal and focused.

2. Install the scanner

Download the single ShadowSecurityScanner binary for Windows, macOS or Linux. There's no installer or server to set up — it runs as a native desktop app and keeps all data on your machine, so nothing leaves your environment.

3. Add your targets

Enter the in-scope IP addresses, CIDR ranges or hostnames. Start narrow — a handful of hosts — to validate the workflow before scanning a whole subnet.

4. Run the scan

Pick a scan profile and start. The scanner performs port scanning, then service and OS fingerprinting across protocols like HTTP, TLS, SSH, SMB, DNS and LDAP, and runs thousands of catalogued network and web-application checks — de-duplicated with soft-404 calibration to limit false positives.

5. Prioritise the findings

A raw CVE list isn't a plan. Sort findings by EPSS (the probability a vulnerability will be exploited in the next 30 days) and by CISA KEV status (vulnerabilities known to be actively exploited). A CVSS 7 that's actively exploited outranks a CVSS 9.8 that nobody uses. Learn how EPSS and KEV work →

6. Report, remediate and re-scan

Export a PDF or HTML report for stakeholders, or SARIF for GitHub code scanning and XML/CSV for your pipeline. After remediation, re-scan and use scan diffing to confirm issues are resolved and to catch regressions where a fixed issue returns.

Run your first scan

ShadowSecurityScanner is free and open-source — download it and start in seconds.

Download ShadowSecurityScanner

Related guides

What are EPSS and CISA KEV? — how to prioritise the findings this scan produces.
Best free open-source penetration testing tools — other tools for the workflow.
ShadowSecurityScanner vs Nessus vs OpenVAS — pick the right scanner.