Vulnerability scanner directory.
Filter by asset, deploy, price-band.
Live filterable scanner table. Per-asset list prices verified against vendor pages on the date stamped per row. Quote-only vendors carry partner-reported ranges, not inferred rates. No demo wall.
What is a vulnerability scanner, in one paragraph?
Single-scanner on-prem workhorse. Per-scanner not per-asset.
Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.
Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.
Insight Agent + Live Dashboards + Remediation Projects; per-asset list tiers.
Agentless CNAPP. Graph-based risk, big in cloud-native shops. Anchors on workloads not assets.
SideScanning agentless CNAPP. Often discounted aggressively against Wiz in head-to-heads.
Per-developer SCA + SAST + Container + IaC. Free tier is genuinely usable.
Enterprise DAST with Proof-Based Scanning to cut triage. Sibling brand to Acunetix.
Mid-market DAST sibling to Invicti. Per-target pricing, AcuSensor IAST optional.
PortSwigger's enterprise DAST. Out-of-band Collaborator detection. Published list pricing.
Mid-market scanner + patch in one. Cheapest list pricing on the directory.
Managed wrapper around OpenVAS / ZAP / Nuclei. Cheap entry point for solo founders.
Pen-tester-flavoured scanner platform with report generator. Per-target monthly.
Self-hosted GPL scanner. Real cost is admin hours and feed lag versus Nessus.
De-facto open-source container / IaC / SBOM scanner. CI/CD minutes are the real cost.
Per-asset TCO ceiling
Anchored to published vendor list rates plus a 20 to 35 percent RFP discount window. Quote-only vendors carry the partner-reported midpoint and a wider band.
| vendor | low | mid | high | basis |
|---|---|---|---|---|
| Tenable.io | $12.2k | $18.8k | $18.8k | 100-asset list anchor $35/asset/yr, 20-35% RFP discount window, plus WAS/EASM/CTEM module uplift if toggled. |
| Qualys VMDR | $64.1k | $106.8k | $117.5k | Quote only. Partner-reported ~$199/asset/yr midpoint, 40% RFP discount floor. |
| Rapid7 InsightVM | $7.9k | $11.3k | $12.9k | Per-asset list ~$1.75/asset/month at scale tier; 30% RFP discount floor. |
| Wiz | $61.6k | $79.2k | $120.0k | Quote only. Per-workload anchor (~$140-$240/workload/yr partner-reported), with $50-$120k mid-market floor. |
| Snyk (Team) | $3.5k | $3.9k | $4.5k | $25/dev/month published Team tier. Dev count proxied as max(5, webApps + 5). |
| Open-source baseline (OpenVAS + Trivy + ZAP) | $15.6k | $22.2k | $31.1k | Admin hours/month scaled with asset count, loaded hourly rate, plus ~$2,400/yr infra estimate. |
Shortlist wizard
Four questions to a three-tool shortlist. No email, no demo.
Free-tier matrix
What you can actually do in each free tier. Real caps, not marketing.
CVE / KEV context
Counters and the week's KEV additions. Backed by CISA + NVD + EPSS.
FAQ
- What is a vulnerability scanner?A vulnerability scanner is software that probes networks, hosts, web applications, cloud configurations, container images, or source code for known security weaknesses (CVEs) and configuration drift, then ranks the findings by severity for remediation.
- Which vulnerability scanner is best in 2026?There is no single best scanner. For network VM, Tenable.io, Qualys VMDR, and Rapid7 InsightVM lead. For cloud-native, Wiz and Orca dominate. For web apps, Invicti, Acunetix, and Burp Suite Enterprise. For code and containers, Snyk and Trivy.
- Is there a free vulnerability scanner?Yes. Nessus Essentials is free up to 16 IPs. OpenVAS / Greenbone Community Edition is fully free self-hosted. Trivy is Apache 2.0 for containers, IaC, and SBOMs. Snyk has a free tier with usable monthly caps.
- What does a vulnerability scanner cost?Network VM list prices land between $21 and $199 per asset per year depending on vendor. Cloud-native scanners like Wiz and Orca are quote-only, typically $50k to $120k per year at mid-market scale. Snyk anchors at $25 per developer per month.
- How often should I run vulnerability scans?PCI DSS requires quarterly external ASV scans plus internal scans after significant change. SOC 2 expects continuous or at least monthly scanning. HIPAA defers to risk analysis but auditors increasingly expect weekly or continuous coverage.