// facet: agentless
Agentless vulnerability scanners: directory + coverage limits
Fully agentless cloud scanners. Snapshot-based data collection. Coverage gaps versus runtime agents documented per row.
author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer
What is an agentless vulnerability scanner?
An agentless vulnerability scanner collects data from cloud APIs and out-of-band block-storage snapshots, without installing software on each workload. Wiz, Orca, and Tenable Cloud Security lead. The trade-off: zero footprint, but slower to detect runtime drift than a persistent agent.
// filter ::
asset
deployment
scan-type
compliance
price-band
license
scanner
asset
deploy
price-band
compliance / free
open
Tenable Vulnerability Management (Tenable.io)
Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.
verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentlesshybrid
AMBER
$3,500 / year for 100 assets (~$35/asset/yr)
pci-asvfedrampsoc2hipaaiso27001free tier
Qualys VMDR
Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.
verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentless
QUOTE
Quote only; partner-reported ~$199 per asset per year
pci-asvfedrampsoc2hipaaiso27001free tier
Wiz
Agentless CNAPP. Graph-based risk, big in cloud-native shops. Anchors on workloads not assets.
verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $70k-$120k for ~500-workload mid-market estate
soc2fedramphipaaiso27001free tier
Orca Security
SideScanning agentless CNAPP. Often discounted aggressively against Wiz in head-to-heads.
verified 2026-06-25 · vendor page
cloudcontainercode
saasagentless
QUOTE
Quote only; partner-reported $50k-$100k for ~500-workload estate
soc2fedramphipaaiso27001free tier
[ 4 of 15 scanners shown ] · row prices verified against vendor pages on the date stamped above.
Where agentless hits its ceiling
Agentless snapshot scanning detects what the disk shows at scan time. It misses ephemeral in-memory state, process trees of short-lived containers, and runtime behaviours. Hybrid (agentless baseline + agent for runtime-critical workloads) is the defensible architecture above ~1,000 workloads.
// faq
FAQ
- How often do agentless scanners pull data?Wiz and Orca typically refresh cloud configuration data every 15-60 minutes; deep image scans run on a 24-hour cadence by default.
- Do agentless scanners cover on-prem?Tenable Cloud Security has some hybrid coverage; Wiz and Orca are cloud-only. For on-prem, use Tenable / Qualys / Rapid7 agents.
- Are agentless scans cheaper?Not necessarily. The pricing anchor is cloud workload, not deployment model. Wiz at 500 workloads runs $50k-$120k partner-reported regardless of deployment topology.
- What does agentless miss?In-memory exploits, ephemeral container process trees, runtime exfiltration patterns. All require runtime sensors or agents.
- When is hybrid the right call?When you have ~1,000+ workloads, regulated runtime detection requirements, or zero-tolerance for the agentless scan-time gap.