FAQ: vulnerability scanner pricing, free tiers, and shortlists
Direct answers to the questions buyers actually ask before shortlisting a vulnerability scanner.
What are the most common questions about vulnerability scanners in 2026?
Which vulnerability scanner is best for a small team?
Nessus Essentials free up to 16 IPs, Snyk Free for code and containers, Trivy Apache 2.0 for any container work. Total cost: $0 for the first ~16 IPs and a handful of repos.
Is there a free vulnerability scanner that's genuinely production-grade?
Yes. OpenVAS / Greenbone Community Edition, Trivy, OWASP ZAP, and Nuclei are all production-grade within their domains. Loaded cost is admin hours.
How often should scans run for SOC 2?
Continuous or at least monthly. Quarterly stretches credibility of CC7.1 controls for SOC 2 Type II.
How often for PCI?
Quarterly external ASV scans (mandatory) plus internal scans after significant change.
How often for HIPAA?
The 2025 Security Rule NPRM proposes annual scans plus continuous monitoring. Continuous is the de facto direction.
Do I need both DAST and SAST?
Eventually yes. SAST in CI is the cheap-to-add starting point. DAST adds the runtime-observable bugs SAST misses.
What is the RFP discount window in 2026?
20-35% off list for committed multi-year contracts at 1,000+ assets. Floor drops further above 10,000 assets.
Per-asset vs per-developer: which is cheaper?
Per-developer wins when developer count is materially lower than asset count. Per-asset wins at scale.
Which scanners are FedRAMP Authorized?
Tenable.sc, Tenable.io (Moderate), Qualys VMDR (Moderate and High), Rapid7 InsightVM (Moderate), Wiz (Moderate).
How fast do commercial scanners cover KEV additions?
Same-day to next-day plugin / signature coverage for Tenable, Qualys, Rapid7, Wiz, Orca. OpenVAS lags by hours to a few days.
When is agentless enough?
Below ~1,000 cloud workloads with no regulated runtime detection requirements. Above that, hybrid (agentless baseline plus agents for runtime-critical workloads) is the defensible architecture.
When does open-source win on TCO?
Below ~$10k/yr loaded admin cost (4-12 hr/month at $95/hr) OSS beats commercial. Above that, commercial wins.
FAQ
- Which vulnerability scanner is best for a small team?Nessus Essentials (free 16 IPs), Snyk Free (code, container), Trivy. Total cost: $0 for the first 16 IPs and a handful of repos.
- Is there a genuinely free production-grade scanner?Yes: OpenVAS / Greenbone Community, Trivy, OWASP ZAP, Nuclei.
- How often should scans run for SOC 2?Continuous or monthly minimum. Quarterly stretches CC7.1 credibility.
- Do I need DAST and SAST?Eventually yes. Start with SAST in CI; add DAST when the app surface justifies it.
- What is the typical RFP discount?20-35% off list at 1,000+ assets on multi-year commitments.