// taxonomy
Types of vulnerability scanners: DAST, SAST, SCA, CSPM, VM, CTEM
One-line definitions of every scanner type, colored by where it runs in the software lifecycle. Plus where each commonly overlaps and the genuine gaps.
author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer
What are the main types of vulnerability scanners?
Network VM (Nessus, Qualys, InsightVM), DAST (Invicti, Burp), SAST (Snyk Code, Checkmarx), SCA (Snyk Open Source, Mend), Container (Trivy, Snyk Container, Wiz), IaC (Trivy, Snyk IaC, Checkov), CSPM (Wiz, Orca, Tenable Cloud Security), EASM, CTEM. Each scans a different lifecycle stage.
Scanner taxonomy
One line per scanner type, coloured by where it runs in the software lifecycle.
- SASTStatic Application Security TestingSource code; pre-compile.build
- SCASoftware Composition AnalysisOpen-source dependencies and licences.build
- IaCInfrastructure-as-Code scanningTerraform / CloudFormation misconfigs.build
- CONTContainer image scanningImage layers, base OS CVEs, secrets.deploy
- DASTDynamic Application Security TestingRunning web app; black-box.runtime
- VMNetwork Vulnerability ManagementUnauth and authenticated network scans.runtime
- CSPMCloud Security Posture ManagementCloud config drift and posture.runtime
- EASMExternal Attack Surface ManagementUnknown internet-facing assets.exposure
- CTEMContinuous Threat Exposure ManagementValidation against attacker pathways.exposure
Typical mid-market stack
For a 200-engineer cloud-first shop: Snyk (SCA + Code + Container + IaC), Wiz or Orca (CSPM + cloud VM), Burp Suite Enterprise (DAST), Tenable.io for any remaining on-prem network. Four tools, not eight. Anything more is usually empire-building.
// faq
FAQ
- Do I need all categories?No. A 200-engineer cloud-first shop typically runs four: Snyk + Wiz/Orca + Burp + Tenable.io for residual on-prem. Eight-tool stacks usually indicate empire-building.
- Is CTEM a real product category or a Gartner buzzword?Both. Gartner coined it; vendors have built genuine continuous-validation platforms (Tenable One, Wiz Defend). The category is real but heavily marketed.
- What is the difference between SCA and a container scanner?SCA scans declared application dependencies (package.json, pom.xml). Container scanners scan the image layers including OS packages and any binaries pulled in at build time. Overlap on language packages.
- Which category did Snyk start in?SCA (Open Source). Snyk expanded into Code (SAST), Container, IaC, and AppRisk over time. Per-developer pricing model preserves across all of them.
- Where does EASM fit?External Attack Surface Management discovers internet-facing assets you did not know you had. Sits ahead of the VM scanner queue.