KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// taxonomy

Types of vulnerability scanners: DAST, SAST, SCA, CSPM, VM, CTEM

One-line definitions of every scanner type, colored by where it runs in the software lifecycle. Plus where each commonly overlaps and the genuine gaps.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What are the main types of vulnerability scanners?

Network VM (Nessus, Qualys, InsightVM), DAST (Invicti, Burp), SAST (Snyk Code, Checkmarx), SCA (Snyk Open Source, Mend), Container (Trivy, Snyk Container, Wiz), IaC (Trivy, Snyk IaC, Checkov), CSPM (Wiz, Orca, Tenable Cloud Security), EASM, CTEM. Each scans a different lifecycle stage.

Scanner taxonomy

One line per scanner type, coloured by where it runs in the software lifecycle.

  • SASTStatic Application Security TestingSource code; pre-compile.build
  • SCASoftware Composition AnalysisOpen-source dependencies and licences.build
  • IaCInfrastructure-as-Code scanningTerraform / CloudFormation misconfigs.build
  • CONTContainer image scanningImage layers, base OS CVEs, secrets.deploy
  • DASTDynamic Application Security TestingRunning web app; black-box.runtime
  • VMNetwork Vulnerability ManagementUnauth and authenticated network scans.runtime
  • CSPMCloud Security Posture ManagementCloud config drift and posture.runtime
  • EASMExternal Attack Surface ManagementUnknown internet-facing assets.exposure
  • CTEMContinuous Threat Exposure ManagementValidation against attacker pathways.exposure

Typical mid-market stack

For a 200-engineer cloud-first shop: Snyk (SCA + Code + Container + IaC), Wiz or Orca (CSPM + cloud VM), Burp Suite Enterprise (DAST), Tenable.io for any remaining on-prem network. Four tools, not eight. Anything more is usually empire-building.

// faq

FAQ

  • Do I need all categories?
    No. A 200-engineer cloud-first shop typically runs four: Snyk + Wiz/Orca + Burp + Tenable.io for residual on-prem. Eight-tool stacks usually indicate empire-building.
  • Is CTEM a real product category or a Gartner buzzword?
    Both. Gartner coined it; vendors have built genuine continuous-validation platforms (Tenable One, Wiz Defend). The category is real but heavily marketed.
  • What is the difference between SCA and a container scanner?
    SCA scans declared application dependencies (package.json, pom.xml). Container scanners scan the image layers including OS packages and any binaries pulled in at build time. Overlap on language packages.
  • Which category did Snyk start in?
    SCA (Open Source). Snyk expanded into Code (SAST), Container, IaC, and AppRisk over time. Per-developer pricing model preserves across all of them.
  • Where does EASM fit?
    External Attack Surface Management discovers internet-facing assets you did not know you had. Sits ahead of the VM scanner queue.
Related: DAST vs SAST SCA vs container scanner VM vs CSPM vs CTEM