Understanding Authenticated vs. Unauthenticated Vulnerability Scans in CYRISMA
This article explains the differences between authenticated and unauthenticated scans in the CYRISMA platform, helping partners determine the best approach for assessing internal vs. external risk in their environments.
What Are Authenticated Scans?
Authenticated scans are performed using valid credentials (local, domain, or Entra) that allow deeper access into a system. When configured correctly, these scans return the most accurate, detailed picture of a device's security posture.
Data collected includes:
- Installed software, patch levels, and OS hotfixes
- Running processes and services
- Registry entries, scheduled tasks, and configuration settings
- Local user accounts and group memberships
- Antivirus/firewall/endpoint protection status
- File system data, including sensitive files or misconfigurations
- Accurate CVE and patch-based vulnerability detection
What Are Unauthenticated Scans?
Unauthenticated scans require no credentials and simulate what an external attacker could see. These scans are typically used for perimeter testing or external asset discovery.
Data collected includes:
- Open TCP/UDP ports
- Service banners and protocol versions
- Operating system guesses (based on fingerprinting)
- Publicly exposed web apps or network shares
- SSL/TLS configuration and certificate data
- Detection of default credentials and banner-grabbed CVEs
Data Collection Comparison
| Category | Authenticated Scan | Unauthenticated Scan |
|---|---|---|
| Software & Patch Info | Full detail via registry/package manager | Not collected |
| OS Version & Kernel | Exact build info | Fingerprint-based guess |
| Services & Processes | Full list with context | Not collected |
| Vulnerability Accuracy | Deep config- and patch-level CVEs | Shallow, banner-based detection |
| Risk Visibility | Full internal view | External/partial view |
| False Positives | Fewer | More common |
| Credentials Required | Yes | No |
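To show why the table rates banner-based detection as shallow and more prone to false positives, here is an added Python example (not CYRISMA code; the host names, package names and CVE ids are constructed placeholders). It reconciles unauthenticated banner findings against authenticated package inventory: a vendor backport leaves the banner version unchanged, so only credentialed data can separate a real exposure from a false positive.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BannerFinding:
    """What an unauthenticated scan can infer: a version string read from a banner."""
    host: str
    service: str
    cve: str       # placeholder ids in the sample below, not real CVEs
    fixed_in: str  # upstream version that fixes the CVE

@dataclass(frozen=True)
class InstalledPackage:
    """What an authenticated scan reads from the package manager or registry."""
    host: str
    name: str
    version: str
    backported_fixes: frozenset = field(default_factory=frozenset)  # fixed without a version bump

def version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically, so that 7.10 sorts after 7.9."""
    return tuple(int(p) for p in v.split("."))

def reconcile(findings, packages):
    """Classify each banner-based finding against authenticated package data.

    confirmed      - installed version predates the fix and no vendor backport exists
    false_positive - banner looks old, but the installed package is fixed or backported
    unverified     - no authenticated data for this host/service; the banner is all we have
    """
    inventory = {(p.host, p.name): p for p in packages}
    verdicts = {}
    for f in findings:
        pkg = inventory.get((f.host, f.service))
        if pkg is None:
            verdicts[(f.host, f.cve)] = "unverified"
        elif f.cve in pkg.backported_fixes or version_tuple(pkg.version) >= version_tuple(f.fixed_in):
            verdicts[(f.host, f.cve)] = "false_positive"
        else:
            verdicts[(f.host, f.cve)] = "confirmed"
    return verdicts

# Constructed sample data for three hosts; every host shows the same old banner version.
FINDINGS = [BannerFinding(h, "openssh", "CVE-0000-1001", "7.5") for h in ("web01", "web02", "dmz03")]
PACKAGES = [
    InstalledPackage("web01", "openssh", "7.4", frozenset({"CVE-0000-1001"})),  # vendor backport
    InstalledPackage("web02", "openssh", "7.4"),                                 # genuinely unpatched
    # dmz03 has no credentials configured, so the authenticated scan collected nothing
]
```

Findings left as "unverified" are the ones where only an authenticated scan can settle the question, which is why the recommendation below favours credentialed scans for internal assets.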
Use Case Recommendations
| Use Case | Recommended Scan Type |
|---|---|
| Internal compliance validation | Authenticated Scan |
| Patch audits or missing hotfix discovery | Authenticated Scan |
| Secure baseline/GPO enforcement | Authenticated Scan |
| External attack surface mapping | Unauthenticated Scan |
| Firewall & perimeter testing | Unauthenticated Scan |
| Public service vulnerability checks | Unauthenticated Scan |
Note: For the most accurate risk scoring and to fully leverage CYRISMA's remediation planning tools, we recommend deploying authenticated scans whenever possible, especially for internal infrastructure.