Looking at options for vulnerability scanners — which ones would be a good fit for a midsize software startup?

2k views24 Comments

IT Strategist in Government, 1,001 - 5,000 employees
We use Nessus, but we are a large organization. For a smaller organization on a limited budget, I would recommend to use an online scanner tool like Intruder.io or likes. Once you have you product developed/matured, you can invest in a better tool, which will be more suited for your target industry.   
Chief Technology Officer in Software, 51 - 200 employees
We use Nuclie as its open source. https://nuclei.projectdiscovery.io/
Still in Nascent stages, but so far good for our use cases

CIO in Services (non-Government), 1,001 - 5,000 employees
We use Tenable asit is number 1 in a lot of categories.
Director of Tech and Cyber Strategy in Finance (non-banking), 1,001 - 5,000 employees
We looked at Nessus but when with Qualys (our parent allowed us favorable commercial terms).

OWASP has a number of open source tools. My advice is to look at a tool that not only provides the scanner but to also look at integration costs (particularly if you use a CMDB) and determine where the best marginal dollar spent is. In many cases the easy of operationalizing the tool can be more important than the tool. Ultimately cyber security is about redundancy and layering and IMO what best supports that strategy is more important than how well one tool might perform on its own,

Vice President & Chief Information Security Officer (CISO) in Software, 10,001+ employees
Nessus, Qualys, wazuh, OpenVAS are good options 
VP of IT in Retail, 10,001+ employees
I would recommend using Nessus as it’s one of the best product out there. It’s an ideal solution from product and price perspective for a mid-size startup.
Founder & CISO in Education, 11 - 50 employees
Our experience has been good with the following tools.

For network - Nessus
For SAST - SonarQube or Verracode
For OSS - Dependecy Track or Snyk
For DAST - Acunetix or Burpsuite.
Director of Information Security Operations in Consumer Goods, 1,001 - 5,000 employees
Nmap, nesus, qualys
CISO in Software, 10,001+ employees
Both Qualys and Tenable are standard choices for many businesses, but the most commonly used in startups is Burp.
CISO in Finance (non-banking), 10,001+ employees
For Mid Size organization's Nessus professional not nessus security center is good for OS scanning and Configuration Audit. Burp suite even licensed version of it is good option for web scanning. Burp suite freeware is there but has lot of limitations. NMAP is also good option for network scanning. Organization can also reply on open source vapt tools for scanning and manual security testing of apps. Microsoft baseline security analyzer which is free can also be used for windows OS scan.

Content you might like


Yes, but not enough, we want/need to ramp up38%


No, but I expect this will change soon6%


1.6k views1 Upvote1 Comment

We provide company-wide training56%

We only train certain departments/roles32%

We have a targeted individual training approach.9%

I am unsure how we handle security training.3%