Usually, our scans take anything from 15 minutes to a few hours to complete. However, this can be influenced hugely by a number of different factors, and there are many reasons why scans may take much longer than that to complete. Here are the most common:

Large number of targets
The biggest factor in any scan is simply how many targets you've added. If one target can take up to a few hours, then hundreds of targets could potentially take hundreds of hours. It's not normally that bad, as we can run many checks in parallel, but as a general rule, the more targets, the longer it takes.

High total number of ports & services
For each discovered service, a number of checks need to be carried out by our scanners. So if you've entered targets with a total of hundreds or thousands of open ports running services exposed to the internet, then our scans will take longer to do all the checks they need to do.

Intrusion prevention systems
In some rare cases, intrusion prevention systems can aim to confuse scanners by making ports which are closed appear to be open, which for the same reason above can cause extended scan times. Some firewalls and modern edge routers even have IDS technology built-in, so it may be worth double-checking if your scan is taking a long time. We recommend whitelisting our scanners through any intrusion prevention systems, as these could hamper our efforts to detect open ports and services and slow down our overall scans.

Very large websites
Our web-application checks are some of the most time-consuming elements of our scans. As such, websites with a very large number of webpages that are linked to from the home page may cause scans to run for longer.

Unusual configurations
Some customers have unusual networking or server configurations that can lead to long-running scans. For example, in one case a reverse proxy was set up to serve a single website from a large number of non-standard ports. This caused our scanner to scan the same website thousands of times. If this is happening on your targets, we'll do our best to let you know about it!

If you ever need to stop a scan, you can cancel scans on the scans page.

Penetration tests have long been an essential part of many organisation’s strategy to protect themselves from cyber attack. But the use of penetration testing alone can often leave such organisations defenceless for long periods of time.

Performing annual penetration tests as a primary defence against attackers gained popularity in years gone by, for good reasons, and is still common in the cyber security industry today. And while this strategy is certainly better than doing nothing, it does have a fairly critical drawback — what happens between tests?

We think this is why most vulnerability scanners go out of their way to tell you there's something wrong, or at least flood you with information about things they've noticed about your infrastructure, such as the fact there's a web server running, or what type of encryption it offers. This might look impressive, to begin with, but it doesn't help later on when you're flooded with information, and you're missing genuine security issues because there's too much noise.

At XcellHost, we like to be a little different. If we don't think there's anything wrong with your security, we'll say so. Of course, where we see small opportunities for improvement, we'll mention them - but we don't throw purely "informational" issues at you which don't need any action, we know you're too busy for that.

That doesn't mean you're losing out on anything important though, under the hood we use an enterprise-grade scanning engine, and if you haven't already, check out our article "What's the benefit of perimeter-specific results?" to see how we prioritize issues that most vulnerability scanners call "informational" that do actually matter in the context of your perimeter.

It can be difficult to know if a vulnerability scanner is any good, especially if you're testing it against your own systems, which at this point in time, may not have any security problems!

There is no doubt that manual penetration tests are an essential part of a robust security solution and an excellent first port of call. Performing annual or, in some cases even quarterly manual penetration tests as a primary defense against attackers is commonplace in the cyber security industry today. Though this strategy does have its merits, it lacks one critical element – continuous coverage.

To answer the question on why continuous vulnerability scanning is essential, it helps to give some examples of situations that could occur:

Perhaps a critical new vulnerability is discovered in software your business is using, during that long year between annual pen tests. Or a security misconfiguration gets introduced by a junior developer. What if a network engineer opens up a port on a firewall exposing one of your databases to the internet?

Whose job is it to notice these issues which, if left unchecked, could result in a data breach or compromise?

Without automated monitoring of issues such as these, it's hard to argue that they'd be noticed and fixed before attackers get a chance to take advantage.

Scanning for security issues on a regular basis helps to complement manual testing, as it provides businesses a good level of ongoing security coverage between manual tests, which are often performed only annually or before big releases.

Our view is that automated continuous monitoring solutions should be the first port of call for companies starting out on their journey towards a robust security solution.

If you're worried about our scanning bringing a system offline, or causing heavy traffic to a production system, rest assured that XcellHost's scanning engine is configured to be safe to use, even when scanning production systems.

XcellHost's scanning engines are designed to be safe. This means that our checks confirm vulnerabilities in ways that cause no downtime, and do not cause unintentional damage.

Some web vulnerabilities do require a thorough set of tests to confirm, and so you may see high traffic on websites you're scanning. However, modern and well-resourced web servers shouldn't have any trouble dealing with this volume. However, if you know you have significant resource constraints; or reasons why your system may not respond well to a peak in traffic, you may want to increase server resources or run a scan outside busy times.

Certain types of denial of service (DoS) vulnerabilities, including distributed attacks (DDoS) are not part of XcellHost's vulnerability scanning offering. Checking for denial of service (DoS) vulnerabilities often involves sending overwhelming amounts of traffic to systems, and so XcellHost does not perform these types of checks.