What is the impact of the scan?

The impact is almost always negligible. We do not run scans that are known to be intrusive unless specifically requested to do so. The only time we have seen a scan impact a system was due to grossly out of date software (WordPress). These same scans are being conducted regularly by researchers and attackers in the wild during all hours of the day. If those scans are not impacting your systems, it’s highly likely ours won’t either.

What does the scan tell me?

The scan takes a black box (zero knowledge) approach. It attempts to fingerprint the system and determine what vulnerabilities exist in the endpoint being scanned. An experienced security professional reviews the results, often augmenting the scan with additional reconnaissance to provide a risk rating, likelihood, and recommendation for remediation.

How often should I run a scan?

Much of this comes down to your network architecture and the information systems you are trying to protect. Many regulations also have requirements for how often and what kind of scans are conducted.

Will this scan help with my PCI (or other regulation) compliance?

Yes. Due to the low cost of our scanning solution, organizations requiring scans for compliance often use our toolset to identify vulnerabilities and assess their remediation efforts. Because most scanning tools charge on a per-address, per-scan model, the costs can add up rather quickly. Once our scanner shows a clean bill of health, an organization can run their final scans with an approved scanner and avoid the repeated costs.

I have an IPS/IDS that will block your scans. How can I make sure those systems are secure?

In this case, we recommend scanning the endpoint with the IPS/IDS enabled. This will provide a glimpse into the effectiveness of your defenses. We then request the scanner’s addresses be whitelisted to get an accurate picture of what vulnerabilities exist.

What addresses should I whitelist?

DNS Name: scanner.isoutsource.com
Ipv6: 2600:3c01::f03c:91ff:febb:8850

Can you scan systems on AWS, Azure, GoDaddy, Bluehost, wpengine, etc.?

Scanning systems other than your own often requires advanced notification and scheduling with the provider. These systems typically host multiple systems in shared environments meaning your scan could impact their other customers.

AWS Permission Request Form: https://aws.amazon.com/security/penetration-testing/