Passive vs. Active Scans: What Every MSP Needs to Know

Passive vs. Active Scans: What Every MSP Needs to Know

MSPs always ask us what they can do to improve their client’s security posture. Security is a process and requires a layered approach, but there is one thing that can make a big difference and increase your monthly current revenue.

MSPs are always looking to provide value for their clients, but it’s overwhelming to try to add a bunch of new services at once. That said, active vulnerability scanning is an emerging resource that goes a long way in mitigating security risks; under 5% of MSPs currently offer this as part of their risk assessments and monthly MSP services, and they’re missing out on a huge opportunity to protect clients and add to their monthly recurring revenue.

Passive Scans

Currently, most MSPs use passive scans like Rapidfire Tools. Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. These tools are good for identifying asset inventory, active directory configurations, and retrieving basic server and workstation information about a network; it emphasizes network monitoring activity.

In its reports, passive scans can’t prioritize exactly what issues need to be addressed and how to resolve them. In today’s changing world, you need to add an active scanner in addition to a passive scanner to understand your client’s true risk.

Active Scans

As the Internet of Things (IoT) grows and more IP devices are plugged into networks–including wireless and wired devices–clients are more vulnerable than ever. Generally, these devices are an on-ramp for hackers; if they can get into the network from something innocuous like a copier, they can get access to computers and other devices with sensitive information.

Active scans are much more comprehensive than passive scans because they look at internal and external networks in the same way a hacker sees the network. In that regard, active scans simulate an attack so you can see real-time vulnerabilities threatening their network. They understand the weaknesses of an entire IP network, not just servers, workstations, and firewalls.

Scanner Reporting Functions

Once the scan is complete and the risks are exposed, the active scanner report will prioritize the steps to remediation to reduce risk. It is very comprehensive and easy to use, with links and other information you need to quickly remediate the issues. Over time, you can even build comparison reports to show how your client’s security posture has improved and provide proof of compliance. This solution is all about quick risk discovery, saving time and maximizing efficiency, and knowing what fixes to prioritize.


On the other hand, passive scans list results in a way that feels like drinking from a firehose, with information being “sprayed” everywhere. In that regard, it is difficult to determine which solutions to prioritize. But as we mentioned, active scanners take the guesswork out of next steps, laying out an exact plan for remediation; it is continuous vigilance and security.

Monthly Recurring Revenue

Offering continuous active scanning is a lucrative model for monthly recurring revenue; by contrast, it’s difficult to build recurring revenue with passive scanners.

Consider this: once risks are identified, MSPs can build projects around remediating them. The active scanner reporting function also clearly shows clients why they have to put in different defenses to keep their networks safe through visible charts and graphs. This allows MSPs to show their clients their value, even over time, by improving their security posturing.

Final Thoughts

No one scanner can do everything; as a result, you need a multi-layer approach to security, which includes both passive and active scanners. The benefits of this combined approach include:

  1. IP based tools that can scan everything on a network and not miss anything.
  2. A simulation of an attack by viewing the network in real-time, the same way hackers would see it, to show gaps.
  3. A multi-tenant dashboard to quickly scan and identify specific new vulnerabilities across all of your clients’ IP addresses.

In this regard, active scanners allow MSPs and their clients to be more secure, create more projects, and provide continuous vigilance. By contrast, passive scanners are only able to look at risks within servers, workstations, and firewalls.

As we continue to move to the cloud and a convergence of IPs is growing in our client’s networks, active scans are going to become more and more important since passive scans are limited in scope and can only discover and scan a subset of the network. In order to protect your client’s entire network, including the emerging IoT, you need to be able to discover and actively scan all IP devices; if a single IP address is missed, it could be the catalyst to infect the entire network.

In terms of frequency, once the initial discovery and baseline vulnerability assessment is performed, active scans can be automatically scheduled by the client on a continuous or quarterly basis for maximum security since risks are constantly changing. Notably, this kind of proactive protection is exactly what security and compliance auditors are looking for; clients should always be audit ready.

For more information on how you could benefit from adding an active scanner to your security suite, contact us today.