
Agent vs Agentless Security Scanning

TL;DR:

  • Agent-based scanning relies on software installed on the machine being assessed; it runs in real time on that machine.
  • Agentless scanning assesses the target from outside, most commonly by scanning a snapshot of its disk.

Agent-based Scanning

The agent is software that you install on the system you want to assess. That agent executes on the target system:

  • reading configuration files
  • checking ports and protocols
  • collecting live data for alerts and reports

Pros

  • All information gathered reflects the current state of the actual running system.
  • No remote login is required, which means no new endpoint to expose, no remote connection management, and no lag or connectivity issues.
  • The scanner can access all the necessary system elements with few security limitations.
  • No snapshots are required, which saves time and storage cost.

Cons

  • Customers have to trust the agent and may have limited control over it.
  • The agent takes up CPU, memory, and disk resources on the target.
  • The agent may introduce other issues, such as a memory leak.
  • The agent must be installed on each machine, which takes time to install, maintain, and update.
  • Customers may not be able to install agents on some infrastructure assets, e.g. infrastructure managed by a third party that does not allow agents on its systems.

Agentless Scanning

There are two main options:

  • Remote access, either over SSH or through a cloud shell. The scanner executes outside the target system and collects real-time information by connecting to the scan target.
  • Disk snapshot scanning assesses a copy of the target system's disk rather than the system itself. It never interacts with the scan target.

Disk snapshot scanning is the dominant agentless approach:

  • Low risk: the scan runs against a snapshot of the VM filesystem, not the live VM, so there is minimal chance of disrupting the running VM.
  • Low impact: many customers already create daily VM snapshots for backup purposes, so enabling disk scanning adds little inconvenience.
  • Disk scanners are widely available.
  • Vulnerability databases are widely available.
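The following is an added example, not code from the original page or from any scanning product. It ties together the agent checks listed above (reading configuration files, checking ports) and the disk snapshot approach: the same check functions are pointed at a root directory, which is "/" when running as an agent on the live host and the mount point of a snapshot when running agentlessly. The config check behaves identically in both modes. The listening-port check reads proc/net/tcp, which is runtime state served by the kernel and is not stored on disk, so on a snapshot root it finds nothing; that is the practical difference between "collecting live data" and scanning a copy. The sshd_config and proc/net/tcp contents, the temp-directory roots, and the FORBIDDEN_PORTS policy are all constructed assumptions for the demo.

```python
import os
import tempfile
from dataclasses import dataclass

# Hypothetical policy: ports that must never be listening on a server.
FORBIDDEN_PORTS = {23: "telnet", 2375: "unauthenticated Docker API"}
LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def check_sshd_config(root):
    """Read etc/ssh/sshd_config under `root` and flag weak settings.

    A filesystem check like this works identically on the live root ("/",
    agent mode) and on a mounted disk snapshot (agentless mode)."""
    path = os.path.join(root, "etc/ssh/sshd_config")
    if not os.path.exists(path):
        return [Finding("sshd_config", "file not found: " + path)]
    findings = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
            if not line:
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts[0].lower(), parts[1].strip().lower()
            if key == "permitrootlogin" and value == "yes":
                findings.append(Finding("sshd_config", "PermitRootLogin yes"))
            if key == "passwordauthentication" and value == "yes":
                findings.append(Finding("sshd_config", "PasswordAuthentication yes"))
    return findings


def check_listening_ports(root):
    """Parse proc/net/tcp under `root` and flag forbidden listening ports.

    /proc is a runtime pseudo-filesystem: it exists on a live system but is
    absent from a disk snapshot, so this check only yields data in agent mode."""
    path = os.path.join(root, "proc/net/tcp")
    if not os.path.exists(path):
        return [Finding("listening_ports", "no runtime data: " + path)]
    findings = []
    with open(path) as fh:
        next(fh)  # skip the header line
        for line in fh:
            fields = line.split()
            if len(fields) < 4 or fields[3] != LISTEN:
                continue
            port = int(fields[1].rsplit(":", 1)[1], 16)  # local port is hex
            if port in FORBIDDEN_PORTS:
                findings.append(Finding(
                    "listening_ports",
                    f"{port}/tcp ({FORBIDDEN_PORTS[port]}) is listening"))
    return findings


def scan(root):
    """Run every check against one root and return the combined findings."""
    return check_sshd_config(root) + check_listening_ports(root)


# Constructed sample files (not captured from a real host).
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0 100 0 0 10 0
"""


def build_sample_roots():
    """Create two constructed roots in a temp dir: a 'live' root that has
    proc/net/tcp, and a 'snapshot' root with the same disk contents but no /proc."""
    base = tempfile.mkdtemp(prefix="scan-demo-")
    roots = {}
    for name in ("live", "snapshot"):
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "etc/ssh"))
        with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as fh:
            fh.write(SAMPLE_SSHD_CONFIG)
        roots[name] = root
    os.makedirs(os.path.join(roots["live"], "proc/net"))
    with open(os.path.join(roots["live"], "proc/net/tcp"), "w") as fh:
        fh.write(SAMPLE_PROC_NET_TCP)
    return roots


if __name__ == "__main__":
    for mode, root in build_sample_roots().items():
        print(f"[{mode}]")
        for finding in scan(root):
            print(f"  {finding.check}: {finding.detail}")
```

Running the block prints the same PermitRootLogin finding for both roots, a telnet finding only for the live root, and a "no runtime data" finding for the snapshot root. Port 22 is listening in the sample but is not flagged because it is not in the policy, and the ESTABLISHED entry (state 01) is ignored.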