How does runZero compare to a vulnerability scanner?

Modified on Wed, Oct 25, 2023 at 12:31 PM

runZero was built specifically to do asset inventory, network discovery and attack surface management by a team with extensive experience in both vulnerability scanner development and security testing. The same level of effort is applied to device fingerprinting and asset tracking as vulnerability scanners apply to vulnerability identification. It is similar work, but the results are very different because everything in runZero is laser-focused on safe, fast detection of all network devices.

The main differentiators:

  • runZero tracks assets as they change IPs better than most authenticated vulnerability scanners, without needing credentials or installed agents. There is a lot of magic involved.
  • runZero is safe to use to scan everything on the network, whether it’s a printer, clinical equipment, or a typical server. runZero is used in hospitals and SCADA environments.
  • In many cases runZero will identify the specific physical hardware of network-connected assets.
  • runZero doesn’t need sensitive credentials. However, if you supply SNMP credentials, it can also identify information such as device serial numbers, support status, and layer-2 network topology. 
  • You can set up a runZero Explorer to perform passive traffic sampling without needing a special network tap. Because runZero samples data on the fly rather than collecting it all, storage requirements are far lower than for a conventional passive scanner.
  • runZero collects all of the data in advance. Analysis is then done by building the right query, rather than having to rescan the network with updated checks. We have helped people locate systems subject to major vulnerabilities such as Orion and Ripple20 without needing new scans.
  • runZero performs cross-host analysis, allowing it to find problems security scanners miss: for example, re-use of SSH host keys on embedded devices and cloned virtual machines.
  • runZero scans network topology including layer 2 port mappings and multi-homed devices. This allows discovery of segmentation problems, assets in the wrong VLAN, hosts evading egress filtering through VPNs, and even support backdoors that dial back to the vendor via secondary tunnel interfaces.
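
The SSH host key re-use check mentioned in the list above, sketched as an added Python example (not runZero's code or query syntax): it fingerprints keys from `ssh-keyscan`-format lines and reports any fingerprint seen on more than one host. The `make_blob` helper, the addresses and the key material are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def make_blob(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 public key blob (not a real key)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    raw = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(raw).decode()


# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
SAMPLE = "\n".join([
    "# constructed inventory, addresses are placeholders",
    f"10.0.0.21 ssh-ed25519 {make_blob(b'camera-firmware-default')}",
    f"10.0.0.22 ssh-ed25519 {make_blob(b'camera-firmware-default')}",
    f"10.0.0.30 ssh-ed25519 {make_blob(b'unique-server')}",
    f"10.0.0.30 ssh-ed25519 {make_blob(b'unique-server')}",  # same host seen twice
    "10.0.0.40 ssh-ed25519 not*base64",  # malformed blob, skipped
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_reused_keys(keyscan_text: str) -> dict[str, list[str]]:
    """Map fingerprint -> sorted hosts, keeping keys seen on 2+ distinct hosts."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue  # blank line, comment, or truncated record
        host, _keytype, blob = parts[:3]
        try:
            hosts_by_fp[fingerprint(blob)].add(host)
        except (binascii.Error, ValueError):
            continue  # blob is not valid base64
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in find_reused_keys(SAMPLE).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

A fingerprint shared by two addresses can also be a single multi-homed device, so a hit needs to be correlated with other asset attributes before it is treated as a cloned image or a firmware default key.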

We encourage people to look at the scan results from runZero and their vulnerability scanning tools side-by-side. runZero provides a unique perspective on the network because it was designed to do inventory.

The search capabilities of runZero make it easy to find just about anything (orphaned devices, systems on the wrong domain, expired TLS certs) in a way that vulnerability scanners can’t do without adding (and then rerunning) each specific check. We help customers create a knowledge base of their network and then leverage it across departments and use cases.
