When scaling an External Attack Surface Management (EASM) strategy, visibility is only half the battle; the other half is context. Identifying open ports on a target is foundational, but understanding the specific Common Vulnerabilities and Exposures (CVEs) tied to the services running on those ports is what transforms raw data into actionable intelligence.
At Securelic, we orchestrate an array of open source security tools to build a comprehensive view of cloud and API vulnerabilities. Today, we are pulling back the curtain on how we execute Vulnerability Scanning with Nmap within our backend architecture, specifically focusing on the powerful vulners NSE script.
The Evolution of the Port Scan
For decades, security professionals have relied on Nmap: Network Scanning & Security Auditing Tool as the undisputed gold standard for network reconnaissance. While many users interact with Nmap through the terminal or a basic nmap online port scan interface, its true power lies in automation and scripting.
The introduction of the Nmap Scripting Engine (NSE) fundamentally changed the landscape. Instead of merely identifying that port 443 is open, Nmap NSE Scripts for Vulnerability Scanning allow the engine to query databases, bypass firewalls, and detect specific misconfigurations. Among these scripts, vulners stands out as a critical component for automated security pipelines.
The vulners script dynamically correlates the software version information gathered by Nmap (using the -sV flag) against the massive Vulners vulnerability database, instantly returning known CVEs associated with the target's running services.
How Securelic Implements the Vulners NSE Script
Building an Online Port Scanner Powered by Nmap that scales across thousands of assets requires a balance of stealth, speed, and accuracy. Running an exhaustive scan on all 65,535 ports with deep vulnerability checks can take hours, a luxury we do not have in continuous EASM environments.
Here is the exact Python logic we utilize within Securelic's orchestration engine to trigger our targeted Vulners scans:
# Securelic Scan Orchestration Engine - Vulners Module
import os

if scan_type == 7:
    # 7 indicates our targeted Vulners NSE scan
    nmap_command_list = [
        nmap_path,
        "--top-ports", "100",
        "-sS",
        "-sV",
        "-Pn",
        "--script", "vulners",
        "-oX", output_file,
        target_address,
    ]
    # Increase timeout for Vulners scans to accommodate database queries (default 10 minutes).
    # Environment variables are strings, so cast to int before passing the value to the process runner.
    scan_timeout = int(os.environ.get("NMAP_VULNERS_TIMEOUT", "600"))
Deconstructing the Command for SaaS Environments
Every flag in this command list is intentionally selected to optimize for automated, cloud-based reconnaissance:
--top-ports 100: Instead of scanning default ports or the entire spectrum, we target the 100 most statistically common ports. This drastically reduces scan time while maintaining a high probability of discovering exposed critical services (e.g., HTTP/S, SSH, FTP, databases).

-sS (TCP SYN Scan): The default stealth scan. It performs a half-open connection, which is faster and less likely to be logged by basic intrusion detection systems than a full TCP connect scan.

-sV (Service Version Detection): This is the mandatory prerequisite for the vulners script. Without knowing the exact version of the service (e.g., Apache 2.4.49), the script cannot query the CVE database.

-Pn (No Ping): In modern cloud infrastructure, ICMP requests are frequently blocked by default firewalls. This flag forces Nmap to assume the host is up, ensuring the scan proceeds even if the target is dropping pings.

--script vulners: Instructs the NSE engine to take the version data gathered by -sV and pull relevant CVEs from the Vulners API.

-oX output_file: Outputting the results in XML format is critical for an automated backend. This allows Securelic to parse the complex Nmap output programmatically, map the CVEs to our internal database, and generate clean, actionable reports for the end user.

scan_timeout = 600: Querying external vulnerability databases adds overhead. We explicitly define a 10-minute timeout limit to ensure our worker queues don't hang indefinitely on unresponsive targets.
Beyond the "Free Online Port Scanner"
If you search for a Free Online Port Scanner, you will find hundreds of websites offering basic TCP handshake checks. However, a modern security posture requires more than just knowing if port 80 is open. It requires continuous, agent-less monitoring that understands the context of the services running.
By utilizing clean code practices to orchestrate these highly specific Nmap commands, Securelic transforms raw command-line output into a unified, API-driven threat dashboard. We don't just tell you a port is open; we tell you exactly which CVE is threatening your infrastructure and how to patch it before an attacker exploits it.
Understanding the mechanics of tools like Nmap and integrating them into functional, automated pipelines is what separates basic reconnaissance from enterprise-grade attack surface management.
