What should not be included in vulnerability scanning?

In vulnerability scanning, the primary goal is to identify potential security weaknesses within a system, network, or application without actively exploiting those weaknesses. When scanning for vulnerabilities, security professionals seek to find and report on issues that could be potential entry points for attacks, allowing organizations to address them proactively. This process typically involves evaluating configurations, examining software for known vulnerabilities, and assessing overall security posture.

Exploitative actions, on the other hand, fall under penetration testing, which goes a step further by attempting to exploit identified vulnerabilities to determine the level of risk they pose in real-world scenarios. Introducing exploitation into vulnerability scanning can cause unintended damage to systems and disrupt operations, which is why it is not a component of standard vulnerability scanning practices. Instead, vulnerability scanning serves as an initial assessment tool to inform further security measures without the risks associated with exploitation.