Safeguard
SecOps

Types of Vulnerability Assessment, Explained

Not every vulnerability assessment tests the same thing. Here's how network, application, host, and wireless assessments differ, and when each one is the right call.

Safeguard Research Team
Research
Updated 4 min read

"Vulnerability assessment" gets used as a catch-all term, but the actual scope varies enormously depending on what's being assessed. Put directly, the main types of vulnerability assessment are network assessments, application assessments, host-based assessments, database assessments, and wireless assessments, and each one uses different tools and looks for a different class of weakness. Picking the wrong type — or assuming one covers what another does — is a common gap in security programs that think they're covered because "we did a vulnerability assessment" without specifying which kind.

What is a network vulnerability assessment?

A network vulnerability assessment scans the infrastructure layer — routers, switches, firewalls, open ports, and exposed services — for known weaknesses like outdated firmware, weak encryption protocols, or misconfigured access controls. Tools in this category typically work by port-scanning a range of IP addresses and fingerprinting whatever services respond, then cross-referencing versions against known-vulnerability databases. This type of assessment answers "what can an attacker reach and exploit from the network," which is a fundamentally different question than whether a specific web application's code is secure.

What is an application vulnerability assessment?

An application vulnerability assessment focuses specifically on custom-built software — web apps, APIs, and mobile apps — rather than the network or infrastructure hosting them. This is where SAST, DAST, and SCA tooling live: static analysis reads source code, dynamic analysis tests the running application's behavior, and software composition analysis checks third-party dependencies for known CVEs. Because most modern breaches originate at the application layer rather than through a network-level exploit, this type of assessment has become the primary focus for organizations building their own software, and it's the category Safeguard's SCA and SAST/DAST products are built for.

What do host-based and database assessments check that others miss?

Host-based assessments examine an individual server or endpoint's operating system configuration, patch level, and locally installed software for weaknesses — things a network scan might see from the outside but can't fully verify without local access, like file permission errors or unpatched OS-level services. Database assessments go a layer deeper still, checking for misconfigured access controls, unencrypted sensitive fields, excessive user privileges, and outdated database engine versions — issues that neither a network scan nor an application scan is positioned to catch, since they require understanding the database's own configuration and schema, not just how an application queries it.

Do you need all these assessment types, or just the ones that match your risk?

Most organizations don't need every type run with equal frequency — the right mix depends on what you're actually running. A company that's mostly a SaaS application vendor with cloud infrastructure managed by a provider gets more value from frequent application assessments than from network scans of infrastructure they don't directly control. A company running its own data centers with legacy on-premises systems needs network and host assessments as a baseline, in addition to whatever custom applications it builds. The practical approach is to map assessment type to actual attack surface rather than running a generic checklist because it sounds thorough.

FAQ

Is a vulnerability assessment the same as a penetration test?

No — a vulnerability assessment identifies and catalogs weaknesses, typically through automated scanning, while a penetration test goes further by actively attempting to exploit findings to confirm real-world impact and chain them together.

How often should each type of vulnerability assessment run?

Application assessments should run continuously, ideally on every code change, given how fast application code evolves. Network, host, and database assessments are commonly run on a recurring schedule — monthly or quarterly — unless infrastructure changes trigger an ad hoc scan.

Can one platform cover multiple assessment types?

Some platforms specialize in application-layer assessment (SAST/DAST/SCA) while others focus on network and infrastructure scanning; very few vendors genuinely excel at both, so many organizations run a combination of tools rather than a single all-in-one product.

Which type of vulnerability assessment catches the most real-world breaches?

Application-layer assessment tends to have the highest direct correlation with real breaches today, since most attackers target internet-facing web applications and APIs rather than internal network infrastructure directly.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.