Cyber Essentials Plus Vulnerability Scanners, Compared by Assessor Pass/Fail
Net Sec Group is an IASME and NCSC certification body. Across our 800-plus engagement history, the assessor has reviewed scan output from every major vulnerability scanner UK SMEs deploy. This article is the comparison the vendor pages cannot publish: which scanner's output passes a CE Plus audit cleanly, and which gets queried by the assessor for clarification or rejected for evidence-format reasons. The five scanners covered are the ones we encounter on customer estates today: Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, OpenVAS / Greenbone Community Edition, and the AWS Inspector / Microsoft Defender for Cloud / GCP Security Command Center cloud-native combination for cloud-only estates.
The article sets out the five assessor criteria, walks each scanner through them, lands a one-line recommendation per buyer profile (in-house engineering team, MSP-managed estate, cloud-only estate), and closes with the practitioner observations that decide CE Plus pass-rate in practice. For the broader CE Plus assessment-day reference, see the CE Plus Assessment Guide on netsecgroup.io. For the related vulnerability-scanning hub on this site, see the vulnerability-scanning hub.
The five assessor criteria
The CE Plus assessor reviews scan output against the IASME CE Plus test specification. What the assessor accepts in practice comes down to five criteria.
1. Authenticated coverage
The IASME requirement is that vulnerability detection covers the in-scope estate accurately. An unauthenticated scan misses configuration-level CVEs that an authenticated scan catches. Authenticated scanning requires the scanner to log into each in-scope device and read the installed-software inventory, the registry or equivalent, and the configuration files. Scanners that produce only unauthenticated results are queried by the assessor; scanners that produce credentialed-scan output with verified inventory pass the criterion cleanly.
2. CVSS reporting clarity
The assessor reviews findings against CVSS (the FIRST scoring methodology). The accepted output names the CVE, the CVSS v3.1 base score, the affected device, the affected component, and a date. The assessor flags scan output that gives only a vendor-proprietary severity rating without the CVSS underlying score. Output that conflates severity with exploitability without showing the score breakdown gets queried.
3. False-positive triage workflow
The IASME requirement is that the in-scope estate has no critical or high-severity CVEs older than 14 days from vendor release date. False positives that the applicant cannot triage off the report look the same as real findings. A scanner that supports per-finding suppression with documented rationale, where the suppression carries forward into subsequent scans, makes the assessor's review faster. A scanner whose only false-positive workflow is to re-scan with different settings produces evidence packs that take the assessor twice as long to review and increases the chance of an accidental rejection.
4. Operating-system coverage that matches CE Plus scope
CE Plus scope routinely includes Windows 10 and 11 (multiple feature update levels), macOS 14 and 15, Ubuntu LTS releases, Red Hat Enterprise Linux derivatives, mobile platforms via MDM, and increasingly Linux server distributions in IaaS. The scanner has to detect on every platform the applicant has in scope. A scanner with thin macOS coverage forces the applicant to produce supplementary per-device evidence on macOS, which is acceptable but slow.
5. Evidence-pack exportability
The CE Plus evidence pack the assessor reviews on the day is a structured set of documents. Scan output that exports cleanly to a PDF or HTML report with per-device sections, CVE list, CVSS scores, and the dates of scan and remediation slots into the evidence pack as one document. Scan output that requires the applicant to assemble the evidence-grade report manually from CSVs and JSON exports adds preparation time and increases the chance of evidence-format errors.
The 5-scanner comparison matrix
Each cell uses one of three ratings: Pass (assessor accepts cleanly), Pass-with-friction (assessor accepts but expects clarification or supplementary evidence), or Query (assessor will ask for additional output before deciding).
| Scanner | Authenticated coverage | CVSS clarity | FP triage | OS coverage | Evidence export | Overall |
|---|---|---|---|---|---|---|
| Tenable Nessus / Tenable.io | Pass (broad credentialed scanning) | Pass (CVSS v3.1 native) | Pass (per-finding suppression with rationale) | Pass (Windows, macOS, Linux, mobile via MDM integration) | Pass (PDF and HTML report templates fit assessor format) | Pass |
| Qualys VMDR | Pass (broad credentialed scanning) | Pass (CVSS v3.1 native, plus Qualys Severity 1 to 5 mapped) | Pass-with-friction (per-finding suppression, but the UI is dense and the assessor may ask for a narrative) | Pass (Windows, macOS, Linux, container) | Pass (custom report builder fits assessor format with effort) | Pass |
| Rapid7 InsightVM | Pass (broad credentialed scanning) | Pass-with-friction (CVSS v3.1 plus Rapid7 Real Risk Score; the latter requires explanation in the evidence pack) | Pass (per-finding suppression with rationale) | Pass-with-friction (Linux server coverage strong; macOS coverage adequate; mobile integration via Insight Agent) | Pass (PDF report templates) | Pass-with-friction |
| OpenVAS / Greenbone Community Edition | Pass-with-friction (credentialed scanning supported, but configuration takes practitioner skill) | Pass (CVSS v3.1 native) | Query (FP suppression workflow is less polished; evidence pack typically requires manual triage notes) | Pass-with-friction (Windows and Linux strong; macOS and mobile coverage thinner than commercial peers) | Pass-with-friction (HTML report templates need customisation for assessor format) | Pass-with-friction |
| Cloud-native: AWS Inspector / Microsoft Defender for Cloud / GCP Security Command Center | Pass for cloud workloads (in-platform credentialed scanning); Query for non-cloud devices (no agent on laptops) | Pass (CVSS v3.1 native) | Pass (per-finding suppression in each platform's console) | Pass for cloud workloads; Query for laptop fleet (cloud-native scanners do not cover physical endpoints) | Pass-with-friction (export from console works; assessor expects one consolidated report, not three platform consoles) | Pass for cloud workloads only |
Per buyer profile recommendation
The matrix above answers "does the scanner pass the assessor?". The right scanner for a specific firm depends on the firm's profile.
In-house engineering team
Recommendation: Tenable Nessus (Tenable.io for SaaS deployment, Nessus Professional for self-hosted). The reasoning: in-house engineers can configure authenticated scanning correctly and quickly, and the FP triage workflow scales with engineering team capacity. Nessus's evidence-pack export needs no customisation. Total cost of ownership for an in-house team is low because the scanner runs on the team's existing infrastructure-management cadence.
MSP-managed estate
Recommendation: Qualys VMDR or Rapid7 InsightVM depending on the MSP's existing tooling. The reasoning: both are MSP-friendly with multi-tenant administration. The MSP runs the scans on the firm's behalf, exports the evidence pack to the firm's CE Plus engagement, and takes the friction off the in-house team. Where the MSP already runs InsightVM, the InsightVM Real Risk Score requires a narrative paragraph in the evidence pack but does not block CE Plus pass.
Cloud-only estate
Recommendation: AWS Inspector + Defender for Cloud + GCP Security Command Center as appropriate, supplemented by Tenable Nessus or Qualys VMDR for the laptop fleet. The cloud-native scanners are the right answer for in-scope IaaS workloads (no agent install, no friction); they are the wrong answer for the company-issued laptops that staff use to connect to those workloads. CE Plus scope routinely includes the laptops, and cloud-native scanners do not cover them. Use one of the commercial scanners for the laptop fleet alongside the cloud-native scanners for the workloads.
Microbusiness or budget-constrained estate
Recommendation: OpenVAS / Greenbone Community Edition with practitioner-led configuration. The reasoning: zero-licence-cost scanning is workable at this scale, but it requires a practitioner who can configure credentialed scanning correctly and triage false positives manually. Smaller estates have fewer findings and less reconciliation overhead, which makes the manual triage tractable. The evidence-pack export needs more polish than the commercial peers but reaches assessor-acceptable format with template customisation.
Practitioner observations from 800-plus engagements
Three observations decide CE Plus pass-rate in practice.
1. Authenticated scanning is not optional: it is the difference between pass and rework. Unauthenticated scanning produces output the assessor flags as incomplete; the applicant runs a second authenticated scan and submits 5 to 10 working days late. Configure authenticated scanning before the assessment day, not on the day.
2. The 14-day window is measured from vendor release date, not from when the patch hits the device. A scan run the morning of the assessment day, finding a CVE published 13 days ago with a patch released the same day, is the patching control passing on the wire. A scan finding a CVE published 18 days ago with no patch applied is the patching control failing regardless of how recent the scan is. See the Cyber Essentials 14-day Patching Guide for the full window mechanics.
3. The IASME sampling formula determines how many devices the scanner needs to cover, not just total estate size. A 100-device estate on 5 builds samples at 17 devices; the scanner has to produce credentialed scan output for those 17 specific devices, not for any 17 of the 100. See the CE Plus Sample Sizes reference for the per-build formula.
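Observation 2 above, together with criterion 2 (the fields each finding must carry) and criterion 3 (suppression with a written rationale), reduces to a mechanical pass over the scan output. The following Python is an added example written for this article; it is not Net Sec Group's tooling and does not follow any particular scanner's export format. The findings, device names, placeholder CVE ids (CVE-0000-0000x) and dates are all constructed, and reading "older than 14 days" as a strict "age greater than 14" boundary is an assumption made here.

```python
"""CE Plus patching-control check over scan output (added example).

Illustration written for this article, not Net Sec Group's tooling and not any
scanner's export format. All findings, device names, CVE ids (CVE-0000-0000x are
placeholders) and dates below are constructed.
"""
from datetime import date

WINDOW_DAYS = 14        # IASME: no critical/high CVE older than 14 days from vendor release
HIGH_THRESHOLD = 7.0    # CVSS v3.1 base score: High is 7.0-8.9, Critical is 9.0-10.0
# The fields the assessor expects per finding (criterion 2), plus patch state so
# the 14-day window can be evaluated.
REQUIRED_FIELDS = ("cve", "cvss", "device", "component", "vendor_release", "patched")


def missing_fields(finding):
    """Fields the assessor would query, e.g. a vendor severity label with no CVSS score."""
    return [f for f in REQUIRED_FIELDS if f not in finding]


def evaluate(findings, suppressions, scan_date):
    """Bucket each finding the way the assessor reads it.

    suppressions maps (cve, device) -> rationale; a suppression with an empty
    rationale is treated as absent (assumption: the assessor would query it).
    Boundary assumption: "older than 14 days" means age > 14 days.
    """
    result = {"queried": [], "low_severity": [], "suppressed": [],
              "remediated": [], "within_window": [], "fail": []}
    for f in findings:
        gaps = missing_fields(f)
        if gaps:                                  # incomplete evidence: queried, not judged
            result["queried"].append((f.get("cve", "?"), f.get("device", "?"), gaps))
            continue
        key = (f["cve"], f["device"])
        if f["cvss"] < HIGH_THRESHOLD:            # Medium/Low: not a CE Plus failure condition
            result["low_severity"].append(key)
            continue
        rationale = suppressions.get(key)
        if rationale:                             # documented false positive carried forward
            result["suppressed"].append((key, rationale))
            continue
        if f["patched"]:                          # fix applied: remediated
            result["remediated"].append(key)
            continue
        age = (scan_date - f["vendor_release"]).days
        bucket = "fail" if age > WINDOW_DAYS else "within_window"
        result[bucket].append((key, age))
    return result


def passes(result):
    """The control passes when nothing is overdue and nothing is left queried."""
    return not result["fail"] and not result["queried"]


SCAN_DATE = date(2025, 3, 20)   # constructed assessment-day scan date

SAMPLE_FINDINGS = [  # constructed scan output; CVE ids are placeholders
    {"cve": "CVE-0000-00001", "cvss": 9.8, "device": "LAPTOP-01", "component": "example browser",
     "vendor_release": date(2025, 3, 7), "patched": False},    # 13 days unpatched: inside window
    {"cve": "CVE-0000-00002", "cvss": 8.1, "device": "LAPTOP-02", "component": "example office suite",
     "vendor_release": date(2025, 3, 2), "patched": False},    # 18 days unpatched: fail
    {"cve": "CVE-0000-00003", "cvss": 7.5, "device": "SRV-01", "component": "example web server",
     "vendor_release": date(2025, 2, 20), "patched": True},    # 28 days but patched: remediated
    {"cve": "CVE-0000-00004", "cvss": 9.1, "device": "LAPTOP-03", "component": "example media codec",
     "vendor_release": date(2025, 2, 25), "patched": False},   # suppressed below with rationale
    {"cve": "CVE-0000-00005", "cvss": 5.3, "device": "LAPTOP-01", "component": "example PDF viewer",
     "vendor_release": date(2025, 1, 10), "patched": False},   # Medium: operational finding only
    {"cve": "CVE-0000-00006", "vendor_severity": "Critical", "device": "SRV-02",
     "component": "example database", "vendor_release": date(2025, 2, 1), "patched": False},  # no CVSS: queried
]

SAMPLE_SUPPRESSIONS = {  # constructed; the rationale travels with the output into the evidence pack
    ("CVE-0000-00004", "LAPTOP-03"): "Affected component is not installed on this build.",
}

if __name__ == "__main__":
    r = evaluate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS, SCAN_DATE)
    for bucket, items in r.items():
        print(f"{bucket}: {items}")
    print("patching control:", "PASS" if passes(r) else "FAIL")
```

Run as a script it prints each bucket and the overall verdict; on the constructed sample the control fails on one overdue finding and one finding the assessor would query for its missing CVSS score. Swapping the sample lists for a parsed scanner export keeps the same six buckets, which map directly onto the evidence-pack sections the assessor reads.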
How CE Plus scanning relates to CE Basic patching evidence
The CE Basic SAQ asks for evidence the firm meets the 14-day patching window. The CE Plus assessment runs the vulnerability scan that tests the same control. A CE Plus engagement effectively re-tests the CE Basic patching answer with assessor-supervised evidence. A firm that scrapes through CE Basic with thin patching evidence will fail CE Plus on the patching control unless the underlying practice tightens.
For the foundation patching reference, see Patching and Updates on this site. For the related vulnerability-scanning topics, see Vulnerability Scanning (foundation), External vs internal scanning for CE Plus, False positives in CE Plus vulnerability scans, and Scanning cloud vs on-premises CE Plus estates. The Secure Configuration control sits adjacent to scanning; see Secure Configuration for that reference.
Common questions
Can I use the cheapest scanner that passes and not worry about the others?
Yes, in principle. The CE Plus assessor reads scan output, not the scanner brand. OpenVAS / Greenbone Community Edition output that meets the five assessor criteria passes the same way Nessus output does. The reason firms move to commercial scanners is operational cost, not assessor preference: triage workflow, integration with existing tooling, and vendor support when the scan misbehaves.
Does the assessor expect me to remediate every finding or just the in-scope critical and high?
CE Plus tests the in-scope estate against critical and high-severity CVEs older than 14 days from vendor release. Lower-severity findings are not failure conditions for CE Plus; they remain operational findings the firm should address but the assessor does not block on them.
What if my scanner reports a finding that is not actually present (a false positive)?
The applicant suppresses the finding with a documented rationale (the device is not running the affected component, the configuration mitigates the CVE, the device is out of scope and the scanner picked it up by accident). The suppression travels with the scan output into the evidence pack. The assessor reviews the rationale and either accepts or queries.
Does cloud-native scanning replace endpoint scanning?
No. For any firm whose CE Plus scope includes physical or virtual laptops, cloud-native scanners cover the IaaS workloads but not the endpoints. See Scanning cloud vs on-premises CE Plus estates for the worked split.
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the estate and current scanning tooling; the assessor confirms the scope and engagement timeline.
Reference material
- Cyber Essentials Plus Assessment Guide
- Cyber Essentials Plus Sample Sizes
- Cyber Essentials 14-day Patching Guide
Where this fits on this site
This article is the scanner-comparison spoke under the vulnerability-scanning hub. The other vulnerability-scanning spokes are external vs internal scanning for CE Plus, false positives in CE Plus vulnerability scans, and scanning cloud vs on-premises CE Plus estates. For the foundation patching topic, see Patching and Updates and Vulnerability Scanning on this site.