Passive vs Active Security Scanning: What Is the Difference?
Active scanning sends traffic to target systems. Passive scanning reads only publicly available data. This guide explains when each approach is appropriate, and why passive scanning is often the better starting point.
The fundamental difference
Active security scanning sends network traffic to the target system. A port scanner probes which ports are open. A vulnerability scanner sends crafted requests to test for known vulnerabilities. A web application scanner crawls your site and attempts various injections. These techniques produce results, but they also produce traffic — logs, alerts, and in some cases, unexpected side effects on fragile systems.
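The "traffic, logs and alerts" an active scan produces is exactly what a defender's detection logic keys on. The following is an added example, not code from the original article or from VP Shield: it runs a simple sliding-window port-scan detector over constructed firewall log lines. The log format (timestamp, source IP, destination IP, destination port, action) and the ten-ports-in-sixty-seconds threshold are assumptions; real firewalls have their own field layouts and a real SIEM would tune the threshold to the environment.

```python
"""Flag active port-scan traffic in firewall logs.

Added example, not part of the original article. The log format below
(timestamp, source IP, destination IP, destination port, action) is an
assumption; real firewalls use their own fields, so adapt parse_log().
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
# 203.0.113.5 touches ten distinct ports within a few seconds (an active scan);
# 192.0.2.7 is ordinary web traffic to ports 80 and 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 198.51.100.10 22 DROP
2024-05-01T10:00:01 203.0.113.5 198.51.100.10 23 DROP
2024-05-01T10:00:01 203.0.113.5 198.51.100.10 25 DROP
2024-05-01T10:00:02 203.0.113.5 198.51.100.10 80 ACCEPT
2024-05-01T10:00:02 203.0.113.5 198.51.100.10 443 ACCEPT
2024-05-01T10:00:03 203.0.113.5 198.51.100.10 8080 DROP
2024-05-01T10:00:03 203.0.113.5 198.51.100.10 3306 DROP
2024-05-01T10:00:04 203.0.113.5 198.51.100.10 5432 DROP
2024-05-01T10:00:04 203.0.113.5 198.51.100.10 6379 DROP
2024-05-01T10:00:05 203.0.113.5 198.51.100.10 8443 DROP
2024-05-01T10:00:10 192.0.2.7 198.51.100.10 443 ACCEPT
2024-05-01T10:00:11 192.0.2.7 198.51.100.10 443 ACCEPT
2024-05-01T10:05:00 192.0.2.7 198.51.100.10 80 ACCEPT
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines rather than crashing the detector
        ts, src, dst, port, action = fields
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: finding} for every source that contacts at least
    `threshold` distinct (destination, port) pairs inside any window of
    the given length. Dropped and accepted connections both count: a
    scanner learns something from either answer."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_src[src].append((ts, dst, port))

    findings = {}
    for src, items in by_src.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _, _) in enumerate(items):
            targets = set()
            last = start
            for ts, dst, port in items[i:]:
                if ts - start > window:
                    break
                targets.add((dst, port))
                last = ts
            if len(targets) >= threshold:
                findings[src] = {
                    "first_seen": start.isoformat(),
                    "last_seen": last.isoformat(),
                    "distinct_ports": len(targets),
                    "ports": sorted(port for _, port in targets),
                }
                break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, finding in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {finding}")
```

The point for the page's argument is the asymmetry: the scanning host shows up in the target's logs with a timestamp, a source address and a list of ports, which is why an unauthorised active scan is both detectable and attributable, while none of this exists for a passive check.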
Passive scanning reads publicly available information without sending a single packet to the target. DNS queries go to public resolvers, not target servers. TLS grades are assessed by checking publicly visible certificates. DMARC policies are published in public DNS. The target system has no record of the scan.
When active scanning is appropriate
Active vulnerability scanning is valuable for understanding your internal attack surface — servers, applications, and services that are not internet-facing. A credentialed scan run by your security team against your own infrastructure can identify unpatched CVEs, misconfigurations in web applications, and privilege escalation paths that passive scanning cannot detect.
Active scanning requires explicit permission. Running an active scan against systems you do not own or have not been authorised to test is illegal under the Computer Misuse Act 1990 in the UK. Even internal scanning should follow a documented testing policy to avoid triggering false alerts or disrupting production systems.
When passive scanning is appropriate
Passive scanning is the right starting point for internet-facing domain security assessment because:
- No permission is required — you are reading public information
- No risk of service disruption
- No false positive alerts generated on the target
- Can be run on any domain — competitors, acquisition targets, supplier domains
- Results reflect exactly what an attacker would see before launching an attack
The attacker's perspective
Attackers begin with passive reconnaissance — they check your DNS records, your DMARC policy, your TLS configuration, your subdomains, your error pages. They do this because it is free, silent, and tells them a great deal about your security posture before they invest in active techniques.
If your DMARC policy is p=none, an attacker knows within seconds that your domain can be spoofed for phishing. If your SSL certificate is from an unexpected issuer, they note it. If a subdomain CNAME points to a decommissioned service, they look up the registration process for that service.
Running passive scans on your own domains gives you the attacker's view of your posture — before they have it.
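The DMARC check described in the two sections above is the simplest passive check to reproduce, because the policy is a single public TXT record at `_dmarc.<domain>`. The following is an added example, not code from the original article or from VP Shield: it parses that record and rates the domain's spoofing exposure, flagging not only `p=none` but also the quieter weaknesses a practitioner looks for (a `pct=` below 100, a weaker `sp=` for subdomains, no `rua=` reporting address). The records are passed in as strings so the check runs offline; in practice they come from a public resolver, for example `dig +short TXT _dmarc.example.com`, with the surrounding quotes stripped. The rating names are an assumption of this example.

```python
"""Rate a domain's spoofing exposure from its public DMARC record.

Added example, not part of the original article or of VP Shield. TXT
records are supplied as plain strings (fetch them from a public resolver
such as `dig +short TXT _dmarc.<domain>` and strip the quotes).
"""

# Ordering of DMARC policies from weakest to strongest.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Return (rating, reasons) for the TXT records found at _dmarc.<domain>.

    rating is one of: missing, invalid, monitor-only, partial, enforced
    (rating names are this example's own convention).
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", ["no DMARC record published: receivers apply no policy, so the domain can be spoofed"]
    if len(dmarc) > 1:
        return "invalid", ["multiple DMARC records published: receivers discard all of them"]

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in _STRENGTH:
        return "invalid", [f"missing or unknown p= tag ({policy!r})"]

    reasons = []
    rating = "enforced"
    if policy == "none":
        rating = "monitor-only"
        reasons.append("p=none: mail failing DMARC is delivered anyway, so the domain can be spoofed")
    elif policy == "quarantine":
        rating = "partial"
        reasons.append("p=quarantine: spoofed mail lands in spam rather than being rejected")

    # pct= defaults to 100; anything lower leaves a share of failing mail unpoliced.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", [f"pct= is not a number ({tags.get('pct')!r})"]
    if pct < 100:
        if rating == "enforced":
            rating = "partial"
        reasons.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp= overrides the policy for subdomains; a weaker value reopens them for spoofing.
    sub = tags.get("sp", policy).lower()
    if _STRENGTH.get(sub, 0) < _STRENGTH[policy]:
        if rating == "enforced":
            rating = "partial"
        reasons.append(f"sp={sub}: subdomains are protected more weakly than the parent domain")

    if "rua" not in tags:
        reasons.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return rating, reasons


# Constructed sample records for demonstration; example.com is a reserved documentation domain.
SAMPLES = {
    "monitor-only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "subdomain-gap": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"],
    "enforced": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "no-record": ["v=spf1 -all"],  # an SPF-style string, not a DMARC record
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        rating, reasons = assess_dmarc(records)
        print(f"{label:14s} -> {rating}: {'; '.join(reasons) or 'no findings'}")
```

None of this touches the domain owner's mail servers: the only query goes to a public DNS resolver, which is what makes the check safe to run continuously across your own, supplier and acquisition-target domains.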
Combining both approaches
Best-practice security programmes use passive scanning for continuous, broad monitoring of internet-facing exposure, and active scanning for periodic deep assessment of specific systems under controlled conditions. The passive scan tells you where the gaps are; the active scan tells you how deep they go.
VP Shield is a passive scanner. It shows you your public attack surface — DNS, TLS, email authentication, HTTP headers, subdomain risks, and spoofing exposure — without touching your servers. For active internal scanning, you will need a separate tool run under authorised conditions.