On February 15th, 2022, we'll deprecate Server Vulnerability Scanning and replace it with integrations over time. Here's why we're making this shift, along with guidance on switching to a replacement.
What is this feature?
Vanta provides a Server Agent to install on servers. The Agent scans for CVEs and surfaces them on the Vulnerabilities page, giving evidence of vulnerability scanning.
Note: We are solely deprecating agent scanning — all other vulnerability integrations and functionality will remain available. Also, note that this is servers only; we are not deprecating the Laptop Agent that powers the Computers Page.
Why phase out this feature?
Simplifying audits: For many customers, the feature was redundant with other tools. Moreover, most auditors did not use this evidence or preferred other tools over our Agent.
Product experience: The Server Agent provided poor support for various configurations (autoscale, AMIs, network setups, etc.), and the installation process was confusing.
Security: While the Agent is non-invasive and regularly audited for security, it still requires installation on every server. After evaluating the functionality, we determined the security benefit was not worth the security risk.
What's replacing this?
Going forward, Vanta will do what we do best: we'll integrate with standard industry tools. We already integrate many tools on the Vulnerabilities page, and we'll add more over time.
For AWS users, we've already introduced an AWS Inspector integration. It's built into AWS, takes a few minutes to set up, and directly replaces the Server Agent's functionality.
1/7/2022: We now support the new Amazon Inspector, which provides continuous scanning, is available in more regions, and provides a one-click setup process. Get started on AWS's website and Vanta's vulnerability page.
How does this affect my audit(s)?
Our audit partners have already been informed, and this change should not significantly impact your audit.
If your audit is completed before February 1, 2022, you should continue using the Server Agent and switch over after your audit is finished.
Otherwise, provide evidence from at least one other scanner. The work involved should be minimal if you're using any other tool. Find more info here.
If you're using a tool Vanta integrates with (such as Inspector, Snyk, or container scanning), Vanta will pull evidence automatically without additional action.
If your tool isn't one Vanta integrates with, provide quick evidence by uploading it on the Documents page. We recommend using AWS Inspector, Azure Defender for Servers, or GCP VM Manager. You'll need to upload proof that a scan was run and that the vulnerabilities have been resolved.
Our team is investigating pulling evidence from more tools into Vanta - stay tuned!
Once you've switched, you can turn off Vanta Agent Vulnerability scanning by clicking "Turn off now" on the Agent Vulnerabilities tab.
How can I get more help?
Our goal is to make this process as smooth as possible; please don't hesitate to contact our Support team if you have any questions.