Sunsetting Server Vulnerability Scanning

On February 15th, 2022, we'll deprecate Server Vulnerability Scanning and replace it with integrations over time. Here's why we're making this shift and guidance on switching to a replacement.
What is this feature? 
Vanta provides a Server Agent to install on servers. The Agent scans for CVEs and surfaces them on the Vulnerabilities page, giving evidence of vulnerability scanning.
Note: We are deprecating only Agent scanning; all other vulnerability integrations and functionality will remain available. This also applies to servers only; we are not deprecating the Laptop Agent that powers the Computers page.
Why phase out this feature?
  • Simplifying audits: For many customers, the feature was redundant to other tools. Moreover, most auditors did not use this evidence or preferred other tools over our Agent.
  • Product experience: The Server Agent had poor support for many configurations (autoscale, AMIs, network setups, etc.), and installation was confusing.
  • Security: While the Agent is non-invasive and regularly audited for security, it still requires installation on every server. After evaluating the functionality, we determined the security benefit was not worth the security risk.
What's replacing this?
Going forward, Vanta will do what we do best: we'll integrate with standard industry tools. We already integrate many tools on the Vulnerabilities page, and we'll add more over time.
For AWS users, we've already introduced an AWS Inspector integration. It's built into AWS, takes a few minutes to set up, and directly replaces the Server Agent's functionality.
1/7/2022: We now support the new Amazon Inspector, which provides continuous scanning, is available in more regions, and provides a one-click setup process. Get started on AWS's website and Vanta's vulnerability page.
How does this affect my audit(s)?
Our audit partners have already been informed, and this change should not significantly impact your audit.
If your audit finishes before February 1st, 2022, you should continue using the Server Agent and switch over after your audit.
Otherwise, provide evidence from at least one other scanner. The work involved should be minimal if you're using any other tool. Find more info here.
  • If using a tool Vanta integrates with (such as Inspector, Snyk, or container scanning), Vanta will pull evidence automatically without additional action.
  • Otherwise, provide quick evidence by uploading it on the Documents page. We recommend using AWS Inspector, Azure Defender for Servers, or GCP VM Manager. You'll need to upload proof that a scan was run and that the vulnerabilities have been resolved.
  • Our team is investigating pulling evidence from more tools into Vanta - stay tuned!

Once you've switched, you can turn off Vanta Agent Vulnerability scanning by clicking "Turn off now" on the Agent Vulnerabilities tab.

How can I get more help?
Our goal is to make this as smooth as possible; please don't hesitate to contact Support if you have any questions.