Tags: Vulnerability Scanning, Nuclei, CVE, Automation, SIEM

Vulnerability Scan Automation: Build Your Own Enterprise Security System

December 18, 2025 · 13 min read · VefaSec Editorial

Work that takes a security team days to do by hand shrinks to minutes once it is automated. In this guide we build an end-to-end vulnerability scanning system with open-source tools, step by step; the VefaSec starter template is open source.

Subdomain Discovery Pipeline

The attack surface can extend far beyond your known domains. Subfinder, Amass and Sublist3r gather subdomains from passive sources (CT logs, Shodan, DNSDB). Httpx then filters the ones that are actually live.

The pipeline runs on a nightly cron: discovered subdomains are saved, newly added ones enter the next scan cycle. Forgotten staging, dev and test environments show up in surprising numbers over time.

CVE Tracking: NVD Feed and Custom Rules

The NVD (National Vulnerability Database) RSS/JSON feed is pulled hourly and filtered against the organization's stack. Cross-referenced against the SBOM database, the answer to 'does this CVE affect us?' arrives in 30 seconds.

Each new CVE triggers an automated Jira ticket, a Slack alert and an email to the affected system owner. Critical CVEs (CVSS >= 9) additionally trigger SMS alerts and a red indicator on the CISO dashboard.
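The matching and routing step described above, as an added example that is not part of the original post or the VefaSec template: it takes a trimmed NVD 2.0-style feed and a CycloneDX-style SBOM (both constructed inline, with placeholder CVE ids), matches components by CPE vendor/product and version range, and picks notification channels by CVSS score. Version comparison is simplified to dotted numeric versions.

```python
# Constructed sample inputs, trimmed to the fields this check needs;
# CVE ids and CPEs are placeholders, not real advisories.
NVD_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:webapp:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.3.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.5}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:webapp:2.0.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:other:db:*:*:*:*:*:*:*:*"}]}]}]}},
]}
# CycloneDX-style SBOM: each component carries a CPE so it can be matched.
SBOM = {"components": [{"name": "webapp", "version": "1.2.3",
                        "cpe": "cpe:2.3:a:example:webapp:1.2.3:*:*:*:*:*:*:*"}]}

def _ver(v):
    # Simplified comparison: dotted numeric versions only (assumption for the example).
    return tuple(int(x) for x in v.split("."))

def _in_range(version, match):
    """True if a component version falls inside one NVD cpeMatch entry."""
    cpe_version = match["criteria"].split(":")[5]
    if cpe_version != "*":                      # the CPE names an exact version
        return _ver(cpe_version) == _ver(version)
    v, lo = _ver(version), match.get("versionStartIncluding")
    hi_ex, hi_in = match.get("versionEndExcluding"), match.get("versionEndIncluding")
    return ((lo is None or v >= _ver(lo)) and (hi_ex is None or v < _ver(hi_ex))
            and (hi_in is None or v <= _ver(hi_in)))

def affected_cves(feed, sbom):
    """Map CVE id -> (CVSS base score, component name) for every SBOM component the feed matches."""
    hits = {}
    for comp in sbom["components"]:
        vendor, product, version = comp["cpe"].split(":")[3:6]
        for entry in feed["vulnerabilities"]:
            cve = entry["cve"]
            matches = (m for cfg in cve.get("configurations", [])
                       for node in cfg["nodes"] for m in node["cpeMatch"])
            for m in matches:
                c = m["criteria"].split(":")
                if m["vulnerable"] and c[3:5] == [vendor, product] and _in_range(version, m):
                    score = cve["metrics"]["cvssMetricV31"][0]["cvssData"]["baseScore"]
                    hits[cve["id"]] = (score, comp["name"])
    return hits

def route(score):
    """Channels per the post's policy: Jira/Slack/email for every CVE, plus SMS and dashboard at CVSS >= 9."""
    base = ["jira", "slack", "email"]
    return base + ["sms", "dashboard"] if score >= 9 else base
```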

Automated Scanning with Nuclei

Nuclei scans 5000+ vulnerability scenarios in minutes using YAML-based templates. The community template repository is continuously updated, and writing custom templates for your organization is straightforward. CVE scanning, misconfiguration checks and exposed endpoint detection are standard use cases.

Nuclei runs as a Docker container; its JSON output is streamed into an indexing system (Elasticsearch, Loki). False positives are filtered with a whitelist mechanism.

Nessus / OpenVAS Integration

Authenticated scanning needs Nessus or OpenVAS; these tools provide deep CVE detection, patch-level checks and compliance scans. Scheduled scans are launched via API, results are fetched on completion and merged into the central database.

Capacity planning: weekly full scan + daily incremental + real-time Nuclei. Large infrastructures scale with parallel workers and a job queue (RabbitMQ, Redis).

Alerting and Admin Dashboard

Critical alerts go out through the Slack webhook, PagerDuty and SMS; medium and low findings go by email. Dedup and severity-based filtering avoid alert fatigue. If a finding repeats on the same asset it is marked 'still open', not a new incident.

The admin dashboard is built with Grafana: finding trends, time-to-close, SLA compliance, top 10 most critical assets. VefaSec offers this stack as a ready-made template; installation takes 2 days, the first scan runs within a week.
