Authentication to hosts is required for trusted scanning. Before launching scans, you need to set up authentication credentials on target hosts. The account requirements depend on the target technology, as described in our documentation. It is recommended that you fully review the account requirements for each technology. The authentication credentials are supplied in authentication records before users launch authenticated scans.
Account credentials must have sufficient privileges, as defined by the service, for each target host. When processing an authenticated scan, the service determines whether the account provided has sufficient privileges for each target host. If sufficient privileges are found, the assessment phase occurs and the most accurate and complete information is collected from the scan. If insufficient privileges are found, the scan completes based on scan type as described below.
Vulnerability Scan. When insufficient privileges are found, the assessment phase occurs using the credentials provided, assuming the credentials allow login to the target host. Authenticated scanning with insufficient privileges does not return the most complete and comprehensive vulnerability results, since not enough information is gathered from the host. In this scenario, it's very possible that the scan results include false negatives, and it's also possible that they include false positives. If the credentials do not allow login to the target host, the service performs a non-authenticated scan.
Compliance Scan. When insufficient privileges are found, proper authentication to the host for compliance fails, the assessment phase does not occur, and the scan is finished. As a result, no compliance information is collected from the host. The Authentication Report helps you identify where authentication was successful and where it failed for compliance hosts.
For account requirements, refer to the following topics: