| Trusted target access |
No scanner credential or authenticated target session. |
Approved credential, certificate, API identity, local agent, or supported trusted mechanism. |
| Strongest evidence |
Reachable ports, public or segment-specific services, remote protocol behavior, certificates, and externally visible weaknesses. |
Installed packages, patch state, firmware, registry or file data, local policy, and supported configuration evidence. |
| Primary dependency |
Correct targets, routing, scanner position, firewall behavior, service fingerprinting, and current checks. |
All unauthenticated dependencies plus credential validity, sufficient privilege, supported protocol, and successful local retrieval. |
| Typical blind spot |
Local packages and settings that cannot be reliably inferred over the network. |
Exposure from network positions the scanner did not test; incomplete collection when access is partial or the asset is unsupported. |
| Version confidence |
May depend on banners, service responses, or remote behavior that can be ambiguous or backported. |
Can often confirm installed version and package state, but the evidence still needs validation for vendor backports and applicability. |
| Credential risk |
No target secret is stored for the scan, though authorization and scanner-system security remain necessary. |
The scan identity becomes a sensitive control requiring restriction, secure storage, logging, rotation, and removal when appropriate. |
| Completion proof |
Reached target, tested intended ports/protocols, scan completed, warnings reviewed, exclusions documented. |
Full or partial local collection by asset, authentication method, privilege sufficiency, failure reason, and retest result. |
| Best combined use |
Preserve the observer view from relevant zones. |
Confirm local state and reduce uncertainty where trusted inspection is supported. |