External vs internal vulnerability scanning: which one does your business actually need?
External and internal vulnerability scanning find different things — here is what each one covers, where they overlap, and which is the right starting point for a UK small business.
Here's a scenario that plays out often enough to be a pattern, not a one-off: a business owner asks their IT provider whether their systems have been scanned for vulnerabilities. The IT provider says yes. What they mean is that they ran a scan from inside the network, checking internal systems against known vulnerabilities. What the business owner meant, and what an external attacker would actually attempt, is something different: a scan of what's visible from the outside, before any authentication, before any access to the internal network at all. Both scans are real. They find different things.
Understanding the difference matters because it determines what you're actually getting visibility on and what remains blind to you.
What external scanning covers
An external vulnerability scan probes your domain and internet-facing systems from the outside, exactly as an attacker would. It has no access to your internal network, no credentials, no privileged position inside your infrastructure. It sees only what's publicly visible: open ports, SSL certificate configuration, DNS records, HTTP response headers, exposed services, and anything else reachable from the open internet.
This is what Olimpio does. It maps your external attack surface, the part of your security posture that anyone on the internet can probe without any inside access, and surfaces misconfigurations and vulnerabilities in that surface. For most UK small businesses, this is where the meaningful external risk lives: a misconfigured mail server, a missing security header, a weak DKIM key, an exposed admin panel, an expiring certificate.
What internal scanning covers
An internal vulnerability scan runs from inside your network, either from a device already on the network or via credentials that give it access to scan systems from an authenticated position. It can see things an external scan can't: unpatched software on devices within the network, internal service vulnerabilities, misconfigured internal systems, lateral movement risks between machines on the same network.
Internal scanning is typically the domain of managed security service providers, penetration testers, and larger organisations with dedicated IT infrastructure to monitor. It requires ongoing access to the internal network to be meaningful, and the findings it produces often require more technical expertise to interpret and remediate than external findings do.
Which one a small business should start with
For a UK SMB without a dedicated IT team, external scanning is the right starting point, for three reasons. First, external vulnerabilities are what an opportunistic attacker, the kind most likely to affect a small business, will actually probe. They don't have inside access. They're scanning the internet looking for exposed services and misconfigured domains, and your external surface is what they see. Second, external findings are generally more actionable without specialist infrastructure knowledge: a DNS record change, a security header addition, an SSL certificate renewal are all things a business can action with or without a technical team. Third, external scanning requires no access to your internal network, making it something you can run yourself rather than depending on an IT provider to run for you.
Internal scanning becomes more relevant as a business grows, as its internal infrastructure becomes more complex, and as it takes on a managed IT relationship where someone is responsible for the internal network on an ongoing basis.
Where Cyber Essentials sits in this
Cyber Essentials covers both external and internal controls, which is why its assessment combines automated external checks, the kind a scan handles, with self-assessment questions about internal controls like device configuration, access management, and patching. The external scan component maps directly to what an external vulnerability scanner produces. The self-assessment covers the internal picture that no external scan can reach.
Running an external scan like Olimpio before a Cyber Essentials assessment gives you visibility on the external findings an assessor would identify automatically, so you can fix them before they become part of your assessment result rather than after.
Frequently asked questions
Can an external scan see anything inside my office network? No. An external scan only reaches what's publicly accessible from the internet. Devices, servers, and systems not exposed to the internet are outside its scope.
Does my business need both types of scanning to be properly protected? For most small businesses, external scanning provides meaningful protection against the most likely threats. Internal scanning adds value as complexity grows, but it's not a prerequisite for getting meaningful security visibility.
How is external vulnerability scanning different from penetration testing? Penetration testing involves a human tester actively attempting to exploit vulnerabilities they find, often going further than automated scanning to understand whether a weakness can actually be used in an attack. Scanning identifies vulnerabilities; pen testing attempts to prove they're exploitable. Both are valid, but penetration testing is more expensive and typically suited to larger or higher-risk environments.
How often should an external scan run? Your external attack surface changes whenever you add new services, update DNS, change hosting, or add integrations. Scheduled regular scanning, rather than one-off checks, means changes don't create gaps in your visibility between manual scans.
Will an external scan affect my website's performance or availability? A properly conducted external scan should have no noticeable impact on a normal website's performance or availability.
Run a free external scan of your domain to see your attack surface exactly as an attacker would, with findings explained in plain English: olimpio.io/free-scan