What is scanner coverage gap analysis?

Scanner coverage gap analysis is the operational discipline of identifying assets, surfaces, and vulnerability classes that no scanner in the programme is actively examining. It answers a different question than per-scan completeness: instead of asking whether the scan that ran caught everything, it asks which assets the programme never pointed a scanner at, which scan cadences leave windows of undetected change, which scanner classes the programme is missing entirely, and which authenticated surfaces the programme has no credentials to test. The output is a coverage map per asset and per scanner class that an auditor, security leader, or AppSec engineer can read to see where the assurance posture is honest and where it over-reports completeness because nothing is looking.

How is coverage gap analysis different from scanner coverage and limits?

Scanner coverage and limits describes the inherent envelope of each scanner class: what external DAST, authenticated DAST, SAST, SCA, container, and cloud configuration scanners can and cannot detect by design. Coverage gap analysis sits one layer up: it takes the envelopes as given and asks which envelopes the programme has deployed against which assets. A scanner can be capable of detecting a vulnerability class while still being absent from the asset, the asset can be inside the inventory without being inside any scan scope, and the scan scope can include the asset without the cadence ever running. The gap analysis surfaces those misalignments as a coverage map rather than as a per-scanner capability sheet.

How is coverage gap analysis different from false negative detection?

False negative detection asks whether a scanner that ran against an asset missed a vulnerability that was present. Coverage gap analysis asks whether any scanner ever ran against the asset at all, whether the right scanner class ran, whether the scan ran on a cadence that catches change in time, and whether the authenticated surface was reachable. The two are sequential disciplines. A false negative requires a scan to have happened; a coverage gap is the case where no scan happens or where the wrong scan happens. Programmes that operate false negative detection without coverage gap analysis discover that the worst misses are not the ones inside scanner output, they are the ones outside the scanner programme entirely.

How do you build a coverage map for the programme?

A defensible coverage map is a join between the asset inventory and the scan record. For each asset, the map records the scanner classes that have run against it, the most recent successful scan per class, the authentication state for authenticated scans, and the next scheduled scan per class. For each scanner class, the map records the assets in scope, the assets in inventory but out of scope, and the assets currently failing scans. The leadership view rolls up the per-asset rows into coverage rates per asset class (web applications with authenticated DAST, repositories with SAST and SCA, cloud accounts with configuration scanning, container registries with image scanning) and surfaces the trend over time. The audit view reads against the same map to evidence which assets the technical vulnerability management control actually covers. Programmes that maintain the map as a live artefact see gaps as a queue; programmes that reconstruct it for each audit discover gaps as findings during fieldwork.

How does asset inventory accuracy affect coverage gap analysis?

The coverage map is only as honest as the inventory it joins against. Three inventory failures break the analysis. The first is missing assets: services that exist in production but were never registered in the inventory, so the coverage map shows complete coverage of a subset that misses real surface. The second is stale assets: services that retired from production but stayed in the inventory, so the coverage map flags gaps that no longer matter and the team chases ghosts. The third is mis-identified assets: services that exist in the inventory under one canonical key while the scanner output references another, so the join breaks even though both records describe the same asset. The structural fix is keeping the inventory the source of truth for scope decisions, reconciling it against external sources (DNS records, certificate transparency logs, cloud account inventory, repository directory, container registry catalogue, package manifest scan), and treating the inventory-to-scan-record gap as a workstream rather than as a search exercise.

What external signals help surface shadow assets that the inventory missed?

Six external signals consistently surface assets that the internal inventory missed. Certificate transparency logs reveal subdomains that obtained TLS certificates, including assets stood up by other teams without going through the asset registration process. DNS enumeration against the apex domain reveals subdomain records the inventory did not capture. Public cloud account discovery against the cloud provider organisation root reveals workloads in accounts the security programme did not know existed. Repository directory listings against the version control organisation reveal repositories outside the registered set. Container registry catalogue listings reveal images outside the scan scope. Vendor and partner attestation reveals SaaS instances and third-party hosted assets that operate under the brand without being in any internal inventory. None of these signals is complete on its own, and each produces a fresh inventory queue that the security engineering or asset management team has to reconcile against the system of record.

How does scanner-class gap affect coverage assurance?

No single scanner class produces complete coverage for any asset class. A web application needs external DAST for the public surface, authenticated DAST for the protected surface, SAST for the source code, SCA for the dependency tree, and container or VM scanning for the runtime. A repository needs SAST for the code, SCA for the dependencies, secret scanning for credentials, and IaC scanning for the infrastructure manifests. A cloud account needs configuration scanning for the control plane, identity scanning for the IAM model, container image scanning for the workloads, and posture scanning for the resource graph. Programmes that operate one or two scanner classes against an asset that needs four or five inherit a scanner-class gap that no per-scan tuning will close. The fix is matching scanner classes to asset class at scope-design time rather than discovering the gap after a missed finding surfaces through a pentest or incident.

How do compliance frameworks read coverage gap evidence?

Most frameworks read coverage assurance as a control objective even when they do not name it as "coverage". ISO 27001 Annex A 8.8 expects technical vulnerability management to apply to the assets in scope, which implicitly requires evidence that scope is complete and that scans run against it. SOC 2 CC7.1 system monitoring expects detection capability across the system boundary, which implicitly requires evidence that detection actually reaches each component. PCI DSS Requirement 11.3 expects internal and external vulnerability scanning of all in-scope systems on a defined cadence, which directly tests asset-level coverage. NIST 800-53 RA-5 vulnerability monitoring and SI-2 flaw remediation expect monitoring of the information system, which the assessor reads against the asset list. NIST CSF 2.0 ID.AM asset management and DE.CM continuous monitoring create a paired control where inventory completeness drives detection coverage. CIS Controls v8.1 Controls 1 and 2 (inventory of enterprise assets and software) feed Control 7 (continuous vulnerability management) for the same reason. Auditors that compare the inventory to the scan record find coverage gaps as control observations; programmes that maintain the coverage map as a live artefact discover the same gaps as queue items rather than as audit findings.

What anti-patterns recur in programmes operating without coverage gap analysis?

Six anti-patterns recur in programmes that ship scanner reports without an underlying coverage map. The first is reading scan output as evidence of coverage rather than evidence of detection: a clean scanner report against five assets is not assurance for the fifty assets the scanner never touched. The second is treating scope as static: the asset inventory grows, but the scan scope does not, so coverage erodes silently. The third is reading authenticated coverage as binary rather than per-role: the scan ran authenticated, therefore the authenticated surface is covered, while in reality only one role profile out of six was exercised. The fourth is conflating cadence with continuous coverage: a quarterly scan against an asset changing weekly is not continuous coverage of that asset. The fifth is propagating coverage assumptions across asset classes that need different scanner stacks: a strong external scan programme is assumed to cover repositories, container images, and cloud configurations that need entirely different scanner classes. The sixth is treating shadow-asset discovery as out of scope: assets that the team did not register are treated as not the security programme problem, until they become the security programme problem at incident time. A defensible coverage map names each anti-pattern as a measurable signal so the programme drives the gap rate down across cycles rather than discovering it as an external finding.

How does SecPortal support scanner coverage gap analysis?

SecPortal records each scan as a durable artefact rather than as a transient log. The scan record carries the target, the modules that ran, the modules that failed or partially completed, the authentication state for authenticated scans, the findings emitted, and the activity log entries for each step. External scanning, authenticated scanning, and code scanning (Semgrep SAST and dependency SCA against repositories connected through GitHub, GitLab, and Bitbucket OAuth) feed the same engagement record, so the coverage view per asset reads against a single workspace rather than against three separate tool consoles. The findings management feature pairs scanner output with manual entries against 300+ templates with pre-set CVSS 3.1 vectors, so the asset-level record shows where manual testing has supplemented scanner coverage and where it has not. Bulk finding import accepts Nessus, Burp Suite, and CSV exports against an engagement, so coverage data from third-party scanners owned by other teams can land on the same workspace as native SecPortal scans. Verified domain management gates external and authenticated scans against the same verified asset set, so the coverage map is anchored to the verified inventory rather than to an ad-hoc target list. The activity log captures every scan, finding, and override transition with CSV export, so the audit trail supports the coverage analysis with actor and date for each step. Honest scope: SecPortal does not currently ship a packaged coverage-gap dashboard that joins inventory against scan records automatically, does not integrate with external asset management platforms or CMDB sources through packaged connectors, and does not discover shadow assets through certificate transparency, DNS enumeration, or cloud account discovery feeds; programmes that need those signals operate them through their existing attack-surface management tooling and bring the resulting asset list into SecPortal as the verified target set. SecPortal records each scan against the verified asset set with enough fidelity that the coverage analysis runs from the scan record and the activity log without reconstruction across tools.

When should a programme run a coverage gap review?

Four cadences carry the work. A quarterly programme-level coverage review reads the coverage map against the inventory and surfaces the standing gap rate per asset class; this cadence catches the cadence-gap and scanner-class-gap accumulation. A change-event coverage review triggers on each material asset event (new acquisition, new product launch, new cloud account, new repository onboarded) and confirms the new asset has scan coverage before going live; this cadence catches the shadow-asset-at-birth pattern. An audit-prep coverage review runs ahead of each annual or quarterly external assessment and produces the coverage evidence pack the auditor will read; this cadence converts the operational coverage map into the assessment-ready artefact. An incident or near-miss review re-reads the coverage map against the affected asset class after any external surface event (pentest finding, bug bounty submission, post-incident root cause) and adjusts the scan scope, cadence, or scanner-class assignment so the same gap does not recur. Programmes that operate all four cadences treat coverage as a managed property of the scan programme; programmes that run only one or two discover the rest as recurring audit observations.

← Back to Scanner Information

Scanner guide17 min read

Scanner Coverage Gap Analysis: Find Unscanned Assets and Blind Spots

A clean scanner report says nothing about the assets the scanner never touched. Coverage assurance is a separate discipline from per-scan completeness. Programmes that read scanner output as proof of coverage typically over-report assurance by the share of assets that sit outside the scan scope, the share of scanner classes the programme does not run, the share of cadence cycles that miss change windows, and the share of authenticated roles that never get exercised. The gaps surface as pentest findings, bug bounty reports, post-incident root causes, and audit observations because the programme had no internal signal to surface them first.

This guide covers what scanner coverage gap analysis is and how it differs from per-scan false negative detection, the five gap classes a programme has to manage (asset-level, scanner-class, cadence, authentication-depth, shadow-asset), how to build a coverage map that joins the inventory against the scan record, how external signals surface shadow assets the inventory missed, how compliance frameworks read coverage as a control objective, the recurring anti-patterns programmes inherit without an explicit coverage discipline, the four review cadences that keep the map honest, and how internal security, AppSec, vulnerability management, cloud security, security engineering, and GRC teams operate the map as a workspace artefact rather than as a reconstruction during audit fieldwork.

Coverage gap analysis versus per-scan completeness

Two disciplines sit next to each other and produce different evidence. Per-scan completeness asks whether a scan that ran against an asset detected everything it should have detected. Coverage gap analysis asks whether any scan ever runs against the asset, whether the right scanner classes run, whether the cadence matches the asset change rate, and whether the authenticated surface is reachable. The two disciplines are sequential. A false negative requires a scan to have happened; a coverage gap is the case where no scan happens, where the wrong scan happens, or where the scan misses an entire role profile of the protected surface.

Programmes typically discover the gap class by accident. A pentest against a production web application surfaces a vulnerability behind the admin panel; the team checks the scan history and discovers that the authenticated DAST profile only ever logged in as a registered user and never exercised the admin surface. A bug bounty researcher reports an issue on a subdomain; the asset register does not list the subdomain because it was stood up by another team three quarters ago without going through the registration process. An incident post-mortem identifies an outdated dependency in a container image; the container registry was never inside the image scan scope because the registry came from a recent acquisition that the central programme had not absorbed yet. Each of these is a coverage gap, not a false negative. The scanner false negatives guide covers the case where a scan ran and missed; this guide covers the case where the scan never happened or was directed at the wrong surface.^1,5,7,9

The leverage point matters. Closing a per-scan false negative is a scanner tuning problem (better rules, better authentication harness, better coverage signals). Closing a coverage gap is a programme-design problem (better inventory, better scope, better cadence, better scanner-class assignment). Programmes that conflate the two end up tuning scanner rules to close gaps that no rule change will reach.

The five coverage gap classes

Five gap classes carry the operational load in mature programmes. Each class has a different mitigation, a different operating signature, and a different audit consequence. Classifying the gap before attempting to close it is the difference between a queue that drains and a backlog that grows.

Asset-level gap

Assets in the inventory that no scanner ever runs against. The pattern recurs on acquisition-era domains that never made it into central scope, abandoned subdomains parked on the DNS but absent from the scan target list, internal services that ship to production without going through the asset registration process, and container registries set up by adjacent teams without the scan-onboarding handoff. The asset exists, the inventory knows about it, but no scanner is configured to look. The mitigation is a quarterly reconciliation between the inventory and the scan target set, with the delta becoming an onboarding queue rather than a search exercise.

Scanner-class gap

An asset that runs against one scanner class but is missing the others it needs. A web application with external DAST but no authenticated DAST, a repository with SCA but no SAST, a cloud account with configuration scanning but no container image scanning, an API with API security scanning but no source-side review. The asset has some coverage; the coverage does not match the threat surface for the asset class. The mitigation is matching scanner classes to asset class at scope-design time rather than discovering the gap after a missed finding surfaces through a pentest or incident.

Cadence gap

A scan exists but runs less often than the asset changes. A web application redeploying daily with a weekly authenticated DAST cadence carries roughly six days of undetected post-deploy state per week. A container image rebuilding on each pull request with a weekly image scan cadence accumulates drift between every scan. A cloud account with quarterly configuration scanning has thirteen weeks of undetected drift per cycle. The mitigation is matching cadence to change rate per asset class rather than picking a single cadence for the programme.

Authentication-depth gap

An authenticated scan exists but covers a subset of roles. Most production web applications have several role profiles (anonymous, registered user, paid user, administrator, partner, internal user) and the security boundary between roles is one of the highest-value targets for testing. A scan that runs only as a registered user never exercises the administrator boundary; a scan that runs only as an administrator never exercises the anonymous boundary. The mitigation is recording authenticated coverage per role on the scan record, treating each role as a distinct authenticated profile, and operating a multi-profile rotation rather than a single-profile baseline. The scanner authentication failure modes guide covers the six failure classes that produce the worst-case authentication-depth pattern: the scan reports completion against an authenticated profile, but the login never succeeded.

Shadow-asset gap

Assets that exist in production but are not in any inventory the scanner programme reads. The pattern recurs across acquisitions (subsidiary domains acquired through mergers that never got integrated into the central inventory), product team spin-ups (engineering teams stood up infrastructure without going through the asset registration process), legacy systems (services that predate the inventory and were never back-filled), and partner integrations (third-party hosted assets that operate under the brand without being on-prem or in the central cloud account). The first time the asset gets attention is usually a bug bounty report, a pentest finding, or an incident. The mitigation is treating shadow-asset discovery as a continuous workstream feeding the inventory, not as a one-off exercise.

Building the coverage map

A defensible coverage map is a join between the asset inventory and the scan record. Each row in the per-asset view records the scanner classes that have run against the asset, the most recent successful scan per class, the authentication state for authenticated scans, and the next scheduled scan per class. The leadership view rolls the per-asset rows into coverage rates per asset class and surfaces the trend over time. The audit view reads against the same map to evidence which assets the technical vulnerability management control actually covers.

Asset class	Scanner classes typically required	Coverage signal to track
External web application	External DAST, authenticated DAST per role, SAST and SCA against source, container scanning if containerised	Per-role authenticated coverage rate, last successful scan per class, cadence vs deploy rate
API endpoint	API security scanning with authenticated profile, SAST and SCA against source, runtime traffic analysis if available	API schema versions covered, authenticated token classes exercised, route coverage
Source repository	SAST, SCA, secret scanning, IaC scanning if infrastructure manifests present	Branch coverage, pull-request scan rate, scheduled-baseline cadence, language coverage
Container image	Image scanning at build, image scanning at registry, runtime image scanning if available	Image-version coverage rate, scan-on-push success rate, registry catalogue match against scan scope
Cloud account	Configuration scanning, identity scanning, posture scanning across the resource graph	Account coverage rate against organisation root, region coverage, service-class coverage
Internal network service	Internal vulnerability scanning, authenticated scanning where credentials exist, host-based scanning if endpoint-managed	Network range coverage, credential coverage rate, last successful scan per host

The map is only as honest as the inventory it joins against. The structural fix is keeping the inventory the source of truth for scope decisions, reconciling it against external sources (DNS records, certificate transparency logs, cloud account inventory, repository directory, container registry catalogue, package manifest scan), and treating the inventory-to-scan-record gap as a workstream rather than as a search exercise.^2,6,7,8

External signals that surface shadow assets

The shadow-asset gap is the gap the internal inventory cannot close on its own, because the asset never made it into the inventory. Six external signals consistently surface assets that the internal inventory missed. Each signal produces a fresh inventory queue that the security engineering or asset management team has to reconcile against the system of record before the asset can enter scan scope.

Certificate transparency logs.Subdomains that obtained TLS certificates appear in the public CT logs, including assets stood up by other teams without going through the asset registration process. Monitoring the CT logs for the apex domain produces a queue of certificate-bearing subdomains that the inventory may or may not know about.
DNS enumeration. Active enumeration against the apex domain reveals subdomain records the inventory did not capture, including services hosted on cloud providers, on partner infrastructure, or on acquired infrastructure.
Public cloud account discovery. Inventory traversal against the cloud provider organisation root reveals workloads in accounts the security programme did not know existed. The signal is the difference between the central account list and the cloud organisation account inventory.
Repository directory. Listing the version control organisation reveals repositories outside the registered set. Active repositories with code activity but no scan history are a clean signal of the scanner-class gap on a known repository or the shadow-asset gap on an unregistered repository.
Container registry catalogue. Listing the registry reveals images outside the scan scope, especially in programmes that operate multiple registries (a central production registry plus team-owned development registries).
Vendor and partner attestation. SaaS instances and third-party hosted assets that operate under the brand do not appear in any internal scan source. Periodic attestation requests against the vendor inventory surface the SaaS and partner-hosted surface that the scan programme cannot reach directly.

None of these signals is complete on its own. Certificate transparency catches certificate-bearing assets but not those that use IP addresses or shared certificates. DNS enumeration catches DNS-resolvable assets but not those that operate without a public name. Cloud account discovery catches workloads in registered cloud accounts but not those hosted on personal or unregistered accounts. Repository directory catches version-controlled code but not artefacts hosted outside version control. Container catalogue catches registered images but not those built directly in production environments. Vendor attestation catches declared third-party usage but not undeclared shadow vendors. The discipline is running multiple signals against each asset class and treating the resulting inventory queue as continuous rather than as a quarterly clean-up.^11,12,13

Cadence-gap mathematics

The cadence-gap class is the easiest to reason about quantitatively. A scan that runs once per cadence cycle covers the asset state at one point per cycle. The window between two scans accumulates undetected change at the rate the asset changes. The fix is not picking a uniform programme cadence; it is matching the cadence to the change rate per asset class.

Asset change pattern	Defensible scan cadence	Cadence-gap signal
Multiple deploys per day	Continuous or on-deploy scanning, daily authenticated DAST baseline	Days between scan and material change exceeds one
Weekly deploys	Weekly authenticated DAST, daily external DAST against the perimeter	More than one deploy lands between scan cycles
Monthly deploys	Monthly authenticated DAST, weekly external DAST	Multiple deploys land before the next scheduled scan
Quarterly or rare changes	Quarterly authenticated DAST, monthly external DAST, on-change override	Material change without an associated on-change scan

Programmes that operate a single cadence across all assets typically over-scan stable assets and under-scan changing ones. The cadence-gap finding most often surfaces on the highest-velocity assets because those are the ones moving fastest between scheduled scans. The scan scheduling and baseline cadence guide covers how to design cadence per asset class, when to override the schedule with an on-change scan, and how to read the diff between two scan baselines so cadence drives remediation rather than producing a stack of static reports.

How compliance frameworks read coverage evidence

Most frameworks read coverage assurance as a control objective even when they do not name it as coverage explicitly. The paired controls between inventory and detection appear in every major framework; auditors read coverage gaps as control observations when the two records diverge.

ISO 27001 Annex A 8.8 expects technical vulnerability management to apply to the assets in scope. The paired Annex A 5.9 inventory of information and other associated assets sets the asset list that 8.8 has to cover. Evidence read includes the inventory itself, the scan target list derived from the inventory, and the reconciliation between them.^1,2
SOC 2 CC7.1 system monitoring expects detection capability across the system boundary. Coverage of the boundary is the implicit object; assets inside the boundary that have no detection produce a control gap rather than a tuning observation.³
PCI DSS Requirement 11.3 expects internal and external vulnerability scanning of all in-scope systems on a defined cadence. The assessor verifies the asset list against the scan record directly, and any in-scope asset without a recent successful scan against the required class produces an observation.⁴
NIST 800-53 RA-5 vulnerability monitoring expects monitoring of the information system; the paired CM-8 system component inventory sets the asset list. The assessor reads the two together. SI-2 flaw remediation closes the loop on the detection side.^5,6
NIST CSF 2.0 ID.AM asset management and DE.CM continuous monitoring create the same paired control structure: inventory completeness drives detection coverage, and the framework treats the join between them as evidence.⁷
CIS Controls v8.1 Control 1 (inventory of enterprise assets) and Control 2 (software inventory) feed Control 7 (continuous vulnerability management) for the same reason. The numbered controls make the coverage chain explicit rather than implicit.^8,9

Auditors that compare the inventory to the scan record find coverage gaps as control observations during fieldwork. Programmes that maintain the coverage map as a live artefact discover the same gaps as queue items between audits. The cost of the same gap is materially different at the two points in the cycle.

Anti-patterns that produce silent coverage gaps

Six anti-patterns recur in programmes that ship scanner reports without an underlying coverage map. Each pattern produces a coverage gap that the scanner output does not surface, because the scanner output does not know what the scanner did not see.

Reading scan output as evidence of coverage rather than evidence of detection. A clean scanner report against five assets is not assurance for the fifty assets the scanner never touched. The scan record evidences what the scanner did against the targets it was given; coverage assurance requires the join between the target set and the inventory.
Treating scope as static. The asset inventory grows, but the scan scope does not, so coverage erodes silently. Each new asset that should have entered scope but did not is a coverage gap that the programme inherits.
Reading authenticated coverage as binary rather than per-role. The scan ran authenticated, therefore the authenticated surface is covered, while in reality only one role profile out of six was exercised. The remaining roles are an authentication-depth gap that the binary signal hides.
Conflating cadence with continuous coverage. A quarterly scan against an asset changing weekly is not continuous coverage of that asset. The cadence gap accumulates undetected change between cycles even though every cycle reports a clean run.
Propagating coverage assumptions across asset classes that need different scanner stacks. A strong external scan programme is assumed to cover repositories, container images, and cloud configurations that need entirely different scanner classes. The implicit coverage claim is wider than the actual scanner-class coverage.
Treating shadow-asset discovery as out of scope. Assets that the team did not register are treated as not the security programme problem, until they become the security programme problem at incident time. The structural fix is treating the gap between the public asset surface and the registered inventory as a security workstream rather than as an asset management workstream.

Each anti-pattern produces a coverage shortfall that scanner output cannot reveal, because the scanner output is the wrong evidence source for the question. The fix is treating coverage as a property of the programme that gets measured against the inventory rather than as a property of the scanner that gets measured against the scan target list.

The four coverage review cadences

Coverage assurance is a live property of the programme, not an audit artefact. Four review cadences keep the coverage map honest across the year.

Quarterly programme-level coverage review

The coverage map reads against the inventory and surfaces the standing gap rate per asset class. The cadence catches the cadence-gap and scanner-class-gap accumulation that builds up across the quarter. The output is a queue of onboarding actions for the next quarter, not a report for the auditor.

Change-event coverage review

Each material asset event (new acquisition, new product launch, new cloud account, new repository onboarded) triggers a coverage review against the new asset before it goes live. The cadence catches the shadow-asset-at-birth pattern where assets ship to production faster than the inventory and the scan scope can absorb them.

Audit-prep coverage review

Each annual or quarterly external assessment runs against the coverage map. The cadence converts the operational coverage map into the assessment-ready artefact. Programmes that maintain the map continuously see the audit-prep review as a snapshot; programmes that reconstruct it produce audit findings during fieldwork.

Incident or near-miss coverage review

Any external surface event (pentest finding, bug bounty submission, post-incident root cause) triggers a re-read of the coverage map against the affected asset class. The cadence adjusts the scan scope, cadence, or scanner-class assignment so the same gap does not recur. The output is an operating change, not a one-off remediation.

How SecPortal supports scanner coverage gap analysis

SecPortal records each scan as a durable artefact rather than as a transient log. The scan record carries the target, the modules that ran, the modules that failed or partially completed, the authentication state for authenticated scans, the findings emitted, and the activity log entries for each step. The combination is what lets a programme tell coverage from completion before reading the findings as evidence.

Three scanner classes feed the same engagement record. The external scanning feature covers TLS, headers, ports, DNS, exposed paths, and subdomain enumeration against verified domains. The authenticated scanning feature covers post-login coverage with encrypted credential storage. The code scanning feature runs Semgrep SAST and dependency SCA against repositories connected through GitHub, GitLab, and Bitbucket OAuth. Findings from all three classes land on the same findings record per engagement, so the coverage view per asset reads against a single workspace rather than against three separate tool consoles.

The findings management feature pairs scanner output with manual entries against 300+ templates with pre-set CVSS 3.1 vectors, so the asset-level record shows where manual testing has supplemented scanner coverage and where it has not. Bulk finding import accepts Nessus, Burp Suite, and CSV exports against an engagement, so coverage data from third-party scanners owned by other teams can land on the same workspace as native SecPortal scans.

The domain verification feature gates external and authenticated scans against the verified asset set, so the coverage map is anchored to the verified inventory rather than to an ad-hoc target list. The continuous monitoring feature runs external and authenticated scans on daily, weekly, biweekly, or monthly cadence against the verified asset set, so the cadence-gap analysis runs against scheduled scan history rather than against ad-hoc execution. The attack surface management feature extends the perimeter visibility through subdomain enumeration and exposure checks that feed the asset-level coverage rows.

The activity log captures every scan, finding, and override transition with CSV export, so the audit trail extends to the actor and the date for each step. When the audit asks why a given asset has a coverage profile that it does, the activity log is the source of truth for the scope decisions, the scheduled scan history, and the result of each scan.

Honest scope: SecPortal does not currently ship a packaged coverage-gap dashboard that joins an external inventory or CMDB source against scan records automatically, does not integrate with external asset management platforms or CMDB sources through packaged connectors, and does not discover shadow assets through certificate transparency, DNS enumeration of arbitrary apex domains the workspace does not own, or cloud account discovery feeds outside the verified asset set. Programmes that need those signals operate them through their existing attack-surface management tooling and bring the resulting asset list into SecPortal as the verified target set. SecPortal records each scan against the verified asset set with enough fidelity that the coverage analysis runs from the scan record and the activity log without reconstruction across tools.

An operational checklist

At inventory reconciliation

Compare the asset inventory against the scan target list and produce the asset-level gap queue.
Run certificate transparency, DNS enumeration, cloud account discovery, repository directory, and container catalogue scans against the asset surface and reconcile the queue against the inventory.
Treat each delta as a workstream item rather than as a search result.

At scope design

Map scanner classes to asset class and produce the scanner-class gap queue for each asset class that is missing a required class.
Confirm authenticated scans cover each role profile, not only the default role.
Define cadence per asset class based on the asset change rate, not on a single programme cadence.

At scan execution

Confirm scheduled scans dispatched on cadence and record any missed cycles as cadence-gap events.
Confirm authenticated session establishment for each role profile and record the result as an authentication-depth signal.
Capture per-module status on the scan record so partial completion does not get read as coverage.

At quarterly programme review

Read the coverage map per asset class and surface the standing gap rate.
Review external surface events (pentest findings, bug bounty submissions, post-incident root causes) against the coverage map and adjust scope, cadence, or scanner-class assignment.
Produce the assessment-ready coverage evidence pack against the framework controls that read coverage as evidence.

Related disciplines

Coverage gap analysis sits inside the broader scan governance stack. The pages below cover the upstream inventory and scope disciplines and the downstream detection and evidence disciplines that close the loop.

Scanner coverage and limits: the static envelope per scanner class. The capability map this guide assumes as an input when designing the scanner-class assignment per asset class.
Scanner false negatives and undetected vulnerabilities: the discipline that surfaces misses by scanners that ran. The complementary question this guide does not address: did the scan that ran catch what it should have caught?
Scan scoping and target selection: the upstream decision that produces the scan target list. The asset-level gap starts when the target list does not match the inventory.
Scan scheduling and baseline cadence: the discipline that decides how often scans run. The cadence-gap closes by matching the cadence to the asset change rate.
Scanner authentication failure modes: the discipline that prevents the worst authentication-depth gap, where the scan completes but never actually authenticated.
Scanner finding to asset binding: how findings tie to the asset record. A coverage map cannot read against the asset register if findings do not bind to assets consistently.
Scanner output normalised asset resolution: the upstream discipline that produces a single canonical asset key across scanners. Without consistent asset resolution, the coverage map double-counts or misses assets in the join.
Security testing program management: the leadership-level operating view where coverage assurance reads against the broader testing programme.
Continuous threat exposure management explained: the broader CTEM framing where coverage gap analysis sits as one of the scoping and discovery disciplines.
External attack surface management explained: the EASM discipline that feeds shadow-asset discovery into the inventory queue before the scan programme can act on it.

The aggregate picture is that scanner output is necessary but not sufficient evidence of coverage. The honest assurance posture reads the coverage map against the inventory and surfaces the gap rate per asset class as a measurable property of the programme. Programmes that operate the map as a live artefact drive the gap rate down across cycles; programmes that read scanner output as coverage discover the same gaps through pentests, bug bounty submissions, incidents, and audit observations.

Scope and limitations

Scanner coverage gap analysis is a discipline that joins the asset inventory against the scan record. No platform produces the analysis without an inventory it can read and a scan record it can join against. SecPortal records the scan-record side of the join with the verified asset set as the inventory anchor; the programme still has to maintain the inventory itself and reconcile it against external signals (certificate transparency, DNS enumeration, cloud account discovery, repository directory, container catalogue, vendor attestation) that surface shadow assets.

Programmes looking for an automated coverage-gap signal usually find the same two failure modes. Tooling that infers gaps from asset counts produces noise when the inventory is incomplete; tooling that infers gaps from external feeds produces noise when the feeds list assets the programme does not own. Both failure modes recover when the gap signal feeds an inventory queue that human triage promotes into the scan scope. The discipline is treating the queue as the operating output rather than as a search result.

Frequently Asked Questions

Sources

Run scans on a record that ties coverage to the verified asset set

SecPortal records external, authenticated, and code scans against verified assets on a single workspace. Pair scanner output with manual entries on the same engagement to surface coverage gaps before they become incidents.

Start free See the programme view