Magnifying glass inspecting document text

It’s a reasonable assumption that a mature vulnerability management programme already covers cryptographic risk — after all, both scan infrastructure and produce findings. In practice, the two disciplines ask different questions, and a strong vulnerability management programme can coexist with almost total blindness to cryptographic exposure.

What Vulnerability Scanning Actually Looks For

Vulnerability scanners are built to identify known weaknesses — unpatched software, missing security updates, misconfigurations that match a signature or CVE database. The question being asked is essentially: “does this system have a known flaw that’s been publicly catalogued?”

What Cryptographic Discovery Actually Looks For

Cryptographic discovery asks a structurally different question: “what cryptographic algorithms, key lengths, certificates and libraries are actually in use here, and what do they protect?” A quantum-vulnerable algorithm like RSA-2048 isn’t a “vulnerability” in the CVE sense — it’s not a bug, it’s functioning exactly as designed. It’s a structural exposure that only becomes relevant against a threat model most vulnerability scanners were never built to assess.

Why This Gap Persists in Mature Programmes

A CVE-based scanner will flag an outdated TLS library version. It generally won’t flag “this service negotiates ECDHE key exchange with no post-quantum hybrid option” — because that’s not a flaw against the scanner’s own reference database, it’s a structural property of the current cryptographic landscape that requires a different kind of assessment entirely.

Complementary, Not Competing

The two disciplines aren’t in tension — a mature security programme needs both. Vulnerability management catches known, cataloguable flaws quickly. Cryptographic discovery, structured as a continuous Enterprise CBOM rather than a signature-matching exercise, is what surfaces the exposure that vulnerability scanning was never designed to see in the first place.

Scroll to Top