Compliance scanning verifies that your network adheres to specific policy requirements. These policies can be mandated by law, by an industry, or by an individual company. Companies performing in-house compliance tests can use generic scanning tools to test their controls. Regulatory and industry compliance scanning, however, can be much more complex, with steep fines or even jail time for criminal non-compliance. For this reason, many organizations buy specialized software or even engage professional help when conducting regulatory compliance scans. Some organizations, such as the PCI Security Standards Council, publish a list of approved scanning vendors (ASVs).

You can conduct vulnerability scans to assist with compliance testing. If the compliance requirement is regulatory, check with your legal department to help determine the scope and depth required.

Note: A control is anything, technical or non-technical, that implements a security measure. It can include policies, procedures, training, configuration, and physical devices.