Greenbone Cloud Service (GCS)
The Greenbone Cloud Service (GCS) is the hosted, subscription-based version of Greenbone vulnerability management: you log in to a web platform and scan your systems, with no appliance of your own to install or maintain. This chapter covers how GCS differs from the self-hosted appliance, account creation and login with two-factor authentication, the platform UI, user/team/account and subscription/billing settings, running external and internal scans (including the cloud gateway needed for internal targets), authenticated scans and per-OS credential requirements, reports and vulnerability management, and the key networking FAQ items.
Based on the official Greenbone Cloud Service manual at docs.greenbone.net (GCS-Manual, English edition), retrieved June 2026. GCS is the SaaS option - distinct from the self-hosted Greenbone Enterprise Appliance and the free Community Edition. UI labels, menu paths, and technical values below are taken from that manual; where the manual does not state a detail, the text is kept general rather than invented.
1. What GCS is and how it differs from the appliance
Vulnerability management, in Greenbone's framing, means looking at your IT infrastructure from the outside - the way a potential attacker would - to identify weaknesses, assess their risk, and recommend remediation, then repeating the cycle continuously. GCS delivers that as a service: the manual describes it as "an easy-to-use high-quality service for vulnerability management." You register, log in, and work from anywhere through a browser. Subscriptions are package-based and can be cancelled monthly, and they let you scan external, DMZ, and internal networks.
The practical contrast with the self-hosted product:
| Aspect | Greenbone Cloud Service (SaaS) | Self-hosted appliance / Community Edition |
|---|---|---|
| Who runs the scanner | Greenbone hosts and maintains the scanning infrastructure | You install, run, and update the appliance or Community Edition yourself |
| What you operate | A web platform plus, for internal scans, a small gateway VM in your network | The full scanner host (physical, virtual, or container) |
| Where you start scans | The GCS web platform (browser) | The appliance web interface (GSA) on your own host |
| Reaching internal targets | Requires a downloadable gateway virtual appliance that connects out to the cloud | The appliance already sits inside your network |
| Commercial model | Subscription packages, cancellable monthly; billing and invoices handled in the platform | Appliance subscription/feed for Enterprise; the Community Edition is free |
The introduction in the GCS manual does not itself spell out a feature-by-feature comparison against the appliance or the Community Edition, so treat the table above as the architectural difference rather than a quoted matrix. For the self-hosted side, see the Greenbone / OpenVAS Guide.
2. Read before use
A vulnerability scan is an active interaction with the target. The manual is explicit that the scanner "still needs to interact and communicate with the target systems being analyzed during a scan," including protocol probes (for example HTTP and FTP) to identify services. Expect side effects:
- Log and alert entries on target systems and network devices.
- Triggered security measures (firewall rules, IDS/IPS reactions).
- Increased latency on the target and on the scanned network.
- Possible crashes of fragile applications, especially embedded systems.
- Banner grabbing over SSH/FTP and possible account lockouts from password tests.
Before scanning, obtain explicit authorization and add the scanner IP addresses to your allowlists. The manual's reasoning is blunt: triggering faults, crashes, or lockouts with default settings means an attacker could do the very same thing. For external targets, GCS additionally enforces ownership through host validation (section 5.2).
3. Accessing the platform
3.1 Creating a user account
New accounts are created on the registration page:
Open the browser and go to the Greenbone Cloud Service URL
-> Register
-> enter e-mail and password (optionally enable "Security News")
-> Next
-> enter company details
-> Next
-> tick the consent boxes for terms of use and privacy policy
-> Create free account
New accounts start as free trial accounts and can later be converted to paid accounts. The main user can invite additional users into their team.
3.2 Logging in
Open the browser, enter the GCS URL, and log in with the e-mail address and password. After a successful login the Scan Management page is shown. The display language can be switched from the top of the page, and a forgotten password is reset via "Forgotten your password?".
3.3 Structure of the platform
The platform is built from two recurring UI patterns:
- List pages show all objects of one type - scans, scan tasks, targets, login credentials, schedules, and gateways. You can search by object name and sort ascending/descending by clicking a column header.
- Detail overlays open when you click an underlined object name, revealing additional information without leaving the list page.
3.4 Getting support
The Help menu provides the glossary (basic terms), the user manual (step-by-step instructions), and legal information (terms and privacy policy).
4. User, team, account, and subscription settings
The settings area (manual chapter 4) covers personal, security, team, and commercial configuration:
- Language - change the platform language.
- Notifications - enable scan summaries and completed-scan notifications (see section 8).
- Security - change your password and set up two-factor authentication.
- Teams - add users, (de)activate team members, change the main user, and delete the account.
- Subscription - change the subscription scope or terminate the subscription.
- Billing - change billing information and download invoices.
- Managed-security settings - configure the managed-security options where applicable.
4.1 Two-factor authentication
Two-factor authentication (2FA) is configured under the security settings (Setting up Two-Factor Authentication). Enabling it adds a second factor on top of the e-mail/password login.
The main user controls the team, the subscription scope, and billing. Protecting that account with 2FA limits the blast radius if a password leaks.
4.2 Subscription and billing
Subscriptions are package-based and cancellable monthly. From the settings you can change the subscription scope (for example the size of the network you are licensed to scan), terminate the subscription, edit billing information, and download invoices. What happens when a subscription ends is covered in the FAQ (section 10).
5. Running scans
GCS offers two entry points: a guided Task Wizard and a manual configuration with full control. Both build on the same objects - target, task, credentials, gateway, and schedule.
5.1 The Task Wizard
Scan Management
-> + Prepare New Scan Task with Wizard
-> Let's go!
-> enter a task name and choose a scan configuration -> Save and Continue
-> select an existing target OR + Create New Target -> Save and Continue
-> (optional) select or create login credentials -> Save and Continue
-> (optional) select or create a schedule -> Save and Continue
-> for an external target: Request Host Validation
-> Prepare Scan
The task then appears on Scan Management with status Available; click the start icon to run it. The page auto-refreshes as the scan progresses.
The Task Wizard supports external (internet-facing) targets only. To scan internal systems you must configure a target and a gateway manually (sections 5.3 and 5.4).
5.2 External targets and host validation
External targets are created under Scan Configuration > Targets > External Targets > + Create New External Target. Key fields include the target name, an optional description, the Target mode (IP Address or Hostname, fixed after creation), the hosts to be scanned, an optional excluded-hosts list, the Alive test method, a Port list, and optional login credentials for SSH, SMB, and ESXi.
Hosts can be entered as single addresses, ranges, CIDR blocks, or IPv6 addresses, for example:
192.168.15.5
192.168.15.5-192.168.15.27
192.168.15.0/24
fe80::222:64ff:fe76:4cea
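An added example, not taken from the GCS manual or the platform: a pre-flight check that parses the four host-entry forms shown above (IP Address target mode only), subtracts the excluded hosts, and lists anything that is not inside the ranges you are authorized to scan. The function names and the `authorized` scope list are assumptions made for this illustration.

```python
import ipaddress

def parse_entry(entry):
    """Turn one host entry (address, first-last range, or CIDR) into networks."""
    entry = entry.strip()
    if "-" in entry:  # range form, e.g. 192.168.15.5-192.168.15.27
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    # A single address becomes a /32 or /128; CIDR with host bits set is rejected.
    return [ipaddress.ip_network(entry, strict=True)]

def subtract(nets, excluded):
    """Remove every excluded network from nets using CIDR arithmetic."""
    for exc in excluded:
        remaining = []
        for net in nets:
            if net.version != exc.version or not net.overlaps(exc):
                remaining.append(net)
            elif not exc.supernet_of(net):  # partly excluded: keep the rest
                remaining.extend(net.address_exclude(exc))
        nets = remaining
    collapsed = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        collapsed += ipaddress.collapse_addresses(
            [n for n in nets if n.version == version])
    return collapsed

def plan_targets(hosts, excluded=(), authorized=()):
    """Return the effective target set and the parts outside the authorized scope."""
    nets = [n for e in hosts for n in parse_entry(e)]
    effective = subtract(nets, [n for e in excluded for n in parse_entry(e)])
    scope = [ipaddress.ip_network(a) for a in authorized]
    outside = [n for n in effective
               if not any(n.version == s.version and n.subnet_of(s) for s in scope)]
    return {
        "addresses": sum(n.num_addresses for n in effective),
        "effective": [str(n) for n in effective],
        "out_of_scope": [str(n) for n in outside],
    }

if __name__ == "__main__":
    # Host entries are the examples from this page; scope and exclusion are constructed.
    plan = plan_targets(
        hosts=["192.168.15.5", "192.168.15.5-192.168.15.27",
               "192.168.15.0/24", "fe80::222:64ff:fe76:4cea"],
        excluded=["192.168.15.1"],
        authorized=["192.168.15.0/24"],
    )
    print(plan["addresses"], "addresses;", "out of scope:", plan["out_of_scope"])
```

Overlapping entries are counted once, and a network that is only partly inside the authorized scope is reported as out of scope in full.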
Scanning an external target is not possible until its ownership is validated. There are three validation paths:
- Owner self-validation - open Request Host Validation, tick I Am The Owner, then Validate Host. You confirm you are authorized and accept responsibility for the scan's effects.
- Contact via RIPE NCC - GCS looks up the registered contact for the address in the RIPE NCC registry and sends a request to that contact.
- Manual check by the security team - request a manual review by the Greenbone security team.
The Verified column shows the state as pending, verified, or rejected.
5.3 Internal targets
Internal targets are created under Targets > Internal Targets > + Create New Internal Target. The fields mirror external targets, but no host validation is required - instead the scan reaches the internal network through a gateway.
5.4 The gateway for internal targets
GCS itself runs in the cloud and cannot reach private addresses directly. To scan internal targets you deploy a small gateway virtual appliance inside your network; it connects outward to the cloud and relays the scan into the internal network.
The gateway is a virtual appliance with modest requirements: at least 1 vCPU, at least 512 MB RAM, and at least 8 GB disk, running on Microsoft Hyper-V v5.0+ or VMware vSphere ESXi v6.0+.
Setup outline:
Gateways -> Download (choose your hypervisor) -> import and boot the appliance
CLI login: user admin / password admin
-> Gateway configuration -> Set web password (>=8 chars, upper/lower, digit, special)
-> Network configuration -> note the gateway IP address
On the platform: Gateways -> + Create New Gateway
-> Location (describe the network site)
-> IP address/network (a free IP in the target network with prefix, e.g. 10.0.1.50/24)
-> DNS Server (a DNS server in the target network)
-> Use MAC-NAT (enabled by default; disable only if needed)
-> (optional) + Create New Route for multi-subnet routing
-> save the new gateway
The IP you assign to the gateway object must differ from the appliance's own management IP noted during network configuration. The gateway is then registered with an API key (via its web UI at https://<gateway-ip>, Settings > paste API key > Save) or via the CLI connection token. Once registered, its status on the platform changes to CONNECTED.
5.5 Authenticated scans and credentials
An authenticated scan logs in to the host (Local Security Checks, LSC) for far more accurate results than a network-only scan - it can read patch levels, registry keys, and installed packages, and produces fewer false negatives. Credentials are managed under Scan Configuration > Login Credentials > + Create New Login Credentials, in two types:
- Login and password - for SMB (Windows), SSH (Linux/Unix), ESXi, and Cisco.
- Login, passphrase, and private key - for SSH key authentication on Linux/Unix.
The manual notes that German umlauts do not work in credentials - use ae, oe, ue, and ss instead of the umlaut forms. A credential cannot be deleted while it is still in use.
Per-OS requirements
| Target OS | Credential / access requirement (from the manual) |
|---|---|
| Microsoft Windows | Remote Registry service must start; File and Printer Sharing enabled; for local accounts set LocalAccountTokenFilterPolicy=1 in the registry. A domain admin gives the best registry access; the recommended setup is a dedicated domain account placed in a Greenbone Local Scan group, granted local admin via a GPO while being denied local and remote-desktop logon. |
| Linux / Unix | SSH access via password or key. PubkeyAuthentication must not be set to no. Ed25519 or RSA keys (RFC 4716 compliant) are recommended. A regular user is usually sufficient; some policy checks may need elevated rights. |
| VMware ESXi | A user created locally per ESXi host (not via vCenter). Either the admin account or a custom role with read-only plus the System > Global > Settings privilege, assigned to the scan user on the host. |
| Cisco OS | A least-privilege SSH user (for example limited to show version) created with AAA and a parser view; add it as an SSH credential and assign it to the target. |
5.6 Schedules
Scheduled scans are defined under Scan Configuration > Schedules > + Create New Schedule, with a name, optional description, Start Time, optional End Time, an Execution Interval (Daily, Weekly, or Monthly), and Interval Spacing (for example 2 with Weekly runs every two weeks). The schedule is then selected when creating a task.
5.7 Port lists
A port list narrows the scan to the ports that matter, which shortens scan time. GCS ships predefined lists, including:
| Port list | Coverage |
|---|---|
| All IANA assigned TCP | IANA-registered TCP ports (a common default) |
| All privileged TCP | TCP 0-1023 |
| All privileged TCP and UDP | TCP and UDP 0-1023 |
| All TCP | TCP 0-65535 (exhaustive, slow) |
| OpenVAS Default | The default scanner port set |
| All IANA assigned TCP and UDP | Registered TCP and UDP services |
| All TCP and Nmap top 100 UDP | All TCP plus the 100 most common UDP ports |
| All TCP and Nmap top 1000 UDP | All TCP plus the 1000 most common UDP ports |
| Web services | HTTP/HTTPS and related ports |
UDP scans are slower than TCP, so excluding UDP ports is one lever for faster scans.
5.8 Notifications
Notifications are enabled in the user settings (section 4): a periodic summary of configured scans and a notification when a scan completes.
5.9 Scan troubleshooting
- Hosts reported as dead - if targets do not answer ping, the scanner treats them as dead. Change the Alive test method on the target to TCP ack service, TCP syn service, or Consider alive.
- Scans take too long - firewalls that drop (rather than reject) packets cause port timeouts. Reduce the port list, review firewall policies, and consider excluding UDP ports. Running a discovery scan first to skip inactive addresses also helps.
6. Reports and vulnerability management
Scan results are collected into reports that can be viewed in three ways and exported in several formats.
6.1 Dashboard, grid, and table views
- Dashboard - a summary: total vulnerabilities, distribution by solution type and by severity, the two solutions with the highest fix percentage, the overall risk level (highest severity found), and the top 10 hosts by number of vulnerabilities.
- Grid overview - every finding sorted highest to lowest severity, each showing name, severity, Quality of Detection (QoD), solution type, host, port and protocol, hostname, and operating system.
- Table overview - three tables: an Overview table of all findings; a Host table grouped by host (IP, highest severity, counts per severity); and a Vulnerability table grouped by vulnerability (name, severity, affected hosts and ports, solution type).
6.2 Quality of Detection and severity
QoD is a 0-100% reliability score for a detection. The default filter shows only findings at 70% or higher. By default, Low and Log results are filtered out so you focus on the higher-severity findings first; address Critical before Medium. Solution types are reported as Official Fix, Temporary Fix, Risk Reduction, No Fix Available, and Searching for Fix.
6.3 Filtering and export
Filters are applied via Filter + and include a QoD range slider, a severity slider, solution-type buttons, and dropdowns for port, host, hostname, and operating system. Reports export as:
- Executive report (PDF or JSON) - general scan information and hosts sorted by severity.
- Technical report (PDF or JSON) - scan information plus host and vulnerability detail.
- XML - for further processing.
IP addresses can be anonymized in the download.
6.4 Report notifications
GCS can send periodic report summaries or a notification when a report is ready, configured in the user settings.
For the appliance equivalent of this workflow, see Reports and Vulnerability Management.
7. Frequently asked questions
7.1 Which firewall rules does GCS need?
The manual lists outbound rules for the gateway-to-cloud and cloud-to-target communication. Treat the specific addresses below as the values published in the manual at retrieval time, and re-check the current FAQ before opening rules, since hosted endpoints change:
Gateway -> cloud (outbound 443/TCP):
GCS 45.135.106.140
Greenbone Cloud 217.72.202.36
Update service gpublic.azurecr.io
Azure Blob storage *.blob.core.windows.net
DNS (if using an external DNS server): 53/UDP and 53/TCP
Cloud -> external targets:
Scan traffic source range 45.135.106.0/25
Destination ports follow the configured port list
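An added example, not part of the GCS manual or the platform: it labels firewall log records against the endpoints listed above, so that gateway egress outside the published list stands out and traffic from the scan source range can be tagged as scanner activity. The record format, `GATEWAY_IP`, `DNS_SERVERS` and the sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter
from fnmatch import fnmatchcase

# Values copied from the FAQ entry above; re-check the current FAQ before use.
GCS_IPS = {"45.135.106.140", "217.72.202.36"}
GCS_HOSTS = ("gpublic.azurecr.io", "*.blob.core.windows.net")
SCAN_SOURCES = ipaddress.ip_network("45.135.106.0/25")

# Assumptions for this example: gateway management IP and external resolver.
GATEWAY_IP = "10.0.1.40"
DNS_SERVERS = {"192.0.2.53"}

def classify(record):
    """Label one 'src dst proto dport host' record (constructed log format)."""
    src, dst, proto, dport, host = record.split()
    dport = int(dport)
    if src == GATEWAY_IP:
        if dport == 53 and proto in ("udp", "tcp") and dst in DNS_SERVERS:
            return "gateway-dns"
        known_dst = dst in GCS_IPS or any(
            fnmatchcase(host.lower(), pattern) for pattern in GCS_HOSTS)
        if proto == "tcp" and dport == 443 and known_dst:
            return "gateway-expected"
        return "gateway-unexpected"   # egress the FAQ does not list: investigate
    if ipaddress.ip_address(src) in SCAN_SOURCES:
        return "gcs-scan"             # traffic from the published scan range
    return "other"

def audit(log_text):
    """Return (label counts, list of unexpected gateway records)."""
    labels = [(classify(r), r) for r in log_text.splitlines() if r.strip()]
    counts = Counter(label for label, _ in labels)
    unexpected = [r for label, r in labels if label == "gateway-unexpected"]
    return counts, unexpected

# Constructed sample records; '-' means no hostname was logged.
SAMPLE_LOG = """\
10.0.1.40 45.135.106.140 tcp 443 -
10.0.1.40 192.0.2.53 udp 53 -
10.0.1.40 203.0.113.9 tcp 443 example.blob.core.windows.net
10.0.1.40 198.51.100.7 tcp 22 -
10.0.1.40 45.135.106.140 tcp 8080 -
45.135.106.17 203.0.113.80 tcp 8443 -
45.135.106.200 203.0.113.80 tcp 8443 -
"""

if __name__ == "__main__":
    counts, unexpected = audit(SAMPLE_LOG)
    print(dict(counts))
    print("unexpected gateway egress:", unexpected)
```

The last sample record comes from the same /24 as the scan range but lies outside the published /25, so it is not labelled as scanner traffic.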
7.2 What VPN technology does the gateway use?
An SSH Layer 2 based VPN, connecting outbound on 443/TCP to GCS (45.135.106.140).
7.3 Gateway and NAT troubleshooting
With gateway v1.5 and later, MAC-NAT is usually unproblematic. If needed, disable MAC-NAT and make the matching hypervisor adjustments - on VMware ESXi, enable Promiscuous Mode and Forged Transmits; Oracle VirtualBox has an equivalent setting.
7.4 What happens to my account when the subscription ends?
Users can still log in and download reports they have already created, but new scans are no longer possible. The account is deleted after a defined period, with prior notification.
7.5 Why are scans slow?
Slow scans usually come from time spent on inactive IP addresses. Run a discovery scan beforehand to identify live hosts, and trim the port list.
8. Glossary pointers
The platform Help menu includes a glossary covering the core terms used throughout GCS - target, task, credential, gateway, schedule, port list, QoD, severity, and report. When a term in this chapter is unfamiliar, the in-product glossary is the authoritative definition.