Greenbone Cloud Service (GCS)

What this covers

The Greenbone Cloud Service (GCS) is the hosted, subscription-based version of Greenbone vulnerability management: you log in to a web platform and scan your systems, with no appliance of your own to install or maintain. This chapter covers how GCS differs from the self-hosted appliance, account creation and login with two-factor authentication, the platform UI, user/team/account and subscription/billing settings, running external and internal scans (including the cloud gateway needed for internal targets), authenticated scans and per-OS credential requirements, reports and vulnerability management, and the key networking FAQ items.

Source scope

Based on the official Greenbone Cloud Service manual at docs.greenbone.net (GCS-Manual, English edition), retrieved June 2026. GCS is the SaaS option - distinct from the self-hosted Greenbone Enterprise Appliance and the free Community Edition. UI labels, menu paths, and technical values below are taken from that manual; where the manual does not state a detail, the text is kept general rather than invented.


1. What GCS is and how it differs from the appliance

Vulnerability management, in Greenbone's framing, means looking at your IT infrastructure from the outside - the way a potential attacker would - to identify weaknesses, assess their risk, and recommend remediation, then repeating the cycle continuously. GCS delivers that as a service: the manual describes it as "an easy-to-use high-quality service for vulnerability management." You register, log in, and work from anywhere through a browser. Subscriptions are package-based and can be cancelled monthly, and they let you scan external, DMZ, and internal networks.

The practical contrast with the self-hosted product:

| Aspect | Greenbone Cloud Service (SaaS) | Self-hosted appliance / Community Edition |
| --- | --- | --- |
| Who runs the scanner | Greenbone hosts and maintains the scanning infrastructure | You install, run, and update the appliance or Community Edition yourself |
| What you operate | A web platform plus, for internal scans, a small gateway VM in your network | The full scanner host (physical, virtual, or container) |
| Where you start scans | The GCS web platform (browser) | The appliance web interface (GSA) on your own host |
| Reaching internal targets | Requires a downloadable gateway virtual appliance that connects out to the cloud | The appliance already sits inside your network |
| Commercial model | Subscription packages, cancellable monthly; billing and invoices handled in the platform | Appliance subscription/feed for Enterprise; the Community Edition is free |

The introduction in the GCS manual does not itself spell out a feature-by-feature comparison against the appliance or the Community Edition, so treat the table above as the architectural difference rather than a quoted matrix. For the self-hosted side, see the Greenbone / OpenVAS Guide.


2. Read before use

A vulnerability scan is an active interaction with the target. The manual is explicit that the scanner "still needs to interact and communicate with the target systems being analyzed during a scan," including protocol probes (for example HTTP and FTP) to identify services. Expect side effects:

  • Log and alert entries on target systems and network devices.
  • Triggered security measures (firewall rules, IDS/IPS reactions).
  • Increased latency on the target and on the scanned network.
  • Possible crashes of fragile applications, especially embedded systems.
  • Banner grabbing over SSH/FTP and possible account lockouts from password tests.

Only scan systems you are authorized to scan

Before scanning, obtain explicit authorization and add the scanner IP addresses to your allowlists. The manual's reasoning is blunt: triggering faults, crashes, or lockouts with default settings means an attacker could do the very same thing. For external targets, GCS additionally enforces ownership through host validation (section 5.2).


3. Accessing the platform

3.1 Creating a user account

New accounts are created on the registration page:

Open the browser and go to the Greenbone Cloud Service URL
-> Register
-> enter e-mail and password (optionally enable "Security News")
-> Next
-> enter company details
-> Next
-> tick the consent boxes for terms of use and privacy policy
-> Create free account

New accounts start as free trial accounts and can later be converted to paid accounts. The main user can invite additional users into their team.

3.2 Logging in

Open the browser, enter the GCS URL, and log in with the e-mail address and password. After a successful login the Scan Management page is shown. The display language can be switched from the top of the page, and a forgotten password is reset via Forgotten your password?.

3.3 Structure of the platform

The platform is built from two recurring UI patterns:

  • List pages show all objects of one type - scans, scan tasks, targets, login credentials, schedules, and gateways. You can search by object name and sort ascending/descending by clicking a column header.
  • Detail overlays open when you click an underlined object name, revealing additional information without leaving the list page.

3.4 Getting support

The Help menu provides the glossary (basic terms), the user manual (step-by-step instructions), and legal information (terms and privacy policy).


4. User, team, account, and subscription settings

The settings area (manual chapter 4) covers personal, security, team, and commercial configuration:

  • Language - change the platform language.
  • Notifications - enable scan summaries and completed-scan notifications (see section 8).
  • Security - change your password and set up two-factor authentication.
  • Teams - add users, (de)activate team members, change the main user, and delete the account.
  • Subscription - change the subscription scope or terminate the subscription.
  • Billing - change billing information and download invoices.
  • Managed-security settings - configure the managed-security options where applicable.

4.1 Two-factor authentication

Two-factor authentication (2FA) is configured under the security settings (Setting up Two-Factor Authentication). Enabling it adds a second factor on top of the e-mail/password login.

Turn on 2FA for the main user first

The main user controls the team, the subscription scope, and billing. Protecting that account with 2FA limits the blast radius if a password leaks.

4.2 Subscription and billing

Subscriptions are package-based and cancellable monthly. From the settings you can change the subscription scope (for example the size of the network you are licensed to scan), terminate the subscription, edit billing information, and download invoices. What happens when a subscription ends is covered in the FAQ (section 10).


5. Running scans

GCS offers two entry points: a guided Task Wizard and a manual configuration with full control. Both build on the same objects - target, task, credentials, gateway, and schedule.

5.1 The Task Wizard

Scan Management
-> + Prepare New Scan Task with Wizard
-> Let's go!
-> enter a task name and choose a scan configuration -> Save and Continue
-> select an existing target OR + Create New Target -> Save and Continue
-> (optional) select or create login credentials -> Save and Continue
-> (optional) select or create a schedule -> Save and Continue
-> for an external target: Request Host Validation
-> Prepare Scan

The task then appears on Scan Management with status Available; click the start icon to run it. The page auto-refreshes as the scan progresses.

The wizard only handles external targets

The Task Wizard supports external (internet-facing) targets only. To scan internal systems you must configure a target and a gateway manually (sections 5.3 and 5.4).

5.2 External targets and host validation

External targets are created under Scan Configuration > Targets > External Targets > + Create New External Target. Key fields include the target name, an optional description, the Target mode (IP Address or Hostname, fixed after creation), the hosts to be scanned, an optional excluded-hosts list, the Alive test method, a Port list, and optional login credentials for SSH, SMB, and ESXi.

Hosts can be entered as single addresses, ranges, CIDR blocks, or IPv6 addresses, for example:

192.168.15.5
192.168.15.5-192.168.15.27
192.168.15.0/24
fe80::222:64ff:fe76:4cea

Scanning an external target is not possible until its ownership is validated. There are three validation paths:

  1. Owner self-validation - open Request Host Validation, tick I Am The Owner, then Validate Host. You confirm you are authorized and accept responsibility for the scan's effects.
  2. Contact via RIPE NCC - GCS looks up the registered contact for the address in the RIPE NCC registry and sends a request to that contact.
  3. Manual check by the security team - request a manual review by the Greenbone security team.

The Verified column shows the state as pending, verified, or rejected.

5.3 Internal targets

Internal targets are created under Targets > Internal Targets > + Create New Internal Target. The fields mirror external targets, but no host validation is required - instead the scan reaches the internal network through a gateway.
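Added example (not from the Greenbone manual): a pre-check that sorts host entries in the formats listed in section 5.2 into internal targets, which need a gateway, and external targets, which need host validation, and flags ranges that straddle both. The list of "internal" networks and the constructed edge-case entries are assumptions; 203.0.113.10 is a documentation address standing in for a public host.

```python
import ipaddress

# Assumption: "internal" = RFC 1918, loopback, link-local and IPv6 ULA space.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def to_networks(entry):
    """Expand one host entry (address, a-b range or CIDR) into networks."""
    entry = entry.strip()
    if "/" in entry:
        return [ipaddress.ip_network(entry, strict=False)]
    first, sep, last = entry.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if sep else lo
    # Raises TypeError for mixed IPv4/IPv6 and ValueError if lo > hi.
    return list(ipaddress.summarize_address_range(lo, hi))

def classify(entry):
    """Return 'internal', 'external', 'mixed' or 'invalid' for one entry."""
    try:
        nets = to_networks(entry)
    except (ValueError, TypeError):
        return "invalid"
    inside = outside = 0
    for net in nets:
        same = [i for i in INTERNAL if i.version == net.version]
        if any(net.subnet_of(i) for i in same):
            inside += 1
        elif any(net.overlaps(i) for i in same):
            return "mixed"  # e.g. a wide CIDR that swallows 10.0.0.0/8
        else:
            outside += 1
    if inside and outside:
        return "mixed"
    return "internal" if inside else "external"

def plan(entries):
    """Group entries by the kind of target they belong to."""
    groups = {"internal": [], "external": [], "mixed": [], "invalid": []}
    for entry in entries:
        groups[classify(entry)].append(entry)
    return groups

if __name__ == "__main__":
    # The four entries from section 5.2 plus constructed edge cases.
    sample = ["192.168.15.5", "192.168.15.5-192.168.15.27", "192.168.15.0/24",
              "fe80::222:64ff:fe76:4cea", "203.0.113.10",
              "9.255.255.250-10.0.0.5", "192.168.15.27-192.168.15.5"]
    for kind, items in plan(sample).items():
        print(f"{kind:9} {items}")
```

All four sample entries from section 5.2 come out as internal, so they would be created as internal targets behind a gateway; a "mixed" entry should be split into separate internal and external targets.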

5.4 The gateway for internal targets

A gateway is required for every internal scan

GCS itself runs in the cloud and cannot reach private addresses directly. To scan internal targets you deploy a small gateway virtual appliance inside your network; it connects outward to the cloud and relays the scan into the internal network.

The gateway is a virtual appliance with modest requirements: at least 1 vCPU, at least 512 MB RAM, and at least 8 GB disk, running on Microsoft Hyper-V v5.0+ or VMware vSphere ESXi v6.0+.

Setup outline:

Gateways -> Download (choose your hypervisor) -> import and boot the appliance
CLI login: user admin / password admin
-> Gateway configuration -> Set web password (>=8 chars, upper/lower, digit, special)
-> Network configuration -> note the gateway IP address

On the platform: Gateways -> + Create New Gateway
-> Location (describe the network site)
-> IP address/network (a free IP in the target network with prefix, e.g. 10.0.1.50/24)
-> DNS Server (a DNS server in the target network)
-> Use MAC-NAT (enabled by default; disable only if needed)
-> (optional) + Create New Route for multi-subnet routing
-> save the new gateway

The IP you assign to the gateway object must differ from the appliance's own management IP noted during network configuration. The gateway is then registered with an API key (via its web UI at https://<gateway-ip>, Settings > paste API key > Save) or via the CLI connection token. Once registered, its status on the platform changes to CONNECTED.

5.5 Authenticated scans and credentials

An authenticated scan logs in to the host (Local Security Checks, LSC) for far more accurate results than a network-only scan - it can read patch levels, registry keys, and installed packages, and produces fewer false negatives. Credentials are managed under Scan Configuration > Login Credentials > + Create New Login Credentials, in two types:

  • Login and password - for SMB (Windows), SSH (Linux/Unix), ESXi, and Cisco.
  • Login, passphrase, and private key - for SSH key authentication on Linux/Unix.

No German special characters in credentials

The manual notes that German umlauts do not work in credentials - use ae, oe, ue, and ss instead of the umlaut forms. A credential cannot be deleted while it is still in use.

Per-OS requirements

| Target OS | Credential / access requirement (from the manual) |
| --- | --- |
| Microsoft Windows | Remote Registry service must start; File and Printer Sharing enabled; for local accounts set LocalAccountTokenFilterPolicy=1 in the registry. A domain admin gives the best registry access; the recommended setup is a dedicated domain account placed in a Greenbone Local Scan group, granted local admin via a GPO while being denied local and remote-desktop logon. |
| Linux / Unix | SSH access via password or key. PubkeyAuthentication must not be set to no. Ed25519 or RSA keys (RFC 4716 compliant) are recommended. A regular user is usually sufficient; some policy checks may need elevated rights. |
| VMware ESXi | A user created locally per ESXi host (not via vCenter). Either the admin account or a custom role with read-only plus the System > Global > Settings privilege, assigned to the scan user on the host. |
| Cisco OS | A least-privilege SSH user (for example limited to show version) created with AAA and a parser view; add it as an SSH credential and assign it to the target. |
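Added example (not from the Greenbone manual): a check of the Linux/Unix requirement that PubkeyAuthentication must not be set to no, run against the text of an sshd_config before a key-based credential is assigned to a target. The sample configuration is constructed and the account name gb-scan is hypothetical; the parser is deliberately simple and only reports Match blocks, it does not evaluate them.

```python
# Constructed sample configuration; "gb-scan" is a hypothetical scan account.
SAMPLE_CONFIG = """\
# Constructed sshd_config excerpt
Port 22
pubkeyauthentication yes
# The next line is ignored by sshd: an earlier line already set the keyword.
PubkeyAuthentication no
PasswordAuthentication no
Match User gb-scan
    PubkeyAuthentication no
Match Address 10.0.1.0/24
    PubkeyAuthentication yes
"""

def pubkey_auth_status(config_text):
    """Return (global_value, match_blocks_that_set_no) for PubkeyAuthentication.

    sshd uses the first value it reads for a keyword, keywords are
    case-insensitive, and settings after a Match line apply only to
    connections that satisfy that Match.
    """
    global_value = None
    match_ctx = None          # None while still in the global section
    disabled_in = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_ctx = value
        elif key == "pubkeyauthentication":
            if match_ctx is None:
                if global_value is None:      # first occurrence wins
                    global_value = value.lower()
            elif value.lower() == "no":
                disabled_in.append(match_ctx)
    # sshd's built-in default for PubkeyAuthentication is yes.
    return (global_value or "yes"), disabled_in

if __name__ == "__main__":
    value, blocked = pubkey_auth_status(SAMPLE_CONFIG)
    print("global PubkeyAuthentication:", value)
    for ctx in blocked:
        print("disabled for: Match", ctx)
```

Here the global setting is fine, but the Match block for the scan account would still make a key-based authenticated scan fail. On the host itself, `sshd -T` prints the effective configuration.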

5.6 Schedules

Scheduled scans are defined under Scan Configuration > Schedules > + Create New Schedule, with a name, optional description, Start Time, optional End Time, an Execution Interval (Daily, Weekly, or Monthly), and Interval Spacing (for example 2 with Weekly runs every two weeks). The schedule is then selected when creating a task.

5.7 Port lists

A port list narrows the scan to the ports that matter, which shortens scan time. GCS ships predefined lists, including:

| Port list | Coverage |
| --- | --- |
| All IANA assigned TCP | IANA-registered TCP ports (a common default) |
| All privileged TCP | TCP 0-1023 |
| All privileged TCP and UDP | TCP and UDP 0-1023 |
| All TCP | TCP 0-65535 (exhaustive, slow) |
| OpenVAS Default | The default scanner port set |
| All IANA assigned TCP and UDP | Registered TCP and UDP services |
| All TCP and Nmap top 100 UDP | All TCP plus the 100 most common UDP ports |
| All TCP and Nmap top 1000 UDP | All TCP plus the 1000 most common UDP ports |
| Web services | HTTP/HTTPS and related ports |

UDP scans are slower than TCP, so excluding UDP ports is one lever for faster scans.

5.8 Notifications

Notifications are enabled in the user settings (section 4): a periodic summary of configured scans and a notification when a scan completes.

5.9 Scan troubleshooting

  • Hosts reported as dead - if targets do not answer ping, the scanner treats them as dead. Change the Alive test method on the target to TCP ack service, TCP syn service, or Consider alive.
  • Scans take too long - firewalls that drop (rather than reject) packets cause port timeouts. Reduce the port list, review firewall policies, and consider excluding UDP ports. Running a discovery scan first to skip inactive addresses also helps.

6. Reports and vulnerability management

Scan results are collected into reports that can be viewed in three ways and exported in several formats.

6.1 Dashboard, grid, and table views

  • Dashboard - a summary: total vulnerabilities, distribution by solution type and by severity, the two solutions with the highest fix percentage, the overall risk level (highest severity found), and the top 10 hosts by number of vulnerabilities.
  • Grid overview - every finding sorted highest to lowest severity, each showing name, severity, Quality of Detection (QoD), solution type, host, port and protocol, hostname, and operating system.
  • Table overview - three tables: an Overview table of all findings; a Host table grouped by host (IP, highest severity, counts per severity); and a Vulnerability table grouped by vulnerability (name, severity, affected hosts and ports, solution type).

6.2 Quality of Detection and severity

QoD is a 0-100% reliability score for a detection. The default filter shows only findings at 70% or higher. By default, Low and Log results are filtered out so you focus on the higher-severity findings first; address Critical before Medium. Solution types are reported as Official Fix, Temporary Fix, Risk Reduction, No Fix Available, and Searching for Fix.

6.3 Filtering and export

Filters are applied via Filter + and include a QoD range slider, a severity slider, solution-type buttons, and dropdowns for port, host, hostname, and operating system. Reports export as:

  • Executive report (PDF or JSON) - general scan information and hosts sorted by severity.
  • Technical report (PDF or JSON) - scan information plus host and vulnerability detail.
  • XML - for further processing.

IP addresses can be anonymized in the download.

6.4 Report notifications

GCS can send periodic report summaries or a notification when a report is ready, configured in the user settings.

For the appliance equivalent of this workflow, see Reports and Vulnerability Management.


7. Frequently asked questions

7.1 Which firewall rules does GCS need?

The manual lists outbound rules for the gateway-to-cloud and cloud-to-target communication. Treat the specific addresses below as the values published in the manual at retrieval time, and re-check the current FAQ before opening rules, since hosted endpoints change:

Gateway -> cloud (outbound 443/TCP):
GCS 45.135.106.140
Greenbone Cloud 217.72.202.36
Update service gpublic.azurecr.io
Azure Blob storage *.blob.core.windows.net
DNS (if using an external DNS server): 53/UDP and 53/TCP

Cloud -> external targets:
Scan traffic source range 45.135.106.0/25
Destination ports follow the configured port list
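Added example (not from the Greenbone manual): since scans leave log and alert entries on targets (section 2), this sketch labels firewall log lines whose source lies in the published scan range 45.135.106.0/25, so authorized scan traffic can be separated from other probes during triage. The log layout, the sample lines and the scan-window parameters are constructed assumptions; re-check the range against the current FAQ before relying on it.

```python
import ipaddress
import re
from datetime import datetime

# Scan traffic source range as published in the manual's FAQ (section 7.1).
GCS_SCAN_RANGE = ipaddress.ip_network("45.135.106.0/25")

# Constructed sample lines; the iptables-like layout is an assumption.
SAMPLE_LOG = """\
2026-06-02T01:05:11 DROP SRC=45.135.106.17 DST=203.0.113.20 PROTO=TCP DPT=22
2026-06-02T01:05:12 DROP SRC=45.135.106.17 DST=203.0.113.20 PROTO=TCP DPT=445
2026-06-02T01:07:40 DROP SRC=45.135.106.200 DST=203.0.113.20 PROTO=TCP DPT=22
2026-06-02T09:30:02 DROP SRC=45.135.106.90 DST=203.0.113.20 PROTO=TCP DPT=80
2026-06-02T01:09:00 DROP SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP DPT=23
not a firewall line
"""
LINE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)$")

def triage(log_text, window_start, window_end):
    """Label each parsable line and return (label, source, dest_port) tuples.

    gcs-scan            source in the GCS range, inside the scan window
    gcs-outside-window  source in the GCS range, but no scan was expected
    other               any other source, handled by normal alerting
    """
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # unparsable timestamp or address
        if src not in GCS_SCAN_RANGE:
            label = "other"  # includes 45.135.106.128-255, outside the /25
        elif window_start <= ts <= window_end:
            label = "gcs-scan"
        else:
            label = "gcs-outside-window"
        results.append((label, str(src), int(m.group(3))))
    return results

if __name__ == "__main__":
    start, end = datetime(2026, 6, 2, 1, 0), datetime(2026, 6, 2, 3, 0)
    for row in triage(SAMPLE_LOG, start, end):
        print(row)
```

The third sample line shows why the prefix length matters: 45.135.106.200 shares the first three octets with the scanner range but is outside the /25, so it is not treated as scan traffic.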

7.2 What VPN technology does the gateway use?

An SSH Layer 2 based VPN, connecting outbound on 443/TCP to GCS (45.135.106.140).

7.3 Gateway and NAT troubleshooting

With gateway v1.5 and later, MAC-NAT is usually unproblematic. If needed, disable MAC-NAT and make the matching hypervisor adjustments - on VMware ESXi, enable Promiscuous Mode and Forged Transmits; Oracle VirtualBox has an equivalent setting.

7.4 What happens to my account when the subscription ends?

Users can still log in and download reports they have already created, but new scans are no longer possible. The account is deleted after a defined period, with prior notification.

7.5 Why are scans slow?

Slow scans usually come from time spent on inactive IP addresses. Run a discovery scan beforehand to identify live hosts, and trim the port list.


8. Glossary pointers

The platform Help menu includes a glossary covering the core terms used throughout GCS - target, task, credential, gateway, schedule, port list, QoD, severity, and report. When a term in this chapter is unfamiliar, the in-product glossary is the authoritative definition.