Noxen vs OpenVAS / Greenbone
OpenVAS — these days packaged as Greenbone Community Edition, under the broader Greenbone Vulnerability Management (GVM) umbrella — is the open-source elder of network vulnerability scanners. Free, capable, deeply customisable. Also: a 4-container Docker stack, a Postgres database, a feed sync that takes hours on first run, and a web UI you will be talking to for the rest of the relationship. The trade-off is real. Let's name it.
What OpenVAS is
OpenVAS is the scanner engine; Greenbone Community Edition is the packaging; GVM is the management framework around it. It runs on Linux as a stack of services (scanner, manager, GSA web UI, Redis, Postgres). The vulnerability feed — Network Vulnerability Tests (NVTs) — is community-maintained and synced via Greenbone's feed-sync tooling. The community feed contains well over 100,000 NVTs and grows weekly. Greenbone Enterprise is the paid sibling with a deeper, faster-updated feed and vendor support.
When OpenVAS is the right choice
- The licensing cost has to be zero. Academic, research, public-sector budget-zero contexts. OpenVAS is GPL-licensed. You can run it forever for free.
- You want the source. Audit it. Fork it. Write your own NVTs in NASL. OpenVAS is hackable in a way that no commercial scanner is.
- You're already running a Linux server. If you have a homelab Proxmox box with spare capacity, standing up a Greenbone container stack is a reasonable evening.
- You want broad network coverage out of the box. NVTs cover Windows, Linux, network gear, and a long tail of services. Noxen covers Linux/Unix over SSH plus admin-surface fingerprinting on ~70 services. Different scope.
- You want unauthenticated network scanning. OpenVAS is built around that. Noxen is built around credentialed SSH scanning; the port scan is a small part of what it does.
When Noxen is the right choice
- Your time is more expensive than $79. OpenVAS first-run sync routinely takes hours. Tuning false positives is its own minor career. Noxen sets up in under ten minutes and the feed is a signed SQLite snapshot that downloads in seconds.
- You want a Mac-native control plane. Noxen is a SwiftUI app. OpenVAS is a Linux web UI; the Mac is just a browser tab in that relationship.
- You don't want to run another server. Noxen runs on your existing Mac. Your scan target list is read from ~/.ssh/config. There is nothing else to host.
- You want curated coverage instead of a firehose. OpenVAS will tell you everything it can think of. Noxen makes opinionated choices — package CVEs, SSH config, TLS, HTTP headers, ~70 admin surfaces — and ships a UI that defaults to what changed since yesterday.
- You want a signed, reproducible feed. Noxen's feed is an Ed25519-signed SQLite snapshot from VulnCheck NVD++ and OSV (with GHSA on the ingest side). The Mac verifies the signature with CryptoKit before swapping the local copy. OpenVAS's NVT sync is rsync-based; integrity rests on transport trust.
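The verify-before-swap step described above, as an added example in Go (not Noxen's own code, which uses CryptoKit): a detached Ed25519 signature over the raw snapshot bytes is checked against a pinned publisher key, and only then is the file atomically renamed into place, so a tampered or truncated download never replaces the local feed. The key pair, snapshot bytes, signing layout and file name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Returned when the snapshot fails to verify; the local feed is left untouched.
var ErrBadSignature = errors.New("feed snapshot: Ed25519 verification failed")

// installSnapshot verifies a detached Ed25519 signature over the raw snapshot
// bytes and only then atomically swaps it into dest (assumed layout).
func installSnapshot(pub ed25519.PublicKey, snapshot, sig []byte, dest string) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, snapshot, sig) {
		return ErrBadSignature
	}
	// Stage in dest's directory so the final rename is atomic on POSIX: readers
	// see the old feed or the complete new one, never a half-written file.
	tmp, err := os.CreateTemp(filepath.Dir(dest), ".feed-*.tmp")
	if err != nil {
		return err
	}
	if _, err = tmp.Write(snapshot); err == nil {
		err = tmp.Sync() // flush to disk before the rename makes it visible
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), dest)
	}
	if err != nil {
		os.Remove(tmp.Name())
	}
	return err
}

func main() {
	// Constructed key pair and stand-in snapshot; a real client ships only the pinned public key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	snapshot := []byte("SQLite format 3\x00 constructed stand-in for feed.db")
	sig := ed25519.Sign(priv, snapshot)
	dest := filepath.Join(os.TempDir(), "noxen-example-feed.db")
	fmt.Println("genuine:", installSnapshot(pub, snapshot, sig, dest))
	snapshot[0] ^= 0xff // one flipped byte: signature no longer matches
	fmt.Println("tampered:", installSnapshot(pub, snapshot, sig, dest))
}
```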
Side-by-side
| | OpenVAS / Greenbone CE | Noxen |
|---|---|---|
| Platform | Linux server (Docker stack) | macOS 26+ native app |
| Pricing | Free (GPL); Greenbone Enterprise quote-based | $79 one-time / $19/mo / $149/mo |
| Agent vs agentless | Agentless (network + credentialed) | Agentless only (SSH) |
| Scan target | Windows, Linux, network gear, ICS | Linux / Unix / BSD over SSH |
| Feed | 100,000+ community NVTs via Greenbone feed sync | VulnCheck NVD++ / OSV / GHSA, Ed25519-signed SQLite |
| UI | Greenbone Security Assistant (web) | SwiftUI Mac app, ⌘⇧P palette |
| Reporting | HTML, PDF, XML, CSV | PDF, SIEM NDJSON, CSV compliance map |
| Setup time | Hours (first sync) to days (tuning) | Under 10 minutes to first scan |
| Best for | Budget-zero, source-available, deep customisation | Mac-using ops folks with Linux fleets |
What we don't try to be
Noxen is not open source. The CVE feed is signed and built by us; you cannot fork our ingest pipeline and run it locally. We do not let you write custom NASL plugins — the closest thing is the custom checks system, which is a small JSON schema for HTTP/TCP probes, not a full scripting environment. Noxen does not scan Windows. It does not do continuous SaaS monitoring. The compliance mapping is evidence supplement, not a certification. If any of those gaps matter, OpenVAS / Greenbone is genuinely the better tool.
For more on why we picked credentialed SSH scanning over network probing, see agent vs agentless security scanning.
Try Noxen
Three hosts free, forever, on macOS 26+. $79 one-time unlocks 25 hosts and scheduled scans. If your homelab is small and you're tired of Greenbone's container stack, this is the smaller, faster, paid alternative.