Noxen vs OpenVAS / Greenbone
OpenVAS — these days packaged as Greenbone Community Edition, under the broader Greenbone Vulnerability Management (GVM) umbrella — is the open-source elder of network vulnerability scanners. Free, capable, deeply customisable. Also: a 4-container Docker stack, a Postgres database, a feed sync that takes hours on first run, and a web UI you will be talking to for the rest of the relationship. The trade-off is real. Let's name it.
What OpenVAS is
OpenVAS is the scanner engine; Greenbone Community Edition is the packaging; GVM is the management framework around it. It runs on Linux as a stack of services (scanner, manager, GSA web UI, Redis, Postgres). The vulnerability feed — Network Vulnerability Tests (NVTs) — is community-maintained and synced via Greenbone's feed-sync tooling. The community feed contains well over 100,000 NVTs and grows weekly. Greenbone Enterprise is the paid sibling with a deeper, faster-updated feed and vendor support.
When OpenVAS is the right choice
- The licensing cost has to be zero. Academic, research, public-sector budget-zero contexts. OpenVAS is GPL-licensed. You can run it forever for free.
- You want the source. Audit it. Fork it. Write your own NVTs in NASL. OpenVAS is hackable in a way that no commercial scanner is.
- You're already running a Linux server. If you have a homelab Proxmox box with spare capacity, standing up a Greenbone container stack is a reasonable evening.
- You want broad network coverage out of the box. NVTs cover Windows, Linux, network gear, and a long tail of services. Noxen covers Linux/Unix over SSH plus admin-surface fingerprinting on ~70 services. Different scope.
- You want unauthenticated network scanning. OpenVAS is built around that. Noxen is built around credentialed SSH scanning; the port scan is a small part of what it does.
When Noxen is the right choice
- Your time is more expensive than $79. OpenVAS first-run sync routinely takes hours. Tuning false positives is its own minor career. Noxen sets up in under ten minutes and the feed is a signed SQLite snapshot that downloads in seconds.
- You want a Mac-native control plane. Noxen is a SwiftUI app. OpenVAS is a Linux web UI; the Mac is just a browser tab in that relationship.
- You don't want to run another server. Noxen runs on your existing Mac. Your scan target list is read from ~/.ssh/config. There is nothing else to host.
- You want curated coverage instead of a firehose. OpenVAS will tell you everything it can think of. Noxen makes opinionated choices — package CVEs, SSH config, TLS, HTTP headers, ~70 admin surfaces — and ships a UI that defaults to what changed since yesterday.
- You want a signed, reproducible feed. Noxen's feed is an Ed25519-signed SQLite snapshot from VulnCheck NVD++ and OSV (with GHSA on the ingest side). The Mac verifies the signature with CryptoKit before swapping the local copy. OpenVAS's NVT sync is rsync-based; integrity rests on transport trust.
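The verify-then-swap step described above, as an added illustration rather than Noxen's own code (which is Swift/CryptoKit; this is a Go equivalent on the standard library's crypto/ed25519): the downloaded snapshot is checked against a pinned publisher key and only then renamed over the local copy, so a bad signature never disturbs the installed feed. The key pair, file name and snapshot bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrBadSignature: the snapshot did not verify under the pinned publisher key.
var ErrBadSignature = errors.New("feed snapshot: Ed25519 signature invalid")

// InstallSignedSnapshot verifies a detached Ed25519 signature over the whole downloaded
// snapshot, then atomically swaps it into dest; on any failure dest is left untouched.
func InstallSignedSnapshot(pub ed25519.PublicKey, snapshot, sig []byte, dest string) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature // malformed inputs are rejected, never passed to Verify
	}
	if !ed25519.Verify(pub, snapshot, sig) {
		return ErrBadSignature
	}
	// Stage in the destination directory so the final rename is one atomic step.
	tmp, err := os.CreateTemp(filepath.Dir(dest), ".feed-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err = tmp.Write(snapshot); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, dest)
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the pinned vendor key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	snapshot := []byte("SQLite format 3\x00 ...constructed feed bytes...")
	sig := ed25519.Sign(priv, snapshot)
	dest := filepath.Join(os.TempDir(), "noxen-demo-feed.sqlite")
	fmt.Println("genuine snapshot:", InstallSignedSnapshot(pub, snapshot, sig, dest))
	snapshot[0] ^= 0x01 // flip one byte; the old signature no longer matches
	fmt.Println("tampered snapshot:", InstallSignedSnapshot(pub, snapshot, sig, dest))
}
```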
Side-by-side
| | OpenVAS / Greenbone CE | Noxen |
|---|---|---|
| Platform | Linux server (Docker stack) | macOS 26+ native app |
| Pricing | Free (GPL); Greenbone Enterprise quote-based | $79 one-time / $19/mo / $149/mo |
| Agent vs agentless | Agentless (network + credentialed) | Agentless only (SSH) |
| Scan target | Windows, Linux, network gear, ICS | Linux / Unix / BSD over SSH |
| Feed | 100,000+ community NVTs via Greenbone feed sync | VulnCheck NVD++ / OSV / GHSA, Ed25519-signed SQLite |
| UI | Greenbone Security Assistant (web) | SwiftUI Mac app, ⌘⇧P palette |
| Reporting | HTML, PDF, XML, CSV | PDF, SIEM NDJSON, CSV compliance map |
| Setup time | Hours (first sync) to days (tuning) | Under 10 minutes to first scan |
| Best for | Budget-zero, source-available, deep customisation | Mac-using ops folks with Linux fleets |
What we don't try to be
Noxen is not open source. The CVE feed is signed and built by us; you cannot fork our ingest pipeline and run it locally. We do not let you write custom NASL plugins — the closest thing is the custom checks system, which is a small JSON schema for HTTP/TCP probes, not a full scripting environment. Noxen does not scan Windows. It does not do continuous SaaS monitoring. The compliance mapping is an evidence supplement, not a certification. If any of those gaps matter, OpenVAS / Greenbone is genuinely the better tool.
For more on why we picked credentialed SSH scanning over network probing, see agent vs agentless security scanning.
Frequently asked
Is Noxen a free OpenVAS alternative?
Noxen is free for 3 hosts forever, then $79 one-time. OpenVAS / Greenbone Community Edition is free of charge but costs you a 4-container Docker stack, a Postgres database, and an hours-long first feed sync to keep running. Noxen trades a small licence fee for zero setup and a Mac-native UI.
Does Noxen do credentialed scanning like OpenVAS?
Noxen logs into each host with your existing SSH key to read installed-package state and match it against a signed CVE feed. It does not run OpenVAS-style unauthenticated network NVTs or remote exploit probes — it reads package and service state, and never sends an exploit at the target.
Can Noxen replace a Greenbone deployment?
For a homelab or small Linux fleet, often yes — same installed-package CVE outcome without maintaining the Greenbone stack. For broad network-device coverage, Windows, or custom NASL tests, keep Greenbone for that breadth.
Try Noxen
Three hosts free, forever, on macOS 26+. $79 one-time unlocks 25 hosts and scheduled scans. If your homelab is small and you're tired of Greenbone's container stack, this is the smaller, faster, paid alternative.