VulniosVulnios
Back to Blog
self-hostedon-premisevulnerability scannerair-gappedworker

Self-Hosted Vulnerability Scanner: Deploy Vulnios Workers On-Premise (2026)

Setup guide for running Vulnios self-hosted workers in air-gapped environments. Scan local files, containers, and USB drives without sending data to the cloud.

Vulnios Security TeamApril 12, 20264 min read

Why Self-Hosted Vulnerability Scanning?

Cloud-based scanning tools require uploading your files, code, and binaries to a third-party server. For many organizations, this is a non-starter:

  • Government and defense — classified data cannot leave the network
  • Healthcare — HIPAA restrictions on data transmission
  • Financial services — regulatory requirements for data residency
  • Manufacturing — proprietary designs and source code
  • Air-gapped environments — no internet connectivity at all

    • Vulnios Hybrid Architecture

    Vulnios uses a hybrid model that solves this problem:

  • Cloud dashboard — Management console, intelligence feeds, CVE tracking, reports
  • Self-hosted workers — All scanning happens on your infrastructure. Only scan results (not source data) are sent back

    • This means you can scan local drives, USB devices, containers, and proprietary code without any data leaving your environment.

    What Self-Hosted Workers Can Scan

    | Target Type | Supported | Engines Used |

    |---|---|---|

    | Local files | ✅ | ClamAV, YARA, capa, PE-sieve |

    | Archives (ZIP, TAR, 7z) | ✅ | All malware engines |

    | USB drives | ✅ | Mount scan mode |

    | Container images | ✅ | Trivy, Grype, Syft |

    | Git repositories | ✅ | Gitleaks, TruffleHog, Semgrep |

    | Directories | ✅ | All 48 engines |

    | Docker registries | ✅ | Container engines |

    | IaC templates | ✅ | Checkov, KICS, Terrascan |

    Deployment Options

    Docker Worker (Recommended)

    The fastest way to deploy. Runs all 48 engines in isolated containers:

    docker pull vulnios/worker:latest

    docker run -d \
    

      --name vulnios-worker \
    

      -e VULNIOS_API_KEY=your_api_key \
    

      -e VULNIOS_ORG_ID=your_org_id \
    

      -v /path/to/scan:/scan \
    

      vulnios/worker:latest

    Windows Native Worker

    For scanning Windows environments, Defender integration, and Sysinternals tools:

  • Download the worker installer from your Vulnios dashboard
  • Run vulnios-worker-setup.exe
  • Enter your API key and organization ID
  • The worker registers automatically and appears in your dashboard

    • GCE Auto-Scaled Workers

    For high-volume scanning, Vulnios supports auto-scaled workers on GCE:

  • Upload the worker package to your GCS bucket
  • Configure the instance template
  • Workers scale based on scan queue depth

    • Data Flow: What Stays Local

    [Your Infrastructure]                    [Vulnios Cloud]

                                             
    

    Local files ──→ Worker ──→ Scan results ──→ Dashboard
    

    USB drives  ──→ (scanning) ──→ Findings  ──→ Reports
    

    Container   ──→            ──→ CVE maps   ──→ Intelligence
    

                                             
    

    ▲ Your data NEVER leaves              ▲ Only results are sent

    Key Security Properties

  • Zero data exfiltration — source files never leave your network
  • Ephemeral containers — each scan runs in a fresh container, destroyed after
  • Encrypted transit — results are encrypted with TLS 1.3
  • API key rotation — rotate worker API keys without downtime
  • Audit logging — every scan logged with user, timestamp, and target

    • Air-Gapped Mode

    For fully air-gapped environments:

  • Deploy the worker with pre-downloaded engine images
  • Scan results are stored locally in SQLite
  • Periodically export results via removable media
  • Import into the cloud dashboard when connectivity is available

    • Getting Started

  • Sign up at vulnios.com/sign-up (free tier includes worker support)
  • Navigate to Settings → Workers in your dashboard
  • Download the worker for your platform
  • Deploy and start scanning

    • Workers are available on all plans, including the free tier (5 scans/month limit applies).

    Self-Hosted vs Cloud-Only: Comparison

    | Aspect | Cloud-Only (Tenable, Qualys) | Vulnios Self-Hosted |

    |---|---|---|

    | Data residency | Data leaves your network | Data stays on-premise |

    | Air-gapped support | ❌ | ✅ |

    | USB/local file scanning | ❌ | ✅ |

    | Container scanning | Upload required | Scan locally |

    | Management | Fully cloud | Hybrid (cloud dashboard + local worker) |

    | Starting price | $4,000+/yr | $0/month |

    Bottom Line

    Self-hosted vulnerability scanning gives you enterprise-grade security without compromising data sovereignty. Vulnios's hybrid architecture means you get the best of both worlds: a modern cloud dashboard with intelligence feeds, and local scanning that keeps your sensitive data where it belongs.

    Try it free: vulnios.com/sign-up — includes self-hosted worker support on all plans.

    Ready to secure your organization?

    Start scanning with 32 security engines — free tier available.

    Get Started Free