Internal scanning examines hosts from inside your network and can also authenticate to the target host for patch scanning. An internal scan runs from an Alert Logic® appliance in your environment. When you define an internal scan, you can specify credentials for it to use.
If you provide credentials, Alert Logic attempts to log on to each host on your network and collects additional detailed information about the host while it performs comprehensive vulnerability checks. This includes registry checks, file system checks, WMI calls, Linux/Cisco patch scanning, and more. Credentialed scans will not execute on hosts with agent-based scanning enabled.
If you do not provide credentials, the Alert Logic scanning appliance scans your network without logging on to each host and performs as many checks as possible. These checks are limited compared to a credentialed scan, but may better simulate what an attacker can observe of your network. If agent-based scanning is enabled for the target host, the network scan results are consolidated with the most recent host scan results after the network scan completes.
An external scan runs from the Alert Logic data centers against your environment. External scans simulate what an external attacker can see and how the attacker may attempt to infiltrate your environment. The attack surface for an external scan is limited to the externally facing components in your infrastructure, which are often the most attacked and targeted.
For more information about the types of supported scans and scanning best practices, see our Scans documentation.