Question 1

Is WinSentinel like OpenVAS?

Accepted Answer

Not really - they work at different layers. OpenVAS (the scanner inside Greenbone Vulnerability Management) is an open-source network vulnerability scanner: you stand up a Greenbone server, point it at a range of hosts, and it probes them over the network against 100,000+ Network Vulnerability Tests to report known CVEs, missing patches and exposed services. WinSentinel runs on the Windows machine itself, audits how that machine is configured for security, scores it 0-100, maps findings to compliance frameworks, and one-click fixes the misconfigurations it finds. OpenVAS tells you which hosts are running vulnerable, unpatched software; WinSentinel tells you whether each Windows machine is securely configured and fixes it. A host with zero outstanding CVEs can still have SMBv1 on, BitLocker off and UAC weakened - so the two are complementary rather than substitutes.

Question 2

Doesn't OpenVAS already find Windows security problems?

Accepted Answer

OpenVAS finds known vulnerabilities - CVEs in installed software, missing security updates, weak SSL/TLS, default credentials and exposed services - primarily by probing the host over the network (with deeper checks when you give it authenticated/credentialed access). That is genuinely valuable, but it is CVE-and-patch oriented. WinSentinel audits configuration hardening: SMBv1, SMB signing, BitLocker and TPM state, UAC level, firewall profiles, PowerShell script-block logging, LLMNR/NBT-NS, stale local-admin accounts, RDP/NLA, and 30+ more checks - scores them into one number, and remediates them in one click, mapped to CIS / SOC 2 / HIPAA. Knowing a box is fully patched does not tell you it is hardened, and OpenVAS does not turn on BitLocker or disable SMBv1 for you.

Question 3

Isn't running a vulnerability scanner enough to stay secure?

Accepted Answer

Vulnerability scanning is necessary but not sufficient. A machine can pass an OpenVAS scan with no outstanding CVEs and still expose SMBv1, run with BitLocker off, have UAC weakened, leave the public firewall profile disabled, skip PowerShell logging, or carry stale local-admin accounts - none of which is a CVE and none of which a scan remediates. Those configuration weaknesses are exactly what WinSentinel audits, scores, and fixes by default. OpenVAS finds the missing patches and exposed services across your network; WinSentinel closes the configuration-hardening gap on each Windows machine and gives you a one-click fix for it.

Question 4

Does WinSentinel give a posture score like a vulnerability scanner's risk rating?

Accepted Answer

Yes, but it measures a different thing. WinSentinel produces a single 0-100 configuration-posture score with a letter grade and maps every finding to CIS Windows L1, SOC 2, HIPAA and Essential 8 controls. OpenVAS/Greenbone reports per-vulnerability CVSS severities and a host/report risk level driven by the CVEs it detected. One scores how exposed a host is to known vulnerabilities; the other scores how well a single Windows machine is hardened. They answer different questions and read well side by side.

Question 5

How much does WinSentinel cost compared to OpenVAS?

Accepted Answer

Both have a free, open-source core. OpenVAS is the free GPL scanner at the heart of the Greenbone Community Edition, which you self-host (Greenbone also sells commercial appliances and the enterprise feed). WinSentinel is free for unlimited use on a single machine - all 33 audit modules, the real-time monitor, scheduled scans and PDF reports, with no account or server to run. The real cost difference is operational: OpenVAS means standing up and maintaining a Greenbone server and feed; WinSentinel is one command and runs locally. WinSentinel Pro - which adds fleet management across many machines - is $29/mo for up to 25 nodes or $79/mo for up to 100 nodes, with annual billing saving 17%. Many teams run a network scanner like OpenVAS to find CVEs across the estate and WinSentinel to harden each Windows machine.

Question 6

Does WinSentinel need a server like Greenbone does?

Accepted Answer

No. OpenVAS runs as part of a Greenbone stack - a scanner, a manager, a feed of vulnerability tests and a web UI you deploy and keep updated, usually on a dedicated Linux host or appliance, then scan other machines from it. WinSentinel is a single CLI you install on the Windows machine itself; it runs locally in about 30 seconds with no server, no account and no network exposure. That makes WinSentinel trivial to run on one laptop or workstation, while a network scanner is built to sweep many hosts from a central point - another reason the two complement each other.

Question 7

Does it only work on Windows?

Accepted Answer

Yes. WinSentinel is built specifically for Windows 10 and Windows 11 (and Windows Server). It uses native Windows APIs to audit configuration that a network scanner can only infer remotely, which is why its hardening checks are deeper on Windows. OpenVAS is platform-agnostic: it scans anything with an IP - Windows, Linux, network gear, appliances - for known vulnerabilities, which is a strength for sweeping a mixed network but means it is not a Windows-specialised hardening tool.

Capability	WinSentinel	OpenVAS / Greenbone
Primary Purpose	Security hardening & compliance	Network vulnerability scanning (CVEs)
Security Posture Score	✓ 0-100 config score with grade (A-F)	CVSS risk per host, not a config score
Built-in Hardening Checks	✓ 33 audit modules out of the box	✗ CVE/patch tests, not config hardening
Auto-Remediation	✓ One-click fix for findings	✗ Reports only, no remediation
Compliance Mapping	✓ CIS, SOC2, HIPAA, Essential 8	CVE/CVSS reporting; some policy scans
CVE / Missing-Patch Detection	Flags missing updates only	✓ Core strength (100k+ NVTs)
How It Runs	✓ On the machine, locally	Scans hosts over the network
Server / Infrastructure	✓ None — single CLI	✗ Greenbone server + feed to maintain
Misconfiguration Detection	✓ SMBv1, BitLocker, UAC, firewall…	Limited; mostly with credentialed scans
Cross-Platform	Windows-specialised (10/11/Server)	✓ Any host with an IP
Real-Time Monitoring	✓ Continuous agent mode	Scheduled scans, not continuous
Setup Time	✓ One command, ~30 seconds	Deploy & update a Greenbone stack
Open Source	✓ MIT licensed	✓ GPL (Greenbone Community)
Local-Only / No Account	✓ Runs fully offline, no signup	Self-hosted; no SaaS account needed
CI/CD Integration	✓ GitHub Action + SARIF	Scriptable via GMP API

WinSentinel vs OpenVAS

Pricing Comparison

WinSentinel Free

OpenVAS / Greenbone

When WinSentinel is the right tool

When OpenVAS makes sense

What WinSentinel hardens that a CVE scan won't flag

See your Windows security score in 30 seconds.