What is the first step followed by Vulnerability Scanners when scanning a network?

Vulnerability scanning starts with identifying which hosts are actually up on the network. Before a scanner checks for weaknesses, it needs to know what machines exist and are reachable, so it doesn’t waste time probing dead hosts. This is done through host discovery methods like ICMP echo (ping), ARP requests on local segments, or TCP-based probes to common ports. If a host replies, it’s marked as alive and then the scanner proceeds to subsequent steps such as port scanning, service detection, and vulnerability checks. In networks where ping is blocked, the scanner can still infer alive hosts by other probes or by observing responses to various checks. Once the live hosts are known, later actions like enumerating accounts, password cracking, or broad port sweeps become meaningful tasks.