DefectDojo vs Greenbone vs Faraday: Best Self-Hosted Vulnerability Management 2026

Vulnerability management is the backbone of any serious security program. Rather than running scanners in isolation and drowning in CSV reports, a dedicated vulnerability management platform aggregates findings from multiple sources, deduplicates results, tracks remediation progress, and generates compliance-ready reports — all from a single self-hosted dashboard.

In this guide, we compare three leading open-source vulnerability management platforms you can deploy on your own infrastructure: OWASP DefectDojo, Greenbone Community Edition (the open-source successor to openVAS), and Faraday IDE. Each takes a different approach to vulnerability management, and the right choice depends on your team size, workflow, and security maturity.

Why Self-Host Vulnerability Management

Running vulnerability management on SaaS platforms means sending your scan results, asset inventories, and remediation data to third-party servers. For organizations in regulated industries (finance, healthcare, government), this creates compliance and data sovereignty risks.

Self-hosted vulnerability management gives you:

• Full data control — scan results, asset data, and remediation timelines never leave your infrastructure
• No per-seat licensing — open-source platforms scale with your team without per-user costs
• Custom integrations — hook into your internal ticketing systems, SIEM, and CI/CD pipelines
• Air-gapped operation — run in isolated environments with no external connectivity required
• Audit-ready reporting — generate compliance reports (SOC 2, ISO 27001, PCI DSS) on your own schedule

For teams already running self-hosted threat intelligence platforms or secrets scanning pipelines, adding a vulnerability management platform completes the security testing stack.

OWASP DefectDojo

GitHub: DefectDojo/django-DefectDojo · Stars: 4,641 · Language: Python/HTML · Updated: April 2026

DefectDojo is the most widely adopted open-source vulnerability management platform. Originally developed by DevSecure, it became an OWASP Flagship Project and is now used by organizations ranging from startups to Fortune 500 companies.

Architecture

DefectDojo follows a microservices architecture:

• Django backend — REST API, authentication, business logic
• Celery workers — async task processing for imports and integrations
• PostgreSQL — primary data store for findings, engagements, and products
• Redis — task queue and cache
• uWSGI/nginx — web server and reverse proxy

Key Features

• 120+ parser integrations — imports results from nearly every security tool (SAST, DAST, SCA, container scanners, infrastructure scanners)
• Product/Engagement/Testing hierarchy — organize findings by application, project, and scan instance
• Deduplication engine — automatically deduplicates findings across scans using configurable algorithms
• Jira, GitHub, GitLab, Slack integration — push findings to ticketing systems and notify teams
• Metrics dashboard — track MTTR, finding trends, and compliance posture over time
• RBAC — role-based access control with user, team, and product-level permissions
• API-first — comprehensive REST API for automation and CI/CD integration

docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

services:
  defectdojo:
    image: defectdojo/defectdojo-django:latest
    command: uwsgi --ini /app/docker/entrypoint_scripts/uwsgi.ini
    volumes:
      - media_root:/app/media
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:defectdojo@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=redis://redis:6379/0
      - DD_CELERY_BROKER_SCHEME=redis
      - DD_SECRET_KEY=replace-with-a-secure-random-key
      - DD_CREDENTIAL_AES_256_KEY=replace-with-another-secure-key
    depends_on:
      - postgres
      - redis
      - celerybeat
      - celeryworker
    ports:
      - "8080:8080"

  celeryworker:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo worker --loglevel=info --pool=solo
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:defectdojo@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=redis://redis:6379/0
      - DD_SECRET_KEY=replace-with-a-secure-random-key
      - DD_CREDENTIAL_AES_256_KEY=replace-with-another-secure-key
    depends_on:
      - postgres
      - redis

  celerybeat:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo beat --loglevel=info
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:defectdojo@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=redis://redis:6379/0
      - DD_SECRET_KEY=replace-with-a-secure-random-key
    depends_on:
      - postgres
      - redis

  postgres:
    image: postgres:16-alpine
    environment:
      - POSTGRES_DB=defectdojo
      - POSTGRES_USER=defectdojo
      - POSTGRES_PASSWORD=defectdojo
    volumes:
      - postgres_data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine

volumes:
  postgres_data:
  media_root:

1
2
3
4
5

# Start DefectDojo
docker compose up -d

# Default credentials: admin / admin (change immediately)
# Access at http://localhost:8080

When to Choose DefectDojo

DefectDojo is the best choice when you need to aggregate results from many different scanners into a single platform. Its 120+ parsers mean you can import findings from Trivy, Nuclei, ZAP, Semgrep, SonarQube, Nessus, Burp Suite, and dozens more — all into one unified dashboard. If your security program involves multiple tool categories (SAST, DAST, SCA, container scanning, infrastructure scanning), DefectDojo’s aggregation and deduplication capabilities make it the clear winner.

Greenbone Community Edition (openVAS)

GitHub: greenbone/gvmd · Stars: 357 (gvmd), 4,545 (scanner) · Language: C/Rust · Updated: April 2026

Greenbone Community Edition (formerly known as openVAS — Open Vulnerability Assessment System) is the most mature open-source vulnerability scanner and management platform. It combines a network vulnerability scanner (openVAS Scanner), a management daemon (gvmd), and a web interface (Greenbone Security Assistant) into a complete vulnerability assessment solution.

Architecture

Greenbone CE is a tightly integrated stack:

• openVAS Scanner — network vulnerability scanner with 88,000+ NVTs (Network Vulnerability Tests)
• gvmd (Greenbone Vulnerability Manager) — management daemon handling scan scheduling, result storage, and reporting
• GSA (Greenbone Security Assistant) — web-based user interface
• PostgreSQL — configuration and result database
• Redis — scanner communication and NVT caching
• Notus Scanner — product detection for installed software on scanned hosts

Key Features

• 88,000+ NVTs — one of the largest open-source vulnerability test databases, updated daily via Greenbone Community Feed
• Built-in scanning — no external scanner needed; the platform includes its own network vulnerability scanner
• Credential-based scanning — authenticate to target hosts via SSH/SMB for deeper vulnerability detection
• Compliance reporting — generate reports aligned with IT-Grundschutz, BSI, and ISO 27001
• Scan configurations — predefined scan profiles (fast, full, discovery) with customizable NVT selection
• Target and asset management — organize hosts, credentials, and scan targets
• Scheduled scanning — run recurring scans on a timetable

Docker Compose Deployment

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111

services:
  vulnerability-tests:
    image: greenbone/vulnerability-tests
    environment:
      - STORAGE_PATH=/var/lib/openvas/22.04
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: greenbone/notus-data
    volumes:
      - notus_data_vol:/mnt

  scap-data:
    image: greenbone/scap-data
    volumes:
      - scap_data_vol:/mnt

  cert-bund:
    image: greenbone/cert-bund
    volumes:
      - cert_data_vol:/mnt

  dfn-cert:
    image: greenbone/dfn-cert
    volumes:
      - cert_data_vol:/mnt

  data-objects:
    image: greenbone/data-objects
    volumes:
      - data_objects_vol:/mnt

  redis-server:
    image: greenbone/redis-server
    volumes:
      - redis_socket_vol:/run/redis/
    depends_on:
      - vulnerability-tests
      - notus-data
      - scap-data
      - cert-bund
      - dfn-cert
      - data-objects

  pg-gvm:
    image: greenbone/pg-gvm
    environment:
      - POSTGRES_PASSWORD=gvm
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/run/postgresql

  gvmd:
    image: greenbone/gvmd
    environment:
      - POSTGRES_PASSWORD=gvm
      - GVMD_DEBUG=1
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas
      - psql_socket_vol:/run/postgresql
    depends_on:
      - pg-gvm
      - scap-data
      - cert-bund
      - dfn-cert
      - data-objects

  gsa:
    image: greenbone/gsa
    ports:
      - "8080:80"
    volumes:
      - gvmd_data_vol:/var/lib/gvm
    depends_on:
      - gvmd

  ospd-openvas:
    image: greenbone/ospd-openvas
    cap_add:
      - NET_ADMIN
      - NET_RAW
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    volumes:
      - vt_data_vol:/var/lib/openvas
      - notus_data_vol:/var/lib/notus
      - redis_socket_vol:/run/redis/
    depends_on:
      - redis-server
      - scap-data
      - cert-bund
      - dfn-cert
      - data-objects
      - notus-data

volumes:
  vt_data_vol:
  notus_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  redis_socket_vol:
  psql_data_vol:
  psql_socket_vol:
  gvmd_data_vol:

1
2
3
4
5

# Start Greenbone CE (initial feed sync takes 15-30 minutes)
docker compose up -d

# Default credentials: admin / admin
# Access at http://localhost:8080

When to Choose Greenbone

Greenbone is the right choice when you need an all-in-one vulnerability scanning and management solution with the largest open-source vulnerability test database. Unlike DefectDojo (which aggregates results from external scanners), Greenbone performs the scanning itself. If your goal is to run regular network vulnerability assessments without purchasing a commercial scanner license, Greenbone Community Edition provides enterprise-grade scanning capabilities at zero cost. For teams that also want to aggregate results from other tools, Greenbone’s results can be exported and imported into DefectDojo for unified management.

Faraday IDE

GitHub: infobyte/faraday · Stars: 6,336 · Language: Python · Updated: April 2026

Faraday IDE (formerly FaradaySec) is an open-source multi-user security collaboration platform designed for penetration testers and red teams. It focuses on organizing, visualizing, and sharing findings from security assessments in real time. While DefectDojo targets vulnerability management at the organizational level, Faraday targets the penetration testing workflow.

Architecture

• Faraday Server — PostgreSQL-backed backend with REST API
• Faraday Web — modern React-based web interface
• Faraday Agent — optional distributed scanning agent for remote execution
• Plugins — 80+ tool integrations for importing results from security tools

Key Features

• Multi-user collaboration — real-time workspace sharing for penetration testing teams
• 80+ tool integrations — import results from Nmap, Burp Suite, Nessus, ZAP, Metasploit, Nikto, and more
• Vulnerability templates — customizable vulnerability definitions with CVSS scoring, remediation advice, and custom fields
• Workspace organization — separate workspaces per engagement or client
• Executive and technical reports — generate PDF/HTML reports with charts, graphs, and vulnerability summaries
• Host and service mapping — automatic topology visualization of discovered hosts and services
• API and CLI — automate imports, exports, and workspace management

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

services:
  faraday:
    image: faradaysec/faraday:latest
    environment:
      - FARADAY_SERVER_USER=admin
      - FARADAY_SERVER_PASS=changeme-secure-password
    volumes:
      - faraday_data:/home/faraday/.faraday
    ports:
      - "5985:5985"
      - "5986:5986"

  faraday-postgres:
    image: postgres:15-alpine
    environment:
      - POSTGRES_DB=faraday
      - POSTGRES_USER=faraday
      - POSTGRES_PASSWORD=faraday-secure-pg
    volumes:
      - pg_data:/var/lib/postgresql/data

volumes:
  faraday_data:
  pg_data:

1
2
3
4
5

# Start Faraday
docker compose up -d

# Access web interface at http://localhost:5985
# CLI: faraday-manage createsuperuser

When to Choose Faraday

Faraday is the best choice for penetration testing teams that need real-time collaboration during security assessments. Its workspace model, host/service visualization, and report generation are designed around the penetration testing workflow — not continuous vulnerability monitoring. If your primary use case is running periodic penetration tests and sharing findings among team members, Faraday’s collaboration features and report templates make it more suitable than DefectDojo or Greenbone.

Comparison Table

Choosing the Right Platform

Your choice depends on your team’s primary workflow:

• Security engineering / AppSec teams → DefectDojo. If you run SAST, DAST, SCA, and container scanners in CI/CD pipelines and need a single dashboard to track all findings, DefectDojo’s aggregation and deduplication capabilities are unmatched. It pairs well with SBOM tracking pipelines for a complete software supply chain security posture.

• Infrastructure / operations teams → Greenbone CE. If you need to regularly scan your network, servers, and cloud infrastructure for known vulnerabilities without buying a commercial scanner, Greenbone provides the most comprehensive open-source scanning engine available.

• Penetration testing / red teams → Faraday IDE. If your team conducts periodic security assessments and needs to collaborate in real time, share workspaces, and generate client-facing reports, Faraday’s workflow is purpose-built for this use case.

Many mature security operations use a combination: Greenbone for infrastructure scanning, with results imported into DefectDojo alongside SAST and SCA findings for unified tracking and remediation management.

FAQ

What is the difference between vulnerability scanning and vulnerability management?

Vulnerability scanning is the process of actively probing systems to discover security weaknesses (e.g., openVAS, Nmap, Trivy). Vulnerability management is the broader process of tracking, prioritizing, assigning, and remediating those findings over time. A scanner finds vulnerabilities; a management platform ensures they get fixed. DefectDojo and Faraday are management platforms that aggregate results from scanners. Greenbone combines both scanning and management in a single platform.

Can I use DefectDojo with Greenbone?

Yes. This is a common pattern: run Greenbone Community Edition for infrastructure vulnerability scanning, then export the scan results and import them into DefectDojo. DefectDojo has a built-in Greenbone/GVM parser, so the import is seamless. This gives you Greenbone’s scanning power combined with DefectDojo’s aggregation, deduplication, and Jira integration.

How many users do these platforms support?

All three platforms support multiple concurrent users. DefectDojo uses role-based access control (RBAC) with product-level permissions, making it suitable for large organizations with hundreds of users. Greenbone supports user accounts with configurable roles. Faraday supports multi-user workspaces with real-time collaboration, designed for penetration testing teams of 5-20 people.

Do these platforms support CVSS scoring?

Yes, all three support CVSS v2 and v3 scoring. DefectDojo automatically calculates CVSS scores from imported findings. Greenbone includes CVSS scores in its NVT definitions and scan results. Faraday allows you to set custom CVSS scores and vulnerability severity classifications through its template system.

Which platform is easiest to deploy with Docker?

Faraday IDE has the simplest Docker deployment (2 containers). DefectDojo requires 6 containers (backend, workers, beat, PostgreSQL, Redis, and optionally Nginx). Greenbone CE is the most complex with 10+ containers for its various components (scanner, gvmd, GSA, PostgreSQL, Redis, feed sync). However, all three can be deployed with a single docker compose up -d command once the compose files are configured.

Are these platforms suitable for compliance reporting?

Yes. DefectDojo generates reports for SOC 2, ISO 27001, PCI DSS, and custom compliance frameworks. Greenbone CE includes built-in compliance reports for IT-Grundschutz, BSI standards, and ISO 27001. Faraday generates customizable PDF and HTML reports suitable for client deliverables and internal audit documentation.