Choosing a vulnerability scanning vendor is not as difficult as you may think.
The first option is to go to a security consultancy shop and ask for their vulnerability assessment service.
All consulting firms and IT consultancy shops offer one product or another; the most common ones are PwC, Deloitte & Touche, Ernst & Young, KPMG, and Grant Thornton LLP.
To verify the efficiency of the vulnerability scanner, you should:
See for yourself how the consultants perform the scan. You are choosing the consultants, not the brand.
Check the documents detailing the steps provided by the consultancy shop (for example, ask for a report) to make sure that the structure is detailed enough for your own needs.
Ask for references and feedback from their past and current customers.
The second option you have is to use regular vulnerability scanner products that are sold in boxes.
These products require your own resources but the advantage is that you can automate scheduled or event driven scans.
To verify the efficiency of the vulnerability scanner, you should:
Research the integrity of the vendor: are they using public data or their own vulnerability research information? And so on.
Check whether the vendor supports custom signatures and third-party signatures.
Make sure that the product is easy to use and to configure before buying it.
Ensure that the product is able to understand network topology (for example, hosts behind a firewall, hosts that are not routable, or hosts that have a host firewall, etc.).
IMPORTANT: The scans must be non-intrusive.
The product must work fast enough to scan a large quantity of hosts within a limited time frame.
There is a third option: Find an "in the cloud" service offering from product companies or specialists.
Major product vendors have recently joined the long list of on-demand remote scanning providers.
It is also crucial that the scanner vendors support an internal scanning device that does not require a lot of attention, firewall configuration, or other work. Self-service providers should have state-of-the-art portal interfaces that manage your scans effectively and quickly. You must test the portals before moving forward.