Joe’s assignment is best described as network-based vulnerability scanning because the scan is mapping open ports and active services across multiple servers and identifying weaknesses visible through network exposure, such as unnecessary services, weak encryption configurations on network services, and authentication-related flaws reachable over the network. Network-based scanning focuses on discovering and evaluating network-accessible entry points by probing hosts and services, enumerating versions/configurations, and correlating findings to known weaknesses.

The scenario highlights that the scan “identifies open ports and active services throughout the environment,” producing “a clear map of potential entry points.” That is the core outcome of network-based scanning: a view of the organization’s externally or internally reachable services, where each listening port represents a possible attack path. From there, scanners can detect issues like outdated service versions (implying missing patches), insecure protocols (e.g., weak TLS ciphers), default credentials, and exposed administrative interfaces.

Why the other options are less accurate:

External scanning (B) refers to a scan performed from outside the organization’s perimeter. The scenario says he is scanning across organizational infrastructure and focuses on multiple servers; it doesn’t specify “from the Internet,” so “external” is not the best classification.

Application scanning (C) targets web applications or specific application-layer logic (e.g., SQLi, XSS, auth bypass). Joe’s focus is broader infrastructure exposure and service/port mapping.

Host-based scanning (D) typically involves local, credentialed inspection on the host (patch inventory, local config files, registry) rather than primarily mapping ports/services across many systems. While host-based scanning is valuable, the described output is network entry-point mapping.

Therefore, the scan type that best matches Joe’s task is A. Network-based Scanning.