Vulnerability Scanner
What the scanner checks
Port & service discovery
We scan the top 1000 ports (TCP) and identify:
- Service name and version (via banner grabbing)
- Whether the service should be exposed or is misconfigured
- Known CVEs for that service version
Risk ratings for common exposed services:
| Service | Port | Risk if public |
|---|---|---|
| SSH | 22 | Medium — brute force surface |
| MySQL | 3306 | Critical — database exposed |
| Redis | 6379 | Critical — often unauthenticated |
| MongoDB | 27017 | Critical — often no auth |
| Elasticsearch | 9200 | High — data exposure |
| phpMyAdmin | 80/443 | High — brute force / exploits |
| RDP | 3389 | High — ransomware vector |
| FTP | 21 | High — cleartext credentials |
CVE matching
After identifying services and versions, we cross-reference against:
- NVD (National Vulnerability Database)
- MITRE CVE feed
- ExploitDB for publicly known exploits
- WPScan DB (WordPress-specific)
Results include:
- CVE ID
- CVSS score (0–10) and severity label
- Whether a public exploit exists
- Remediation guidance
DNS security
| Check | What we verify |
|---|---|
| SPF | Valid record exists, ~all or -all qualifier |
| DKIM | Selector present, valid signature |
| DMARC | Policy present (quarantine or reject preferred) |
| CAA | Certificate Authority Authorization record |
| DNSSEC | Signed and validated |
| Zone transfer | AXFR restricted |
Scan frequency
| Trigger | When |
|---|---|
| Manual | On-demand from Scanner page |
| Scheduled | Daily (Pro) or weekly (Free) |
| On new resource | Automatically on integration sync |
| On CVE publish | When a new CVE matches your software |
The scanner runs from dedicated egress IPs. You can allowlist them in your firewall to ensure scans always complete. Find the IPs in Settings → Scanner IPs.