Exposure Scanner Guide
Comprehensive attack surface audit for every node
What the Scanner Checks
The Exposure Scanner runs 20 categories of checks against each node's public IP address. Checks are non-intrusive and designed to identify DDoS attack surface vulnerabilities, not penetrate the system.
| # | Category | What it checks |
|---|---|---|
| 1 | Open Ports | TCP/UDP port scan for unnecessary listening services |
| 2 | Amplification | UDP services exploitable for reflection/amplification (DNS, NTP, SSDP, Memcached, Chargen, SNMP) |
| 3 | DNS Configuration | Open resolver, zone transfer, DNSSEC status |
| 4 | HTTP Headers | Missing security headers (X-Frame-Options, CSP, HSTS, etc.) |
| 5 | SSL/TLS | Certificate validity, protocol version, cipher strength, chain completeness |
| 6 | Proxy/CDN | Whether the IP is behind a CDN or reverse proxy (Cloudflare, AWS CloudFront, Akamai) |
| 7 | Network Services | SNMP community strings, SSDP, mDNS, NTP mode 6/7 |
| 8 | IP Reputation | DNSBL lookups across multiple blocklists |
| 9 | Shodan InternetDB | Passive recon from Shodan's free InternetDB (no API key required) |
| 10 | Rate Limiting | HTTP rate-limit header detection (X-RateLimit-*, Retry-After) |
| 11 | SSH Security | SSH protocol version, key exchange algorithms, cipher audit, banner analysis |
| 12 | Service Banners | Version detection on open ports (identifies outdated software) |
| 13 | Email Security | SPF, DMARC, DKIM records via DNS; CAA records |
| 14 | Firewall Detection | Filtered vs closed port heuristics (are dropped packets visible?) |
| 15 | DNS Extended | DNSSEC validation chain, CAA records for certificate authority |
| 16 | Web Discovery | Sensitive paths (/.env, /.git/, /server-status), tech fingerprinting, directory listing |
| 17 | Web Security | Cookie flags (Secure, HttpOnly, SameSite), CORS policy, info disclosure, debug pages |
| 18 | Database Exposure | Unauthenticated access to MySQL, MongoDB, Elasticsearch, Redis |
| 19 | FTP Security | Anonymous login, bounce attack susceptibility |
| 20 | CVE Checks | Known vulnerability fingerprinting from service versions and banners |
Running a Scan
Go to Dashboard → Exposure Check. Click any node card to select it, then click Run Scan. The scan runs in the background and takes 60-120 seconds depending on the number of open ports.
Progress is shown as a percentage bar with the current check category displayed below it. Results appear automatically when the scan completes.
Understanding Results
Each scan produces:
- Score (0-100): Higher is better. Represents the overall security posture of the node.
- Grade (A-F): Derived from the score: A (90-100), B (75-89), C (60-74), D (40-59), F (0-39).
- Findings: Individual check results, each with a severity level and actionable recommendation.
Severity Levels
| Severity | Meaning | Example |
|---|---|---|
| Critical | Immediately exploitable for DDoS amplification or data exposure | Open DNS resolver, unauthenticated Redis, anonymous FTP |
| Warning | Increases attack surface but not immediately exploitable | Outdated TLS version, missing HSTS header, weak SSH ciphers |
| Info | Informational finding, no immediate risk | Server version detected in banner, no rate limiting headers |
| Pass | Check passed with no issues | Valid SSL certificate, no open amplification vectors |
Remediation Guidance
Every critical and warning finding includes a Recommendation section with specific remediation steps. For example, if the scanner detects an open DNS resolver on port 53:
Scheduling Recurring Scans
The auto-scan interval is configurable per workspace. Go to Dashboard → Exposure Check and use the Auto-Scan dropdown in the top-right corner:
| Interval | Value |
|---|---|
| Daily | 1 |
| Every 3 days | 3 |
| Weekly (default) | 7 |
| Every 2 weeks | 14 |
| Monthly | 30 |
Recurring scans are run by a background cron job. Results appear on each node card with grade badges, and stale scans (older than 7 days) are flagged with an orange "Stale" badge.
API Access to Scan Results
Scan results are available via the dashboard API. All endpoints require authentication.
Get Latest Results for All Nodes
Returns all nodes with their most recent scan grade, score, and finding counts.
Get Detailed Findings for a Scan
Returns the full scan record plus all findings (category, severity, title, description, recommendation).
Get Scan History for a Node
Returns the last 20 scans for a node with grade, score, and timestamps. Use this to track security posture over time.
Trigger a New Scan
Returns the new scan ID. Poll action=status&scan_id=X for progress updates (0-100%).
Exporting Reports
Click Export Report on any completed scan to generate a printable HTML report with all findings, severity badges, and remediation guidance. Use your browser's print function to save as PDF.