Exposure Scanning
On-demand and scheduled vulnerability scans: open ports, amplification risk, TLS/SSH hardening, and 10 active CVE checks
Overview
Exposure Scanning performs automated security assessments of your nodes directly from the Flowtriq agent. Each scan runs locally on the monitored server, so results reflect the node's actual listening surface rather than the partial view a remote probe gets through network filtering.
Scans cover 7 categories with 40+ individual checks, including 10 CVE-specific checks sourced from the NIST NVD and CISA Known Exploited Vulnerabilities (KEV) catalog.
Scan Categories
| Category | What is checked |
|---|---|
| Open Ports | All listening TCP/UDP ports, identifying unnecessary exposure (e.g. databases, admin UIs open to 0.0.0.0) |
| Amplification Risk | UDP services that can be used for amplification attacks: DNS (53), NTP (123), Memcached (11211), SSDP (1900), CharGen, TFTP |
| TLS / SSL | Certificate validity and expiry, protocol versions (SSLv3/TLSv1.0/TLSv1.1 flagged), weak ciphers, HSTS, OCSP stapling |
| SSH Hardening | Root login enabled, password auth enabled, port 22 open, weak key-exchange (kex) algorithms, CBC cipher modes |
| HTTP Security Headers | Missing X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy, HSTS |
| System Configuration | IP forwarding, ICMP redirects, source routing, kernel hardening sysctl values |
| CVE Checks | 10 active CVE checks for software versions detected on the system (see below) |
CVE Checks
Flowtriq checks for 10 actively exploited or high-impact CVEs sourced from NIST NVD and the CISA KEV catalog. The scanner detects installed software versions and flags those that fall inside a CVE's affected version range:
| CVE | Affected Software | Severity |
|---|---|---|
| CVE-2021-44228 | Log4Shell (Apache Log4j 2.x) | Critical |
| CVE-2021-45046 | Log4j 2.x (bypass of 44228 fix) | Critical |
| CVE-2022-0847 | Dirty Pipe (Linux kernel < 5.16.11) | High |
| CVE-2021-4034 | PwnKit (polkit pkexec) | High |
| CVE-2023-44487 | HTTP/2 Rapid Reset (nginx/Apache) | High |
| CVE-2024-3094 | XZ Utils backdoor (liblzma 5.6.0-5.6.1) | Critical |
| CVE-2023-23397 | Microsoft Outlook NTLM relay | Critical |
| CVE-2024-21762 | Fortinet FortiOS SSL-VPN RCE | Critical |
| CVE-2025-24813 | Apache Tomcat partial PUT RCE | Critical |
| CVE-2026-41940 | cPanel WHM API authentication bypass | Critical |
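The version-range matching this table implies, as an added illustration (not Flowtriq's own code). The `AffectedRange` table, package names and sample inventory are constructed; the two ranges use the bounds stated in the table above (kernel below 5.16.11, liblzma 5.6.0 to 5.6.1). It exists mainly to show the caveat any version-based CVE check carries: distributions backport fixes without changing the upstream version string, so a match is a lead to confirm against the distro advisory, not proof of exposure.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    package: str
    severity: str
    min_inclusive: Optional[str]   # None: no lower bound
    max_exclusive: Optional[str]   # None: no upper bound


# Constructed table using the bounds the CVE table above states. Real NVD CPE data
# carries several fixed branches (e.g. stable kernel series) and distros backport
# fixes without changing the upstream version, so treat a match as a lead to confirm.
AFFECTED = [
    AffectedRange("CVE-2022-0847", "linux-kernel", "high", None, "5.16.11"),
    AffectedRange("CVE-2024-3094", "liblzma", "critical", "5.6.0", "5.6.2"),  # 5.6.0-5.6.1 inclusive
]


def parse_version(s):
    """'5.15.0-91-generic' -> (5, 15, 0). Only the leading dotted numeric part is
    compared; distro suffixes such as '-1ubuntu1' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version, r):
    """True when version lies in [min_inclusive, max_exclusive) of the range r."""
    v = parse_version(version)
    if r.min_inclusive is not None and v < parse_version(r.min_inclusive):
        return False
    if r.max_exclusive is not None and v >= parse_version(r.max_exclusive):
        return False
    return True


def match_cves(detected):
    """detected maps package name -> version string, as gathered from `uname -r`
    or the package manager. Returns records in the finding format used on this page."""
    findings = []
    for pkg, ver in detected.items():
        for r in AFFECTED:
            if r.package == pkg and is_affected(ver, r):
                findings.append({
                    "severity": r.severity,
                    "category": "cve",
                    "title": f"{r.cve} affects {pkg}",
                    "detail": f"{pkg} {ver} is inside the affected range",
                    "remediation": f"Upgrade {pkg} past the fixed version; confirm against the "
                                   "distribution's advisory in case the fix was backported",
                })
    return findings


# Constructed sample inventory, not data from a real host.
SAMPLE_INVENTORY = {"linux-kernel": "5.15.0-91-generic", "liblzma": "5.6.1-1", "nginx": "1.24.0"}

if __name__ == "__main__":
    for f in match_cves(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['title']}: {f['detail']}")
```

Run as-is it reports both the kernel and liblzma entries. The kernel hit is the instructive one: a distribution kernel in the 5.15 series typically carries the backported Dirty Pipe fix, yet a pure upstream-version comparison still flags it. That is why the remediation text points at the distro advisory rather than treating the match as confirmed.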
Running a Scan
Go to Dashboard → Exposure and click Run Scan on any node. Scans take 30–90 seconds depending on the number of open services.
Scheduled Scans
Configure automatic rescans on a schedule from the Exposure dashboard:
- Schedules available: every 6 hours, 12 hours, 24 hours, 48 hours, or weekly
- Results are stored per-node with full history
- An alert notification fires when new findings appear (configurable per severity)
Alert Notifications
When a scheduled scan finds issues that were not present in the previous scan, Flowtriq sends an alert to all configured channels. The alert payload includes:
- Node name and scan timestamp
- Count of new findings by severity (critical, high, medium, info)
- Top 3 new findings with description and remediation link
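How the delta between two scheduled scans turns into the payload above, as an added example rather than Flowtriq's code. The finding identity (category, title and detail together), the `min_severity` threshold standing in for the per-severity configuration, and the two sample scan results are all constructed assumptions.

```python
from collections import Counter

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def finding_key(f):
    """Identity of a finding across scans (assumed choice: category, title and
    detail together, so a changed port or version shows up as a new finding)."""
    return (f["category"], f["title"], f["detail"])


def new_findings(previous, current, min_severity="info"):
    """Findings in `current` whose key was absent from `previous`, at or above min_severity."""
    seen = {finding_key(f) for f in previous}
    threshold = SEVERITY_ORDER[min_severity]
    return [f for f in current
            if finding_key(f) not in seen and SEVERITY_ORDER[f["severity"]] <= threshold]


def build_alert(node, scanned_at, previous, current, min_severity="info", top_n=3):
    """Return the alert payload described above, or None when nothing is new."""
    new = new_findings(previous, current, min_severity)
    if not new:
        return None
    counts = Counter(f["severity"] for f in new)
    # sorted() is stable, so findings at the same severity keep their scan order
    ranked = sorted(new, key=lambda f: SEVERITY_ORDER[f["severity"]])
    return {
        "node": node,
        "scanned_at": scanned_at,
        "new_by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "top_findings": [{"severity": f["severity"], "title": f["title"],
                          "remediation": f["remediation"]} for f in ranked[:top_n]],
    }


# Constructed sample scan results, not real output. The MySQL finding persists,
# the HSTS finding was fixed in between, and four findings are new.
PREV_SCAN = [
    {"severity": "high", "category": "open_ports", "title": "MySQL listening on all interfaces",
     "detail": "mysqld bound to 0.0.0.0:3306", "remediation": "Bind to 127.0.0.1"},
    {"severity": "info", "category": "http_headers", "title": "HSTS header missing",
     "detail": "nginx on :443", "remediation": "Add Strict-Transport-Security"},
]
CUR_SCAN = [
    PREV_SCAN[0],
    {"severity": "critical", "category": "cve", "title": "CVE-2024-3094 affects liblzma",
     "detail": "liblzma 5.6.1", "remediation": "Upgrade liblzma to an unaffected release"},
    {"severity": "high", "category": "amplification_risk", "title": "NTP exposed on UDP/123",
     "detail": "ntpd bound to 0.0.0.0:123", "remediation": "Firewall UDP/123 to trusted sources"},
    {"severity": "high", "category": "ssh", "title": "Root login permitted over SSH",
     "detail": "PermitRootLogin yes", "remediation": "Set PermitRootLogin no"},
    {"severity": "medium", "category": "system_config", "title": "net.ipv4.ip_forward is 1",
     "detail": "expected 0", "remediation": "Set net.ipv4.ip_forward=0"},
]

if __name__ == "__main__":
    import json
    # Timestamp is a constructed sample value.
    print(json.dumps(build_alert("web-01", "2024-01-01T00:00:00Z", PREV_SCAN, CUR_SCAN), indent=2))
```

Keying on detail as well as title is a deliberate trade-off: it means a database that moves from port 3306 to 3307 re-alerts, which is usually what an operator wants, at the cost of a duplicate alert when only a version string in the detail changes. A resolved finding (the HSTS one here) produces no alert; tracking resolutions would be a separate diff in the other direction.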
Findings Format
Each finding includes:
| Field | Description |
|---|---|
| severity | critical / high / medium / info |
| category | Scan category (e.g. amplification_risk, tls, cve) |
| title | Short description of the finding |
| detail | Technical detail (e.g. service version, port number, CVE ID) |
| remediation | Suggested fix or hardening action |
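A small local-read scanner covering three of the categories from the Scan Categories table (open ports and amplification risk from `ss` output, SSH hardening from `sshd_config`, kernel sysctl values) and emitting records in the finding format above. This is an added example and not Flowtriq's scanner; the category identifiers `open_ports`, `ssh` and `system_config`, the sensitive-port shortlist, the hardening values and every sample input are constructed assumptions (`amplification_risk` is the one identifier the page itself shows). Like the product's checks it only reads existing state and sends nothing on the network.

```python
import re

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}          # binds reachable on every interface
# Constructed shortlist of services that should rarely listen on all interfaces.
SENSITIVE_TCP = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch"}
# UDP amplifiers from the categories table (CharGen is port 19, TFTP is port 69).
AMPLIFIERS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 19: "CharGen", 69: "TFTP"}
# Assumed secure sysctl values; ip_forward=1 is legitimate on routers and container hosts.
HARDENING = {"net.ipv4.ip_forward": "0",
             "net.ipv4.conf.all.accept_redirects": "0",
             "net.ipv4.conf.all.accept_source_route": "0"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def finding(severity, category, title, detail, remediation):
    """Build one record in the finding format documented above."""
    return {"severity": severity, "category": category, "title": title,
            "detail": detail, "remediation": remediation}


def parse_ss(output):
    """Parse `ss -H -tulnp` style lines into (proto, address, port, process)."""
    rows = []
    for line in output.strip().splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, port = parts[4].rsplit(":", 1)
        m = re.search(r'\("([^"]+)"', parts[6]) if len(parts) > 6 else None
        rows.append((parts[0], addr, int(port), m.group(1) if m else "?"))
    return rows


def check_ports(rows):
    out = []
    for proto, addr, port, proc in rows:
        if addr not in WILDCARDS:
            continue  # loopback or single-interface binds are not internet-facing
        where = f"{proc} bound to {addr}:{port}"
        if proto == "udp" and port in AMPLIFIERS:
            out.append(finding("high", "amplification_risk", f"{AMPLIFIERS[port]} exposed on UDP/{port}", where,
                               "Firewall the port to trusted sources or disable the UDP listener"))
        elif proto == "tcp" and port in SENSITIVE_TCP:
            out.append(finding("high", "open_ports", f"{SENSITIVE_TCP[port]} listening on all interfaces", where,
                               "Bind to 127.0.0.1 or a private interface and firewall the port"))
        elif proto == "tcp" and port == 22:
            out.append(finding("medium", "ssh", "SSH exposed on default port 22", where,
                               "Restrict source addresses with a firewall or move to a non-default port"))
    return out


def check_sshd(config_text):
    """Flag risky sshd_config directives. Absent directives take OpenSSH's defaults
    (PermitRootLogin prohibit-password, PasswordAuthentication yes); Match blocks are ignored here."""
    opts = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    out = []
    if opts["permitrootlogin"] == "yes":
        out.append(finding("high", "ssh", "Root login permitted over SSH", "PermitRootLogin yes",
                           "Set PermitRootLogin no (or prohibit-password) and administer via sudo"))
    if opts["passwordauthentication"] == "yes":
        out.append(finding("medium", "ssh", "SSH password authentication enabled",
                           "PasswordAuthentication yes (explicit or default)",
                           "Set PasswordAuthentication no and deploy SSH keys"))
    return out


def check_sysctl(values):
    """Compare a {key: value} snapshot (e.g. from `sysctl -a`) against HARDENING."""
    return [finding("medium", "system_config", f"{key} is {values[key]}", f"expected {expected}",
                    f"Set {key}={expected} in /etc/sysctl.d/ and run sysctl --system")
            for key, expected in HARDENING.items()
            if key in values and values[key] != expected]


def run_all(ss_output, sshd_config, sysctl_values):
    """Combine all checks, most severe first."""
    found = check_ports(parse_ss(ss_output)) + check_sshd(sshd_config) + check_sysctl(sysctl_values)
    return sorted(found, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample inputs standing in for the agent's local reads; not real host data.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80           0.0.0.0:3306       0.0.0.0:*    users:(("mysqld",pid=1402,fd=21))
tcp   LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*    users:(("redis-server",pid=990,fd=6))
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*    users:(("ntpd",pid=700,fd=16))
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*    users:(("memcached",pid=1200,fd=22))
tcp   LISTEN 0      511             [::]:80            [::]:*    users:(("nginx",pid=1300,fd=6))
"""
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
SAMPLE_SYSCTL = {"net.ipv4.ip_forward": "1", "net.ipv4.conf.all.accept_redirects": "0",
                 "net.ipv4.conf.all.accept_source_route": "0"}

if __name__ == "__main__":
    for f in run_all(SAMPLE_SS, SAMPLE_SSHD, SAMPLE_SYSCTL):
        print(f"[{f['severity']}] {f['category']}: {f['title']} ({f['detail']})")
```

On the sample input the Redis instance bound to 127.0.0.1 is correctly left alone while MySQL on 0.0.0.0 is flagged, and the commented-out `PasswordAuthentication no` line is ignored so the OpenSSH default of password auth enabled is reported. A bind to 0.0.0.0 is exposure on the host, not necessarily to the internet; an upstream firewall may still block it, which is the trade-off behind the local-scan design described in the overview.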
Scan Safety
All checks are passive reads or loopback-only probes — no exploit attempts, no outbound scanning, and no modification of system state. The scan will not disrupt running services. It is safe to run in production at any time.