Exposure Scanning
Find what attackers see
before they use it.
Flowtriq scans each node for open services, amplification risks, weak TLS configurations, missing security headers, and exposed management interfaces. Every check runs from your server locally, with no external probes that could increase your attack surface.
How It Works
One click, full audit
Click "Run Scan" on any node in your dashboard. The agent runs all checks locally on the server, probing its own ports, services, and configuration. Results are sent back to your dashboard with severity ratings, descriptions, and remediation steps.
No external scanning services are used. No ports are opened. No traffic leaves your network. The scan runs entirely on the node itself, checking what services are accessible and how they respond.
Each finding is rated Critical, Warning, Info, or Pass, and the overall node receives a letter grade (A through F) based on its exposure profile.
What We Scan
Six categories, 30+ individual checks
Every check runs on the node itself. No external services, no third-party APIs, no additional attack surface.
Open Ports
Scans for risky open TCP ports: Telnet (23), RDP (3389), SMB (445), MySQL (3306), PostgreSQL (5432), Redis (6379), Memcached (11211), and more. Flags services that should not be internet-facing.
Amplification Risks
Checks for UDP services that can be abused for amplification attacks: DNS open resolver, NTP monlist, SSDP/UPnP, SNMP, Memcached UDP, CharGEN, LDAP, mDNS, and TFTP. These turn your server into an unwitting attack amplifier.
DNS Configuration
Detects open DNS resolvers (anyone can query your server), zone transfer leaks (AXFR), and DNS recursion settings. Open resolvers are a top vector for DNS amplification attacks.
HTTP Security Headers
Checks for missing security headers: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security (HSTS), Content-Security-Policy, and X-XSS-Protection. Also detects server version leaks in response headers.
SSL/TLS Health
Validates TLS certificates: expiration dates, self-signed certs, certificate chain completeness, and HTTPS availability. Alerts when certificates are expiring soon or already expired.
CDN and Proxy Detection
Detects whether your server is behind a CDN (Cloudflare, AWS CloudFront, Akamai) or reverse proxy that provides DDoS protection. Flags direct IP exposure when CDN should be in front.
FAQ
Common questions
Does the scan open ports or expose my server?
No. The scan runs entirely on the node itself, checking its own services. It does not open ports, install listeners, or send traffic to external services. It is a passive audit of what is already running.
Can attackers use the scan results against me?
Scan results are only visible to your workspace members in the Flowtriq dashboard. They are never shared, published, or sent to third parties. The data stays in your tenant.
How often should I scan?
Run a scan after any infrastructure change: new service deployed, firewall rule updated, or TLS certificate renewed. Many teams run weekly scans as part of their security posture baseline.
What happens if it finds an amplification risk?
The finding includes a description of the risk, the specific service and port involved, and a concrete remediation step (e.g., "Disable NTP monlist by adding 'disable monitor' to ntp.conf"). You fix it on your server, then re-scan to confirm.
Related Features