Monitoring, Alerts & Allowed Ports
How endpoints are scanned, how findings become alerts, what the severity levels mean, and how Allowed Ports keep the noise down.
Endpoints and groups
An endpoint is one monitored server, identified by IP address (hostnames are resolved when added). Endpoints belong to a customer, can be paused and resumed individually or in bulk, and can be organized into groups with one-click scan-all. Scan history per endpoint exports to CSV.
How scanning works
| Source | What it does |
|---|---|
nmap | Active scans across the full port range, run by the platform's scanning service on demand and on schedule. |
shodan | Passive internet-wide exposure data and continuous monitor alerts per IP. |
Scanning is continuous: background discovery runs on a schedule that scales with the customer's plan, and full scans verify findings. Customers (and you) can also trigger an on-demand scan per endpoint, subject to a per-endpoint cooldown.
From open port to alert
- A scan finds the endpoint's open ports.
- Each open port is checked against the customer's Allowed Ports rules.
- Every open port with no matching rule raises an alert (duplicates are suppressed: an existing open alert is updated, not repeated).
- When a later scan shows the port closed, the alert resolves itself.
Severity levels
Severity comes from what the exposed port implies, escalated further when banners reveal outdated software:
| Severity | Triggered by |
|---|---|
| Critical | Exposed data stores and remote access: ports 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), 6379 (Redis), 3389 (RDP), 5900 (VNC), 23 (Telnet), 445 (SMB), 139 (NetBIOS). |
| High | Unencrypted or commonly attacked services: ports 22 (SSH (assume no key auth)), 21 (FTP), 25 (SMTP), 110 (POP3), 143 (IMAP), 8080 (HTTP Alt), 8443 (HTTPS Alt). |
| Medium | Application and development servers: ports 8000 (Common dev port), 3000 (Node.js), 5000 (Flask), 9000 (PHP-FPM), 4000 (Development), 5001 (Development). |
| Low | Standard web ports (80, 443) and anything not in a higher tier. |
Alerts move through the statuses open → acknowledged → resolved (or false_positive), and every alert carries a plain-language explanation plus copy-paste remediation commands for common firewalls.
Allowed Ports
Allowed Ports rules declare which ports are supposed to be open, so expected services never alert. A rule covers a port or range plus protocol, applies to one endpoint or globally, requires a written justification, and can expire. Creating a rule that matches an open alert resolves that alert automatically; rules can be bulk-imported and exported as CSV.
Alert emails include one-click links to view, allow the port, or acknowledge. Customers can act without signing in first.
The firewall map
For each customer you can visualize firewall connectivity as an interactive map: which endpoints accept what, focus views per endpoint, and reachability analysis. Feed it by pasting firewall rules in the portal, or install the collector script (downloadable from the portal) which submits iptables/nftables/ufw/firewalld dumps on a schedule via the Firewall Ingest API.