Exposure Scanning
Find what attackers see before they use it.
Flowtriq scans each node for open services, amplification risks, weak TLS configurations, missing security headers, and exposed management interfaces. Every check runs from your server locally, with no external probes that could increase your attack surface.
How It Works
One click, full audit. Scheduled or on-demand.
Click "Run Scan" on any node in your dashboard, or enable scheduled automatic rescans to run daily, weekly, or monthly. The agent runs all checks locally on the server, probing its own ports, services, and configuration. Results are sent back to your dashboard with severity ratings, descriptions, and remediation steps.
No external scanning services are used. No ports are opened. No scan traffic leaves your network. The scan runs entirely on the node itself, checking which services are accessible and how they respond.
Each finding is rated Critical, Warning, Info, or Pass, and the overall node receives a letter grade (A through F) based on its exposure profile. New findings trigger alert notifications to all configured channels.
What We Scan
Seven categories, 40+ individual checks
Every check runs on the node itself. No external services, no third-party APIs, no additional attack surface.
Open Ports
Scans for risky open TCP ports: Telnet (23), RDP (3389), SMB (445), MySQL (3306), PostgreSQL (5432), Redis (6379), Memcached (11211), and more. Flags services that should not be internet-facing.
Amplification Risks
Checks for UDP services that can be abused for amplification attacks: DNS open resolver, NTP monlist, SSDP/UPnP, SNMP, Memcached UDP, CharGEN, LDAP, mDNS, and TFTP. If exposed, these turn your server into an unwitting attack amplifier.
DNS Configuration
Detects open DNS resolvers (anyone can query your server), zone transfer leaks (AXFR), and DNS recursion settings. Open resolvers are a top vector for DNS amplification attacks.
HTTP Security Headers
Checks for missing security headers: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security (HSTS), Content-Security-Policy, and X-XSS-Protection. Also detects server version leaks in response headers.
SSL/TLS Health
Validates TLS certificates: expiration dates, self-signed certs, certificate chain completeness, and HTTPS availability. Alerts when certificates are expiring soon or already expired.
CDN and Proxy Detection
Detects whether your server is behind a CDN (Cloudflare, AWS CloudFront, Akamai) or a reverse proxy that provides DDoS protection. Flags direct IP exposure when a CDN should be in front.
CVE & Known Vulnerabilities
Checks for 10 CVEs relevant to DDoS and server exposure: cPanel CVE-2026-41940 (unauthenticated reset), DNS amplification CVEs, NTP reflection CVEs, memcached UDP exploit checks, and Nginx/Apache misconfig CVEs. The CVE database is updated from the NIST NVD and CISA KEV feeds.
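The local port check described under Open Ports, as an added example that is not Flowtriq's code: it parses the kernel's /proc/net/tcp socket table (a constructed excerpt is embedded), flags the risky ports listed above when they are bound to a non-loopback address, and derives a letter grade. The severity and grading rules are assumptions, not the product's.

```python
# Added example (not Flowtriq's code): a local port check of the kind described
# above, reading the kernel's own socket table instead of probing from outside.
import socket
import struct

# Ports the page lists as risky when internet-facing; severities are assumed.
RISKY_TCP = {23: "Telnet", 3389: "RDP", 445: "SMB", 3306: "MySQL",
             5432: "PostgreSQL", 6379: "Redis", 11211: "Memcached"}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def listening_sockets(proc_net_tcp: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every LISTEN entry (IPv4 table only)."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == TCP_LISTEN:
            ip_hex, port_hex = fields[1].split(":")
            # The address is a little-endian 32-bit int; the port is plain hex.
            ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
            out.append((ip, int(port_hex, 16)))
    return out

def scan_listeners(proc_net_tcp: str) -> tuple[list[dict], str]:
    """Rate each listener critical/info/pass and derive an illustrative grade."""
    findings = []
    for ip, port in listening_sockets(proc_net_tcp):
        name = RISKY_TCP.get(port)
        if name is None:
            sev = "pass"
        elif ip.startswith("127."):
            sev = "info"       # risky service, but bound to loopback only
        else:
            sev = "critical"   # risky service reachable on a non-loopback address
        findings.append({"port": port, "bind": ip, "service": name, "severity": sev})
    seen = {f["severity"] for f in findings}
    grade = "F" if "critical" in seen else "B" if "info" in seen else "A"
    return findings, grade

# Constructed /proc/net/tcp excerpt: sshd on all interfaces, Redis on loopback,
# MySQL on all interfaces, and one established (non-listening) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1
   1: 0100007F:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 2
   2: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 3
   3: 0A000002:0016 0A000005:C2B4 01 00000000:00000000 00:00000000 00000000     0        0 4
"""
```

On a live Linux host, pass the contents of /proc/net/tcp to scan_listeners instead of the constructed sample.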
SIEM & IDS/IPS Integration
Export findings to your security stack
Exposure scan findings and live attack events can be forwarded to your existing SIEM, SOAR, or IDS/IPS platform. Flowtriq supports push delivery to 8 destinations so your security team works in the tools they already use.
For Suricata and Zeek deployments, Flowtriq generates compatible rule/intelligence files from active attack data, keeping your on-premise IDS signatures current with real attacks against your infrastructure.
| Destination | Delivery |
| Splunk HEC | HTTP Event Collector push, JSON events |
| Elasticsearch | Bulk index API, configurable index name |
| Microsoft Sentinel | Log Analytics workspace via DCR |
| Syslog CEF | RFC 5424 + CEF extension format |
| Wazuh | Manager API integration, custom rule IDs |
| MISP | Event and attribute push, threat sharing |
| Suricata | Compatible rules export from attack events |
| Zeek | Intelligence feed files (IP, domain, cert) |
POST https://splunk:8088/services/collector
200 OK (3 events queued)
Event 1:
{
  "sourcetype": "flowtriq:exposure",
  "check": "cve_cpanel_2026_41940",
  "severity": "critical",
  "node": "nyc-web-01",
  "remediation": "Patch cPanel"
}
Also sent to: Elastic, Sentinel, Wazuh
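Shaping one finding for two of the destinations listed above, as an added example that is not Flowtriq's code: a Splunk HEC JSON body and an RFC 5424 syslog line carrying a CEF record. The vendor/product strings, the severity mappings, the syslog facility, the timestamp and the sample finding are assumptions modelled on the dashboard sample.

```python
# Added example (not Flowtriq's code): shaping one exposure finding for two of
# the destinations listed above, Splunk HEC JSON and RFC 5424 syslog with CEF.
import json
from datetime import datetime, timezone

# Assumed mappings: CEF severity is 0-10; syslog severity codes are from RFC 5424.
CEF_SEVERITY = {"critical": 10, "warning": 6, "info": 3, "pass": 0}
SYSLOG_SEVERITY = {"critical": 2, "warning": 4, "info": 6, "pass": 7}
LOCAL0 = 16  # syslog facility used for the PRI calculation (assumed)

def _cef_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value: str) -> str:
    """Escape a CEF extension value: backslash, equals sign and newlines."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def to_splunk_hec(finding: dict) -> str:
    """Build the JSON body for an HTTP Event Collector push (one event)."""
    return json.dumps({
        "sourcetype": "flowtriq:exposure",
        "host": finding["node"],
        "event": finding,
    }, separators=(",", ":"), sort_keys=True)

def to_syslog_cef(finding: dict, ts: datetime, vendor="Flowtriq",
                  product="ExposureScan", version="1.0") -> str:
    """Build one RFC 5424 line whose MSG part is a CEF:0 record."""
    sev = finding["severity"]
    pri = LOCAL0 * 8 + SYSLOG_SEVERITY[sev]
    header = "|".join([
        "CEF:0", _cef_header(vendor), _cef_header(product), _cef_header(version),
        _cef_header(finding["check"]), _cef_header(finding["remediation"]),
        str(CEF_SEVERITY[sev]),
    ])
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in [
        ("dvchost", finding["node"]), ("cat", "exposure"), ("msg", finding["remediation"]),
    ])
    stamp = ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {stamp} {finding['node']} flowtriq - {finding['check']} - {header}|{ext}"

# Constructed finding and timestamp, matching the dashboard sample above.
FINDING = {"check": "cve_cpanel_2026_41940", "severity": "critical",
           "node": "nyc-web-01", "remediation": "Patch cPanel"}
SAMPLE_TS = datetime(2026, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
```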
FAQ
Common questions
Does the scan open ports or expose my server?
No. The scan runs entirely on the node itself, checking its own services. It does not open ports, install listeners, or send traffic to external services. It is a passive audit of what is already running.
What CVEs does Flowtriq scan for?
Flowtriq currently scans for 10 CVEs relevant to DDoS and server exposure, including cPanel CVE-2026-41940, DNS amplification CVEs, NTP reflection vulnerabilities, memcached UDP exploit checks, and Nginx/Apache misconfig CVEs. The CVE database is updated automatically from NIST NVD and CISA KEV feeds.
How often should I scan?
Run a scan after any infrastructure change. You can also enable scheduled automatic rescans (daily, weekly, or monthly) from the dashboard so new findings surface without manual intervention.
What SIEM and IDS/IPS integrations are available?
Flowtriq exports findings to: Splunk HEC, Elasticsearch, Microsoft Sentinel (Log Analytics), Syslog CEF, Wazuh, and MISP threat sharing. Attack-time events can also be streamed as Suricata-compatible rules and Zeek intelligence feeds for your on-premise IDS/IPS.
Can attackers use the scan results against me?
Scan results are only visible to your workspace members in the Flowtriq dashboard. They are never shared, published, or sent to third parties.