How Scanning Works
NetVigil uses a sequential, multi-phase pipeline to discover and assess your external attack surface. Each phase feeds into the next, ensuring thorough coverage without redundant scanning.
Overview
When you add a domain, NetVigil runs through these phases in order:
- DNS Verification → resolves domain to IP addresses
- Port & Service Scanning → probes each IP for open ports
- Web Fingerprinting → identifies technologies, CMS, headers
- Vulnerability Matching → cross-references with known CVEs
Phase 1: DNS Verification
NetVigil resolves your domain's DNS records to discover all associated IP addresses. This step distinguishes between:
- Direct IPs — your own servers, scanned for open ports and services
- CDN IPs — infrastructure behind Cloudflare, AWS CloudFront, etc., which are scanned differently
DNS results are stored and tracked over time, so you can see when your domain's resolution changes.
Phase 2: Port & Service Scanning
Each discovered IP is probed for open ports using nmap. This reveals:
- Which ports are exposed to the internet
- What service is running on each port (SSH, HTTP, HTTPS, databases, etc.)
- Service version information where detectable
CDN-hosted IPs are handled separately — instead of port scanning the CDN edge, NetVigil scans the domain directly for web-specific information.
Phase 3: Web Fingerprinting
NetVigil uses multiple tools to fingerprint web applications:
- WhatWeb — identifies web frameworks, servers, JavaScript libraries, and CMS platforms
- httpx — probes for HTTP/HTTPS availability, TLS certificate details, and response headers
- WPScan — deep WordPress scanning (core version, plugins, themes, and known vulnerabilities)
Phase 4: Vulnerability Matching
Discovered software and versions are cross-referenced against the National Vulnerability Database (NVD) to identify known CVEs. Vulnerabilities are categorized by:
- Critical — CVSS score 9.0–10.0 (remote code execution, authentication bypass)
- High — CVSS score 7.0–8.9 (significant data exposure or privilege escalation)
- Medium — CVSS score 4.0–6.9 (limited impact vulnerabilities)
- Low — CVSS score 0.1–3.9 (informational, minor issues)
Rescanning
Assets can be rescanned at any time. NetVigil compares new results against previous scans to surface changes — new open ports, changed services, or newly discovered vulnerabilities.