NetscanXi

Self-hosted network discovery, vulnerability & compliance intelligence
Version 13
Turn one network scan into a board-ready compliance posture.

NetscanXi maps every device, service, container and vulnerability on your network — then cross-references each finding against eight regulatory frameworks. Self-hosted, multi-tenant, and deployed with a single docker compose up. Your data never leaves your infrastructure.

New in Version 13: ๐Ÿ”ง Patch and Remedy — apply operating-system updates & upgrades (apt / dnf / yum / zypper / apk, auto-detected) over SSH to a single asset, an asset group, or every asset — or update Docker images. NetscanXi now acts on what it finds, auto-creates and updates a remediation record for every run, and uses per-run credentials that are never stored. Don't just find the risk — fix it.
NCSC CAFNIST CSFPCI DSSGDPRISO 27001SOC 2HIPAACyber Essentials

Why NetscanXi

Compliance, not just a scan Every finding maps to named controls across 8 frameworks — the only affordable self-hosted tool with native NCSC CAF mapping.
Built for MSPs & multi-team True multi-tenancy: one install, many isolated client tenants with scoped data. White-label-friendly recurring revenue.
Your data stays yours 100% self-hosted on Debian. No cloud, no per-asset metering, no data egress — ideal for public sector & CNI.
Evidence on demand Branded executive & per-host PDF reports for audits, ticketing and system owners — generated from a single scan.

Capabilities

Who it's for

BuyerThe win
MSPs / MSSPs One install, many tenants. Resell continuous scanning & compliance as a managed service.
UK public sector & OES NCSC CAF posture from a scan. Fully self-hosted — data never leaves the network.
Enterprise security NIST CSF + PCI / ISO / SOC 2 / HIPAA mapping without a per-asset cloud bill.
SMB & IT teams Enterprise-grade visibility from docker compose up — no heavy tooling.

How it compares

 NetscanXiTypical scanner
Self-hostedโœ“ YesOften cloud
Multi-tenantโœ“ Built-inAdd-on / no
8-framework mappingโœ“ Incl. CAFRare
Passive (zero-probe) modeโœ“ Built-inRare
Deep container scanningโœ“ Built-inAdd-on / no
Per-asset feesโœ— NoneCommon
Deploy timeMinutesHours+

Deploy in minutes

One command: docker compose up on Debian. Then point it at your network and export your first branded compliance report the same day.
Flask + nmap Single-container No cloud dependency Free community tier Pro & MSP licensing

๐Ÿ”ง New in Version 13 — Patching & Remediation

๐Ÿ–ฅ๏ธ OS updates & upgrades over SSHThe Patch and Remedy tab auto-detects the package manager (apt / dnf / yum / zypper / apk) and applies updates — with optional full distribution upgrade and a simulate (no-change) mode.
๐Ÿณ Docker image updatesOr update Docker images: pulls the latest image for every running container over the same authenticated Engine API used for scanning, with an optional experimental recreate.
๐Ÿ”’ Credentials never storedSSH/sudo and registry credentials are entered per run, used once, then discarded — never written to the database, never logged, never returned.
๐Ÿงพ Auto-tracked remediationEvery patch run creates a remediation item per asset and updates it to resolved or blocked — one source of truth for what was fixed, by whom.
๐Ÿ‘๏ธ Dry-run previewPreview the targeted assets and detected OS (or images) with zero side effects — OS preview doesn't even contact SSH — before you commit.
๐Ÿ›ก๏ธ Role-gated & tenant-safePatching requires the operator role; scoped users can only ever target their own tenant's assets.

๐Ÿณ New in Version 10r1 — Deep Docker Container Scanning

๐Ÿ“ฆ Authenticated container & image inventoryAgentless Docker Engine API inventory — containers, images, ports, privileged flags, docker.sock mounts and engine posture.
๐Ÿ”Ž Image vulnerability scanningPer-image CVE scanning via Trivy/Grype, enriched with CISA KEV so exploited container CVEs rank first.
๐Ÿ›ก๏ธ CIS Docker benchmark auditExposed API, no-TLS daemon, privileged containers, socket mounts, host net/PID, insecure registries — pass/warn/fail.
๐Ÿ“Š Docker dashboard & host viewsA dedicated Docker dashboard panel plus deep per-host container detail — with every existing view kept.
๐Ÿ”„ Container drift detectionFlags new/removed containers, new-privileged or socket-mount changes, and new known-exploited image CVEs between scans.
๐Ÿงพ SBOM, registry & orchestrationSBOM-capable scanning, insecure-registry flags and Swarm / Kubernetes awareness.

โœจ New in Version 9.1

๐Ÿ“Š Customisable interactive charts OS distribution, vulnerability severity, network risk & compliance and regulatory compliance now sit in equal-sized tiles — switch any chart between pie, horizontal or vertical bars, resize and rearrange the tiles, then click a slice to filter the asset table.
โœ… Vulnerability lifecycle management Mark CVE findings Remediated, Accepted Risk or False Positive — cut the noise, track remediation and prove progress to auditors.
โ˜‘๏ธ Multi-select asset table Act on many assets at once: bulk export and bulk re-scan in a couple of clicks instead of one host at a time.
๐Ÿ‘ฅ Tenant Admin role Delegate full administration inside a tenant for true multi-tenant operations — MSP/MSSP-friendly, with hard tenant isolation.
๐Ÿ” Global search Find any asset, CVE or software across the whole estate instantly from the top bar.
๐Ÿ—„๏ธ Configurable data retention Set retention policies right in the Admin UI — control database growth and meet data-governance requirements.
๐Ÿฉน Patch-aware scanning Assess against installed patch levels, not just the distro version — dramatically more accurate results with far fewer false positives.
๐Ÿ“ˆ Historical trend graphs Track network risk score and compliance posture as a historical trend line — or switch the same tile to a pie or bar view — to show measurable improvement over time.
๐ŸŽŸ๏ธ Native ITSM integrations Jira, ServiceNow and Zendesk — open remediation tickets for findings without ever leaving NetscanXi.
๐Ÿงฉ Customisable dashboard Drag, drop, pin or hide components — and resize, reorder and re-style each chart tile — so every team sees exactly what matters to them. Layout persists per user.
NetscanXi Version 13 — see your network and your containers the way an auditor would.
Free community tier ยท Pro (per-install) ยท MSP licensing (per managed network). Self-hosted — your data, your infrastructure.
Book a demo
Self-hosted ยท Flask + nmap ยท Built for Debian  |  Findings are advisory and support — not a substitute for — formal assessment.  |  ยฉ 2026