OFFICIAL DOCUMENTATION

NetscanXi

Training & Reference Guide
Version 13
Includes Operator Training, Administrator Guidelines, Troubleshooting, and FAQ.
Operator Training Administrator Guidelines Account Security & MFA Scan Profiles Compliance Mapping 🐳 Docker Detection 🏢 Multi-Tenancy 📋 Activity Log 📡 Passive Scanning 🆔 Asset IDs 🗓️ Day/Time Schedules 🐳 Deep Docker Scanning 🔎 Image CVE Scanning 🛡️ CIS Docker Audit 🔧 Patching & Remediation Troubleshooting & FAQ
Self-hosted · Flask + nmap · Built for Debian  |  © 2026

Welcome

Welcome to NetscanXi, your self-hosted network intelligence and vulnerability management dashboard.

This platform is designed to give you continuous visibility into your infrastructure, mapping software, open ports, Docker environments, and regulatory compliance posture. This guide covers daily operator workflows, administrator responsibilities, troubleshooting, and frequently asked questions.

New in Version 13: Patch and Remedy - apply operating-system updates & upgrades (apt / dnf / yum / zypper / apk, auto-detected) over SSH to a single asset, an asset group, or all assets - or update Docker images. NetscanXi auto-creates and updates a remediation item for every run, and uses per-run credentials that are never stored. Hands-on lessons are in Part 6.
New in Version 10r1: deep Docker container scanning - authenticated Engine API inventory (containers + images), per-image CVE scanning (Trivy/Grype) with KEV flagging, a CIS Docker audit, a Docker dashboard panel and container drift detection. Hands-on lessons are in Part 5.
New in Version 9.1: one-click Passive Scanning (zero-probe asset discovery), a stable 8-character Asset ID bound to each device's MAC, day & time scheduling (tick days + set a clock time), an editable device Type that sticks across scans, and a Passive/Active scan-type label on every exported report.

Contents

  1. Part 1 - Operator & Viewer Training
  2. 1. Securing Your Account
  3. 2. Running & Managing Scans
  4. 3. Reading the Dashboard & Data Tabs
  5. 4. Exporting Reports
  6. Part 2 - Administrator Training
  7. 5. User & Role Management
  8. 6. Managing Multi-Tenancy (Data Separation)
  9. 7. Monitoring the Activity Log
  10. Part 3 - Troubleshooting & FAQ
  11. 8. Troubleshooting Guide
  12. Part 4 - Version 9.1 — What's New
  13. 9. Interactive Dashboard Charts
  14. 10. CVE Finding Lifecycle (Status Tracking)
  15. 11. Multi-Select Asset Table & Bulk Actions
  16. 12. The Tenant Admin Role
  17. 13. Global Search Bar
  18. 14. Data-Retention Policies (Admin Panel)
  19. 15. Patch-Aware Vulnerability Assessment
  20. 16. Historical Trend Graphs
  21. 17. Service-Desk Integrations
  22. 18. Customisable Dashboard
  23. Part 5 - Version 10r1 — Docker Scanning
  24. 19. Deep Docker Scan & the Host View
  25. 20. Image CVEs & the CIS Audit
  26. 21. Hands-On Lab: Your First Deep Docker Scan
  27. Part 6 - Version 13 — Patch and Remedy
  28. 22. The Patch and Remedy Console
  29. 23. Credentials, Safety & the Audit Trail
  30. 24. Hands-On Lab: Patch an Asset's OS

Part 1 - Operator & Viewer Training

Daily operations for users assigned the Operator (can scan and export) or Viewer (read-only) roles.

1. Securing Your Account

Before diving into the network data, ensure your access is secure.

Tip: Always save your backup codes in a secure location. They are your way back in if you lose access to your authenticator device.

2. Running & Managing Scans

Operators can initiate scans to discover assets and identify risks.

Active vs Passive scanning (v9)

Choose the right acquisition mode for the job:

ModeWhat it doesWhen to use
Active Sends nmap probes. Returns ports, services, OS, software, vulnerabilities, Docker/TLS/AD findings, compliance and a risk score. Supports profiles and the selectable options. You need depth and risk assessment.
Passive Sends no probe traffic. Listens to the ARP cache and mDNS/SSDP announcements to harvest IP, MAC, vendor, hostname, advertised services and a low-confidence device type. No ports, services, OS accuracy, vulnerabilities, TLS/AD/Docker/credential findings, or risk score. No options - one button. You want a quiet, zero-footprint inventory or must avoid touching sensitive devices.
Asset continuity: a device found passively shares the same 8-character Asset ID it will use in active scans (matched by MAC), so when you later run an active scan its vulnerabilities attach to the same asset instead of being duplicated.

Correcting a mis-identified device Type (v9)

If the scanner labels a device's Type incorrectly, click the pencil beside the type in the Assets table, enter the correct value (e.g. printer, nas, camera, router, iot) and save. The correction is bound to the device's Asset ID and re-applied automatically on every future scan. Clear the field to revert to the scanner's guess.

Scan Profiles

Scan ProfileFunctionality OverviewExpected Speed
Quick Scans the top 100 ports with light service detection. Skips vulnerability scripts. Seconds
Standard Scans the top 1000 ports and includes deep OS and service detection. Minutes
Deep Adds nmap vulnerability (NSE) scripts to detect specific CVEs. Slower

3. Reading the Dashboard & Data Tabs

Once a scan completes, the dashboard populates with actionable intelligence.

Critical: Exposed Docker APIs (ports 2375, 2376, 4243) represent a critical risk and should be restricted immediately.

4. Exporting Reports

You can export data for external audits, ticketing, or distribution to system owners.

Part 2 - Administrator Training

Strictly for users assigned the Admin role, which provides unscoped visibility across all data and full control over system configuration.

Scheduling scans by day & time (v9)

Open ⏱ Schedule to manage recurring scans. As well as the classic “every N minutes” interval, you can now schedule by day of week and clock time:

Example: tick Mon/Wed/Fri at 02:30 with scan type Passive for a zero-footprint inventory three nights a week. The schedule list shows the next run time and an Active/Passive badge.

5. User & Role Management

Admins have full editable control over every account to prevent lockouts and ensure security.

6. Managing Multi-Tenancy (Data Separation)

NetscanXi supports soft multi-tenancy, allowing one installation to serve multiple isolated teams or customers.

7. Monitoring the Activity Log

For compliance and accountability, the system maintains a timestamped audit log. Navigate to Activity to view successful/failed logins, scan executions, data exports, and administrative actions (like password resets).

Accountability: Every action logs the acting user, their tenant, and their client IP address.

Part 3 - Troubleshooting & FAQ

Common issues and their resolutions.

8. Troubleshooting Guide

IssueSolution
Scans are returning empty results or missing data. Ensure the underlying installation has root access. If NetscanXi does not have NET_ADMIN or NET_RAW capabilities, it will skip OS detection and SYN scans.
A passive scan found few or no devices. Passive scanning only sees devices that have recently talked on the LAN (ARP cache) or that broadcast mDNS/SSDP announcements. Give it time, ensure the container shares the host network so it can read the neighbour cache and receive multicast, then re-run. For a complete inventory, run an Active scan.
A device's Type is wrong. Click the pencil next to the Type in the Assets table and enter the correct value. The override is bound to the device's Asset ID and persists across future scans.
A day/time schedule didn't fire. Times are interpreted in the server's local timezone. Confirm at least one day is ticked and the hour/minute are set; if no days are ticked the schedule falls back to the “every N minutes” interval.

Part 4 - Version 9.1 — What's New

Ten new capabilities land in Version 9.1. Each lesson below is hands-on: open the named control and follow the steps. Unless noted, these features respect your tenant scope and role.

9. Interactive Dashboard Charts

The dashboard renders four equal-sized chart tiles — OS Distribution, Vulnerability Severity, Network Risk & Compliance and Regulatory Compliance — that you can re-style, resize and rearrange. The OS and severity charts also double as live filters for the asset table.

Tip: your chart types, sizes and order are saved in your browser, so the dashboard looks the way you left it next time you sign in.

10. CVE Finding Lifecycle (Status Tracking)

You can now triage individual vulnerabilities and have that decision follow the asset across future scans, instead of re-reviewing the same finding every time.

Persistence: a status is bound to the asset's Asset ID, so a finding you mark Accepted Risk stays that way when the host reappears in the next scan — until the CVE is no longer detected or you change the status.

11. Multi-Select Asset Table & Bulk Actions

The asset table gains a checkbox column so you can act on many hosts at once.

Tip: combine with chart filters — click the Critical bar, press select-all, then Re-scan selected to immediately re-validate every high-risk host.

12. The Tenant Admin Role

Version 9.1 adds a new RBAC role, Tenant Admin, sitting between Operator and the global Admin.

Role hierarchy: viewer < operator < tenant_admin < admin
Least privilege: prefer Tenant Admin over global Admin for per-customer or per-team administrators — it confines blast radius to a single tenant.

A search box now lives in the top navigation bar for fast lookups.

Scope: results obey your tenant boundary, so scoped users only match assets, CVEs, and software within their own tenant.

14. Data-Retention Policies (Admin Panel)

The new ⚙ Admin panel lets administrators control how long scan history is kept.

Preserved data: purging removes only scan results. The asset registry (Asset IDs, Type overrides, finding statuses) and the audit log are always preserved.

15. Patch-Aware Vulnerability Assessment

A new scan toggle improves accuracy by confirming findings against captured patch levels.

Why it matters: version-confirmed findings dramatically cut false positives — prioritise remediation on those first.

The dashboard plots how your posture changes over time.

Tip: use the trend line in management reviews to show risk trending down after a remediation push.

17. Service-Desk Integrations

Open tickets for findings directly in Jira, ServiceNow, or Zendesk.

Workflow: pair this with the finding lifecycle — raise a ticket, then mark the CVE Open with the ticket reference in the note for full traceability.

18. Customisable Dashboard

Tailor the dashboard layout to the way you work.

Per-user: your customised layout is saved to your account and doesn't affect what other users see.

Part 5 - Version 10r1: Docker Scanning

Hands-on training for deep Docker container scanning & vulnerability assessment.

19. Deep Docker Scan & the Host View

Version 10r1 looks inside the Docker hosts NetscanXi finds. With the Deep Docker scan option enabled (default on), NetscanXi connects to each host's Docker Engine API and pulls the container and image inventory.

Read-only: NetscanXi only reads from the Docker API - it never starts/stops containers or changes configuration.

20. Image CVEs & the CIS Audit

21. Hands-On Lab: Your First Deep Docker Scan

  1. (Optional) install Trivy on the NetscanXi host so images get CVE results (the bundled Docker image already includes it).
  2. Run an Active scan of a range that includes a Docker host.
  3. Open the 🐳 Docker & Containers dashboard panel and note the counts.
  4. Open a Docker host → review Containers, Image Vulnerabilities and the CIS audit.
  5. Pick your top 3 actions: a KEV image CVE, a privileged container, and any docker.sock mount. Export a per-host PDF to share.
Authorisation: only scan hosts you are authorised to assess; use read-only Docker API access.

Part 6 - Version 13: Patch and Remedy

Version 13 lets NetscanXi act on what it finds. It applies operating-system updates and upgrades over SSH, and can also update Docker images. Patching is an operator-level action and is fully tenant-separated.

22. The Patch and Remedy Console

Open the Patch and Remedy tab. Choose a Patch typeOperating system (SSH) or Docker images — then a target:

Operating-system patching connects over SSH, auto-detects the package manager (apt, dnf, yum, zypper or apk) and runs an update + upgrade. Tick Full distribution upgrade for a heavier dist-upgrade, or Simulate only to run the package manager in dry-run mode so nothing is changed.

Docker patching instead pulls the latest image for each running container over the same authenticated Docker Engine API used for scanning, with an optional experimental Recreate containers after pull.

Preview first. Preview (dry run) lists the targeted assets and their detected OS (or images) with no side effects — the OS preview does not even contact SSH — and creates no remediation items.

23. Credentials, Safety & the Audit Trail

SSH and sudo credentials (for OS patching) and registry credentials (for Docker) are entered per patch run. They are used once and are never written to the database, never logged, and never returned. Password fields are cleared in the browser the moment the request is sent.

Every patch run is recorded two ways:

Authorisation & change control: OS patching performs privileged remote execution and makes live changes to running systems. Patch only assets you are authorised to change, prefer the simulate/dry-run preview, and use a maintenance window for production hosts.

24. Hands-On Lab: Patch an Asset's OS

  1. Run an Active scan of a range containing a Linux host you may change.
  2. Open the Patch and Remedy tab; keep Patch type = Operating system.
  3. Choose Single asset and pick your Linux host (it now appears whether or not it runs Docker).
  4. Click Preview (dry run) and confirm the detected OS / package manager.
  5. Enter the SSH username/password (and sudo password if different) — note they are not stored.
  6. Tick Simulate only first, click Patch now, and review what would change.
  7. Untick Simulate and run again to apply the updates; watch the per-asset log.
  8. Open Remediation Tracking and confirm the item was created and updated; (admins) check the os_patch activity entry shows no credentials.