For all signed-in users, whatever their role.
NetscanXi is a self-hosted web application that scans your local network and tells you exactly what's on it - now with full account security and multi-team data separation.
It wraps the industry-standard nmap scanner in a clean dashboard and
layers on risk scoring, vulnerability enrichment, Docker detection, regulatory
compliance mapping, Active-Directory and TLS auditing, change tracking and alerting.
Point it at your network and you get a sortable, searchable inventory of every live
host - its software, open ports, OS, known vulnerabilities (with fixes) and an
at-a-glance risk score.
docker compose up, you can run
NetscanXi.[A-Z0-9] ID bound to its MAC address and stored in
NetscanXi. The same physical device keeps the same ID across scans, so newly found
vulnerabilities are attributed to the asset rather than duplicated.Version 8 builds on accounts & roles (v4), TOTP MFA (v5), credential-exposure, software inventory, compliance and UI scheduling (v6), and Cyber-Essentials mapping, AD/DC auditing, PDF reports and TLS cert tracking (v7).
The main screen is organised top-to-bottom:
| Area | What it shows |
|---|---|
| Banner | The NetscanXi Version 13 text banner and tagline. |
| Top bar | Your username + role tag, your π’ tenant (if scoped), scheduler status, and the action buttons: π theme, β± Schedule, π Security, π₯ User Admin (admins), π Activity (admins), β Logout. |
| Controls bar | Target box, profile selector, Scan, Passive Scan, Stop buttons, and Export CSV / JSON / PDF. |
| Scan options | Checkboxes: Ports, Running services, OS detection, Docker hosts, Vulnerabilities, Credential exposure, AD/DC audit, SSL/TLS certs. |
| Progress | Live bar with start time, elapsed timer, current phase, and the IP currently being scanned. |
| Summary cards | Hosts, Vulnerabilities, Known-Exploited (KEV), High-risk assets, Docker hosts, Critical changes. |
| Compliance / Top-10 / Recent Changes | Regulatory posture, the highest-priority findings, and what changed since last scan. |
| Tabs | Assets Β· Software Β· Compliance Β· Certificates Β· Active Directory Β· Scan History. |
If your administrator has enabled authentication, you'll land on a sign-in page. Enter your username and password. If MFA is set up, you'll then be asked for a 6-digit code (see Β§4).
default tenant. Admins
should secure it before exposing it beyond localhost (Β§18).Click π Security in the top bar to open the Account Security panel, where you manage your own password and two-factor authentication.
In the Change your password section, enter your current password, then a new password (at least 8 characters) and confirm it. Click Update password. The change takes effect immediately and is recorded in the activity log. If you get the current password wrong, the update is refused.
Day-to-day scanning and reporting. Requires the operator or admin role (viewers can read and export, but not start scans).
192.168.1.0/24). Edit it for a range or single host
(192.168.1.10).NetscanXi offers two acquisition modes:
| Active Scan | Passive Scan | |
|---|---|---|
| How | Sends nmap probes (SYN, service/version, OS, NSE scripts) to targets. | Sends no probe traffic. Listens only: reads the ARP/neighbour cache and overhears mDNS / SSDP-UPnP self-announcements. |
| Options | Full set of profile + selectable options. | None - one button, fixed output. |
| Finds | IP, MAC, vendor, hostname, OS+accuracy, open ports, services/versions, software, vulnerabilities/CVEs, Docker, TLS, AD, compliance, risk score. | IP, MAC, vendor, hostname, advertised services, low-confidence device type & OS hint, first/last seen, asset ID. |
| Does not find | β | Open ports, service versions, OS accuracy, vulnerabilities/CVEs, TLS/AD/Docker/credential findings, risk score (shown as n/a). |
| Use when | You need depth: ports, vulns, compliance. | You need a zero-footprint inventory, or to discover quiet/sensitive devices without touching them. |
To run a passive scan, click Passive Scan in the controls bar. Passive assets
appear in the Assets table with a Passive badge and
β in the Ports/Vulns columns. When an active scan later runs against
the same device (matched by MAC), its full findings attach to the same asset ID.
| Profile | What it does | Speed |
|---|---|---|
| Quick | Top 100 ports, light service detection, no vuln scripts. | Seconds |
| Standard | Top 1000 ports + OS & service detection. | Minutes |
| Deep | Adds vulnerability NSE scripts for CVE detection. | Slower |
Independent of the profile, tick or untick any of these before scanning:
The asset table lists every live host. Click any column header to sort, use the filter box to search by IP, hostname, OS, port, service or vulnerability, and click any row to expand its full detail panel.
| Column | Meaning |
|---|---|
| Asset ID | (v9) The device's stable 8-character ID, bound to its MAC address and reused across every scan. |
| IP / Hostname | Address and resolved name. Passively-found assets carry a Passive badge here. |
| Type | Guessed device type with a π³ Docker badge when applicable. (v9) Click the β pencil to correct a mis-identified type - the correction sticks to the asset on future scans. |
| OS | Detected operating system with confidence %. |
| Software | Lead application detected. |
| Ports | Count of open ports. |
| Risk | 0-100 risk score (low
med high). Shows n/a for passive-only assets. |
| Vulns | Number of vulnerabilities found (β for passive assets). |
Each device gets a permanent 8-character alphanumeric asset ID the first time it's seen. The ID is keyed on the device's MAC address (or its IP when no MAC is visible, e.g. routed hosts), so the same physical device is recognised on every subsequent scan and its vulnerabilities are never double-counted.
If the scanner mislabels a device's Type (say it calls a NAS a βweb serverβ),
click the β next to the type, enter the correct value (e.g. nas,
printer, camera, router, iot) and save.
The override is stored against the asset ID and automatically re-applied whenever that
device is scanned again. Operators and admins can edit type; clearing the field reverts
to the scanner's guess.
The expanded panel shows an overview grid, the full vulnerability list, detected software with CPE identifiers, a per-port breakdown, raw script output, a Re-scan button, and per-host Export buttons (Β§12).
When vulnerability scanning is enabled, each finding shows:
The Top 10 Vulnerabilities panel ranks findings network-wide by Known-Exploited β exploit-available β CVSS β number of affected hosts. Each entry shows the CVE id (linked to NVD), CVSS score, KEV/EXPLOIT tags, the full CVE description and a 🛠 suggested mitigation - the same detail now carried into every export.
A flat, filterable, sortable list of every application/version detected across the network, with its host, service and port.
Each host is cross-referenced against eight frameworks - PCI DSS, GDPR, ISO 27001, SOC 2, HIPAA, Cyber Essentials, NIST CSF and NCSC CAF - with pass/fail per framework and a summary of at-risk hosts. Expand a row for the failing controls and remediation. Filter by host or status.
New in Release 3: the compliance engine now also maps each finding to NIST CSF (Cybersecurity Framework) outcome categories - an internationally recognised standard for private-sector enterprise buyers - and to the NCSC Cyber Assessment Framework (CAF) objectives/principles, supporting UK public-sector and operators-of-essential-services assurance requirements. Both appear automatically in the dashboard summary, the per-host grid, the expandable control detail and the PDF report.
With SSL/TLS certs enabled, this tab lists discovered certificates with subject, issuer, expiry date, days-left and a status (ok expiring expired/weak). Sort by days-left to find what to renew first.
With AD / DC audit enabled, detected Domain Controllers are listed with domain and forest names and hardening findings (e.g. SMBv1 enabled, SMB signing not required, LDAP without LDAPS).
NetscanXi flags hosts running Docker / a container runtime by combining open-port
signals (Docker API, Swarm, etcd, Kubernetes), service banners, and the
docker-version probe. Detected Docker hosts show a
π³ Docker badge, a dashboard count, and a dedicated section
with engine version, ports and indicators.
Every scan is compared to the previous one within the same tenant. The Recent Changes panel highlights new/gone devices, ports opening/closing, service or version changes, new vulnerabilities (critical if Known-Exploited), and OS changes. Notable changes can be pushed as alerts to Slack/Discord/generic webhooks or email (Β§19).
From the controls bar:
# Scan type: β¦ line plus a per-row Scan Type column, and the JSON
scan.scan_type field records it. Every export also includes each device's
Asset ID so findings can be tracked to the same physical device over time.Expand any host and use its Export: CSV / JSON / PDF buttons to download a focused report for just that host - overview, open ports/services, software and vulnerabilities (each with its CVE description and mitigation). Ideal for handing one machine's findings to its owner.
Click β± Schedule to manage recurring scans from the UI (operator+). For each schedule set a name, target (blank = auto /24), profile, scan type (Active or Passive), option toggles (credential exposure, AD/DC, SSL), and a cadence. Enable/disable, run now, or delete any schedule. Schedules you create are tagged with your tenant.
You can now schedule by day of week and clock time instead of (or as well as) a plain interval:
Example: tick Mon, Wed, Fri and set 02:30 to run a scan at 2:30 am every Monday, Wednesday and Friday. Choose Passive as the scan type for a zero-footprint nightly inventory. The schedule list shows the next run time and the Active/Passive badge. A global default interval can also be set via environment variables (Β§19).
For users with the admin role: accounts, tenants, the audit log, install and configuration.
| Role | Can do |
|---|---|
| admin | Everything: run/cancel scans, manage schedules, manage users & tenants, view the activity log, enforce MFA. Sees data across all tenants. |
| operator | Run, cancel and re-scan; manage schedules; export. Scoped to their own tenant. |
| viewer | Read-only: dashboard, all tabs, history and exports. Cannot start scans. Scoped to their own tenant. |
Click π₯ User Admin (admins only) to open the user-management modal.
NetscanXi supports soft multi-tenancy: one installation can serve multiple teams/customers while keeping their scan data separated.
default).acme, contoso,
home). They're free-text tags - just be consistent.default automatically on upgrade. Re-tag users as needed; historical scans
keep their original tag.Click π Activity (admins only) to open the audit log. It records, with a timestamp, the acting user, tenant and client IP:
| Event | When it's logged |
|---|---|
| π login / β logout | Successful sign-in and sign-out (login/logout times). |
| β login failed | A bad username/password attempt. |
| π scan / π re-scan | A scan or single-host re-scan is queued. |
| π€ export / π host export | A whole-scan or single-host export. |
| β± schedule run | A schedule is run on demand. |
| β user added / π’ tenant change | User-administration actions. |
| βοΈ username change / π admin password reset | An admin renames a user or sets/resets their password (Release 2). |
| π password changed / β password change failed | A user changes their own password via Account Security (Release 2). |
cd netscan-xi/v8
docker compose up --build
Open http://localhost:5000 (or http://<host-ip>:5000 from
the LAN). Data persists in ./data.
NET_ADMIN/NET_RAW so nmap can see your physical LAN and do
SYN/OS detection. On Docker Desktop for Mac/Windows it runs in a VM and won't reach your
real network - use the native install there.sudo apt update && sudo apt install -y nmap python3 python3-venv
cd netscan-xi/v8
chmod +x run.sh
sudo ./run.sh # http://localhost:5000
sudo ./run.sh 127.0.0.1 8080 # custom host/port
sudo? OS detection (-O) and SYN
scanning (-sS) need root for raw socket access.On a fresh install, either set the bootstrap env vars before first start:
NETSCAN_ADMIN_USER=admin
NETSCAN_ADMIN_PASSWORD=change-me-please
...or create one from the CLI:
python3 -m app.server seed-admin --username admin
Once an admin exists, manage everyone else from π₯ User Admin. For PDF export,
ensure reportlab is installed (it's in requirements.txt).
All configuration is via environment variables - everything has a safe default.
| Variable | Default | Purpose |
|---|---|---|
NETSCAN_ADMIN_USER | unset | Bootstrap first admin on a fresh install. |
NETSCAN_ADMIN_PASSWORD | unset | Password for the bootstrap admin. |
NETSCAN_SECRET | random | Flask session signing key - set this for stable logins. |
NETSCAN_PASSWORD | unset | Legacy single-password fallback (until accounts exist). |
NETSCAN_MFA_ISSUER | NetScan Xi | Issuer name shown in authenticator apps. |
NETSCAN_USE_NVD | 0 | 1 to enrich CVEs via the NVD API. |
NETSCAN_SCHEDULE_MINUTES | 0 | Global recurring scan interval (0 = off). |
NETSCAN_SCHEDULE_PROFILE | standard | Profile for the global scheduled scan. |
NETSCAN_SCHEDULE_TARGET | auto | Target for the global scheduled scan. |
NETSCAN_WEBHOOK_URL | unset | Slack/Discord/generic webhook for alerts. |
NETSCAN_ALERT_MIN_SEV | warn | Minimum severity to alert on. |
NETSCAN_SMTP_* | unset | SMTP email alerting (host/port/user/pass/from/to). |
NETSCAN_DB | ./data/netscan.db | SQLite database path. |
NETSCAN_PASSWORD)
and a stable NETSCAN_SECRET before exposing it beyond localhost; put it
behind a reverse proxy with TLS for remote access.reportlab
(pip install reportlab).The ten enhancements shipped in the 9.1 release: interactive analytics, finding lifecycle, bulk actions, a new admin role, global search, retention controls, patch-aware vulnerability assessment, trend history, service-desk integrations and a customisable dashboard.
The dashboard presents four equal-sized chart tiles: OS Distribution, Vulnerability Severity, Network Risk & Compliance and Regulatory Compliance. Together they give you an at-a-glance breakdown of what operating systems are on your network, how findings spread across Critical / High / Medium / Low severity, your overall risk and compliance posture, and pass/fail counts per regulatory framework.
Each tile is customisable. Use the type selector in a tile's header to switch it between a pie chart, horizontal bar graph or vertical bar graph (the Network Risk & Compliance tile additionally offers a historical trend line). Drag the ⠿ handle in a tile header to reorder the charts, and drag a tile's bottom-right corner to resize it. Your chosen types, sizes and order are saved in your browser, and ↺ Reset charts restores the defaults.
The OS and severity charts are not just pictures - they are filters. Click a pie slice or a legend entry to instantly filter the Assets table to just that operating system, or click a severity bar to show only assets carrying findings at that level. Click the same element again to clear the filter. All charts are drawn as inline SVG, so they render crisply at any size and work fully offline - no external chart library or internet connection required.
Every vulnerability can now be tracked through a lifecycle instead of simply reappearing on each scan. Open a host's detail panel, find the CVE, and click Set status to mark it as Open, Remediated, Accepted Risk or False Positive. You can add an optional note (for example a change-ticket reference or the reason a risk was accepted).
A status can be applied per asset or tenant-wide (so the same CVE is treated consistently everywhere it appears in your tenant). Findings marked Remediated or False Positive are de-emphasised in the host view and dropped from the active severity chart, so your dashboard reflects work you've actually done rather than noise. Because status is keyed to the stable asset ID, the lifecycle decision follows the asset across future scans - re-scanning won't reset your triage.
The Assets table gains a checkbox column and a select-all checkbox in the header, so you can act on several hosts at once. As soon as one or more rows are ticked, a bulk actions bar appears with:
Selection respects the current filter: if you've filtered the table (by typing in the filter box or clicking a chart slice), select-all ticks only the rows currently shown, so bulk actions apply to exactly the subset you're looking at.
Version 9.1 introduces a new RBAC role - tenant_admin - that sits between operator and admin. A tenant admin has full admin powers within their own tenant only: they can manage that tenant's users, schedules, scans, integrations, retention policy and activity log, without needing a global administrator.
Crucially, the boundary is strict. A tenant admin can never act across tenants and cannot create global admins - they can only manage roles up to tenant_admin within their own team. This lets you delegate day-to-day administration of a team to someone you trust with that team's data, while keeping cross-tenant control reserved for global admins.
A global search bar now lives in the top navigation. Start typing and it performs a live search across your latest scan, covering:
Results appear in a drop-down as you type; click any result to jump straight to that asset and open its detail. It's the fastest way to answer "where is host X?" or "which machines are affected by this CVE?" without manually sorting the table. Search is scoped to the data you're allowed to see.
The new β Admin panel lets you control how long scan history is kept, so the database doesn't grow forever. You can:
The asset registry (your stable asset IDs and per-asset history) and the audit log are always preserved regardless of retention settings, so you never lose accountability or device continuity. Tenant admins can manage and purge only their own tenant's scans; global admins set policy across all tenants.
A new Patch-aware vulns scan toggle enables version-aware vulnerability
assessment. When ticked it adds the vulners NSE script, and the scanner now
captures patch / build / package-release tokens (for example
4ubuntu0.5) into a per-host patch-level inventory rather than relying on
the distribution version alone.
Findings are tagged "version-confirmed" when the exact detected release proves the host is vulnerable, versus "heuristic" when the match is only inferred. Mitigations now cite the precise detected release, so advice points at the actual package on the box. The result is markedly more accurate than distro-version-only assessment, with fewer false positives for already-patched systems.
Set the Network Risk & Compliance chart tile to its Trend (line) view to plot historical trends over time: your overall network risk score and your compliance posture (%), charted across your full scan history. This turns a point-in-time snapshot into a visible direction of travel - are you getting more or less secure? Switch the same tile to a pie or bar view whenever you just want the latest values.
A snapshot is recorded automatically after every scan, so the trend builds up on its own as you keep scanning. Use it to demonstrate progress after a remediation push, or to spot a slow drift in posture before it becomes a problem.
NetscanXi can now raise tickets directly in your service desk. It ships native integrations for Jira, ServiceNow and Zendesk. Configure them in the new π Integrations admin panel: enter the base URL, authentication and the target project / table / group, then test the connection before saving.
Once configured, open any CVE finding in the host detail view and click Create ticket to file it in your chosen system - no copy-paste. Every ticket created is recorded for audit in the activity log, so there's a clear trail from finding to remediation task.
You can now tailor the dashboard to how you work. The main components - Summary, Interactive Charts and Top Vulnerabilities - can be rearranged. Click β Customise to enter customise mode, where you can drag-reorder components, pin one to the top, or hide ones you don't use.
Within the Interactive Charts block, each chart tile is independently customisable - change its type (pie / horizontal bars / vertical bars / trend), resize it by dragging its corner, and reorder the tiles via their drag handles (see §21).
Click βΊ Reset layout to restore the component defaults, or βΊ Reset charts for the chart tiles, at any time. Your layout persists per user, so each person gets the dashboard arrangement they prefer the next time they sign in.
The 9.1 features are backed by new HTTP endpoints, useful if you automate NetscanXi or build on top of it. All respect your role and tenant scope (see Β§14 and Β§24).
| Endpoint | Purpose |
|---|---|
GET /api/dashboard | Summary data for the charts:
os_distribution, severity_distribution and
lifecycle_counts (Β§21, Β§22). |
POST/GET /api/cve/lifecycle | Set and read finding status (Open / Remediated / Accepted Risk / False Positive) with optional note (Β§22). |
GET /api/trends?days= | Historical risk-score and compliance
snapshots over the requested window, e.g. ?days=90 (Β§28). |
GET /api/search?q= | Live global search across assets, CVEs and software (Β§25). |
GET/POST /api/settings/retention | Read and update the data-retention policy; updating can purge immediately (Β§26). |
/api/integrations* | Configure and test Jira / ServiceNow / Zendesk service-desk integrations (Β§29). |
/api/tickets | Create and list service-desk tickets raised from CVE findings (Β§29). |
GET/POST /api/dashboard/layout | Read and save the per-user dashboard layout (Β§30). |
Deep Docker container scanning & vulnerability assessment - look inside the Docker hosts NetscanXi finds.
Version 10r1 extends NetscanXi's Docker detection (Β§10) into deep, per-container and per-image visibility. When the Deep Docker scan option is enabled (it is on by default), for every detected Docker host NetscanXi:
NetscanXi talks to the Docker Engine API over plain HTTP (2375),
TLS (2376, with optional client certificate), the legacy
4243, or a local unix socket. From it you get:
NETSCAN_DOCKER_TLS_CA,
NETSCAN_DOCKER_TLS_CERT and NETSCAN_DOCKER_TLS_KEY to
present a client certificate to TLS-protected daemons.Open any Docker host's detail panel. Below the existing Docker section you'll now see:
Each discovered image is scanned for OS-package and language-dependency CVEs using a locally-installed scanner. The host view shows a severity strip (Critical/High/Medium/Low) and, per image, the CVE count and the top findings as chips. Container CVEs run through the same CISA KEV enrichment as host findings, so known-exploited issues are flagged (π₯) and sorted first.
NetscanXi audits each Docker host against high-signal CIS Docker controls and reports pass / warn / fail per check, including:
| Check | Why it matters |
|---|---|
| Docker API exposure | A remote API grants full control of the host. |
| Daemon TLS | Plain-HTTP API has no authentication. |
| Privileged container | Full host capabilities - a top escape risk. |
| docker.sock mount | A container with the socket can control the host. |
| Host network / PID | Removes container isolation. |
| Insecure registry / :latest | Supply-chain & reproducibility risks. |
| Rootless / live-restore | Engine hardening posture. |
A new π³ Docker & Containers panel appears on the dashboard whenever
the latest scan found Docker hosts (it auto-hides otherwise). It shows tiles
for docker hosts, running containers, images, image CVEs, critical image CVEs,
privileged containers, docker.sock mounts and CIS failures. Like
every dashboard component you can pin, hide or drag it.
Change detection now reports container/image drift between scans: new/removed containers, new images, a container becoming privileged or mounting docker.sock (flagged critical), and new known-exploited container CVEs.
Exports carry the new data: CSV gains Containers / Image CVEs / Image KEV / CIS-fail columns, JSON includes the full Docker block, and the per-host PDF gains a Docker container/image/CIS section.
| Endpoint | Purpose |
|---|---|
GET /api/docker/capabilities | Reports whether the Docker API inventory and an image scanner (Trivy/Grype) are available. |
GET /api/dashboard | Now includes a
summary.docker_stats rollup and the deep Docker block on each
host. |
Scan option: docker_deep (the βDeep Docker scanβ toggle)
enables/disables API inventory + image CVE + CIS audit per scan.
| Environment variable | Effect |
|---|---|
NETSCAN_DOCKER_API=0 | Disable authenticated API inventory. |
NETSCAN_DOCKER_IMAGE_SCAN=0 | Disable image CVE scanning. |
NETSCAN_DOCKER_SCANNER | trivy / grype / auto. |
NETSCAN_DOCKER_MAX_IMAGES | Cap images scanned per host (default 25). |
NETSCAN_DOCKER_TLS_CA|CERT|KEY | Client materials for mTLS to 2376. |
Version 13 lets NetscanXi act on what it finds. The Patch and Remedy tab (formerly the reserved "More" tab) applies operating-system updates and upgrades over SSH, and can also update Docker images.
| Endpoint | Purpose |
|---|---|
POST /api/patch/os/plan | Dry run: list targeted assets + detected OS. No SSH, no side effects, no remediation items. |
POST /api/patch/os | OS patch the target(s) over SSH:
auto-detect apt/dnf/yum/zypper/apk, update + upgrade, auto-create/update
remediation, audit. Body: mode, asset_id/
group_id, ssh
{username,password,port,sudo_password},
dist_upgrade, simulate. |
POST /api/patch/docker/plan | Dry run: which images would update on which Docker assets. No side effects. |
POST /api/patch/docker | Pull images (optional
recreate), auto-create/update remediation, audit. Body: mode,
asset_id/group_id, optional registry
{username,password,server}, recreate. |
New module: app/patcher.py; new dependency:
paramiko (SSH, imported lazily — degrades gracefully if absent).
No new database tables — patch runs reuse the Version 12
remediation table.
| Safety property | Behaviour |
|---|---|
| Credential storage | None. SSH/sudo and registry credentials are used once, then discarded. Never in the DB, logs, or responses; the browser clears password fields on send. |
| Audit | An os_patch / docker_patch
activity entry records counts and target only (e.g.
mode=all targets=3 ok=2 simulate=False). |
| Access control | Requires the operator role; tenant-scoped targeting. |
| Preview / simulate | Dry-run preview has no side effects; Simulate only runs the package manager in dry-run so nothing is changed on the host. |
The Remediation Tracking tab gains two Version 13 conveniences:
Endpoints: POST /api/remediation/bulk-delete;
GET/POST /api/remediation/<id>/comments;
DELETE /api/remediation/comments/<id>. New table:
remediation_comments (auto-created on startup).