Catalyst / admin/Synapse-NetscanXi 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Synapse-NetscanXi

public

Network Scanning, Vulnerability and Compliance Application

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Synapse-NetscanXi / NetscanXiVersion13 / docs / training-guide.html 38912 B · main
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>NetscanXi Version 13 - Training &amp; Reference Guide</title>
<style>
  @page { size: A4; margin: 18mm 16mm 18mm 16mm; }
  * { box-sizing: border-box; }
  html { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
  body {
    font-family: "Segoe UI", -apple-system, Roboto, Helvetica, Arial, sans-serif;
    color: #1c2430; font-size: 10.5pt; line-height: 1.5; margin: 0;
  }
  h1, h2, h3 { color: #0f2a47; font-weight: 700; }
  h2 { font-size: 15pt; margin: 22px 0 8px; padding-bottom: 5px;
       border-bottom: 2px solid #2496ed; }
  h3 { font-size: 12pt; margin: 16px 0 4px; color: #14507a; }
  p { margin: 6px 0; }
  ul, ol { margin: 6px 0 6px 0; padding-left: 20px; }
  li { margin: 3px 0; }
  code { font-family: "Consolas", "SF Mono", monospace; background: #eef3f8;
         padding: 1px 5px; border-radius: 4px; font-size: 9.5pt; color: #0a3d62; }
  pre { background: #0f1419; color: #e6edf3; padding: 12px 14px; border-radius: 7px;
        font-family: "Consolas", monospace; font-size: 9pt; line-height: 1.45;
        overflow-x: auto; white-space: pre-wrap; }
  pre code { background: none; color: inherit; padding: 0; }
  .keep { page-break-inside: avoid; }
  .pagebreak { page-break-before: always; }

  /* Cover */
  .cover { height: 247mm; display: flex; flex-direction: column;
           justify-content: center; align-items: center; text-align: center;
           page-break-after: always; }
  .cover .logo { font-size: 54pt; margin-bottom: 4px; }
  .cover .official { letter-spacing: 6px; font-size: 10pt; font-weight: 700;
           color: #2496ed; margin-bottom: 18px; }
  .cover h1 { font-size: 40pt; margin: 0; color: #0f2a47; letter-spacing: -1px; }
  .cover h1 .x { color: #1f9d3a; }
  .cover .doctype { font-size: 18pt; color: #14507a; font-weight: 700; margin-top: 6px; }
  .cover .ver { display: inline-block; margin-top: 12px; background: #1f9d3a;
                color: #fff; font-weight: 700; padding: 4px 16px; border-radius: 20px;
                font-size: 13pt; }
  .cover .tag { color: #5a6675; font-size: 13pt; margin-top: 18px; max-width: 135mm; }
  .cover .foot { position: absolute; bottom: 22mm; color: #8b97a5; font-size: 9.5pt; }

  /* Feature badges */
  .badges { margin: 4px 0 0; }
  .badge { display: inline-block; background: #eef3f8; border: 1px solid #cfe0f0;
           color: #14507a; border-radius: 14px; padding: 2px 10px; font-size: 9pt;
           margin: 3px 4px 3px 0; font-weight: 600; }

  /* Part divider */
  .part { background: #0f2a47; color: #fff; border-radius: 9px; padding: 14px 18px;
          margin: 26px 0 12px; page-break-inside: avoid; }
  .part h2 { color: #fff; border: none; margin: 0; padding: 0; font-size: 17pt; }
  .part p { margin: 4px 0 0; color: #b9c7d8; font-size: 10pt; }

  /* Callout boxes */
  .note, .warn, .tip, .role {
    border-radius: 7px; padding: 9px 12px; margin: 10px 0; font-size: 9.8pt;
    border-left: 4px solid; page-break-inside: avoid;
  }
  .note { background: #eef3f8; border-color: #2496ed; }
  .warn { background: #fdeceb; border-color: #d12d24; }
  .tip  { background: #eafaf0; border-color: #1f9d3a; }
  .role { background: #f3eefe; border-color: #7b46d1; }
  .note b, .tip b, .warn b, .role b { color: #0f2a47; }

  /* Tables */
  table { width: 100%; border-collapse: collapse; margin: 8px 0; font-size: 9.5pt; }
  th, td { text-align: left; padding: 6px 9px; border: 1px solid #d4dae0;
           vertical-align: top; }
  th { background: #0f2a47; color: #fff; font-weight: 600; }
  tr:nth-child(even) td { background: #f4f7fa; }

  .toc li { margin: 4px 0; }
  .toc a { color: #14507a; text-decoration: none; }
  .toc .grp { font-weight: 700; color: #0f2a47; margin-top: 8px; }
  .lead { font-size: 11pt; color: #34404e; }
  .pill { display:inline-block; background:#0f2a47; color:#fff; border-radius:5px;
          padding:1px 7px; font-size:9pt; font-weight:600; }
  .pill.green { background:#1f9d3a; } .pill.amber { background:#9a6700; }
  .pill.red { background:#d12d24; } .pill.purple { background:#7b46d1; }
  .num { display:inline-block; min-width:20px; height:20px; line-height:20px;
         text-align:center; background:#2496ed; color:#fff; border-radius:50%;
         font-size:9pt; font-weight:700; margin-right:6px; }
</style>
</head>
<body>

<!-- ============ COVER ============ -->
<div class="cover">
  <div class="logo">🛰️</div>
  <div class="official">OFFICIAL DOCUMENTATION</div>
  <h1><span class="x">N</span>etscanXi</h1>
  <div class="doctype">Training &amp; Reference Guide</div>
  <div class="ver">Version 13</div>
  <div class="tag">Includes Operator Training, Administrator Guidelines,
    Troubleshooting, and FAQ.</div>
  <div class="badges" style="margin-top:24px; max-width:160mm;">
    <span class="badge">Operator Training</span>
    <span class="badge">Administrator Guidelines</span>
    <span class="badge">Account Security &amp; MFA</span>
    <span class="badge">Scan Profiles</span>
    <span class="badge">Compliance Mapping</span>
    <span class="badge">🐳 Docker Detection</span>
    <span class="badge">🏢 Multi-Tenancy</span>
    <span class="badge">📋 Activity Log</span>
    <span class="badge">📡 Passive Scanning</span>
    <span class="badge">🆔 Asset IDs</span>
    <span class="badge">🗓️ Day/Time Schedules</span>
    <span class="badge">🐳 Deep Docker Scanning</span>
    <span class="badge">🔎 Image CVE Scanning</span>
    <span class="badge">🛡️ CIS Docker Audit</span>
    <span class="badge">🔧 Patching &amp; Remediation</span>
    <span class="badge">Troubleshooting &amp; FAQ</span>
  </div>
  <div class="foot">Self-hosted · Flask + nmap · Built for Debian &nbsp;|&nbsp; © 2026</div>
</div>

<!-- ============ INTRO ============ -->
<h2>Welcome</h2>
<p class="lead">Welcome to NetscanXi, your self-hosted network intelligence and
vulnerability management dashboard.</p>
<p>This platform is designed to give you continuous visibility into your infrastructure,
mapping software, open ports, Docker environments, and regulatory compliance posture.
This guide covers daily operator workflows, administrator responsibilities,
troubleshooting, and frequently asked questions.</p>
<div class="tip"><b>New in Version 13:</b> <b>Patch and Remedy</b> - apply
<b>operating-system updates &amp; upgrades</b> (apt / dnf / yum / zypper / apk,
auto-detected) over SSH to a single asset, an asset group, or all assets - or
update Docker images. NetscanXi <b>auto-creates and updates a remediation item</b>
for every run, and uses <b>per-run credentials that are never stored</b>.
Hands-on lessons are in <b>Part 6</b>.</div>
<div class="tip"><b>New in Version 10r1:</b> deep <b>Docker container scanning</b> -
authenticated Engine API inventory (containers + images), per-image <b>CVE
scanning</b> (Trivy/Grype) with KEV flagging, a <b>CIS Docker audit</b>, a Docker
dashboard panel and container drift detection. Hands-on lessons are in <b>Part 5</b>.</div>
<div class="tip"><b>New in Version 9.1:</b> one-click <b>Passive Scanning</b> (zero-probe
asset discovery), a stable <b>8-character Asset ID</b> bound to each device's MAC,
<b>day &amp; time scheduling</b> (tick days + set a clock time), an <b>editable device
Type</b> that sticks across scans, and a <b>Passive/Active scan-type label</b> on every
exported report.</div>

<!-- ============ TOC ============ -->
<h2>Contents</h2>
<ol class="toc">
  <li class="grp">Part 1 - Operator &amp; Viewer Training</li>
  <li><a href="#secure">1. Securing Your Account</a></li>
  <li><a href="#scans">2. Running &amp; Managing Scans</a></li>
  <li><a href="#dashboard">3. Reading the Dashboard &amp; Data Tabs</a></li>
  <li><a href="#export">4. Exporting Reports</a></li>
  <li class="grp">Part 2 - Administrator Training</li>
  <li><a href="#users">5. User &amp; Role Management</a></li>
  <li><a href="#tenancy">6. Managing Multi-Tenancy (Data Separation)</a></li>
  <li><a href="#activity">7. Monitoring the Activity Log</a></li>
  <li class="grp">Part 3 - Troubleshooting &amp; FAQ</li>
  <li><a href="#trouble">8. Troubleshooting Guide</a></li>
  <li class="grp">Part 4 - Version 9.1 &mdash; What's New</li>
  <li><a href="#v91-charts">9. Interactive Dashboard Charts</a></li>
  <li><a href="#v91-lifecycle">10. CVE Finding Lifecycle (Status Tracking)</a></li>
  <li><a href="#v91-multiselect">11. Multi-Select Asset Table &amp; Bulk Actions</a></li>
  <li><a href="#v91-tenantadmin">12. The Tenant Admin Role</a></li>
  <li><a href="#v91-search">13. Global Search Bar</a></li>
  <li><a href="#v91-retention">14. Data-Retention Policies (Admin Panel)</a></li>
  <li><a href="#v91-patch">15. Patch-Aware Vulnerability Assessment</a></li>
  <li><a href="#v91-trends">16. Historical Trend Graphs</a></li>
  <li><a href="#v91-integrations">17. Service-Desk Integrations</a></li>
  <li><a href="#v91-customise">18. Customisable Dashboard</a></li>
  <li class="grp">Part 5 - Version 10r1 &mdash; Docker Scanning</li>
  <li><a href="#v10-overview">19. Deep Docker Scan &amp; the Host View</a></li>
  <li><a href="#v10-cve">20. Image CVEs &amp; the CIS Audit</a></li>
  <li><a href="#v10-lab">21. Hands-On Lab: Your First Deep Docker Scan</a></li>
  <li class="grp">Part 6 - Version 13 &mdash; Patch and Remedy</li>
  <li><a href="#v13-overview">22. The Patch and Remedy Console</a></li>
  <li><a href="#v13-creds">23. Credentials, Safety &amp; the Audit Trail</a></li>
  <li><a href="#v13-lab">24. Hands-On Lab: Patch an Asset's OS</a></li>
</ol>

<!-- ===================================================================== -->
<div class="part">
  <h2>Part 1 - Operator &amp; Viewer Training</h2>
  <p>Daily operations for users assigned the <b>Operator</b> (can scan and export) or
     <b>Viewer</b> (read-only) roles.</p>
</div>

<!-- ============ 1 SECURE ============ -->
<h2 id="secure">1. Securing Your Account</h2>
<p>Before diving into the network data, ensure your access is secure.</p>
<ul>
  <li><b>Changing Your Password:</b> Click <b>Security</b> in the top bar. Enter your
      current password, type a new one (minimum 8 characters), and click
      <b>Update password</b>.</li>
  <li><b>Enabling Two-Factor Authentication (TOTP):</b> In the Security panel, scan the
      displayed QR code with an authenticator app (like Authy or Google Authenticator).
      Enter the 6-digit code to confirm.</li>
</ul>
<div class="tip"><b>Tip:</b> Always save your backup codes in a secure location. They are
your way back in if you lose access to your authenticator device.</div>

<!-- ============ 2 SCANS ============ -->
<h2 id="scans">2. Running &amp; Managing Scans</h2>
<p>Operators can initiate scans to discover assets and identify risks.</p>
<ul>
  <li><span class="num">1</span><b>Set the Target:</b> The target box will automatically
      fill with your detected network, but you can edit this to target a specific IP
      range or a single host.</li>
  <li><span class="num">2</span><b>Select a Profile:</b> Choose the depth of your scan
      based on your current diagnostic requirements.</li>
  <li><span class="num">3</span><b>Execute:</b> Click <b>Scan</b> for an active scan, or
      <b>Passive Scan</b> for a zero-probe listen-only sweep. The progress bar displays
      live percentage, elapsed time, and the exact IP currently being scanned.</li>
</ul>

<h3>Active vs Passive scanning (v9)</h3>
<p>Choose the right acquisition mode for the job:</p>
<table>
  <tr><th>Mode</th><th>What it does</th><th>When to use</th></tr>
  <tr><td><b>Active</b></td>
      <td>Sends nmap probes. Returns ports, services, OS, software, vulnerabilities,
          Docker/TLS/AD findings, compliance and a risk score. Supports profiles and the
          selectable options.</td>
      <td>You need depth and risk assessment.</td></tr>
  <tr><td><b>Passive</b></td>
      <td><b>Sends no probe traffic.</b> Listens to the ARP cache and mDNS/SSDP
          announcements to harvest IP, MAC, vendor, hostname, advertised services and a
          low-confidence device type. <b>No</b> ports, services, OS accuracy,
          vulnerabilities, TLS/AD/Docker/credential findings, or risk score. No options -
          one button.</td>
      <td>You want a quiet, zero-footprint inventory or must avoid touching sensitive
          devices.</td></tr>
</table>
<div class="tip"><b>Asset continuity:</b> a device found passively shares the same
<b>8-character Asset ID</b> it will use in active scans (matched by MAC), so when you
later run an active scan its vulnerabilities attach to the same asset instead of being
duplicated.</div>

<h3>Correcting a mis-identified device Type (v9)</h3>
<p>If the scanner labels a device's <b>Type</b> incorrectly, click the <b></b> pencil
beside the type in the Assets table, enter the correct value (e.g. <code>printer</code>,
<code>nas</code>, <code>camera</code>, <code>router</code>, <code>iot</code>) and save.
The correction is bound to the device's Asset ID and re-applied automatically on every
future scan. Clear the field to revert to the scanner's guess.</p>

<h3>Scan Profiles</h3>
<table>
  <tr><th>Scan Profile</th><th>Functionality Overview</th><th>Expected Speed</th></tr>
  <tr><td><b>Quick</b></td>
      <td>Scans the top 100 ports with light service detection. Skips vulnerability
          scripts.</td>
      <td><span class="pill green">Seconds</span></td></tr>
  <tr><td><b>Standard</b></td>
      <td>Scans the top 1000 ports and includes deep OS and service detection.</td>
      <td><span class="pill amber">Minutes</span></td></tr>
  <tr><td><b>Deep</b></td>
      <td>Adds nmap vulnerability (NSE) scripts to detect specific CVEs.</td>
      <td><span class="pill red">Slower</span></td></tr>
</table>

<!-- ============ 3 DASHBOARD ============ -->
<h2 id="dashboard">3. Reading the Dashboard &amp; Data Tabs</h2>
<p>Once a scan completes, the dashboard populates with actionable intelligence.</p>
<ul>
  <li><b>Asset Details:</b> Click any row in the asset table to view an expanded panel
      showing software, open ports, and vulnerabilities.</li>
  <li><b>Vulnerabilities:</b> Findings are ranked by severity, highlighting CVSS scores
      and tagging vulnerabilities found in CISA's Known-Exploited (KEV) catalog.
      Crucially, the system provides official CISA mitigations or tailored hardening
      advice for every finding.</li>
  <li><b>Compliance:</b> NetscanXi maps your network against <b>eight</b> major
      regulatory frameworks. This includes pass/fail mappings for <b>GDPR, PCI DSS,
      ISO 27001, SOC 2, HIPAA, Cyber Essentials, NIST CSF</b>, and the
      <b>NCSC CAF</b>.</li>
  <li><b>Docker Detection:</b> Hosts running container runtimes will display a Docker
      badge. The platform probes container ports and APIs to identify engine
      versions.</li>
</ul>
<div class="warn"><b>Critical:</b> Exposed Docker APIs (ports 2375, 2376, 4243)
represent a critical risk and should be restricted immediately.</div>

<!-- ============ 4 EXPORT ============ -->
<h2 id="export">4. Exporting Reports</h2>
<p>You can export data for external audits, ticketing, or distribution to system
owners.</p>
<ul>
  <li><b>Whole-Scan Export:</b> Use the top control bar to download the entire network
      inventory as a flat CSV, a structured JSON, or a branded PDF executive
      summary.</li>
  <li><b>Single-Host Export:</b> Expand a specific host in the asset table and click the
      dedicated export buttons to generate a focused report (CSV/JSON/PDF) for just that
      machine.</li>
  <li><b>Scan-type &amp; Asset ID (v9):</b> every export states whether the data is from a
      <b>Passive</b> or <b>Active</b> scan (printed on the PDF, a leading comment line +
      column in CSV, and the <code>scan_type</code> field in JSON) and includes each
      device's Asset ID.</li>
</ul>

<!-- ===================================================================== -->
<div class="part">
  <h2>Part 2 - Administrator Training</h2>
  <p>Strictly for users assigned the <b>Admin</b> role, which provides unscoped
     visibility across all data and full control over system configuration.</p>
</div>

<!-- ============ 5 USERS ============ -->
<h2 id="sched">Scheduling scans by day &amp; time (v9)</h2>
<p>Open <b>⏱ Schedule</b> to manage recurring scans. As well as the classic “every N
minutes” interval, you can now schedule by <b>day of week and clock time</b>:</p>
<ul>
  <li><span class="num">1</span><b>Run on days:</b> tick any combination of Mon–Sun.</li>
  <li><span class="num">2</span><b>At time:</b> enter the hour (0–23) and minute (0–59) in
      local time.</li>
  <li><span class="num">3</span><b>Scan type:</b> pick <b>Active</b> or <b>Passive</b> for
      the scheduled run.</li>
  <li><span class="num">4</span>Leave the days unticked and set <b>every N minutes</b>
      instead for a plain interval.</li>
</ul>
<div class="note"><b>Example:</b> tick Mon/Wed/Fri at <b>02:30</b> with scan type
<b>Passive</b> for a zero-footprint inventory three nights a week. The schedule list shows
the next run time and an Active/Passive badge.</div>

<h2 id="users">5. User &amp; Role Management</h2>
<p>Admins have full editable control over every account to prevent lockouts and ensure
security.</p>
<ul>
  <li><b>Adding Users:</b> Navigate to <b>User Admin</b> to create accounts. You must
      assign a username, password, role, and a tenant tag.</li>
  <li><b>Resetting Passwords:</b> If a user is locked out, admins can click
      <b>"set password"</b> on their row to immediately assign a new password without
      needing the old one.</li>
  <li><b>Enforcing MFA:</b> Admins can force Multi-Factor Authentication on or off per
      user, or reset a user's MFA if they lose their authentication device (forcing them
      to re-enrol at their next login).</li>
</ul>

<!-- ============ 6 TENANCY ============ -->
<h2 id="tenancy">6. Managing Multi-Tenancy (Data Separation)</h2>
<p>NetscanXi supports <b>soft multi-tenancy</b>, allowing one installation to serve
multiple isolated teams or customers.</p>
<ul>
  <li><b>How it works:</b> Every user, scan, and schedule carries a text-based
      <span class="pill">🏢 tenant tag</span>.</li>
  <li><b>Visibility Boundaries:</b> Scoped users (Viewers and Operators) will only ever
      see scans, history, and exports that share their exact tenant tag.</li>
  <li><b>Admin Visibility:</b> Admins bypass these restrictions and can see data across
      all tenants.</li>
</ul>

<!-- ============ 7 ACTIVITY ============ -->
<h2 id="activity">7. Monitoring the Activity Log</h2>
<p>For compliance and accountability, the system maintains a timestamped audit log.
Navigate to <b>Activity</b> to view successful/failed logins, scan executions, data
exports, and administrative actions (like password resets).</p>
<div class="note"><b>Accountability:</b> Every action logs the acting user, their
tenant, and their client IP address.</div>

<!-- ===================================================================== -->
<div class="part">
  <h2>Part 3 - Troubleshooting &amp; FAQ</h2>
  <p>Common issues and their resolutions.</p>
</div>

<!-- ============ 8 TROUBLE ============ -->
<h2 id="trouble">8. Troubleshooting Guide</h2>
<table>
  <tr><th style="width:42%">Issue</th><th>Solution</th></tr>
  <tr>
    <td><b>Scans are returning empty results or missing data.</b></td>
    <td>Ensure the underlying installation has root access. If NetscanXi does not have
        <code>NET_ADMIN</code> or <code>NET_RAW</code> capabilities, it will skip OS
        detection and SYN scans.</td>
  </tr>
  <tr>
    <td><b>A passive scan found few or no devices.</b></td>
    <td>Passive scanning only sees devices that have recently talked on the LAN (ARP
        cache) or that broadcast mDNS/SSDP announcements. Give it time, ensure the
        container shares the host network so it can read the neighbour cache and receive
        multicast, then re-run. For a complete inventory, run an Active scan.</td>
  </tr>
  <tr>
    <td><b>A device's Type is wrong.</b></td>
    <td>Click the <b></b> pencil next to the Type in the Assets table and enter the
        correct value. The override is bound to the device's Asset ID and persists across
        future scans.</td>
  </tr>
  <tr>
    <td><b>A day/time schedule didn't fire.</b></td>
    <td>Times are interpreted in the server's local timezone. Confirm at least one day is
        ticked and the hour/minute are set; if no days are ticked the schedule falls back
        to the “every N minutes” interval.</td>
  </tr>
</table>

<!-- ===================================================================== -->
<div class="part pagebreak">
  <h2>Part 4 - Version 9.1 &mdash; What's New</h2>
  <p>Ten new capabilities land in Version 9.1. Each lesson below is hands-on: open the
     named control and follow the steps. Unless noted, these features respect your tenant
     scope and role.</p>
</div>

<!-- ============ 9 INTERACTIVE CHARTS ============ -->
<h2 id="v91-charts">9. Interactive Dashboard Charts</h2>
<p>The dashboard renders four equal-sized chart tiles &mdash; <b>OS Distribution</b>,
<b>Vulnerability Severity</b>, <b>Network Risk &amp; Compliance</b> and <b>Regulatory
Compliance</b> &mdash; that you can re-style, resize and rearrange. The OS and severity
charts also double as live filters for the asset table.</p>
<ul>
  <li><span class="num">1</span><b>Find the charts:</b> after a scan completes, look at the
      <b>Interactive Charts</b> block near the top of the dashboard.</li>
  <li><span class="num">2</span><b>Choose a chart type:</b> use each tile's
      <b>type selector</b> to switch between a <b>pie chart</b>, <b>horizontal bars</b> or
      <b>vertical bars</b> (the Network Risk &amp; Compliance tile also offers a
      <b>trend line</b>).</li>
  <li><span class="num">3</span><b>Resize a tile:</b> drag the <b>bottom-right corner</b> of
      any tile to make it bigger or smaller.</li>
  <li><span class="num">4</span><b>Move a tile:</b> drag the <b>&#10303; handle</b> in the
      tile header to reorder the charts.</li>
  <li><span class="num">5</span><b>Filter by clicking:</b> click a pie <b>slice</b> (e.g.
      <i>Windows</i>) or a severity <b>bar</b> (e.g. <i>Critical</i>) to filter the asset
      table to only matching assets; click again or use <b>Clear filter</b> to reset.</li>
  <li><span class="num">6</span><b>Reset charts:</b> click <b>&#8634; Reset charts</b> to
      restore the default types, sizes and order.</li>
</ul>
<div class="tip"><b>Tip:</b> your chart types, sizes and order are saved in your browser,
so the dashboard looks the way you left it next time you sign in.</div>

<!-- ============ 10 CVE LIFECYCLE ============ -->
<h2 id="v91-lifecycle">10. CVE Finding Lifecycle (Status Tracking)</h2>
<p>You can now triage individual vulnerabilities and have that decision follow the asset
across future scans, instead of re-reviewing the same finding every time.</p>
<ul>
  <li><span class="num">1</span><b>Open host detail:</b> click an asset row, then expand a
      vulnerability under its <b>Vulnerabilities</b> list.</li>
  <li><span class="num">2</span><b>Set status:</b> click <b>Set status</b> and choose one
      of <span class="pill red">Open</span> <span class="pill green">Remediated</span>
      <span class="pill amber">Accepted Risk</span>
      <span class="pill">False Positive</span>.</li>
  <li><span class="num">3</span><b>Add a note (optional):</b> record why &mdash; e.g. a
      change ticket, a compensating control, or evidence it's a false positive.</li>
  <li><span class="num">4</span><b>Choose the scope:</b> apply the status to
      <b>this asset only</b>, or <b>tenant-wide</b> so the same CVE is treated
      consistently across every host in your tenant.</li>
</ul>
<div class="note"><b>Persistence:</b> a status is bound to the asset's Asset ID, so a
finding you mark <b>Accepted Risk</b> stays that way when the host reappears in the next
scan &mdash; until the CVE is no longer detected or you change the status.</div>

<!-- ============ 11 MULTI-SELECT ============ -->
<h2 id="v91-multiselect">11. Multi-Select Asset Table &amp; Bulk Actions</h2>
<p>The asset table gains a checkbox column so you can act on many hosts at once.</p>
<ul>
  <li><span class="num">1</span><b>Select assets:</b> tick the checkbox at the start of
      each row, or use the <b>select-all</b> checkbox in the header to grab every row in
      the current (possibly filtered) view.</li>
  <li><span class="num">2</span><b>Export selected:</b> click <b>Export selected</b> and
      choose <b>CSV</b> or <b>JSON</b> to download just the chosen assets.</li>
  <li><span class="num">3</span><b>Re-scan selected:</b> click <b>Re-scan selected</b> to
      queue a fresh scan against only those hosts.</li>
</ul>
<div class="tip"><b>Tip:</b> combine with chart filters &mdash; click the <i>Critical</i>
bar, press select-all, then <b>Re-scan selected</b> to immediately re-validate every
high-risk host.</div>

<!-- ============ 12 TENANT ADMIN ============ -->
<h2 id="v91-tenantadmin">12. The Tenant Admin Role</h2>
<p>Version 9.1 adds a new RBAC role, <b>Tenant Admin</b>, sitting between Operator and the
global Admin.</p>
<div class="role"><b>Role hierarchy:</b>
  <span class="pill">viewer</span> &lt;
  <span class="pill">operator</span> &lt;
  <span class="pill purple">tenant_admin</span> &lt;
  <span class="pill">admin</span></div>
<ul>
  <li><b>What they can do:</b> a Tenant Admin has full administrative control
      <b>within their own tenant</b> &mdash; managing users, scans, schedules, retention,
      and integrations for that tenant.</li>
  <li><b>What they cannot do:</b> they <b>cannot</b> see other tenants' data and
      <b>cannot</b> create global Admins.</li>
  <li><b>Assigning it:</b> a global Admin opens <b>User Admin</b>, edits the user, and sets
      the role to <code>tenant_admin</code>.</li>
</ul>
<div class="warn"><b>Least privilege:</b> prefer Tenant Admin over global Admin for
per-customer or per-team administrators &mdash; it confines blast radius to a single
tenant.</div>

<!-- ============ 13 GLOBAL SEARCH ============ -->
<h2 id="v91-search">13. Global Search Bar</h2>
<p>A search box now lives in the top navigation bar for fast lookups.</p>
<ul>
  <li><span class="num">1</span><b>Type a query:</b> click the search bar in the top nav
      and enter an IP, hostname, CVE ID, or software name.</li>
  <li><span class="num">2</span><b>What it searches:</b> assets, CVEs, and software in the
      <b>latest scan</b>.</li>
  <li><span class="num">3</span><b>Jump to the asset:</b> click any result to open the
      associated asset's detail panel directly.</li>
</ul>
<div class="note"><b>Scope:</b> results obey your tenant boundary, so scoped users only
match assets, CVEs, and software within their own tenant.</div>

<!-- ============ 14 RETENTION ============ -->
<h2 id="v91-retention">14. Data-Retention Policies (Admin Panel)</h2>
<p>The new <b>⚙ Admin</b> panel lets administrators control how long scan history is
kept.</p>
<ul>
  <li><span class="num">1</span><b>Open the panel:</b> go to <b>⚙ Admin</b> and find the
      <b>Data Retention</b> section.</li>
  <li><span class="num">2</span><b>Set the rules:</b> choose <b>delete scans older than
      N days</b> and/or <b>keep the M most-recent</b> scans. You can use either or both.</li>
  <li><span class="num">3</span><b>Auto-apply (optional):</b> tick <b>auto-apply</b> to
      enforce the policy automatically after each scan.</li>
  <li><span class="num">4</span><b>Purge now:</b> click <b>Save &amp; purge now</b> to save
      the policy and immediately remove out-of-policy scans.</li>
</ul>
<div class="warn"><b>Preserved data:</b> purging removes only scan results. The
<b>asset registry</b> (Asset IDs, Type overrides, finding statuses) and the
<b>audit log</b> are always preserved.</div>

<!-- ============ 15 PATCH-AWARE ============ -->
<h2 id="v91-patch">15. Patch-Aware Vulnerability Assessment</h2>
<p>A new scan toggle improves accuracy by confirming findings against captured patch
levels.</p>
<ul>
  <li><span class="num">1</span><b>Enable the toggle:</b> before running a scan, switch on
      <b>Patch-aware vulns</b>. This adds the <code>vulners</code> NSE script to the scan.</li>
  <li><span class="num">2</span><b>Run the scan:</b> NetscanXi captures patch and build
      tokens into a per-host <b>patch-level list</b> visible in host detail.</li>
  <li><span class="num">3</span><b>Read the tags:</b> each finding is labelled
      <span class="pill red">version-confirmed</span> (matched against the detected
      build) or <span class="pill amber">heuristic</span> (banner/inference only).</li>
</ul>
<div class="tip"><b>Why it matters:</b> version-confirmed findings dramatically cut false
positives &mdash; prioritise remediation on those first.</div>

<!-- ============ 16 TRENDS ============ -->
<h2 id="v91-trends">16. Historical Trend Graphs</h2>
<p>The dashboard plots how your posture changes over time.</p>
<ul>
  <li><span class="num">1</span><b>Open the trend chart:</b> set the <b>Network Risk &amp;
      Compliance</b> tile's type selector to <b>Trend (line)</b> to plot <b>network risk
      score</b> and <b>compliance posture</b> across your full scan history.</li>
  <li><span class="num">2</span><b>Switch views:</b> change the same tile to a <b>pie</b> or
      <b>bar</b> view to see the latest posture values instead of the time series.</li>
  <li><span class="num">3</span><b>Understand the data:</b> a snapshot is recorded
      automatically <b>after each scan</b>, so the line fills in as you scan over time.</li>
</ul>
<div class="note"><b>Tip:</b> use the trend line in management reviews to show risk
trending down after a remediation push.</div>

<!-- ============ 17 INTEGRATIONS ============ -->
<h2 id="v91-integrations">17. Service-Desk Integrations</h2>
<p>Open tickets for findings directly in <b>Jira</b>, <b>ServiceNow</b>, or
<b>Zendesk</b>.</p>
<ul>
  <li><span class="num">1</span><b>Configure:</b> go to the <b>🔗 Integrations</b> panel,
      pick your service desk, and enter the connection details (URL, project/queue,
      credentials or API token).</li>
  <li><span class="num">2</span><b>Test:</b> click <b>Test</b> to verify the connection
      before saving.</li>
  <li><span class="num">3</span><b>Create a ticket:</b> in host detail, expand a CVE finding
      and click <b>Create ticket</b> to open a pre-filled ticket in your service desk.</li>
</ul>
<div class="tip"><b>Workflow:</b> pair this with the finding lifecycle &mdash; raise a
ticket, then mark the CVE <b>Open</b> with the ticket reference in the note for full
traceability.</div>

<!-- ============ 18 CUSTOMISABLE DASHBOARD ============ -->
<h2 id="v91-customise">18. Customisable Dashboard</h2>
<p>Tailor the dashboard layout to the way you work.</p>
<ul>
  <li><span class="num">1</span><b>Enter edit mode:</b> click <b>✎ Customise</b> in the
      dashboard toolbar.</li>
  <li><span class="num">2</span><b>Rearrange:</b> <b>drag</b> components to reorder them,
      <b>pin</b> the ones you always want on top, or <b>hide</b> components you don't
      need.</li>
  <li><span class="num">3</span><b>Exit:</b> leave Customise mode to lock in your layout;
      it persists for your account.</li>
  <li><span class="num">4</span><b>Start over:</b> click <b>↺ Reset layout</b> to return
      to the default arrangement at any time.</li>
  <li><span class="num">5</span><b>Customise the charts too:</b> inside the <b>Interactive
      Charts</b> block you can change each chart's type, resize it and reorder it
      independently &mdash; see &sect;9.</li>
</ul>
<div class="note"><b>Per-user:</b> your customised layout is saved to your account and
doesn't affect what other users see.</div>

<!-- ===================================================================== -->
<div class="part pagebreak">
  <h2>Part 5 - Version 10r1: Docker Scanning</h2>
  <p>Hands-on training for deep Docker container scanning &amp; vulnerability
     assessment.</p>
</div>

<h2 id="v10-overview">19. Deep Docker Scan &amp; the Host View</h2>
<p>Version 10r1 looks <i>inside</i> the Docker hosts NetscanXi finds. With the
   <b>Deep Docker scan</b> option enabled (default on), NetscanXi connects to each
   host's Docker Engine API and pulls the container and image inventory.</p>
<ul>
  <li><span class="num">1</span><b>Run a scan:</b> on the scan bar keep
      <b>Docker hosts</b> and <b>Deep Docker scan</b> ticked, then run an Active
      scan.</li>
  <li><span class="num">2</span><b>Open a Docker host:</b> its detail panel now
      shows API status, engine info and a <b>Containers</b> list with risk badges
      (privileged, docker.sock, host-net, host-pid, +caps).</li>
  <li><span class="num">3</span><b>Dashboard:</b> the <b>🐳 Docker &amp;
      Containers</b> panel summarises hosts, containers, images, image CVEs,
      privileged containers, docker.sock mounts and CIS failures.</li>
</ul>
<div class="tip"><b>Read-only:</b> NetscanXi only reads from the Docker API - it
   never starts/stops containers or changes configuration.</div>

<h2 id="v10-cve">20. Image CVEs &amp; the CIS Audit</h2>
<ul>
  <li><span class="num">1</span><b>Image CVEs:</b> if Trivy or Grype is installed,
      each image is scanned for CVEs. The host view shows a severity strip and
      per-image CVE chips; <b>known-exploited (KEV)</b> CVEs are flagged 🔥 and
      sorted first.</li>
  <li><span class="num">2</span><b>CIS audit:</b> review the pass/warn/fail checks
      - exposed API, no TLS, privileged containers, docker.sock mounts, host
      network/PID, insecure registry, :latest tags. Fix the <b>fail</b> items
      first.</li>
  <li><span class="num">3</span><b>Exports &amp; drift:</b> CSV/JSON/PDF now carry
      container &amp; image data, and change detection flags new containers,
      new-privileged / docker.sock changes and new KEV container CVEs.</li>
</ul>

<h2 id="v10-lab" class="pagebreak">21. Hands-On Lab: Your First Deep Docker Scan</h2>
<ol>
  <li>(Optional) install <b>Trivy</b> on the NetscanXi host so images get CVE
      results (the bundled Docker image already includes it).</li>
  <li>Run an Active scan of a range that includes a Docker host.</li>
  <li>Open the <b>🐳 Docker &amp; Containers</b> dashboard panel and note the
      counts.</li>
  <li>Open a Docker host → review Containers, Image Vulnerabilities and the CIS
      audit.</li>
  <li>Pick your top 3 actions: a KEV image CVE, a privileged container, and any
      docker.sock mount. Export a per-host PDF to share.</li>
</ol>
<div class="warn"><b>Authorisation:</b> only scan hosts you are authorised to
   assess; use read-only Docker API access.</div>

<!-- ===================================================================== -->
<h2 class="pagebreak">Part 6 - Version 13: Patch and Remedy</h2>
<p>Version 13 lets NetscanXi <b>act</b> on what it finds. It applies
<b>operating-system updates and upgrades</b> over SSH, and can also update
Docker images. Patching is an <b>operator</b>-level action and is fully
tenant-separated.</p>

<h2 id="v13-overview">22. The Patch and Remedy Console</h2>
<p>Open the <b>Patch and Remedy</b> tab. Choose a <b>Patch type</b> &mdash;
<b>Operating system (SSH)</b> or <b>Docker images</b> &mdash; then a target:</p>
<ul>
  <li><b>Single asset</b> - patch one asset from the latest scan.</li>
  <li><b>Asset group</b> - patch every asset in a tenant asset group.</li>
  <li><b>All assets in scope</b> - patch every asset found (OS patching is not
      limited to Docker hosts).</li>
</ul>
<p><b>Operating-system patching</b> connects over SSH, auto-detects the package
manager (<code>apt</code>, <code>dnf</code>, <code>yum</code>, <code>zypper</code>
or <code>apk</code>) and runs an update + upgrade. Tick <b>Full distribution
upgrade</b> for a heavier dist-upgrade, or <b>Simulate only</b> to run the
package manager in dry-run mode so nothing is changed.</p>
<p><b>Docker patching</b> instead pulls the latest image for each running
container over the same authenticated Docker Engine API used for scanning, with
an optional experimental <b>Recreate containers after pull</b>.</p>
<div class="tip"><b>Preview first.</b> <b>Preview (dry run)</b> lists the targeted
assets and their detected OS (or images) with <b>no side effects</b> &mdash; the
OS preview does not even contact SSH &mdash; and creates no remediation items.</div>

<h2 id="v13-creds">23. Credentials, Safety &amp; the Audit Trail</h2>
<p><b>SSH and sudo credentials</b> (for OS patching) and <b>registry
credentials</b> (for Docker) are entered <b>per patch run</b>. They are used
once and are <b>never written to the database, never logged, and never
returned</b>. Password fields are cleared in the browser the moment the request
is sent.</p>
<p>Every patch run is recorded two ways:</p>
<ul>
  <li><b>Remediation Tracking</b> - one item per targeted asset is auto-created
      (status <i>in progress</i>) and then updated to <b>resolved</b> or
      <b>blocked</b> with a result summary, assignee and timestamp.</li>
  <li><b>Activity log</b> - an <code>os_patch</code> (or <code>docker_patch</code>)
      entry records who patched what, with counts only (e.g.
      <code>targets=3 ok=2 simulate=False</code>) &mdash; never any credential
      material.</li>
</ul>
<div class="warn"><b>Authorisation &amp; change control:</b> OS patching performs
<b>privileged remote execution</b> and makes live changes to running systems.
Patch only assets you are authorised to change, prefer the simulate/dry-run
preview, and use a maintenance window for production hosts.</div>

<h2 id="v13-lab" class="pagebreak">24. Hands-On Lab: Patch an Asset's OS</h2>
<ol>
  <li>Run an Active scan of a range containing a Linux host you may change.</li>
  <li>Open the <b>Patch and Remedy</b> tab; keep <b>Patch type =
      Operating system</b>.</li>
  <li>Choose <b>Single asset</b> and pick your Linux host (it now appears
      whether or not it runs Docker).</li>
  <li>Click <b>Preview (dry run)</b> and confirm the detected OS / package
      manager.</li>
  <li>Enter the <b>SSH username/password</b> (and sudo password if different) &mdash;
      note they are not stored.</li>
  <li>Tick <b>Simulate only</b> first, click <b>Patch now</b>, and review what
      <i>would</i> change.</li>
  <li>Untick Simulate and run again to apply the updates; watch the per-asset
      log.</li>
  <li>Open <b>Remediation Tracking</b> and confirm the item was created and
      updated; (admins) check the <code>os_patch</code> activity entry shows no
      credentials.</li>
</ol>

</body>
</html>