CyStack VulnScan is not a single check runner. It is a multi-stage scanner that combines attack-surface discovery, service fingerprinting, web crawling, active verification, CVE intelligence, and reporting into one workflow.

Scan Pipeline

| Stage | What Happens | Why It Matters |
|---|---|---|
| Target normalization | URLs are reduced to domains/IPs where appropriate; CIDR/ranges are preserved. | Prevents duplicate assets and makes license checks consistent. |
| Scope validation | Domain, wildcard, IP, CIDR, activation, and target-count limits are checked before scanning. | Helps users keep scans inside the purchased and approved scope. |
| Host discovery | ICMP, TCP ping ports, and range probing identify live hosts. | Avoids wasting time on dead hosts in large scopes. |
| Port scan | Common TCP ports and configured port sets are tested with rate limits. | Finds exposed services beyond HTTP/HTTPS. |
| Service fingerprinting | Banners, HTTP metadata, TLS, SSH, SMB, SNMP, CMS and web technology fingerprints are collected. | Enables accurate CVE matching and targeted checks. |
| Web/API crawling | HTML links, forms, JavaScript paths, common API patterns, OpenAPI/Swagger, GraphQL, and hidden parameters are discovered. | Increases endpoint coverage for modern applications. |
| Active checks | DAST checks, high-confidence CyStack verification checks, and optional AI-assisted evidence analysis run against discovered endpoints/services. | Finds exploitable classes such as injection, SSRF, exposed panels, weak auth, misconfiguration, and suspicious application behavior. |
| CVE matching | Concrete CPE/version evidence is matched against the local NVD index. | Detects vulnerable and outdated components without relying only on handcrafted checks. |
| Enrichment | CVSS, EPSS, CISA KEV, public exploit indicators, CWE, OWASP Top 10, WSTG, and remediation text are added. | Converts raw findings into remediation-ready work items. |
| Storage and reporting | Results are persisted to the database and exported as CSV, JSON, or PDF. | Keeps Web UI, CLI, history, and reports consistent. |

Discovery Technologies

VulnScan uses several discovery techniques in one pipeline:
  • DNS and passive/active subdomain enumeration.
  • Live host probing for IP, CIDR, and range targets.
  • TCP port scanning with configurable rate limits.
  • HTTP probing for status, redirects, titles, headers, and technologies.
  • TLS certificate inspection including issuer, subject, SANs, validity window, protocol, and cipher.
  • WAF/CDN detection and server/provider enrichment.
  • Service banner grabbing and protocol-specific fingerprinting.
  • Web crawling with HTML, form, JavaScript path, API route, and common path extraction.
  • CMS/component discovery for widely used web platforms and extensions.
  • Optional AI-assisted analysis for endpoint patterns, response anomalies, parameter context, evidence quality, and false-positive review when configured.

Verification Model

VulnScan uses multiple evidence levels:
  • Verified findings: a check safely confirms the issue with direct evidence.
  • High-confidence findings: a detector matches strong signals such as exact vulnerable behavior, exposed files, or verified service state.
  • CPE/CVE findings: a detected product and concrete version match a vulnerable CPE entry in the local NVD index.
  • Informational findings: metadata such as services, technologies, WAF/CDN, TLS, and DNS context that helps interpret risk.
  • AI-assisted signals: optional analysis that helps identify suspicious evidence, explain context, and flag findings that may need human validation.
The scanner deliberately avoids broad wildcard version matches because they create excessive false positives. If a product version is unknown or too generic, VulnScan favors not reporting the CVE unless another detector provides stronger evidence.
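
The version-matching rule above, sketched as an added example (not VulnScan's own code): a CVE is reported only when the detected version is concrete and falls on an exact CPE version or inside a bounded range. The index rows, the `examplecorp:httpd` product, the CVE ids, and the definition of "concrete" as dotted numeric are all assumptions made for illustration.

```python
import re

# Constructed index rows shaped like NVD cpeMatch records. Vendor, product and
# CVE ids are placeholders, not real identifiers.
INDEX = [
    {"cve": "CVE-PLACEHOLDER-A",
     "criteria": "cpe:2.3:a:examplecorp:httpd:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.58"},
    {"cve": "CVE-PLACEHOLDER-B",
     "criteria": "cpe:2.3:a:examplecorp:httpd:2.2.15:*:*:*:*:*:*:*"},
    {"cve": "CVE-PLACEHOLDER-C",  # wildcard version with no range bounds
     "criteria": "cpe:2.3:a:examplecorp:httpd:*:*:*:*:*:*:*:*"},
]

# "Concrete" here means dotted numeric with at least major.minor (assumption).
CONCRETE = re.compile(r"\d+(\.\d+)+")
BOUNDS = {
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def vkey(version):
    return tuple(int(part) for part in version.split("."))

def in_bounded_range(version, entry):
    present = [k for k in BOUNDS if k in entry]
    if not present:
        return False  # unbounded wildcard: too broad to report on its own
    return all(BOUNDS[k](vkey(version), vkey(entry[k])) for k in present)

def match_cves(vendor, product, version, index=INDEX):
    """Return CVE ids only when the detected version is concrete."""
    if not version or not CONCRETE.fullmatch(version):
        return []  # unknown or generic evidence such as "2" or "2.x"
    hits = []
    for entry in index:
        # Sample criteria contain no escaped ':' so a plain split is enough.
        fields = entry["criteria"].split(":")
        if (fields[3], fields[4]) != (vendor, product):
            continue
        cpe_version = fields[5]
        if cpe_version in ("*", "-"):
            if in_bounded_range(version, entry):
                hits.append(entry["cve"])
        elif CONCRETE.fullmatch(cpe_version) and vkey(cpe_version) == vkey(version):
            hits.append(entry["cve"])
    return hits
```

A fingerprint that yields only `2` or `2.x` returns no CVEs here, which trades some recall for fewer false positives, as the paragraph above describes.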

Database-First Workflow

Standard scans from the Web UI, CLI, or scheduler are persisted to the database. Each scan records:
  • Asset and target.
  • Scan source: Web UI, CLI, or scheduled.
  • Profile and mode.
  • Authentication configuration type.
  • Status, phase, progress, start time, completion time, and duration.
  • Finding counts by severity.
  • Technologies and discovery metadata.
  • Findings, evidence, triage state, and report jobs.
This is important operationally: the Web UI is not a separate reporting layer over temporary files. It reads the same scan history that CLI workflows write.

Operational Controls

VulnScan includes controls that matter in production deployments:
  • License activation and deactivation.
  • Target scope enforcement for domains, wildcards, IP addresses, and CIDR ranges.
  • Maximum target and activation limits.
  • Workspace member roles: admin and member.
  • Mail providers for notifications: SendGrid API, AWS SES, and custom SMTP.
  • PDF report jobs that continue after the browser page is closed.
  • Offline preparation for scanner artifacts and vulnerability intelligence data.