Skip to main content
CyStack VulnScan is distributed as a binary application for Windows, macOS, and Linux. The same binary can run the Web UI, execute CLI scans, manage licensing, prepare offline artifacts, and export reports.

Deployment Models

ModelBest ForNotes
Single analyst workstationEvaluation, small assessments, local CLI usage.Simple to start, but not ideal for team workflow.
Shared Web UI serverTeam usage, recurring scans, centralized reports.Recommended for production.
Automation runnerScheduled CLI scans, CI/security pipeline integration.Use the same workspace configuration if results should appear in the Web UI.
Offline or restricted networkEnvironments without direct Internet access.Requires offline activation and prepared scanner/intelligence artifacts.
For a shared deployment:
  1. Install the VulnScan binary on a stable server.
  2. Create a dedicated data directory, for example /var/lib/cystack-vulnscan.
  3. Activate the license.
  4. Start the Web UI with an explicit bind address.
  5. Place VulnScan behind an internal reverse proxy if HTTPS termination and access control are required.
  6. Configure mail delivery.
  7. Create named administrator and member accounts.
  8. Add assets and validate discovery before broad scanning.
vulnscan web --bind 0.0.0.0:8080 --data-dir /var/lib/cystack-vulnscan

Data Directory

The data directory stores workspace state:
  • Workspace database.
  • Assets, scans, findings, and report job metadata.
  • Exported reports.
  • License state.
  • Mail configuration.
  • Runtime logs and scanner state.
Back up this directory according to your organization’s recovery policy. If CLI automation must write results into the same workspace, run it with the same configuration and data location.

Network Requirements

The VulnScan host needs:
  • Access to target assets on the required ports.
  • DNS resolution for domain and subdomain discovery.
  • Outbound access for license activation and updates, unless the deployment is offline.
  • Outbound mail provider access if email notifications are enabled.
  • Inbound access from user browsers to the Web UI.
For externally hosted targets, make sure the VulnScan server’s egress IP is allowed by the target owner and not blocked by staging firewalls.

Online and Offline Activation

Online activation: 
vulnscan activate --license CYSTACK-XXXX-XXXX-XXXX-XXXX
Offline activation: 
vulnscan fingerprint
vulnscan activate --file activation.dat
Offline environments should also prepare scanner artifacts and vulnerability intelligence data before entering the restricted network: 
vulnscan prep-offline

Performance and Scale

VulnScan is designed for large external attack surfaces. Default configuration uses concurrent discovery, port scanning, fingerprinting, detection, and enrichment workers. Actual throughput depends on host CPU, memory, network latency, target responsiveness, license limits, and safe scanning policy. Recommended scale practices:
  • Start with a root domain discovery pass before scanning all subdomains.
  • Split very large portfolios by business owner, environment, or risk tier.
  • Use schedules for recurring production scans.
  • Run large PDF exports as background jobs.
  • Use CSV/JSON for high-volume integration.
  • Monitor scan duration and reduce scope where target systems are fragile.

Security Hardening

For shared deployments:
  • Run VulnScan under a dedicated operating-system account.
  • Restrict access to the data directory.
  • Put the Web UI behind HTTPS in production.
  • Limit Web UI access to trusted networks or an identity-aware proxy.
  • Use named user accounts.
  • Rotate mail provider credentials.
  • Remove inactive workspace members.
  • Deactivate the license before permanently moving the instance to a new host.

Updates

Use the update command when your deployment policy allows direct updates: 
vulnscan update
Restricted environments should use CyStack-provided update packages or offline preparation workflows according to the deployment notes supplied with the license.