Agent-based Scanning

Enterprise

Complement network scans with host-level visibility. Lightweight agents detect vulnerabilities from inside the system.

Why agent-based scanning?

Network-based scanning sees what is exposed over the wire. Agent-based scanning sees what is installed on the host: unpatched packages, misconfigurations, weak permissions, and local vulnerabilities invisible from the network. Together they provide comprehensive coverage.

Agent capabilities

Package vulnerability audit

Enumerate installed packages (apt, yum, apk, pacman, Windows Update) and correlate against the NVD/CVE database. Detects vulnerabilities even in services that are not listening on the network.

Configuration checks

CIS benchmark-aligned checks: SSH hardening, password policies, firewall rules, file permissions, sysctl parameters, cron jobs, sudoers configuration.

File integrity monitoring (FIM)

Watch critical files and directories for changes. SHA-256 checksums with configurable alert thresholds. Detects unauthorized modifications to system binaries, configs, and web roots.
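The baseline-and-compare logic behind SHA-256 file integrity monitoring, as an added example (not Ravenscan's agent code). The function names, the permission-bit comparison and the temporary sample files are constructed for illustration; alert thresholds and continuous watching are not modelled.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, permission bits) for regular files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):  # skip symlinks, special files
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                state[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return state

def diff(baseline, current):
    """Return (change, path) findings between two snapshots, sorted by path."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append(("added" if old is None else "removed", path))
        elif old != new:  # content change takes precedence over a mode-only change
            findings.append(("modified" if old[0] != new[0] else "mode_changed", path))
    return findings

def demo():  # constructed web root: take a baseline, change files, report the diff
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("index.html", b"<h1>v1</h1>")
        write("config/app.conf", b"debug=0\n")
        write("bin/tool", b"tool v1")
        baseline = snapshot(root)
        write("index.html", b"<h1>v2</h1>")               # same size, different content
        write("extra.php", b"<?php ?>")                   # file not in the baseline
        os.remove(os.path.join(root, "config/app.conf"))  # baseline file deleted
        os.chmod(os.path.join(root, "bin/tool"), 0o755)   # content intact, mode changed
        return diff(baseline, snapshot(root))
```

The same-size edit to `index.html` is caught only because the comparison is on the digest, not on size or timestamp.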

Process inventory

List running processes with user, open ports, and loaded libraries. Detect unexpected services, cryptocurrency miners, and reverse shells.

Deployment

Linux agent

Static Go binary, ~10 MB. Install via one-liner, Ansible, or system package (deb/rpm). Runs as a systemd service with minimal privileges (non-root, CAP_DAC_READ_SEARCH).

Windows agent

MSI installer. Runs as a Windows service under the Local Service account. Communicates with the Ravenscan server over mTLS.

Communication

Agents connect outbound to the Ravenscan server over mTLS (port 8443). No inbound ports required on the agent host. Results are pushed, not pulled.

Configuration

  1. Generate enrollment token — In the Ravenscan UI, navigate to Settings → Agents and generate an enrollment token.
  2. Install the agent — Run the one-liner with the enrollment token. The agent registers itself and downloads its scan profile.
  3. Configure scan schedule — Set how often the agent scans (default: every 6 hours). FIM runs continuously.
  4. View results — Agent findings appear in the same dashboard as network scan results, tagged with the source (agent vs. network).

Security

  • Agent binary is signed with Cosign + GPG — verify integrity before deployment
  • mTLS with certificate pinning prevents MITM and unauthorized agent registration
  • Agent runs with minimal privileges — read-only access, no modification capabilities
  • Enrollment tokens are single-use and expire after 24 hours
  • Agent can be remotely deregistered from the admin console

Need help deploying agents? Contact [email protected]. For Enterprise licensing, reach out to [email protected].