SecurityScorecard scans approximately 1,500 ports in domains throughout the entire internet every day. These scans detect open ports and vulnerabilities, and collect other security-relevant data. To accomplish this high-velocity task and produce accurate results, we use a two-step process.
First, we use Masscan to scan for open ports. Masscan sends TCP SYN packets to request connections with internet ports and then analyzes the responses. Masscan can scan the entire Internet in less than five minutes, transmitting 10 million packets per second from a single machine.
Then, to test for vulnerabilities, we apply our own scanning framework that incorporates Nmap, a popular and widely trusted open-source scanner. Nmap collects more detailed information than Masscan. Our threat research team writes custom scripts using the Nmap Scripting Engine (NSE) to probe network services without disrupting them and to find out:
- What services are running
- What versions of services are running
- What security-relevant information HTTP headers contain
- Whether scanned assets contain vulnerabilities, and what kind
- Whether assets contain evidence of "back doors", which threat actors install to gain network access
To increase our scanning speed and accuracy, we have deployed more than 50 scanning agents across five continents. In addition, we continuously tune and augment our framework with customizations and new modules.
For more information on our scanning cadence, see this article.