Platform / Attack-surface exposure

Open ports are noise. Reachable services are risk.

oxharden maps every listening socket, links it to the owning process and package, and shows which services are actually exposed. Confirm internet reachability with an external probe, then jump from the port to CVEs, package context, and remediation guidance.

37 / 5,118 reachable & exploitable
142 internet-reachable, probe-confirmed
64 cleartext ports still serving

Open is not the same as exposed. Most tools stop at a list of listening sockets. oxharden goes further: it shows which services are reachable, what is running behind them, which package owns them, and where cleartext protocols create avoidable risk.

01 · Reachable, not just open

Turn a noisy port list into a real exposure view.

A listening socket is only risk if traffic can get to it. oxharden filters noisy listeners by bind address, host firewall, cloud security groups, and routing context, then optionally validates exposure from the outside. What remains is the smaller set of services your team should fix first.

Reachability inferred from nftables, cloud security groups, and routing
Optional external probe confirms live exposure from oxharden egress
Localhost and firewalled listeners ranked down, not treated as exposed
Attack surface: open ≠ reachable
5,118 open listeners (ss · /proc/net)
1,470 firewall / SG permits inbound (nftables · cloud SG)
142 internet-reachable (route + edge inference)
37 probe-confirmed live (external reachability probe): fix first
02 · Port → process → package

A port is only useful when you know what owns it.

oxharden traces listening sockets back to the process, binary, and package behind them. That turns exposure into action: see who owns the service, which CVEs affect it, and what package or configuration change reduces the risk.

Socket → PID → binary → owning package
Open services inherit package CVEs automatically
Unattributed listeners are flagged instead of ignored
03 · Cleartext & admin surfaces

Some services should never be quietly exposed.

oxharden identifies cleartext protocols, admin surfaces, datastores, and control-plane services the moment they appear. If one is reachable from the internet, it becomes a priority finding, not another row in a port inventory.

Datastores, remote admin, orchestration, and cleartext auto-classified
Telnet, FTP, HTTP, VNC, and similar services surfaced early
Internet-reachable risky services prioritized first
04 · TLS on the wire

Certificate risk belongs next to exposure.

oxharden checks TLS where it matters: on the live service. See expiring certificates, self-signed admin surfaces, broken chains, and weak protocol versions alongside the reachable port, owning process, package, and host.

Expiry, self-signed, and chain issues per listening service
Weak protocols and ciphers flagged, including TLS 1.0 and 1.1
Checked on the live socket, not only a side inventory
TLS health across listening services
postgres :5432 · self-signed · expired 3d ago
vault :8200 · TLS 1.0 only · weak protocol
nginx :443 · Let's Encrypt · expires in 6 days
Caught on the listener itself — not waiting for a browser warning or an outage.
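The checks described in this section and again under "TLS inspection" below (expiry, self-signed certificates, chain validity, TLS 1.0/1.1) can be reproduced against a live listener with the standard library alone. The following is an added example, not oxharden's code: probe_tls() and accepts_legacy_tls() do real handshakes against a host:port you supply, while assess_tls() is the pure policy that turns what the handshake revealed into findings. The 14-day expiry window, the finding names, and the constructed probe results in demo() are assumptions made for this illustration; the verify messages matched on are OpenSSL's own wording as surfaced by Python's ssl module.

```python
"""Added example (not oxharden's code): TLS posture checked on the live socket."""
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timedelta, timezone

WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}   # names as ssl.SSLSocket.version() reports them
EXPIRY_WARN = timedelta(days=14)                 # assumed warning window, not taken from the page
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock so demo() is reproducible


def probe_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Verified handshake first so getpeercert() is populated; on a verification
    failure keep OpenSSL's message and retry unverified to still learn the version."""
    result = {"version": None, "not_after": None, "verify_error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["version"] = tls.version()
            cert = tls.getpeercert()
            result["not_after"] = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return result
    except ssl.SSLCertVerificationError as exc:
        result["verify_error"] = exc.verify_message   # e.g. "self-signed certificate"
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        result["version"] = tls.version()
    return result


def accepts_legacy_tls(host: str, port: int, timeout: float = 5.0) -> str | None:
    """Return the negotiated version if the service still accepts TLS <= 1.1, else None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL offer legacy cipher suites
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
    except (ssl.SSLError, OSError, ValueError):   # refused, no legacy support, or unreachable
        return None


def assess_tls(version: str | None, verify_error: str | None,
               not_after: datetime | None, now: datetime,
               legacy_version: str | None = None) -> list[str]:
    """Pure policy: map probe results to the finding classes the page lists."""
    findings = []
    if version in WEAK_VERSIONS or legacy_version in WEAK_VERSIONS:
        findings.append("weak-protocol")
    err = (verify_error or "").lower()
    if "self-signed" in err or "self signed" in err:     # OpenSSL 3.x / 1.1 wording
        findings.append("self-signed")
    if "expired" in err or (not_after is not None and not_after < now):
        findings.append("expired")
    elif not_after is not None and not_after - now <= EXPIRY_WARN:
        findings.append("expiring-soon")
    if "local issuer" in err or "first certificate" in err:
        findings.append("broken-chain")
    return findings


def demo(now: datetime = NOW) -> dict[str, list[str]]:
    """Constructed probe results shaped like probe_tls() output, mirroring the page's table."""
    observed = {
        "postgres :5432": dict(version="TLSv1.3", verify_error="self-signed certificate",
                               not_after=now - timedelta(days=3)),
        "vault :8200": dict(version=None, verify_error=None, not_after=None,
                            legacy_version="TLSv1"),
        "nginx :443": dict(version="TLSv1.3", verify_error=None,
                           not_after=now + timedelta(days=6)),
    }
    return {name: assess_tls(now=now, **r) for name, r in observed.items()}


if __name__ == "__main__":
    for service, findings in demo().items():
        print(f"{service:16} {', '.join(findings) or 'ok'}")
```

Against a real listener, call probe_tls(host, port) and accepts_legacy_tls(host, port) and feed both into assess_tls(); the first handshake is verified on purpose, because a self-signed or expired certificate is exactly the condition that should be recorded rather than silently accepted.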
How it works

From open port to proven exposure.

01

Observe

The agent enumerates listening sockets locally from /proc and socket state, then maps each one to its owning process, binary, and package where available. No network scanning, no credentials.

/proc/net · ss · PID → package
02

Infer & Probe

oxharden infers reachability from bind address, host firewall, cloud security groups, and routing context. Optional external probes confirm which services answer from outside your environment.

nftables · cloud SG · external probe
03

Classify & Prioritize

Reachable services are classified by risk, TLS posture is inspected on the live socket, and risky surfaces are prioritized when they become internet-reachable.

TLS · cleartext · drift
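The three steps above, as an added example that is not oxharden's code: parse a /proc/net/tcp table, keep only LISTEN sockets, attribute each by socket inode to a PID, binary and package, then separate loopback listeners from those a firewall allow-list would admit and rank the cleartext, datastore and admin ports first. The /proc/net/tcp sample, the inode/PID/package maps and the allow-list are constructed; the port-to-service tables are well-known defaults chosen for this illustration, and a real agent would key off the owning binary rather than the port number alone. inode_to_pid_map_from_proc() and parse_dpkg_search() show how the constructed maps would be filled on a Debian-family host.

```python
"""Added example (not oxharden's code): observe, attribute and rank listening sockets."""
from __future__ import annotations
import ipaddress
import os
import socket
import struct
from dataclasses import dataclass

LISTEN_STATE = "0A"   # st column value for LISTEN in /proc/net/tcp

# Well-known ports used only for classification (assumption for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 5900: "vnc"}
DATASTORE_PORTS = {3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
ADMIN_PORTS = {8200: "vault"}

# Constructed /proc/net/tcp excerpt: postgres on loopback, nginx :443 and telnet :23
# on the wildcard address, plus one ESTABLISHED row that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   111        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31338 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31339 1 0000000000000000 100 0 0 10 0
   3: 6B02140A:01BB 5E7B1D2A:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 31340 1 0000000000000000 100 0 0 10 0
"""
# Constructed attribution data; the telnet listener (inode 31339) is deliberately unattributed.
INODE_PID = {31337: 1204, 31338: 1980}
PID_BINARY = {1204: "/usr/lib/postgresql/15/bin/postgres", 1980: "/usr/sbin/nginx"}
BINARY_PKG = {"/usr/lib/postgresql/15/bin/postgres": "postgresql-15", "/usr/sbin/nginx": "nginx-core"}
ALLOWED_INBOUND = {23, 443}   # constructed nftables / security-group allow-list


@dataclass
class Listener:
    addr: str
    port: int
    inode: int
    pid: int | None = None
    binary: str | None = None
    package: str | None = None
    exposure: str = "unknown"
    tags: tuple[str, ...] = ()


def _decode_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp stores the IPv4 address as one little-endian 32-bit word
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_proc_net_tcp(text: str) -> list[Listener]:
    """Return LISTEN sockets from the contents of /proc/net/tcp (IPv4 table)."""
    listeners = []
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append(Listener(_decode_ipv4(addr_hex), int(port_hex, 16), int(fields[9])))
    return listeners


def inode_to_pid_map_from_proc(proc_root: str = "/proc") -> dict[int, int]:
    """Real-host helper: walk /proc/<pid>/fd and map socket inodes to PIDs."""
    result: dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    result[int(target[8:-1])] = int(pid)
        except OSError:                            # process exited or fds not readable
            continue
    return result


def parse_dpkg_search(output: str) -> str | None:
    """Parse `dpkg -S /path/to/binary` output ("pkg: /path") into the package name."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    return first.split(":", 1)[0] if ":" in first else None


def classify(listeners, inode_pid, pid_binary, binary_pkg, allowed_inbound) -> list[Listener]:
    """Attribute each listener, decide exposure, tag risky surfaces, return most urgent first."""
    for l in listeners:
        l.pid = inode_pid.get(l.inode)
        l.binary = pid_binary.get(l.pid)
        l.package = binary_pkg.get(l.binary)
        if ipaddress.ip_address(l.addr).is_loopback:
            l.exposure = "local-only"
        elif l.port in allowed_inbound:
            l.exposure = "reachable-candidate"   # still to be confirmed by an external probe
        else:
            l.exposure = "firewalled"
        tags = [f"{kind}:{table[l.port]}" for kind, table in
                (("cleartext", CLEARTEXT_PORTS), ("datastore", DATASTORE_PORTS), ("admin", ADMIN_PORTS))
                if l.port in table]
        if l.pid is None:
            tags.append("unattributed")            # flagged, not ignored
        l.tags = tuple(tags)
    rank = {"reachable-candidate": 0, "firewalled": 1, "local-only": 2}
    return sorted(listeners, key=lambda l: (rank[l.exposure], -len(l.tags), l.port))


def demo() -> list[Listener]:
    return classify(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), INODE_PID, PID_BINARY, BINARY_PKG, ALLOWED_INBOUND)


if __name__ == "__main__":
    for l in demo():
        print(f"{l.addr}:{l.port:<5} {l.exposure:20} pid={l.pid} pkg={l.package} {l.tags}")
```

On the sample the unattributed telnet listener on the wildcard address sorts first, nginx :443 second, and the loopback postgres last, which is the ordering the "open ≠ reachable" funnel above describes: same socket map, different priority.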
Under the hood

The technical details, up front.

No black box. Here's exactly what the agent reads, how reachability is determined, and how it runs.

Discovery method
Local socket enumeration from /proc and socket state: TCP/UDP listeners, owning PID, binary, and package where available. No port scanning required.
Reachability
Inferred from bind address, host firewall rules, cloud security groups, and routing context. Optional external probes confirm exposure from outside your environment.
Port → package mapping
Listening sockets are attributed to the process, binary, and owning package where available, so exposed services connect back to package CVEs and host context.
Classification
Exposed datastores · Remote admin · Orchestration / control · Cleartext · Expiring / weak TLS
TLS inspection
Certificate expiry, self-signed certificates, chain validity, and protocol/cipher strength checked on listening TLS services. Weak versions such as TLS 1.0 and 1.1 are flagged.
Cadence & drift
Local socket maps refresh on schedule. External probes can run daily or on demand. New listeners and newly reachable services are surfaced as exposure drift.
Agent footprint
Read-only collection with a small agent footprint. Discovery reads local socket and process state; external probing is optional and not required for local inventory.
Export
JSON and CSV today. SARIF and scheduled exposure reports planned.
Deployment
SaaS today. Self-hosted or air-gapped enterprise deployment planned; external probes can use oxharden egress or your own egress when available.
The rest of the platform

One agent does more than ports.

Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

Live demo: no signup, no agent. Or book a guided demo with our team.
install.sh
curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash
agent enrolled · ip-10-20-2-107
inventory synced · 410 packages · 4 ports
first scan complete · 12 critical · 19 vulnerable pkgs
FAQ

Attack-surface exposure, answered.

A network scanner sees ports from one vantage point and usually cannot tell you what owns them. oxharden starts from the host: it reads listening sockets locally, maps each one to the owning process, binary, and package, then layers reachability on top. You get the inside view and, with an optional external probe, the attacker's view too.

Open means a process is listening on a port. Reachable means traffic from outside can actually get to it. A socket bound to localhost, blocked by host firewall, or denied by a security group may be open but not exposed. oxharden separates local listeners from reachable services so teams can focus on real attack surface.

No. The probe only tests services that already appear exposed. It does not change firewall rules, security groups, routes, or host configuration. It is optional and can run on demand or on a schedule.

No. The agent does not sweep subnets or brute-force ports. It observes local socket state from the host, then oxharden evaluates whether those listeners appear reachable based on firewall, routing, and cloud context. External probing is optional and targeted.

The agent maps each listening socket to its owning PID, resolves the backing binary, and attributes that binary to the package that installed it. That is why an exposed service can be tied back to the right CVEs, package owner, and remediation path.

For listening TLS services, oxharden checks certificate expiry, self-signed certificates, chain validity, and weak protocol versions such as TLS 1.0 and TLS 1.1. The finding lives next to the exposed service, not in a disconnected certificate inventory.

They are still inventoried, but they are not treated the same as internet-reachable services. oxharden keeps the full socket map for visibility while ranking unreachable listeners below confirmed or likely exposure.

oxharden combines what the host reports with cloud network context such as security groups and routing where available. If that context is incomplete, the UI should say so instead of pretending the exposure decision is certain.