From Natural Language to Scan Results

No need to memorize nmap flags or build complex command strings. The AI interprets your intent — “scan the management VLAN for exposed services” — and translates it into the optimal nmap invocation with the right flags, timing options, and target specification. The scan executes through tli-executor, the same compiled C binary that handles all device communication, and the output is HMAC-signed before the AI ever sees it.

This means the AI can analyze and contextualize the results, but it cannot fabricate scan data: the only scan output it works from is the signed executor output. If nmap found 6 hosts with 14 open ports, that is exactly what you see. If a host was unreachable, the AI says so rather than guessing what might be running.

virp
you → scan the 10.0.20.0/24 management VLAN for exposed services
 
[executor] HMAC signature verified
[nmap] Starting scan: 10.0.20.0/24 — flags: -sV -sC --top-ports 1000
 
Discovered 14 hosts up
 
22/tcp open ssh OpenSSH 8.9
80/tcp open http nginx 1.24
443/tcp open https nginx 1.24
3389/tcp open rdp Microsoft RDP
23/tcp open telnet Linux telnetd
445/tcp open smb Samba 4.17
 
AI → 14 hosts discovered. 3 findings flagged: telnet on 10.0.20.7 (CRITICAL),
RDP exposed on 3 hosts (HIGH), SMB accessible cross-VLAN (MEDIUM).
See detailed findings below with remediation steps.

The AI does not just dump raw nmap output. It parses the results, cross-references them against firewall policies, SIEM alerts, and compliance requirements, and produces actionable findings ranked by severity. An operator gets a prioritized list of what to fix, not a wall of port numbers.

Kali Linux Integration

For teams that need more than port scanning, the platform integrates with Kali Linux tooling. It can orchestrate scans using tools from the Kali ecosystem — vulnerability scanners, service enumeration scripts, and protocol-specific probes — all through the same HMAC-verified execution pipeline.

This is not a full-featured pentesting platform. It is a reconnaissance and vulnerability assessment capability built into your operations workflow, so that security scanning is not a separate project that happens quarterly. It happens continuously, from the same interface your team uses for everything else.

Key distinction: The platform runs scans against your own infrastructure with your authorization. This is defensive security — identifying exposures in your own environment before an attacker does. Every scan is logged, HMAC-verified, and tied to an authenticated operator.

AI-Analyzed Findings

Raw scan output is useful to experienced operators, but the real value is contextual analysis. When the platform finds telnet running on a management VLAN host, it does not just say “port 23 open.” It flags the severity, explains why it matters, checks whether firewall policies are restricting access, and provides specific remediation steps.

virp — findings
CRITICAL Telnet service exposed on 10.0.20.7
Port 23/tcp open — Linux telnetd. Telnet transmits credentials in plaintext
and should never be used on a management network.
 
Remediation: Disable telnet, switch to SSH. Add firewall deny rule for
port 23 on the management VLAN. Verify no automation depends on telnet.
 
HIGH RDP exposed on 3 hosts (10.0.20.11, .14, .22)
Port 3389/tcp open — Microsoft RDP without NLA or gateway increases
lateral movement risk on the management network.
 
Remediation: Restrict RDP to jump-host only via firewall policy.
Enable Network Level Authentication. Consider RD Gateway.
 
Cross-reference: Checked 3 FortiGate policies — no ACL restricting RDP
between VLANs. Checked Wazuh — 12 RDP brute-force alerts in past 7 days.

Each finding includes the data source (nmap scan at a specific timestamp), cross-references against other platform data (firewall policies, SIEM alerts), and concrete remediation steps. The operator decides what to fix and when — the platform provides the intelligence to prioritize.
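
The parse-and-rank step described above, as an added Python example that is not the platform's own code: it reads nmap's -oX XML output, maps service names to severities, groups affected hosts, cross-references a firewall policy table and reports unreachable hosts as such. The sample XML, the severity rules and the policy table are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed nmap -oX output: two reachable hosts and one that did not respond.
SAMPLE_XML = """<nmaprun scanner="nmap" start="1700000000">
<host><status state="up"/><address addr="10.0.20.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.20.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.20.12" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed severity rules keyed on nmap's service name.
RULES = {"telnet": ("CRITICAL", "credentials cross the wire in plaintext"),
         "ms-wbt-server": ("HIGH", "RDP reachable; lateral-movement risk"),
         "microsoft-ds": ("MEDIUM", "SMB accessible cross-VLAN")}
ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
# Constructed firewall policy table: (src_vlan, dst_vlan, dst_port, action).
FW_POLICIES = [("any", "mgmt", 23, "deny")]

def acl_restricts(port):
    """Cross-reference: is there a deny rule for this port between VLANs?"""
    return any(p == port and act == "deny" for _, _, p, act in FW_POLICIES)

def open_services(xml_text):
    """Yield (addr, port, service); unreachable hosts yield (addr, None, 'unreachable')."""
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        if host.find("status").get("state") != "up":
            yield addr, None, "unreachable"
            continue
        for port in host.findall("ports/port"):
            if port.find("state").get("state") == "open":
                yield addr, int(port.get("portid")), port.find("service").get("name")

def findings(xml_text):
    """Group matching services, attach severity and firewall cross-reference, rank by severity."""
    grouped, unreachable = defaultdict(list), []
    for addr, port, svc in open_services(xml_text):
        if svc == "unreachable":
            unreachable.append(addr)        # reported as such, never guessed
        elif svc in RULES:
            grouped[(svc, port)].append(addr)
    ranked = [{"severity": RULES[svc][0], "service": svc, "port": port, "hosts": hosts,
               "why": RULES[svc][1], "acl_restricts": acl_restricts(port)}
              for (svc, port), hosts in grouped.items()]
    return sorted(ranked, key=lambda f: ORDER[f["severity"]]), unreachable
```

A filtered port is deliberately not treated as open, so the SMB rule does not fire on the sample; only states nmap actually reported as open produce findings.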

Scan Capabilities

The scanning subsystem supports the full range of network reconnaissance workflows:

  • Host discovery: ARP sweeps, ICMP probes, and TCP/SYN pings to find every device on a subnet, including those that block ICMP.
  • Port scanning with version detection: Full TCP and UDP port scanning with service version fingerprinting. Identify what is running, what version, and whether it is current.
  • Script scanning: NSE scripts for service enumeration, vulnerability detection, and protocol-specific probes.
  • Targeted scans: Focus on specific hosts, port ranges, or service types. “Scan all Windows hosts for SMB vulnerabilities” runs only the relevant checks.
  • Scheduled assessments: Configure recurring scans that run automatically and alert on changes. New open port on a server that had 3 yesterday? Flagged immediately.

The Trust Model

Penetration testing output is high-stakes data. A false positive wastes time. A false negative is a missed vulnerability. The platform addresses this with the same trust architecture used across every module:

  • HMAC-signed execution: Every scan command is signed before execution. The executor validates the signature before running anything.
  • Real tool output: Results come from nmap and Kali tools, not from AI inference. The AI analyzes and contextualizes, but the data is always from verified tool execution.
  • Full audit trail: Every scan is logged with the operator, timestamp, target scope, command executed, and complete results. Audit history is available for compliance reviews.
  • No fabrication pathway: The AI cannot claim a port is open or closed without scan data to back it up. If a scan fails or a host is unreachable, the system reports that honestly.
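
The two signing steps described above (the command signed before the executor runs it, and the tool output signed before the AI sees it), as an added Python example that is not the platform's code: the shared key, message layout, tool allowlist and stand-in tool call are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice it is provisioned to the executor and orchestrator only.
SHARED_KEY = b"constructed-demo-key-do-not-use"
ALLOWED_TOOLS = {"nmap"}  # assumed allowlist: the executor runs only known tools

def sign(payload, key=SHARED_KEY):
    """HMAC-SHA256 over a canonical JSON encoding, so key order cannot alter the tag."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify(payload, signature, key=SHARED_KEY):
    # Constant-time comparison: a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(sign(payload, key), signature)

def executor_run(request, signature, run_tool):
    """Executor side: refuse unsigned or altered commands, then sign the tool output."""
    if not verify(request, signature):
        raise PermissionError("command signature invalid; not executing")
    if request["tool"] not in ALLOWED_TOOLS:
        raise PermissionError("tool not allowlisted; not executing")
    result = {"request": request, "output": run_tool(request["argv"])}
    return result, sign(result)

def analyzer_ingest(result, signature):
    """Analysis side: parse output only after the executor's signature checks out."""
    if not verify(result, signature):
        raise ValueError("scan output signature invalid; refusing to analyze")
    return result["output"]

def fake_nmap(argv):
    # Constructed stand-in for the compiled executor's real tool call.
    return "22/tcp open ssh OpenSSH 8.9\n23/tcp open telnet Linux telnetd\n"

def demo():
    """Round trip: signed request -> executor -> signed output -> analyzer; then a tamper attempt."""
    request = {"tool": "nmap", "argv": ["-sV", "--top-ports", "1000", "10.0.20.0/24"],
               "operator": "alice", "nonce": "constructed-nonce-0001"}
    result, sig = executor_run(request, sign(request), fake_nmap)
    output = analyzer_ingest(result, sig)
    # Editing the output after signing (here: hiding the telnet finding) must be rejected.
    tampered = {"request": request, "output": output.replace("open telnet", "closed telnet")}
    try:
        analyzer_ingest(tampered, sig)
    except ValueError:
        return "open telnet" in output   # original accepted, tampered copy refused
    return False
```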

Practical Use Cases

The operators who get the most value from built-in scanning use it for:

  • Post-change validation: “Scan the DMZ after the firewall change” confirms that only intended ports are exposed.
  • New device onboarding: Before connecting a new server to the network, scan it to baseline its open ports and services.
  • Compliance audits: “Show me all hosts with telnet or FTP open on the production VLAN” directly addresses audit findings.
  • Incident investigation: During an active investigation, scan the affected subnet to map the current exposure surface and identify potential lateral movement paths.
  • Continuous monitoring: Scheduled scans that detect drift — a new open port, a changed service version, or a decommissioned host that reappeared.
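
The drift detection behind the scheduled-assessment and continuous-monitoring items above, as an added Python example that is not the platform's code: it compares two scan snapshots and emits the changes an operator should hear about. The snapshot layout, the sample data, the decommissioned-host list and the severity threshold are all assumptions.

```python
# Snapshot layout (assumed): host -> {port: "service version"}. Data is constructed.
BASELINE = {
    "10.0.20.5": {22: "ssh OpenSSH 8.9", 80: "http nginx 1.24", 443: "https nginx 1.24"},
    "10.0.20.9": {22: "ssh OpenSSH 8.9"},
    "10.0.20.40": {22: "ssh OpenSSH 8.9", 3306: "mysql MySQL 8.0"},
}
CURRENT = {
    "10.0.20.5": {22: "ssh OpenSSH 8.9", 80: "http nginx 1.24", 443: "https nginx 1.24",
                  3389: "rdp Microsoft RDP"},   # new exposure since the last run
    "10.0.20.9": {22: "ssh OpenSSH 9.6"},         # service version changed
    "10.0.20.30": {22: "ssh OpenSSH 8.9"},        # retired host back on the network
}
DECOMMISSIONED = {"10.0.20.30"}   # assumed inventory list of retired hosts

def drift(baseline, current, decommissioned=frozenset()):
    """Return (severity, host, description) for each change between two scheduled scans."""
    events = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        if host in decommissioned and after:
            events.append(("HIGH", host, "decommissioned host reappeared"))
            continue                      # the reappearance is the finding; skip per-port noise
        if host not in baseline:
            events.append(("MEDIUM", host, "new host on subnet"))
        if host not in current:
            events.append(("INFO", host, "host no longer responding"))
            continue                      # nothing more to say about a silent host
        for port in sorted(set(after) - set(before)):
            events.append(("HIGH", host, f"new open port {port}/tcp ({after[port]})"))
        for port in sorted(set(before) - set(after)):
            events.append(("INFO", host, f"port {port}/tcp closed"))
        for port in sorted(set(before) & set(after)):
            if before[port] != after[port]:
                events.append(("MEDIUM", host, f"{port}/tcp changed: {before[port]} -> {after[port]}"))
    return events

def alertable(events, min_severity="MEDIUM"):
    """Filter to the events that should page an operator (assumed threshold)."""
    rank = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
    return [e for e in events if rank[e[0]] >= rank[min_severity]]
```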

Each scan is a real nmap execution returning real data. The AI formats and analyzes what the tools report, adding operational context based on the rest of your infrastructure. No simulation, no canned results.