How Scanning Works
FortWatch uses an automated, queue-based scanning pipeline to check your assets for vulnerabilities and exposed services. Understanding this pipeline helps you interpret results and troubleshoot any issues.
The Scanning Pipeline
- Schedule trigger — Every 5 minutes, a cron job checks for assets that are due for a scan based on their configured schedule.
- Queue — Due assets are added to the scan queue. Each asset gets separate jobs for Nuclei (vulnerability) and Nmap (port) scanning.
- Execution — Scan jobs are picked up from the queue and executed against the target asset.
- Processing — Raw scanner output is parsed, normalized, and stored as findings.
- Issue creation — Critical and high-severity findings that do not already have an open issue are automatically promoted to tracked issues.
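The processing and issue-creation steps above, as an added example (not FortWatch's own code): it parses Nuclei JSONL output using Nuclei's `template-id`, `info.severity` and `matched-at` fields, then promotes critical and high findings that have no open issue. The finding layout, the function names, the asset ID and the deduplication key (asset, check, location) are assumptions, and the sample output is constructed.

```python
import json

# Constructed sample of Nuclei JSONL output (one JSON object per line).
SAMPLE_NUCLEI_JSONL = """\
{"template-id": "exposed-git-config", "info": {"name": "Git Config Exposure", "severity": "high"}, "host": "https://app.example.test", "matched-at": "https://app.example.test/.git/config"}
{"template-id": "missing-hsts", "info": {"name": "Missing HSTS Header", "severity": "info"}, "host": "https://app.example.test", "matched-at": "https://app.example.test/"}
{"template-id": "default-admin-login", "info": {"name": "Default Admin Login", "severity": "CRITICAL"}, "host": "https://app.example.test", "matched-at": "https://app.example.test/admin"}
not-json progress line
{"template-id": "exposed-git-config", "info": {"name": "Git Config Exposure", "severity": "high"}, "host": "https://app.example.test", "matched-at": "https://app.example.test/.git/config"}
"""

PROMOTE = {"critical", "high"}  # severities the page says become tracked issues


def normalize(raw_jsonl, asset_id):
    """Parse raw scanner lines into uniform finding dicts, skipping malformed lines."""
    findings = []
    for line in raw_jsonl.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and non-JSON scanner chatter
        if not isinstance(rec, dict) or "template-id" not in rec:
            continue
        info = rec.get("info") or {}
        findings.append({
            "asset_id": asset_id,
            "check": rec["template-id"],
            "title": info.get("name", rec["template-id"]),
            "severity": str(info.get("severity", "unknown")).lower(),
            "location": rec.get("matched-at") or rec.get("host", ""),
        })
    return findings


def promote(findings, open_issues):
    """Open an issue per critical/high finding unless an open one already has its key."""
    created = []
    for f in findings:
        key = (f["asset_id"], f["check"], f["location"])  # assumed dedupe key
        if f["severity"] in PROMOTE and key not in open_issues:
            open_issues[key] = {"title": f["title"], "severity": f["severity"]}
            created.append(key)
    return created
```

Running `promote` again on the same findings with the same `open_issues` creates nothing, which is why a rescan of an unchanged asset does not duplicate issues.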
Scan Types
Each full scan includes two components:
- Nuclei scan — Vulnerability detection and hardening checks. This is the primary scanner for web-facing assets.
- Nmap scan — Port discovery and service identification. Essential for understanding the attack surface of an asset.
Both scan types run in parallel to minimize total scan time.
Scan Triggers
Scans can be triggered in two ways:
- Scheduled — Automatically triggered based on the asset's scan schedule. The cron job runs every 5 minutes and checks all active assets to determine which ones are due.
- Manual — Triggered on-demand by clicking Scan Now on any active asset.
Scan Duration
Scan duration varies based on the target. A typical scan takes 2-10 minutes. Factors that affect scan time include the number of open ports, the responsiveness of the target server, and whether the asset is behind a CDN or WAF.