FortWatch
Server Hardening

Audit your servers the way an attacker would

Continuous external hardening checks for every production server. Catch the exposed admin panel, the leaked .env, the unpatched service version, and the weak TLS config — before anyone else finds them.

What it audits

Three layers of external hardening visibility

Configuration exposure, vulnerability posture, and accidental disclosure — covered in one continuous audit.

Configuration Exposure

SSH banners, server signatures, default ports, exposed admin panels, missing security headers, weak TLS — every config detail an attacker uses to fingerprint your stack.

Hardening Gaps (Live)
SSH on default port 22
Server header leaks nginx version
Missing HSTS header
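The configuration-exposure checks above can be reproduced against your own servers from captured response headers. The following is an added example, not FortWatch's code: it takes an HTTP response header dictionary (the two samples below are constructed) and reports the same class of gap the card shows, server-version disclosure and missing or weak security headers, together with the nginx directive that closes each gap. The severity labels and the 180-day HSTS threshold are assumptions of this example.

```python
"""Audit a captured HTTP response header set for external hardening gaps.

Added example, not FortWatch's code: it applies the header checks described on
this page (server signature disclosure, missing or weak security headers) to
header dictionaries supplied by the caller, so it runs offline. The sample
responses below are constructed; the remediation snippets are ordinary nginx
directives.
"""
import re

# Security headers a hardened HTTPS service is expected to send, each paired
# with the nginx directive that closes the gap.
EXPECTED_HEADERS = {
    "strict-transport-security":
        'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;',
    "x-content-type-options": 'add_header X-Content-Type-Options "nosniff" always;',
    "x-frame-options": 'add_header X-Frame-Options "DENY" always;',
    "content-security-policy": 'add_header Content-Security-Policy "default-src \'self\'" always;',
}

# A product token followed by a version, e.g. "nginx/1.18.0" or "Apache/2.4.52".
VERSION_RE = re.compile(r"^[A-Za-z-]+/\d+(?:\.\d+)*")

MIN_HSTS_AGE = 15552000  # 180 days; assumed threshold for a meaningful HSTS policy


def audit_headers(headers, https=True):
    """Return a list of (severity, finding, remediation) tuples for one response."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    server = h.get("server", "")
    if VERSION_RE.match(server):
        findings.append(("medium",
                         f"Server header discloses software version: {server!r}",
                         "server_tokens off;  (nginx)  /  ServerTokens Prod  (Apache)"))

    powered = h.get("x-powered-by")
    if powered:
        findings.append(("low",
                         f"X-Powered-By discloses application stack: {powered!r}",
                         "drop the header at the app server, e.g. expose_php = Off in php.ini"))

    for name, fix in EXPECTED_HEADERS.items():
        if name == "strict-transport-security" and not https:
            continue  # HSTS is only meaningful on an HTTPS response
        if name not in h:
            findings.append(("medium", f"Missing security header: {name}", fix))

    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append(("low", f"HSTS max-age below {MIN_HSTS_AGE}s: {hsts!r}",
                         EXPECTED_HEADERS["strict-transport-security"]))
    return findings


# Constructed sample responses: one leaking its stack, one hardened.
SAMPLE_WEAK = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for sev, what, fix in result:
            print(f"  [{sev}] {what}\n      fix: {fix}")
```

Feed it the headers from a `curl -sI https://your-host/` of a server you operate; a hardened response yields an empty list, which is what a re-scan after the fix should confirm.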

Vulnerability Posture

Service versions matched against current CVE feeds. Find unpatched OpenSSH, end-of-life nginx, vulnerable PHP — flagged with severity and exploit availability.

Vulnerable services (3 critical, CVE-matched per service version)
OpenSSH 7.9 — CVE-2023-38408
nginx 1.18 — 4 CVEs since EOL
PostgreSQL 14.7 — patch available
Redis 7.2 — current

Accidental Disclosure

The .env in webroot. The .git/config from a deploy gone wrong. The /admin route with no auth. The backup .sql in /uploads. We check the paths attackers always check.

Exposed files (Detected)
/.env exposed: contains DB credentials
/.git/config readable: repository disclosure
/admin no auth wall: login-required check failing

How it works

Three steps to continuous server hardening visibility

No agents to install, no SSH access required, no internal network changes. Audit every server from the outside in under five minutes.

Step 1

Add

Register your servers — single IPs, CIDR ranges, or seed domains for asset discovery. FortWatch picks up subdomains and related infrastructure automatically.

Step 2

Audit

Port enumeration, service fingerprinting, sensitive-file checks, header analysis, TLS audit, CVE matching — eleven scan types across every server, on a continuous schedule.

Step 3

Fix

Findings grouped by severity with concrete remediation steps per gap — config snippets, package versions, header values. Re-scan to verify the gap is closed.

FAQ

Common questions about server hardening

FortWatch audits the externally exposed surface of every server: open ports and service versions, SSH configuration disclosed in banners, default and weak admin credentials on common services, sensitive files left in webroot (.env, .git, backup archives), missing or weak HTTP security headers, TLS/SSL misconfiguration, vulnerable software versions matched against CVE feeds, and DNS hardening (SPF, DMARC, DKIM, CAA).
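The DNS hardening items at the end of that list (SPF, DMARC, CAA) can be checked from the published records alone. Below is an added example, not FortWatch's code: it takes the record text a resolver would return for a domain and reports the common weaknesses (permissive or missing SPF `all`, DMARC `p=none` or no reporting address, no CAA). The zone contents are constructed samples using `example.com` and RFC 5737 addresses; DKIM is not covered because its selector names cannot be enumerated from the zone.

```python
"""Check a domain's published DNS policy records for mail and certificate
hardening gaps. Added example, not FortWatch's code: SPF, DMARC and CAA records
are passed in as text, so the checks run offline against the constructed
sample zones at the bottom (example.com, RFC 5737 addresses).
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERM_RE = re.compile(r"^[+\-~?]?(?:include:|redirect=|a\b|mx\b|ptr|exists:)", re.I)


def audit_spf(txt_records):
    """txt_records: TXT strings at the zone apex. Returns a list of findings."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings = []
    terms = spf[0].split()
    # The 'all' mechanism decides unlisted senders; only -all is a hard fail.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    qualifier = all_term.lower() if all_term else None
    if qualifier in (None, "all", "+all"):
        findings.append("SPF ends in +all (or has no 'all'): every sender passes")
    elif qualifier == "?all":
        findings.append("SPF uses ?all (neutral): unlisted senders are not rejected")
    elif qualifier == "~all":
        findings.append("SPF uses ~all (softfail): move to -all once senders are enumerated")
    lookups = sum(1 for t in terms if LOOKUP_TERM_RE.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10 (permerror)")
    return findings


def audit_dmarc(dmarc_txt):
    """dmarc_txt: the TXT string at _dmarc.<domain>, or None if absent."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc_txt.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        findings.append("DMARC p=none: monitor only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy missing or invalid: {policy!r}")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: aggregate reports are never received")
    pct = tags.get("pct", "100").strip()
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy enforced on only part of the mail flow")
    return findings


def audit_caa(caa_records):
    """caa_records: CAA strings such as '0 issue "letsencrypt.org"'."""
    if not caa_records:
        return ["no CAA record: any public CA may issue certificates for this domain"]
    return []


def audit_dns(txt_records, dmarc_txt, caa_records):
    """Run all three checks; return {check: findings} with clean checks omitted."""
    results = {"spf": audit_spf(txt_records), "dmarc": audit_dmarc(dmarc_txt),
               "caa": audit_caa(caa_records)}
    return {k: v for k, v in results.items() if v}


# Constructed sample zones: one weak, one hardened.
WEAK_ZONE = dict(
    txt_records=["v=spf1 include:_spf.example.net +all", "google-site-verification=abc123"],
    dmarc_txt="v=DMARC1; p=none",
    caa_records=[],
)
HARDENED_ZONE = dict(
    txt_records=["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    caa_records=['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'],
)

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, audit_dns(**zone))
```

To run it against a real zone you operate, collect the apex TXT records, the `_dmarc` TXT record and the CAA records with `dig` and pass them in; the weak sample returns one finding per record type, the hardened one returns nothing.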

FortWatch is an external attack surface platform — we audit what's reachable from the public internet. Internal-only servers behind a VPN or in a private VPC are out of scope. For internal hardening you'd combine FortWatch with a config-management tool (Ansible, Chef) or a CIS benchmark agent. The two are complementary, not competing.

CIS benchmarks and tools like Lynis run on the server itself and audit hundreds of internal config items (sysctl values, file permissions, systemd unit hardening). FortWatch audits the same servers from the outside — what an attacker actually sees. The two views catch different classes of mistakes: CIS catches the file permission you forgot, FortWatch catches the .env you accidentally committed and deployed to production.

No. Hardening scans are designed to be non-intrusive: rate-limited port enumeration, passive banner grabbing, read-only HTTP requests against known sensitive paths, and version detection without exploit payloads. We provide our scanner IP ranges so you can whitelist them on rate-limited services. Production safety is the default behaviour — there's no aggressive mode.

Audits run on a configurable schedule — daily by default, hourly for assets you mark as critical. You can also trigger an on-demand scan after a deploy. Findings track state changes over time so you can see when a misconfiguration appeared (the deploy that introduced it) and when it was resolved.


11 scan types

Eleven complementary scans run on every server, every audit cycle.

Agentless

No software to install on servers. No SSH access. No firewall changes.

Continuous

Re-audited automatically. Findings track state changes over time.

Ready to secure your stack?

Secure your entire stack today

Start scanning in under 5 minutes. No credit card required. 14-day free trial included.