
Network Vulnerability Assessment

Pencheff ships a host vulnerability assessment engine that complements the web DAST with host-level CVE discovery, unauthenticated-service misconfig probes, authenticated package audits, and industrial-protocol exposure checks.

Modules

| Module | What it does |
|---|---|
| scan_host_vulns | Pencheff service detection → derive package/version → OSV CVE lookup → EPSS + KEV enrichment. |
| scan_network_misconfig | Unauthenticated probes for Redis, MongoDB, Elasticsearch, Memcached, Docker-over-TCP, MySQL, PostgreSQL, SNMP. |
| scan_authenticated_host | SSH (paramiko) / WinRM / SMB package enumeration → per-package CVE lookup. Use for patch-management visibility. |
| scan_industrial_protocols | Modbus, BACnet, Siemens S7, EtherNet/IP, DNP3 exposure check. Passive exposure check only; never sends protocol commands. |
| refresh_cve_feed | Pulls CISA KEV + EPSS CSV into the local SQLite cache. |
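
The enrichment step that scan_host_vulns and refresh_cve_feed describe, sketched as an added example (not Pencheff's own code): feed rows go into a SQLite cache, then each CVE is tagged with its EPSS score and KEV status and ranked for triage. The table schema, the function names build_cache and enrich, and the sample feeds with placeholder CVE ids are all assumptions made for illustration.

```python
import csv
import io
import sqlite3

# Constructed sample feeds (not real data); the CVE ids are placeholders.
EPSS_CSV = """#model_version:sample,score_date:sample
cve,epss,percentile
CVE-0000-0001,0.91200,0.99100
CVE-0000-0002,0.00310,0.52000
CVE-0000-0003,0.40500,0.97000
"""
KEV_CSV = """cveID,dateAdded
CVE-0000-0002,2024-01-01
"""

def build_cache(epss_csv, kev_csv):
    """Load both feeds into an in-memory SQLite cache (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE epss (cve TEXT PRIMARY KEY, score REAL, percentile REAL)")
    db.execute("CREATE TABLE kev (cve TEXT PRIMARY KEY, date_added TEXT)")
    # EPSS exports carry a '#' metadata line before the header row; skip it.
    rows = [l for l in epss_csv.splitlines() if l and not l.startswith("#")]
    for r in csv.DictReader(rows):
        db.execute("INSERT OR REPLACE INTO epss VALUES (?,?,?)",
                   (r["cve"], float(r["epss"]), float(r["percentile"])))
    for r in csv.DictReader(io.StringIO(kev_csv)):
        db.execute("INSERT OR REPLACE INTO kev VALUES (?,?)",
                   (r["cveID"], r["dateAdded"]))
    return db

def enrich(db, cves):
    """Rank CVEs: KEV-listed first, then EPSS descending, unscored last."""
    out = []
    for cve in cves:
        e = db.execute("SELECT score FROM epss WHERE cve=?", (cve,)).fetchone()
        k = db.execute("SELECT 1 FROM kev WHERE cve=?", (cve,)).fetchone()
        # Keep None for a CVE absent from EPSS so a report can show it as
        # unscored instead of implying a score of zero.
        out.append({"cve": cve, "epss": e[0] if e else None, "kev": k is not None})
    out.sort(key=lambda f: (not f["kev"],
                            -(f["epss"] if f["epss"] is not None else -1.0)))
    return out

if __name__ == "__main__":
    cache = build_cache(EPSS_CSV, KEV_CSV)
    for f in enrich(cache, ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0004"]):
        print(f)
```

Ranking KEV membership ahead of EPSS puts a known-exploited CVE with a low probability score above a high-scoring one that has no confirmed exploitation.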

Example

Host CVE scan:

scan_host_vulns(session_id=sid, host='10.0.0.42', ports='top-1000')
→ { findings_added: 12, total: 12 }

Unauthenticated misconfig pass:

scan_network_misconfig(session_id=sid, host='10.0.0.42')
→ {
    findings_added: 3,
    findings: [
      "Redis exposed without authentication",
      "MongoDB accessible without authentication",
      "Elasticsearch exposed without authentication"
    ]
  }

Authenticated host scan with an SSH key:

# First load credentials
pentest_configure(session_id=sid, updates={
  "credentials": {
    "name": "infra",
    "username": "deploy",
    "custom_headers": { "ssh_key_path": "/home/me/.ssh/id_ed25519" }
  }
})

# Then run the authenticated scan
scan_authenticated_host(
  session_id=sid,
  host='10.0.0.42',
  protocol='ssh',
  credentials_ref='infra'
)
→ {
    findings_added: 18,
    os_name: "Ubuntu",
    package_count: 1247
  }

How It Fits With Dedicated Network Scanners

| Feature | Dedicated network scanners | Pencheff Network VA |
|---|---|---|
| Unauthenticated service probes | Large feed-backed rule libraries | Targeted probes for Redis/Mongo/Elastic/Memcached/Docker/MySQL/PG/SNMP + optional network templates |
| Authenticated scans | SSH/SMB-based patch audit | SSH (paramiko) / WinRM (pywinrm) / SMB (impacket optional) |
| CVE feed | Tool-specific CVE and advisory feeds | OSV.dev + CISA KEV + EPSS (daily refresh) |
| Reporting | Tool-specific report formats | Unified Finding model with CVSS + compliance mapping |
| Integration | Standalone | Plugs into the same session as DAST + SCA + IaC |

Dedicated network-scanning platforms remain the right fit for large-scale pure-network scans over millions of assets; Pencheff Network VA is designed to be part of a mixed-surface pentest where you want web, network, SCA, and IaC findings in one session.

Compliance mapping

Network VA findings map to:

  • OWASP A06 — Vulnerable & Outdated Components
  • OWASP A05 — Security Misconfiguration
  • PCI-DSS 2.2, 6.2, 11.3
  • NIST 800-53 SI-2, CM-6, RA-5
  • SOC 2 CC7.1
  • ISO 27001 A.8.8, A.8.9, A.5.32
  • HIPAA 164.308(a)(8)
