Software & Vulnerability Detection
May 22, 2025
Netlas uses passive scanning techniques to collect detailed intelligence about internet-facing services without introducing risk or disruption to the target systems.
Passive Scanning
Passive scanning is a non-intrusive method of gathering information about systems and services without sending any specially crafted packets or attempting to exploit weaknesses.
This means that during the scanning process, Netlas does not attempt actions beyond what the system is designed for. In other words, there are no attempts at authorization, password guessing, or any non-standard requests. Netlas.io sends requests only to publicly accessible services and saves the responses.
Technology Detection
Analyzing service responses often allows for the identification of software, in many cases down to the specific version. Netlas identifies over a thousand applications and services this way.
Detection rules are applied in different contexts. Here are a few examples:
- Header Inspection
  Server: Apache/2.4.51 → tag.name:apache + tag.apache.version:2.4.51
- Banner Parsing
  220 mail.example.com ESMTP Postfix → tag.name:postfix
- HTML Contents
  <meta name="generator" content="WordPress 6.8" /> → tag.name:wordpress + tag.wordpress.version:6.8
When a rule matches, Netlas adds a corresponding entry to the tag field and, when available, records the version in tag.technology_name.version.
In the Responses Search tool, you can click the Search by Tag button on the right side of the search panel to access a list of detected technologies and build targeted searches.
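The following is an added sketch, not Netlas's own rule engine, of how the three rule contexts listed above (header, banner, HTML) can turn a stored response into tag entries. The rule table, the response dictionary shape and the function names are assumptions made for this example.

```python
import re

# Hypothetical rule table: (context, technology, pattern). The optional
# "version" group captures a version only when the response exposes one.
RULES = [
    ("header:server", "apache",
     re.compile(r"^Apache(?:/(?P<version>\d+(?:\.\d+)*))?(?=[ ]|$)", re.I)),
    ("banner", "postfix", re.compile(r"^220[ -]\S+ ESMTP Postfix\b", re.I)),
    ("html", "wordpress", re.compile(
        r'<meta\s+name="generator"\s+content="WordPress(?:\s+(?P<version>\d+(?:\.\d+)*))?"',
        re.I)),
]

def extract_contexts(response):
    """Split one stored response (constructed dict shape) into rule contexts."""
    contexts = {}
    for name, value in response.get("headers", {}).items():
        contexts["header:" + name.lower()] = value
    if "banner" in response:
        contexts["banner"] = response["banner"]
    if "body" in response:
        contexts["html"] = response["body"]
    return contexts

def detect(response):
    """Return tag strings, in the page's notation, for every matching rule."""
    tags = []
    contexts = extract_contexts(response)
    for context, tech, pattern in RULES:
        match = pattern.search(contexts.get(context, ""))
        if not match:
            continue
        tags.append(f"tag.name:{tech}")
        version = match.groupdict().get("version")
        if version:  # recorded only when the service reveals it
            tags.append(f"tag.{tech}.version:{version}")
    return tags

# Constructed sample responses mirroring the three examples above.
SAMPLES = [
    {"headers": {"Server": "Apache/2.4.51"}},
    {"banner": "220 mail.example.com ESMTP Postfix"},
    {"headers": {"Server": "Apache"},
     "body": '<meta name="generator" content="WordPress 6.8" />'},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(detect(sample))
```

The third sample shows a server that hides its Apache version in the header but still exposes the WordPress version in its HTML, so reducing what a service reveals has to cover every context a rule can read.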


Vulnerability Detection
Netlas performs passive vulnerability detection without sending any exploit attempts or intrusive payloads. If a detected technology and version match an entry in the vulnerability database, Netlas enriches the record with detailed vulnerability information.
Each vulnerability entry includes:
- cve.name — CVE ID (Common Vulnerabilities and Exposures).
- cve.description — full description of the vulnerability.
- cve.severity — severity level, if available.
- cve.base_score — base CVSS score (version 3 or version 2 for older vulnerabilities).
- cve.has_exploit — boolean field; true if a known public exploit exists.
- cve.exploit_links — links to third-party tools or resources for vulnerability testing.
Click the biohazard icon under the CVE tab to view available exploit links.


The primary source for vulnerability information is the NIST National Vulnerability Database (NVD).
Vulnerability Information Update
CVE information is refreshed between scans. If a new CVE is published while a scan is already in progress, it will be incorporated during the next scan cycle.
Passive vulnerability detection offers a major advantage — it has no impact on the scanned systems. Detection is based purely on information that is already publicly visible.
However, there are important limitations to consider:
- Potential False Positives: Vulnerability matching is based solely on observed version numbers. If a system administrator has applied security patches without updating the reported version (e.g., via backported patches), Netlas may incorrectly report vulnerabilities that have already been mitigated.
- No Exploitation Verification: Netlas does not actively verify whether a vulnerability is actually exploitable in the target environment. It only flags that the detected version is known to be affected.