Every check Noxen runs
One scan per host runs every check below in parallel. A typical host finishes in 10–60 seconds depending on open-port count. Findings diff against the previous scan, so you only see what changed.
Inventory & CVEs
- SSH inventory — reads `/etc/os-release`, kernel version, dpkg/rpm package list, `sshd_config`, `authorized_keys`. All read-only.
- CPE → CVE matching — installed packages cross-referenced against a signed feed sourced from VulnCheck NVD++ (primary) and OSV.dev (Debian + Ubuntu + Rocky/AlmaLinux). See the live feed dashboard for current totals and top recent critical/high CVEs.
- Severity bucketing — distro-tagged severity labels are used first where present (Ubuntu / Debian triage); the CVSS v3 vector is parsed for the rest. Both the severity bucket and the numeric score are surfaced in the UI.
Network exposure
- Port scan — top 1000 TCP ports via Apple's Network framework. Sandbox-safe; no `nmap` binary required.
- TLS audit — weak ciphers, deprecated protocols (TLS 1.0/1.1, SSLv3), HSTS, OCSP stapling, near-expiry certs. Runs against any TLS-capable open port.
- HTTP security headers — CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS, X-Content-Type-Options.
- Exposed admin surfaces — fingerprints 70+ services: Home Assistant, Plex, Jellyfin, Sonarr/Radarr, Pi-hole, pfSense, OPNsense, UniFi, Mikrotik, Proxmox, TrueNAS, Synology, QNAP, Gitea, Jenkins, Grafana, Prometheus, Uptime Kuma, Netdata, Portainer, Kubernetes, Docker, Consul, Vault, Traefik, phpMyAdmin, Kibana, unauth Elasticsearch / Redis / Mongo, Git config leaks, .env file leaks. Flag only — never authenticates against the surface.
Workflow
- Diff-from-yesterday — each scan compares to the previous scan; UI defaults to "what's new" rather than "everything we know about this host."
- Scheduled nightly scans — registered via `SMAppService`; survive sleep / wake, run on AC power only by default.
- Batch scan — "Scan all" toolbar button runs every enrolled host sequentially with a live progress banner. Cancellable.
- iOS view-only companion — host list, dashboard, and push notifications for critical findings. No scan logic on iOS (raw sockets blocked).
- iCloud sync — host catalog + scan history sync to your private CloudKit container. SSH keys stay in Keychain, never synced.
Reporting & integration
- PDF report export — summary, per-host detail, remediation hints. Suitable for client deliverables.
- SIEM export (NDJSON) — JSON Lines for Wazuh / Splunk / ELK / Loki ingest. Supports global tags (`env`, `region`, etc.).
- Compliance mapping — CIS Controls v8, SOC 2, ISO 27001:2022 control references per scan. CSV export. Evidence supplement, not a compliance claim.
- Webhooks — Slack / Discord / Teams / generic JSON; payload auto-formatted per sink. Live Feed and MSP tiers.
Customisation
- Custom checks — drop `*.json` files into `~/Library/Application Support/app.noxen/custom-checks/`. HTTP path + markers, or TCP send + markers. Schema in the docs.
- Multi-tenant host catalogs — group hosts by client / environment. MSP tier.
- Command palette — ⌘⇧P opens a fuzzy-searchable action list. Every shortcut is discoverable here.
What Noxen does not do
- No default-credential testing. Noxen will flag an exposed admin surface; it will never try to authenticate against it. Why.
- No agent. Everything runs over SSH using a key you already have in `~/.ssh/config`.
- No SaaS round-trip. Scan results live in your local SwiftData store and (if enabled) sync via your own iCloud account. Noxen's servers only host the signed CVE feed.