Scanner Agents
Cert-IX Scanner Agents are lightweight, secure binaries that you deploy on your private network to discover, inventory, and continuously monitor internal assets. They communicate with the Cert-IX platform through an encrypted Kafka-first ingestion pipeline.
Why Deploy Agents?
External scanning can only see what is exposed to the internet. To get full visibility into your private infrastructure, you need agents running inside your network:
- Internal asset discovery — Find servers, workstations, and services that are invisible from outside
- Real-time telemetry — Continuous collection of processes, ports, software, and system metrics
- Private network scanning — Vulnerability scanning of RFC 1918 addresses and air-gapped networks
- Compliance monitoring — CIS benchmarks, STIG, PCI-DSS hardening checks from the inside
- Zero-trust verification — Verify device posture and configuration drift in real time
Available Agents
| Agent | Purpose | Collects |
|---|---|---|
| Bitcollector | Asset telemetry | Processes, ports, software inventory, system info, metrics, network traffic |
| Bitscanner | Security intelligence | Host & network vulnerability scanning, CVE detection |
| Bitmapper | Network topology | Packet capture, service discovery, network mapping |
| Bitenforcer | Compliance enforcement | CIS, STIG, PCI-DSS hardening automation and drift detection |
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ Your Private Network │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Server │ │Workstation│ │ Router │ │ Database │ │
│ │ Agent │ │ Agent │ │ Agent │ │ Agent │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │ │
│ └──────────────┴──────┬───────┴──────────────┘ │
│ │ │
│ TLS 1.3 + JWT │
└─────────────────────────────┼────────────────────────────────────┘
│
▼
┌────────────────────────┐
│ Agent Gateway Service │ ← Registration, token refresh
└────────────┬───────────┘
│
▼
┌────────────────────────┐
│ Agent Ingestion Gateway│ ← Heartbeat, telemetry, scans
└────────────┬───────────┘
│
▼
┌────────────────────────┐
│ Apache Kafka │ ← Durable message queue
└────────────┬───────────┘
│
▼
┌────────────────────────┐
│ Stream Processor │ ← Enrichment, dedup, alerting
└────────────┬───────────┘
│
┌─────────┴─────────┐
▼ ▼
┌──────────────┐ ┌──────────────┐
│ PostgreSQL │ │ Redis │
│ (persistent) │ │ (cache) │
└──────────────┘ └──────────────┘
│
▼
┌──────────────────┐
│ Cert-IX Dashboard│ ← You see results here
└──────────────────┘
Security Model
Every aspect of agent communication is secured:
- TLS 1.3 — All connections use TLS 1.3 with certificate pinning. Non-TLS connections are rejected.
- JWT authentication — Agents receive a signed JWT token on registration, refreshed automatically.
- ECDSA identity — Each agent generates a unique ECDSA P-256 keypair. The public key fingerprint is the agent's identity.
- Tenant isolation — Agents are bound to a tenant ID. Cross-tenant data access is impossible.
- mTLS (optional) — For high-security environments, enable mutual TLS with client certificates.
- Payload signing — Telemetry payloads are signed with the agent's private key to prevent tampering.
- Replay protection — Nonce-based replay protection prevents replay attacks on the ingestion pipeline.
Supported Platforms
| Platform | Architecture | Binary |
|---|---|---|
| Linux | x86_64 (amd64) | bitcollector-linux-amd64 |
| Linux | ARM64 (aarch64) | bitcollector-linux-arm64 |
| macOS | Intel (amd64) | bitcollector-darwin-amd64 |
| macOS | Apple Silicon (arm64) | bitcollector-darwin-arm64 |
| Windows | x86_64 (amd64) | bitcollector-windows-amd64.exe |
Quick Start
The fastest way to deploy an agent is from the dashboard:
- Go to Asset Management → Devices
- Click the green Deploy Agent button
- Follow the 4-step guided wizard
- The agent will appear in your device list within 60 seconds
For manual deployment, see the Deployment Guide.
Resource Usage
Agents are designed to be lightweight and non-intrusive:
| Resource | Default Limit | Configurable |
|---|---|---|
| Memory | 50 MB max | Yes (max_memory_mb) |
| CPU | < 1% average | Adjustable via collection intervals |
| Disk | ~20 MB binary + ~10 MB data | Data dir configurable |
| Network | ~5 KB/min heartbeat + telemetry | Batch size configurable |
What Happens After Deployment
Once an agent is running and registered:
- Device appears in inventory — The device shows up in Asset Management → Devices with "Online" status
- System info collected — OS, kernel, CPU, memory, disk info populated automatically
- Process inventory — Running processes with PID, owner, CPU/memory usage
- Port inventory — Open ports, listening services, bound addresses
- Software inventory — Installed packages and applications
- Metrics streaming — CPU, memory, load, I/O metrics updated every 30 seconds
- Network traffic — Per-service traffic statistics (if enabled)
- Vulnerability scanning — Device becomes eligible for on-demand and scheduled scans
- Compliance checks — CIS/STIG benchmarks can be run against the device
Next Steps:
- Agent Deployment Guide — Step-by-step installation
- Agent Configuration Reference — Full config file reference
- Devices — Managing devices in the dashboard