How Internal Scanning works: Q&A with Detectify’s product expert


Security doesn’t stop at the perimeter. The “inside” of your network often harbors many overlooked risks. To address this, earlier this year we launched Detectify Internal Scanning, designed to bring our world-class vulnerability research directly into your private ecosystems. By deploying a lightweight agent within your infrastructure, you can now uncover vulnerabilities that were previously hidden behind your firewall, ensuring that your internal posture is just as resilient as your public-facing one.

How does internal scanning work in practice, and how quickly can you deploy it? In this webinar recap, our Senior Product Manager and resident product expert, Linus Kingfors, sat down to address questions from our customers and community about Internal Scanning and its capabilities, including deployment methods and data handling.

TL;DR

  • It is possible to deploy Internal Scanning in three ways: Kubernetes, Helm, or Docker. The recommended way is Kubernetes, and setup can take just a couple of minutes.
  • Detectify only collects data related to identified vulnerabilities, not broader system data.
  • Detectify’s high assessment accuracy rate of 99.7% is based on real customer-reported false positives.
  • A finding in our solution is qualified as a true positive when it is organized by the user. 
  • Detectify is currently testing the capability to scan for developer mistakes such as leaking credentials or private keys.

1. How do you deploy internal scanning, and how long does it take to set up?

To deploy Internal Scanning in your environment, there are three primary methods, depending on your environment:

  • Kubernetes Cluster: The recommended method, using a prepared cluster.
  • Helm Chart: A standard option for Kubernetes users.
  • Docker Containers: For those who prefer individual container deployment.

Time to go live depends on many factors specific to your environment. However, customers who have set up the Internal Scanner have been able to do so within a couple of minutes with the right people and the right permissions in place. As with all other Detectify products, the setup is smooth.

2. When the agent is installed, what data is actually being sent back to Detectify?

The data sent back is primarily focused on the vulnerabilities themselves. To provide a clear finding for the user, Detectify requires:

  • Payload Details: The specific requests and responses related to the finding.
  • Scan Metadata: Information regarding the state of the scan (e.g., is the scan currently ongoing?).

3. How accurate is Detectify’s Internal Scanner, and how do you calculate your accuracy rate of 99.7%?

Detectify’s high-fidelity findings, with an accuracy rate of 99.7%, are not just a rough estimate; they’re a calculation based on customer reporting.

We look at all findings produced across our different products and measure how many are reported as False Positives by customers. Because the same test beds are used across various Detectify products, the resulting accuracy calculation closely reflects real-world performance.

4. What qualifies a finding to be a true positive in reports?

A finding is qualified as a true positive when it is organized by the user. Specifically, this includes findings that are:

  • Moved outside the product for further action.
  • Marked to be fixed.
  • Resolved (meaning Detectify no longer finds the vulnerability in subsequent scans).

Note: While “accepted risk” is a status, it is not necessarily included in this specific true positive qualification.

5. Does Detectify scan for developer mistakes like leaking credentials or private keys?

Not at the moment. However, we are currently experimenting with this, so keep an eye out for it in the future. Sign up for our newsletter to get updates on our products. 

Want to learn more about internal scanning?

For more details, check out our deployment documentation and agent specifications or rewatch the full webinar recording. 