Endpoint discovery (uncredentialed)

Overview

Twigs supports discovering assets from your environment using nmap.

Pre-requisites

You need to have nmap installed on your host (where you will be running twigs). Nmap needs to be available as /usr/bin/nmap. If you are using the twigs docker image, nmap is pre-bundled with it.

Steps

To discover assets in your environment using nmap, follow the steps below:

  • Open a new shell / terminal.
  • Check that twigs is installed and working properly by running the command below:

twigs nmap -h

  • Then run the discovery command below:

twigs nmap [-h] [--hosts HOSTS] [--timing {0,1,2,3,4,5}] [--discovery_scan_type {N,S,A,U,Y,O,E,P,M}] [--discovery_port_list DISCOVERY_PORT_LIST] [--no_ssh_audit] [--run_dast]

where

HOSTS can be a single hostname, an IP address or a CIDR range.

TIMING allows fine-grained control over scan performance. For details, refer to the link.

DISCOVERY_SCAN_TYPE allows you to customize the host discovery scan. For details, refer to the link.

DISCOVERY_PORT_LIST specifies the port(s) to be used in the host discovery scan.

The --run_dast switch allows you to run DAST checks for web applications. Note that DAST checks may take time and are not recommended for scans of large network CIDRs. Please use the “webapp” option for running DAST and other tests on known web application URLs.

  • After discovery is complete, log in to the ThreatWorx Console to view the newly discovered assets.

This discovery mode is a best-effort attempt to identify the endpoint operating system and services based on the fingerprinting techniques offered by nmap. Twigs augments these with its own NSE scripts for better coverage of obscure services. If you think this coverage can be improved by adding more such scripts, please reach out to us at support@threatworx.io.

For OS discovery, twigs should be run as root, since nmap requires it. Even then, OS discovery will not be as accurate as a credentialed scan using twigs, and may result in false positives. The ThreatWorx console will try to adjust the confidence score of vulnerability findings resulting from nmap discovery, which allows you to filter or hide some of these results in the console as required. Depending on the size of the network and the number of active endpoints, this discovery mode can also take a significant amount of time to complete.
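As an added example (not part of twigs or its documentation), the following POSIX shell script performs the pre-requisite checks described above (nmap at /usr/bin/nmap, root for OS discovery), validates the --timing and --discovery_scan_type values, and assembles the twigs nmap command line so it can be reviewed before a potentially long scan is started. The CIDR, timing and port values are constructed, and the script name discover.sh is assumed.

```shell
#!/bin/sh
# Added example (not part of twigs): pre-flight checks and command assembly
# for an uncredentialed twigs nmap discovery run. Sample values are constructed.
NMAP_BIN=/usr/bin/nmap   # twigs expects nmap at exactly this path

# --timing accepts the levels 0-5.
valid_timing() {
    case "$1" in
        [0-5]) return 0 ;;
        *)     return 1 ;;
    esac
}

# --discovery_scan_type accepts one of N,S,A,U,Y,O,E,P,M.
valid_scan_type() {
    case "$1" in
        N|S|A|U|Y|O|E|P|M) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Print (do not run) the twigs nmap command so it can be reviewed first.
# --run_dast is deliberately left out: the docs advise against it on large CIDRs.
# Args: hosts timing scan_type [ports]
build_twigs_cmd() {
    valid_timing "$2"    || { echo "invalid timing: $2" >&2; return 1; }
    valid_scan_type "$3" || { echo "invalid scan type: $3" >&2; return 1; }
    cmd="twigs nmap --hosts $1 --timing $2 --discovery_scan_type $3"
    [ -n "$4" ] && cmd="$cmd --discovery_port_list $4"
    echo "$cmd"
}

# Prerequisites from the docs: nmap at /usr/bin/nmap (fatal), root for OS discovery (warning).
preflight() {
    [ -x "$NMAP_BIN" ] || { echo "nmap not found at $NMAP_BIN" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || echo "warning: not root, OS discovery requires it" >&2
    return 0
}

# Run the checks, then start discovery. Word-splitting of $cmd is intended.
run_discovery() {
    preflight || return 1
    cmd=$(build_twigs_cmd "$@") || return 1
    echo "running: $cmd" && $cmd
}

# Only runs when arguments are given, e.g.: sudo sh discover.sh 10.0.0.0/24 3 S 22,443
if [ "$#" -gt 0 ]; then
    run_discovery "$@"
fi
```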