ANVS
NEW

Asset & Network Vulnerability Scanner

The asset missing from your ledger is live on your network.

Register your asset ledger, then reconcile it against a real TCP scan. ANVS surfaces unregistered hosts and services, exposed remote access, admin pages, and risky ports — from a laptop, inside a closed network.

Pure-Node TCP scanLedger reconciliationRemote-access & risky-port exposureAir-gapped desktop appOwner PII encrypted
Ledger Reconciliation

The gap between what you declared and what's actually reachable.

An asset ledger says what should exist. A scan says what does. ANVS puts the two side by side, so unregistered hosts and undeclared services stop hiding.

Ledger (declared)
42
Observed (scanned)
61
Matched (38)
Declared, running, and reachable exactly as the ledger records.
Undeclared service (8)
A known host answers on a port the ledger never listed.
Unregistered host (9)
A live host the ledger has no record of at all.
Out-of-scope reach (2)
A management service answers from outside its allowed network.
Inactive (4)
Declared in the ledger but not responding on the scan.
Asset coverage
62%
Unregistered host17
Out-of-scope reach2

Coverage is matched services over everything observed. The lower it runs, the more of your network lives outside the ledger.

Reconciliation is a shape, not a spreadsheet. The unregistered slice is what you didn't know you were running.

Capabilities

From a spreadsheet of assets to a map of what's actually exposed.

A vulnerability scanner assumes you already know your hosts. ANVS starts from your ledger, observes the real network, and reconciles the two.

Excel ledger import

Bring assets, IPs and CIDR, owners, and allowed ports from an .xlsx file or the UI. A single malformed row is rejected outright, never silently dropped.

Pure-Node TCP observation

A net.Socket connect scan with banner grab and HTTP probing. No raw sockets, no root or NET_RAW — it runs where a normal user can.

Ledger-vs-scan reconciliation

Every observed service is matched to the ledger. Unregistered hosts, undeclared ports, and inactive assets are separated automatically.

Exposure check

Remote access (SSH, Telnet, RDP), admin pages, risky ports, and allowed-network violations, ranked by severity against a port knowledge base.

Owner PII encrypted

The owner and contact field is stored under AES-256-GCM. A key mismatch fails loudly instead of silently returning garbage.

Reports with Korean fonts

Markdown, HTML, JSON, and PDF. Korean-capable fonts embed for clean output in air-gapped environments.

Exposure Check

Reachable is not the same as authorized.

ANVS ranks what an attacker already on the LAN would find first: plaintext remote access, exposed admin consoles, database ports, and services answering from outside their allowed range.

anvs · exposure findings
10.0.4.12:23TelnetPlaintext protocolcritical
10.0.9.51:3306MySQLRisky ports opencritical
10.0.2.8:8080Admin ConsoleAdmin page exposedhigh
10.0.7.30:3389RDPRemote access exposedhigh
10.0.5.19:22SSHOut-of-scope reachhigh
10.0.1.44:21FTPPlaintext protocolmedium
Remote access exposed
SSH, Telnet, or RDP reachable — most dangerous when it answers from outside the allowed network.
Admin page exposed
Management consoles and dashboards answering over HTTP where anyone on the segment can reach them.
Risky ports open
Databases, SMB, and other sensitive services open to the LAN, matched against the port knowledge base.
Plaintext protocol
Telnet, FTP, and unencrypted HTTP admin — credentials travel in the clear.
Out-of-scope reach
A service answers from an IP range the ledger never authorized for it.
How it works

Ledger in, findings out — nothing leaves the laptop.

The ledger loads once. A pure-Node TCP scan observes the network; reconciliation and exposure analysis run locally; a report prints on the spot.

Stage 1
Load ledger
Assets, IP/CIDR, owners, allowed ports · .xlsx or UI
Stage 2
TCP scan
net.Socket connect · banner grab · HTTP probe
Stage 3
Reconcile & check
Ledger diff + exposure analysis against the port KB
Stage 4
Report
Markdown · HTML · JSON · PDF with Korean fonts
Scan Capabilities
TCP Connect
Banner Grab
HTTP Probe
Ports KB
Scope Check
PII AES-256
No privilege, no cloud
A pure-Node TCP connect scan. No root or NET_RAW, no Docker, no external calls — it touches only the LAN it's pointed at.
Pure Node TCPNo root · NET_RAWAir-gappedHost networkSQLite

The scan reaches out to the target network, but no result or telemetry leaves the machine it runs on.

Use Cases

Where a ledger and reality drift apart

Public closed networks, factory floors, financial internal networks, on-site consulting. The same reconciliation produces an audit-ready record.

Public-sector closed network

Reconcile the official asset ledger against the live network in an air-gapped agency. Unregistered devices surface as evidence.

Audit-ready evidence

Manufacturing OT/ICS exposure

Find management interfaces and remote access exposed on a plant network without installing agents on fragile OT hosts.

Agentless OT check

Financial internal-network review

Recurring internal scans produce a reconciliation record and exposure list for the audit trail.

Periodic audit record

On-site security consulting

Run from a consultant's laptop with no internet. Reconcile, check exposure, and print a report on the spot.

Air-gapped on-site
How you run it

One scanner, three ways to run it.

A desktop app for people, a CLI for automation, an MCP server for agents. Same engine and same report across all three.

One-click install

Desktop app

macOS, Windows, and Linux installer. No Docker, no Postgres, no server — the whole scanner runs from an app, offline.

best fit: Analysts, field engineers, closed networks
Automation

CLI

Run anvs analyze for scripted and scheduled scans. JSON out for pipelines; drop sensitive banners with one flag.

best fit: Scheduled scans, CI, scripting
Agent-native

MCP server

A stdio MCP binary exposes scan, query, and report tools to an AI agent over a loopback-only API.

best fit: Agent workflows, assisted audits
Why ANVS

It finds the assets you forgot, not just the bugs you expected.

Finds assets, not just vulnerabilities
Traditional scanners rank findings on hosts you already know. ANVS starts from the ledger and surfaces the hosts and services you didn't know were there.
Zero privilege, zero footprint on targets
A pure-Node TCP connect scan. No raw sockets, no root or NET_RAW, and no agent installed on any target host.
Air-gapped desktop
One-click installer for macOS, Windows, and Linux. No Docker or Postgres; the scanner and its data stay on the laptop, offline.
Owner PII encrypted by default
Contact fields are stored under AES-256-GCM, and the tool refuses to silently mask a decryption failure.
Safe by design
An unknown vantage point is recorded as undetermined, never inflated into a false critical. Ledger replacement and scan cancellation both require explicit confirmation.
Agent-ready over MCP
Scan, query, and report generation are exposed as MCP tools over a loopback-only API — no quiet fallback to a fixed port.
Get started

See what's really on your network.

Bring your asset ledger. ANVS returns the gap as a reconciliation and an exposure list — on a laptop, offline when you need it.