Asset & Network Vulnerability Scanner
The asset missing from your ledger is live on your network.
Register your asset ledger, then reconcile it against a real TCP scan. ANVS surfaces unregistered hosts and services, exposed remote access, admin pages, and risky ports — from a laptop, inside a closed network.
The gap between what you declared and what's actually reachable.
An asset ledger says what should exist. A scan says what does. ANVS puts the two side by side, so unregistered hosts and undeclared services stop hiding.
Coverage is matched services over everything observed. The lower it runs, the more of your network lives outside the ledger.
Reconciliation is a shape, not a spreadsheet. The unregistered slice is what you didn't know you were running.
From a spreadsheet of assets to a map of what's actually exposed.
A vulnerability scanner assumes you already know your hosts. ANVS starts from your ledger, observes the real network, and reconciles the two.
Excel ledger import
Bring assets, IPs and CIDR, owners, and allowed ports from an .xlsx file or the UI. A single malformed row is rejected outright, never silently dropped.
Pure-Node TCP observation
A net.Socket connect scan with banner grab and HTTP probing. No raw sockets, no root or NET_RAW — it runs where a normal user can.
Ledger-vs-scan reconciliation
Every observed service is matched to the ledger. Unregistered hosts, undeclared ports, and inactive assets are separated automatically.
Exposure check
Remote access (SSH, Telnet, RDP), admin pages, risky ports, and allowed-network violations, ranked by severity against a port knowledge base.
Owner PII encrypted
The owner and contact field is stored under AES-256-GCM. A key mismatch fails loudly instead of silently returning garbage.
Reports with Korean fonts
Markdown, HTML, JSON, and PDF. Korean-capable fonts embed for clean output in air-gapped environments.
Reachable is not the same as authorized.
ANVS ranks what an attacker already on the LAN would find first: plaintext remote access, exposed admin consoles, database ports, and services answering from outside their allowed range.
Ledger in, findings out — nothing leaves the laptop.
The ledger loads once. A pure-Node TCP scan observes the network; reconciliation and exposure analysis run locally; a report prints on the spot.
The scan reaches out to the target network, but no result or telemetry leaves the machine it runs on.
Where a ledger and reality drift apart
Public closed networks, factory floors, financial internal networks, on-site consulting. The same reconciliation produces an audit-ready record.
Public-sector closed network
Reconcile the official asset ledger against the live network in an air-gapped agency. Unregistered devices surface as evidence.
Manufacturing OT/ICS exposure
Find management interfaces and remote access exposed on a plant network without installing agents on fragile OT hosts.
Financial internal-network review
Recurring internal scans produce a reconciliation record and exposure list for the audit trail.
On-site security consulting
Run from a consultant's laptop with no internet. Reconcile, check exposure, and print a report on the spot.
One scanner, three ways to run it.
A desktop app for people, a CLI for automation, an MCP server for agents. Same engine and same report across all three.
Desktop app
macOS, Windows, and Linux installer. No Docker, no Postgres, no server — the whole scanner runs from an app, offline.
CLI
Run anvs analyze for scripted and scheduled scans. JSON out for pipelines; drop sensitive banners with one flag.
MCP server
A stdio MCP binary exposes scan, query, and report tools to an AI agent over a loopback-only API.