Introducing Protocol Discovery to stop guessing what’s behind your open ports

Most tools will just tell you that a port is open. We’ve decided that’s not enough.

TLDR: We’ve launched Protocol Discovery, a custom-built engine designed to move beyond simple port scanning by identifying the specific services communicating behind your open ports. Our engine is optimized for the speed of modern cloud environments-scanning assets in under 10 seconds. From detecting multiplexed protocols like SOCKS5 to uncovering high-risk services on non-standard ports, we’re providing the granular visibility needed to secure a complex attack surface.

You might have an exposed Redis database, a Cisco ASA VPN appliance, or even a Minecraft server (yes, we have actually seen this) sitting on your surface. Your tools might see 443/tcp, some tools will send a HTTP probe over TLS and happily announce “https”, but our new engine can dig even deeper to find the SOCKS5 protocol multiplexed along https, identify SSH running on non-standard ports (which we find just as often as port 22), or even negotiate TLS over TLS to find even greater (previously invisible) attack surface. We believe that simply knowing a port is “open” isn’t enough. To truly secure your attack surface, you need to know exactly what is communicating over that port.

Recently, we launched Protocol Discovery, a core enhancement to Surface Monitoring. This isn’t just another port scanner; it is a custom-built, in-house discovery engine designed to give you unprecedented visibility into your exposed services.

Engineering a better Discovery engine

A key part of what we do at Detectify is building unique solutions that provide significantly more value to your team than standard tooling. Building on the principles pioneered by open-source classics like Nmap, our new engine is tailored for the specific speed and demands of the modern cloud:

• 2X the Probes: We’ve doubled the number of probes compared to an equivalent OSS tool, specifically targeting service-specific signatures that others miss.
• Unrivaled speed: While an equivalent OSS tool takes 4 minutes to scan, we do it in under 10 seconds on comparable infrastructure. This allows for more frequent testing without resource bloat.
• Protocol nesting, multiplexing & multi-protocol classification: We can now detect multiplexed protocols, such as a Cisco ASA appliance communicating over both 443/tcp -> TLS -> HTTP (https) and 443/tcp -> TLS -> SOCKS5. Along with other interesting behaviors such as 443/tcp -> TLS -> TLS -> HTTP. Notice the double “TLS” – this is highly unusual.
• Finding the “invisible”: Our data shows that SSH is found on non-standard ports just as often as on port 22 (50.7% on 22/tcp, with the remaining 49.3% on other ports). We’re also identifying high-risk exposures like Redis and MongoDB that should not be public-facing.

Deep visibility into niche & legacy protocols

Our new probes cover everything from modern web services to legacy enterprise and industrial systems:

• Enterprise: Oracle WebLogic), SAProuter, and IBM DB2.
• Critical infrastructure: DNP3 (Power/Water SCADA) and Niagara Fox (Building Automation).
• Legacy & finance: IBM Mainframe and ATM host protocols.
• High risk: MSMQ (remember the QueueJumper RCE) and Java Debug Wire Protocol .

What’s new in your dashboard?

We’ve integrated this data directly into your workflow to make it actionable:

• The Protocols Page: A dedicated command center to view all discovered protocols, domain IPs, transport protocols, and schemes.
• Protocol-Based Filtering: We’ve updated our predefined filters to use actual protocol data instead of port numbers, drastically increasing accuracy and reducing noise.
• Enhanced Domain Details: A new “Protocols” tab gives you a granular look at the communication schemes connected to any specific asset.
• Automated Policies: You can now create custom Policies based on schemes. For example, set an alert to trigger the moment a database protocol or an unauthorized remote desktop server appears on your perimeter.

Get started

The best way to understand your exposure is to see it. Navigate to Attack Surface > Protocols in your Detectify dashboard to explore the services running across your assets. Book a demo to talk to our experts or start a 2-week free trial to see it in action.