Network Exposure
The Network Exposure tab on the agent detail page provides visibility into every listening port on the endpoint, the process behind it, and whether the firewall allows inbound connections. This helps you identify unauthorized services, assess attack surface, and verify firewall posture.
What the Agent Collects
The TridentStack Control agent performs a comprehensive port enumeration every hour (configurable, minimum 15 minutes). For each listening port, it reports:
| Data Point | Description |
|---|---|
| Port | Port number (1-65535) |
| Protocol | TCP or UDP |
| Binding Address | What the service listens on (0.0.0.0, 127.0.0.1, specific IP, or IPv6) |
| Process Name | Name of the process holding the port |
| Process Path | Full path to the executable |
| Process Signing | Whether the executable is digitally signed and the signer identity (Windows and macOS) |
| Service Name | Windows service name and display name, if the port is held by a service |
| Firewall Status | Whether the firewall allows inbound traffic to this port. Windows reports the Windows Firewall rule name and active profile; macOS reports the Application Firewall decision for the owning app and stealth mode. |
On Linux, the agent additionally enriches ports held by docker-proxy with the container name and image by querying the Docker Engine API.
Firewall state is reported on Windows (Windows Firewall) and macOS (the Application Firewall). Linux agents do not currently report firewall state (iptables/nftables); the firewall column shows as unknown for Linux endpoints.
Risk Assessment
Each port receives a context-aware risk level based on its exposure characteristics, not just its port number:
| Risk Level | Criteria | Examples |
|---|---|---|
| Critical | Legacy dangerous protocols exposed to the network | Telnet (23), FTP (21) on LAN or internet |
| High | Services that should not be internet-exposed | RDP (3389), SMB (445), databases exposed to the internet |
| Medium | Services with moderate risk when exposed | SNMP (161), non-standard services on network interfaces |
| Low | Common web services | HTTP (80), HTTPS (443) |
| Info | Expected services on internal interfaces | Standard Windows services on localhost, internal-only ports |
Context matters. The same port can have different risk levels depending on:
- Binding address: A database on 127.0.0.1 is informational. The same database on 0.0.0.0 with the firewall open is high risk.
- Firewall state: A port blocked by the firewall is lower risk than one the firewall allows.
- Process characteristics: Signed executables from known vendors in standard paths carry lower risk than unsigned binaries in unusual locations.
Viewing Network Exposure
Navigate to any agent's detail page and select the Network tab.
Summary Header
At the top of the tab, a summary strip shows:
- Total listening ports on the endpoint
- Externally exposed ports (not bound to localhost)
- Risk breakdown by level (critical, high, medium, low, info)
- Events in the last 24 hours (ports opened, closed, or changed)
- Firewall status (enabled or disabled)
Port Table
The main view displays all listening ports in a sortable, filterable table:
| Column | Description |
|---|---|
| Risk | Color-coded badge (red/orange/yellow/blue/gray) |
| Port | Port number |
| Protocol | TCP or UDP |
| Binding | Address the service listens on |
| Process | Process name holding the port |
| Firewall | Whether inbound traffic is allowed |
| Exposure | Calculated exposure level (localhost, LAN, internet, firewall blocked) |
Click any row to expand and see:
- Full process path and command line
- Service name and display name (Windows)
- Firewall details: rule name and profile (Windows), or the Application Firewall decision and stealth mode (macOS)
- Process signing details (Windows and macOS)
- Port timeline showing when it was first seen and any state changes
Filtering
- Search: Filter by port number, process name, process path, or service name
- Risk level: Show only ports at a specific risk level
- Protocol: Filter by TCP or UDP
- Exposed only: Show only ports that are both bound to a non-localhost address and allowed by the firewall
Port History
Switch to the History view to see a timeline of all port state changes:
- Opened: A new port started listening
- Closed: A port stopped listening
- Changed: The process or configuration behind a port changed
Filter history by event type, risk level, or date range.
On-Demand Refresh
Click the Refresh button on the Network tab to trigger an immediate port scan from the agent. The agent collects fresh data and sends it back within seconds. The UI updates automatically when new data arrives.
Refresh is rate-limited to prevent excessive collection (5 requests per minute per agent).
Fleet-Wide Queries
Two fleet-level views help you identify exposure across your entire environment:
- Fleet port search: Find all agents with a specific port open (e.g., "show me every endpoint listening on port 3389")
- High-risk report: View all high-risk exposed ports across all agents in one view
macOS-Specific Behavior
- Firewall (Application Firewall): TridentStack Control reports whether the macOS Application Firewall is enabled, whether stealth mode is on, and, for each listening port, whether the firewall allows inbound connections to the owning app. The macOS firewall is application-based rather than port-based, so the inbound decision is resolved for the process that holds the port.
- Process signing: each listening process is checked with macOS code signing, reporting whether it is signed, whether the signature is valid, and the signer identity.
Linux-Specific Behavior
- Dual-stack consolidation: When a service listens on both IPv4 (0.0.0.0) and IPv6 (::) on the same port and process, the agent consolidates them into a single row to reduce noise.
- Docker enrichment: Ports held by
docker-proxyare enriched with the container name and image for easy identification. - No firewall data: Linux agents do not currently collect iptables/nftables state. The firewall column shows as unknown for Linux endpoints.