Network Exposure
The Network Exposure tab on the agent detail page provides visibility into every listening port on the endpoint, the process behind it, and whether the firewall allows inbound connections. This helps you identify unauthorized services, assess attack surface, and verify firewall posture.
What the Agent Collects
The TridentStack Control agent performs a comprehensive port enumeration every hour (configurable, minimum 15 minutes). For each listening port, it reports:
| Data Point | Description |
|---|---|
| Port | Port number (1-65535) |
| Protocol | TCP or UDP |
| Binding Address | What the service listens on (0.0.0.0, 127.0.0.1, specific IP, or IPv6) |
| Process Name | Name of the process holding the port |
| Process Path | Full path to the executable |
| Process Signing | Whether the executable is digitally signed and the signer identity (Windows) |
| Service Name | Windows service name and display name, if the port is held by a service |
| Firewall Status | Whether the Windows Firewall allows inbound traffic to this port, the rule name, and active profile |
On Linux, the agent additionally enriches ports held by docker-proxy with the container name and image by querying the Docker Engine API.
Linux agents do not currently report firewall state (iptables/nftables). Firewall data is available for Windows agents only.
Risk Assessment
Each port receives a context-aware risk level based on its exposure characteristics, not just its port number:
| Risk Level | Criteria | Examples |
|---|---|---|
| Critical | Legacy dangerous protocols exposed to the network | Telnet (23), FTP (21) on LAN or internet |
| High | Services that should not be internet-exposed | RDP (3389), SMB (445), databases exposed to the internet |
| Medium | Services with moderate risk when exposed | SNMP (161), non-standard services on network interfaces |
| Low | Common web services | HTTP (80), HTTPS (443) |
| Info | Expected services on internal interfaces | Standard Windows services on localhost, internal-only ports |
Context matters. The same port can have different risk levels depending on:
- Binding address: A database on 127.0.0.1 is informational. The same database on 0.0.0.0 with the firewall open is high risk.
- Firewall state: A port blocked by the firewall is lower risk than one the firewall allows.
- Process characteristics: Signed executables from known vendors in standard paths carry lower risk than unsigned binaries in unusual locations.
Viewing Network Exposure
Navigate to any agent's detail page and select the Network tab.
Summary Header
At the top of the tab, a summary strip shows:
- Total listening ports on the endpoint
- Externally exposed ports (not bound to localhost)
- Risk breakdown by level (critical, high, medium, low, info)
- Events in the last 24 hours (ports opened, closed, or changed)
- Firewall status (enabled or disabled)
Port Table
The main view displays all listening ports in a sortable, filterable table:
| Column | Description |
|---|---|
| Risk | Color-coded badge (red/orange/yellow/blue/gray) |
| Port | Port number |
| Protocol | TCP or UDP |
| Binding | Address the service listens on |
| Process | Process name holding the port |
| Firewall | Whether inbound traffic is allowed |
| Exposure | Calculated exposure level (localhost, LAN, internet, firewall blocked) |
Click any row to expand and see:
- Full process path and command line
- Service name and display name (Windows)
- Firewall rule name and profile
- Process signing details (Windows)
- Port timeline showing when it was first seen and any state changes
Filtering
- Search: Filter by port number, process name, process path, or service name
- Risk level: Show only ports at a specific risk level
- Protocol: Filter by TCP or UDP
- Exposed only: Show only ports that are both bound to a non-localhost address and allowed by the firewall
Port History
Switch to the History view to see a timeline of all port state changes:
- Opened: A new port started listening
- Closed: A port stopped listening
- Changed: The process or configuration behind a port changed
Filter history by event type, risk level, or date range.
On-Demand Refresh
Click the Refresh button on the Network tab to trigger an immediate port scan from the agent. The agent collects fresh data and sends it back within seconds. The UI updates automatically when new data arrives.
Refresh is rate-limited to prevent excessive collection (5 requests per minute per agent).
Fleet-Wide Queries
Two fleet-level views help you identify exposure across your entire environment:
- Fleet port search: Find all agents with a specific port open (e.g., "show me every endpoint listening on port 3389")
- High-risk report: View all high-risk exposed ports across all agents in one view
Linux-Specific Behavior
- Dual-stack consolidation: When a service listens on both IPv4 (0.0.0.0) and IPv6 (::) on the same port and process, the agent consolidates them into a single row to reduce noise.
- Docker enrichment: Ports held by docker-proxy are enriched with the container name and image for easy identification.
- No firewall data: Linux agents do not currently collect iptables/nftables state. The firewall column shows as unknown for Linux endpoints.
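The following is an added example, not TridentStack's own code, that models two rules described on this page: the context-aware risk assessment (port, binding address, firewall state and process characteristics, not the port number alone) and the Linux dual-stack consolidation rule above. The ListeningPort fields, the port-category sets, the "standard path" prefixes, the one-step up/down adjustments and the sample records are all assumptions constructed for illustration; the product's real categories and weights are not published here.

```python
# Added example (not TridentStack's own code): a small model of the
# context-aware risk assessment and of the Linux dual-stack consolidation rule.
# Field names, port categories, path prefixes and adjustments are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Iterable, List, Optional

RISK_ORDER = ["info", "low", "medium", "high", "critical"]

# Port categories taken from the Risk Assessment table. Assumption: these are
# illustrative only; the agent's own lists are certainly longer.
LEGACY_DANGEROUS = {21, 23}                       # FTP, Telnet
NOT_FOR_INTERNET = {445, 3389, 1433, 3306, 5432}  # SMB, RDP, common databases
MODERATE = {161}                                  # SNMP
WEB = {80, 443}                                   # HTTP, HTTPS

# Assumed "standard" install locations; anything else counts as an unusual path.
STANDARD_PATH_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "/usr/", "/bin/", "/sbin/", "/lib/", "/opt/",
)


@dataclass(frozen=True)
class ListeningPort:
    port: int
    protocol: str                     # "tcp" or "udp"
    binding: str                      # "0.0.0.0", "127.0.0.1", "::", a specific IP
    process: str
    process_path: str
    firewall_allowed: Optional[bool]  # None = unknown (Linux agents report no firewall state)
    signed: bool = False              # Windows signing status; False on Linux


def exposure(p: ListeningPort) -> str:
    """Mirror the Exposure column: localhost, firewall blocked, lan or internet."""
    # Merged dual-stack rows carry "0.0.0.0/::"; classify on the IPv4 half.
    addr = ip_address(p.binding.split("/")[0])
    if addr.is_loopback:
        return "localhost"
    if p.firewall_allowed is False:
        return "firewall blocked"
    # Assumption: a wildcard binding or a globally routable address is treated as
    # internet-reachable; a private (RFC 1918 / ULA) address as LAN-only.
    if addr.is_unspecified or addr.is_global:
        return "internet"
    return "lan"


def shift(level: str, steps: int) -> str:
    """Move a risk level up or down the scale, clamped at both ends."""
    i = RISK_ORDER.index(level) + steps
    return RISK_ORDER[max(0, min(len(RISK_ORDER) - 1, i))]


def risk_level(p: ListeningPort) -> str:
    """Risk depends on port, binding, firewall state and process, not on the port alone."""
    exp = exposure(p)
    if exp == "localhost":
        return "info"                 # only local processes can reach it
    if p.port in LEGACY_DANGEROUS:
        level = "critical"            # Telnet/FTP on any network interface
    elif p.port in NOT_FOR_INTERNET:
        level = "high" if exp == "internet" else "medium"
    elif p.port in MODERATE:
        level = "medium"
    elif p.port in WEB:
        level = "low"
    else:
        level = "medium"              # non-standard service on a network interface
    if exp == "firewall blocked":
        level = shift(level, -1)      # blocked by the firewall: lower risk, not zero
    in_standard_path = p.process_path.lower().startswith(STANDARD_PATH_PREFIXES)
    if not p.signed and not in_standard_path:
        level = shift(level, +1)      # unsigned binary in an unusual location
    return level


def consolidate_dual_stack(ports: Iterable[ListeningPort]) -> List[ListeningPort]:
    """Linux rule: one process on both 0.0.0.0 and :: for the same port and
    protocol is shown as a single row (binding "0.0.0.0/::") instead of two."""
    ports = list(ports)
    key = lambda p: (p.port, p.protocol, p.process, p.process_path)
    v4_wildcards = {key(p) for p in ports if p.binding == "0.0.0.0"}
    v6_wildcards = {key(p) for p in ports if p.binding == "::"}
    result: List[ListeningPort] = []
    for p in ports:
        if p.binding == "0.0.0.0" and key(p) in v6_wildcards:
            result.append(replace(p, binding="0.0.0.0/::"))
        elif p.binding == "::" and key(p) in v4_wildcards:
            continue                  # already represented by the merged row
        else:
            result.append(p)
    return result


def sample_inventory() -> List[ListeningPort]:
    """Constructed sample records for the example; not real agent output."""
    return [
        ListeningPort(3306, "tcp", "127.0.0.1", "mysqld.exe", r"C:\Program Files\MySQL\bin\mysqld.exe", True, True),
        ListeningPort(3306, "tcp", "0.0.0.0", "mysqld.exe", r"C:\Program Files\MySQL\bin\mysqld.exe", True, True),
        ListeningPort(3389, "tcp", "0.0.0.0", "svchost.exe", r"C:\Windows\System32\svchost.exe", False, True),
        ListeningPort(23, "tcp", "10.0.0.5", "telnetd", "/usr/sbin/telnetd", None, False),
        ListeningPort(8443, "tcp", "0.0.0.0", "agent.exe", r"C:\Users\Public\agent.exe", True, False),
        ListeningPort(443, "tcp", "0.0.0.0", "nginx", "/usr/sbin/nginx", None, False),
        ListeningPort(443, "tcp", "::", "nginx", "/usr/sbin/nginx", None, False),
    ]


def report(ports: Iterable[ListeningPort]) -> List[tuple]:
    """Rows of (port, binding, exposure, risk) after dual-stack consolidation."""
    return [(p.port, p.binding, exposure(p), risk_level(p)) for p in consolidate_dual_stack(ports)]


if __name__ == "__main__":
    for row in report(sample_inventory()):
        print(row)
```

The sample shows the page's own contrast: the same MySQL listener is informational on 127.0.0.1 and high risk on 0.0.0.0 with the firewall open, RDP drops to low when the firewall blocks it, and an unsigned binary under C:\Users on a non-standard port is raised one level. The two nginx rows collapse into one.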