This manual explains how to use the Scantide Auditor PowerShell script to review your own networks, discover reachable hosts, identify exposed services, inspect web and TLS evidence, compare findings with CMDB data, and export clear reports that administrators can actually act on.
The old ScantideLAN manual was useful, but it used older naming, older graphics, a few encoding-problem characters, and some wording that sounded more like vulnerability assessment than practical inventory and exposure review. This updated version focuses on the current Scantide Auditor direction.
The wording now describes authorized internal visibility, service evidence, certificates, and CMDB comparison instead of broad or scary security claims.
The old purple dashboard style has been replaced with the newer dark hero, rounded cards, evidence badges, and cleaner Scantide visual language.
Every major finding now explains why it matters for a normal administrator, not only for a technical security specialist.
Scantide Auditor PowerShell is an agentless script for administrators who need a practical view of what is reachable inside their own network. It does not try to exploit systems. It collects observable evidence and turns it into an HTML report.
Finds reachable systems in a subnet or list of networks so you can compare expected assets with what actually responds.
Checks common ports such as web, SSH, FTP, SMTP, DNS, RDP, and alternate web ports where supported by your script build.
Reviews visible certificate details such as subject, SAN names, issuer, and expiration dates on TLS-enabled services.
When enabled, compares discoveries against CMDB or ServiceNow-style inventory data to highlight known and unknown assets.
A network scan report is only useful if people understand what to do with it. These explanations are written for administrators, operations teams, and managers who need clear risk context without exaggerated fear.
An unknown host may be a legitimate device, a forgotten test system, a printer, a VM, or something that was never added to inventory. It deserves review because unmanaged assets often miss patching, ownership, monitoring, and backup routines.
An open port is not automatically bad. It means a service is reachable. The important question is whether that service should be reachable on that network and whether the owning team knows about it.
Web titles, server headers, redirects, and response clues help identify admin panels, appliances, legacy portals, default pages, and services that may otherwise be hard to recognize from an IP address alone.
Expired or soon-expiring certificates can break services, confuse users, and create avoidable incidents. Certificate subjects and SAN names can also reveal what a host was intended to be.
If a device is reachable but not in CMDB, it may be outside normal change, patch, ownership, or lifecycle processes. This is often one of the most useful operational findings.
One scan gives a snapshot. Repeated scans show change: new devices, disappeared hosts, new exposed services, or certificates that are getting close to expiry.
Use this flow when you simply want to run a safe authorized inventory scan and produce the first HTML report.
Download the script and save it in a dedicated folder, for example C:\ScantideAuditor\. Keep reports in the same folder or in a separate report archive.
Administrator rights are not always required for basic TCP checks, but they reduce friction and help with local policy and network behavior on managed Windows systems.
If Windows blocks unsigned local scripts, use a temporary session-level policy instead of changing the whole machine permanently.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassStart with a small known subnet before scanning larger ranges. This makes it easier to verify output, timing, firewall noise, and report readability.
cd C:\ScantideAuditor
.\ScantideAuditor.ps1 -Network "192.168.1.0/24"The report is normally created with a timestamped filename such as NetworkScan_YYYYMMDD_HHMMSS.html. Review unknown hosts, open services, web evidence, certificates, and CMDB status first.
Exact parameters can vary between builds, but the current Scantide Auditor PowerShell family usually follows this model. Keep the manual aligned with the actual script header before publishing.
| Parameter | Purpose | Example |
|---|---|---|
-Network |
Scan one CIDR range. | -Network "10.24.48.0/24" |
-List |
Read multiple networks or hosts from a text file, one entry per line. | -List ".\networks.txt" |
-Email |
Identify the licensed user when API-backed or Pro features are enabled. | -Email "admin@example.com" |
-ApiKey |
Enable Scantide-backed enrichment or licensed features where supported. | -ApiKey "YOUR_KEY" |
| CMDB options | Some builds include ServiceNow or CMDB connection settings. Use these only with a read-only account where possible. | -ServiceNowInstance, -CmdbToken, or build-specific equivalents |
| Output options | Some builds allow custom output paths or report naming. If not, reports are created in the script directory. | -OutputPath "C:\Scans" if supported |
Best for normal recurring scans, troubleshooting, or checking a VLAN.
.\ScantideAuditor.ps1 -Network "10.24.48.0/24"Best for scheduled scanning across several known networks.
# networks.txt
10.24.48.0/24
10.24.49.0/24
10.24.50.0/24
.\ScantideAuditor.ps1 -List ".\networks.txt"The script uses a staged flow so the report can explain where each finding came from. The exact phases may vary by version, but the logic is generally the same.
The script expands the selected network or reads the list file. Large networks should be split into smaller ranges for cleaner output.
Reachability checks identify likely live hosts. Some networks block ping, so TCP results can still reveal active systems.
Common ports are checked with timeouts. This is evidence of reachable services, not proof that the service is unsafe.
Where web services respond, the script can collect titles, server hints, status codes, and redirect clues.
For TLS-enabled services, certificate data helps identify ownership, names, expiry, and obvious maintenance issues.
The final HTML report is designed for sorting, filtering, review, and sharing with asset owners.
The report is the main deliverable. It should help you move from a raw scan to an action list: verify unknown hosts, fix inventory gaps, renew certificates, and remove services that should not be reachable.
| Report field | What it means | How to use it |
|---|---|---|
| IP address / hostname | The discovered endpoint and any resolved DNS name. | Use it to identify the owner, location, and expected role. |
| Open port | A network service responded on that port. | Confirm whether that service should be reachable from the scanned network. |
| Web title / server | Visible web page title, response clues, or server header where available. | Useful for recognizing appliances, portals, default pages, and forgotten admin interfaces. |
| Certificate subject / SAN | Names and identity information presented by a TLS certificate. | Use it to spot expired certificates, wrong hostnames, old systems, or ownership clues. |
| CMDB status | Whether the host appears in the connected inventory source. | Prioritize hosts marked not found in CMDB for ownership and lifecycle review. |
| Scan duration / network | Summary metadata for when and where the report was created. | Important when comparing multiple reports or proving when a finding was observed. |
CMDB comparison is one of the most valuable parts of the Auditor workflow. It connects network reality with asset governance: what responds on the wire versus what the organization believes exists.
Systems that appear in CMDB are easier to route to an owner. The scan evidence can still reveal services or certificates that need maintenance.
These are often the most important rows. They may be legitimate but unmanaged, or they may be old lab systems, appliances, shadow IT, or stale infrastructure.
If the script connects to ServiceNow or another CMDB, use least-privilege read-only credentials and keep secrets outside shared screenshots and reports.
Use CVE and jurisdiction information as context for triage. It helps decide what to investigate first, but it does not replace verification by the system owner.
The script can collect clues such as open services, web titles, server headers, TLS certificate names and service banners. If those clues identify a product or version, they can be compared with known CVEs. Always confirm the real installed version and patch state before calling it a vulnerability.
For public-facing domains, cloud-hosted systems or services that depend on external providers, country, ASN, provider ownership and mail routing can matter. The purpose is to support governance and data-sovereignty review, not to label a provider or country as automatically good or bad.
Scantide Auditor PowerShell is intended for authorized internal visibility. It should be used on networks you own, administer, or have explicit permission to assess.
The best scan is not always the biggest scan. Smaller, predictable ranges usually produce cleaner reports and fewer operational surprises.
Use a /24 or smaller known range for the first run. Confirm that reports, sorting, and CMDB matching look right before expanding.
Break /16-style scopes into multiple /24 or /22 chunks. This is easier to schedule and easier to troubleshoot if one network behaves differently.
Shorter timeouts are faster but can miss slow services. Longer timeouts are more complete but increase total run time.
# Example: scan several smaller ranges instead of one huge scan
.\ScantideAuditor.ps1 -Network "10.24.48.0/24"
.\ScantideAuditor.ps1 -Network "10.24.49.0/24"
.\ScantideAuditor.ps1 -Network "10.24.50.0/24"Scheduled scans are useful when you want to detect change over time: new hosts, new exposed services, disappearing systems, or certificates getting close to expiry.
Create a small wrapper script and call it from Windows Task Scheduler.
$ScriptPath = "C:\ScantideAuditor\ScantideAuditor.ps1"
$Network = "10.24.48.0/24"
& $ScriptPath -Network $NetworkWeekly is often enough for normal internal visibility. Daily can be useful during cleanup projects, migrations, or CMDB remediation work.
Most problems fall into a few categories: execution policy, blocked traffic, DNS behavior, permissions, or services that do not speak standard HTTP/TLS even though a port is open.
Use a process-scoped execution policy for the current window.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassPing may be blocked or routed differently. Confirm that the scanner machine can reach the target network and that local firewall rules allow outbound checks.
That can be normal. RDP and NLA do not always behave like a standard HTTPS certificate check. Treat the open port as evidence, not a failed certificate scan.
Browse to the script folder and open the newest NetworkScan_*.html file manually. On servers, default browser behavior may be restricted.
Reduce scope first. If needed, adjust script timeout or parallelism settings only after confirming the network is stable and the target range is correct.
Check whether CMDB stores IPs, FQDNs, short hostnames, retired records, NAT addresses, or multiple interfaces differently than the scan sees them.
These habits make the reports more useful and easier to defend when shared with asset owners or management.
Record which networks were scanned, when the scan ran, who requested it, and which machine performed the scan.
Keep timestamped reports so you can compare trends and prove when a host or service first appeared.
Reports contain internal infrastructure details. Store them where only authorized teams can access them.
A finding without an owner often stays unresolved. Route unknown hosts and exposed services to the team responsible for the network or system.
After disabling a service, renewing a certificate, or adding a CMDB record, run the same scope again to verify the result.
An open port or missing CMDB record is a review signal. Use the evidence to drive verification, not blame.
Short answers for common questions from administrators and stakeholders.
No. It is positioned as an authorized internal visibility and evidence collection tool. It checks reachability, services, web clues, TLS certificates, and inventory gaps. It should only be used on networks where you have permission.
No. An open port means a service is reachable. The follow-up question is whether that service is expected, owned, patched, monitored, and appropriate for that network.
Because unmanaged assets are often the root of operational and security problems. If a device exists on the network but not in inventory, it may not be patched, monitored, backed up, or owned by the right team.
Technically, yes, depending on your build and environment. Practically, smaller chunks are better. They create clearer reports, reduce noise, and are easier to schedule safely.
Web titles are a simple way to identify what a service is. A title can reveal a printer admin page, firewall interface, old application, test portal, or forgotten default web server.
No. Treat reports as internal operational data. They can contain IP addresses, hostnames, software clues, certificate names, and service exposure details.
Save the script, run a small authorized network first, review the report, then expand into scheduled scans or CMDB comparison once the output is verified.
Scantide is split into focused tools so the right audience gets the right kind of evidence quickly. Use Observe for live website behavior, Online for public domain checks, Dashboard for monitoring, and Auditor when you need authorized internal network visibility.
For Chrome, Edge, Brave and Firefox. Shows trackers, cookies, scripts, security headers, forms, contacted hosts and browser-visible website risk while you browse.
Open Observe guideFor Android users who want to share a URL from a browser or app and understand website privacy, scripts, trackers, infrastructure and jurisdiction context on mobile.
Open Observe MobileFor quick public-domain checks. Reviews visible TLS, DNS, headers, redirects, services, provider and jurisdiction signals for a website or domain.
Run single scanFor teams that need recurring certificate and domain visibility, status views, uploaded domain lists, expiry warnings and evidence history.
Open dashboard loginFor Windows admins reviewing authorized internal networks. Finds reachable hosts, visible services, web responses, TLS clues and CMDB gaps in clear HTML reports.
Open PowerShell AuditorFor mobile field checks and quick local network visibility. Useful for Wi-Fi review, nearby network context and on-site authorized infrastructure checks.
Open Android Auditor