Network Discovery

Network discovery focuses on identifying alive (or responsive) IP addresses within your network.

It works by identifying responsive hosts and open ports across every IP address within your network(s) and cataloging any that respond.

Networks

A network is a range of consecutive IP addresses. This can also be known as a netblock, or subnet. When you add networks to your account, we'll monitor them for alive IPs and open ports.

A network can be represented in CIDR notation like 0.0.0.0/24, or as a range of IP addresses like 0.0.0.0-10. Currently, we only support IPv4 addresses.

Adding a network

If your organization has dedicated IP addresses, you can easily add that range to your Halo Security dashboard by going to Discovery -> Networks -> Add.

You can enter the network in one

You can also use network discovery to monitor open ports on a single IP address, although we recommend using the firewall monitoring service for that use case.

Configuring network discovery

Once you've added a network for discovery, you have several options for configuration. To edit the settings on a network, visit Discovery --> Network and click on the cog icon in the network row.

You can configure the following settings:

  • Name: How the network will be displayed within the Halo Security dashboard. Defaults to the network range entered.

  • Scan Frequency: How often the network discovery will occur. Defaults to weekly.

  • Scan Time: The hour in UTC you'd like the scan to occur. Defaults to Random.

  • Next Scan: When the next scan should be performed. Defaults to None.

  • Ping: Whether the scanner should test if hosts are alive by sending an ICMP echo request. Defaults to Yes.

  • UDP Scan: Whether UDP port scanning should be performed. Defaults to Yes.

  • Network Additional UDP Ports: Comma-separated list of UDP ports. Defaults to None.

Depending on your settings and the size of the network, the scan may take some time to avoid overwhelming your servers. If we estimate the scan will take over 24 hours to complete, we'll warn you on the settings page.

Deleting a network

To remove a network from network discovery, visit Discovery --> Network and click on the cog icon in the network row. Then click Delete Network and confirm you'd like to delete the network.

Deleting a network will delete all historical data for that network. You can always add your network back, but historical data cannot be recovered.

Alive IPs

During the discovery process, we detect and report on Alive IPs. An IP address is considered alive if it has any open ports. Because our scans are all external and non-authenticated, new alive IP addresses represent an additional asset coming online and being accessible from the internet. If this is intentional, the IP address can easily be added as a target within Halo Security for monitoring.

If this is unexpected, the asset may represent a nefarious actor within your environment or an oversight and should be addressed promptly.

On Discovery --> Network, you can see the number of Alive IPs that were detected during the last discovery and the percentage of the total IP addresses within the network that were alive. You can click the value to see a filtered list of alive IP addresses on that network and the corresponding targets within your account.
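
The network notations and the alive-IP rule described above can be reproduced offline to cross-check a scan export against your target inventory. The following Python is an added example, not Halo Security code: it assumes the short range form replaces the last octet, that open ports arrive as (ip, protocol, port) tuples, and that every address in the range counts toward the percentage; all sample addresses are constructed.

```python
import ipaddress

def parse_network(spec):
    """Return (first, last) IPv4Address for 'a.b.c.d/nn', 'a.b.c.d-N' or one IP."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        if net.version != 4:
            raise ValueError("only IPv4 networks are supported")
        return net[0], net[-1]
    start_text, sep, end_text = spec.partition("-")
    start = ipaddress.IPv4Address(start_text)
    if not sep:
        return start, start
    # Assumption: a bare number after '-' replaces the last octet (0.0.0.0-10).
    if "." not in end_text:
        end_text = start_text.rsplit(".", 1)[0] + "." + end_text
    end = ipaddress.IPv4Address(end_text)
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end

def summarize(spec, open_ports, known_targets):
    """Alive IPs (any open port), alive percentage, and alive IPs with no target."""
    first, last = parse_network(spec)
    total = int(last) - int(first) + 1  # every address in the range is counted
    ports_by_ip = {}
    for ip_text, proto, port in open_ports:
        ip = ipaddress.IPv4Address(ip_text)
        if first <= ip <= last:  # ignore findings outside this network
            ports_by_ip.setdefault(ip, set()).add((proto, port))
    alive = sorted(ports_by_ip)
    known = {ipaddress.IPv4Address(t) for t in known_targets}
    return {
        "total_ips": total,
        "alive": [str(ip) for ip in alive],
        "alive_percent": round(100 * len(alive) / total, 2),
        "unmonitored": [str(ip) for ip in alive if ip not in known],
    }

# Constructed sample data (documentation address ranges, not real scan output).
SAMPLE_PORTS = [
    ("192.0.2.3", "tcp", 443), ("192.0.2.3", "tcp", 22),
    ("192.0.2.9", "udp", 161), ("198.51.100.7", "tcp", 80),
]
SAMPLE_TARGETS = ["192.0.2.3"]

if __name__ == "__main__":
    print(summarize("192.0.2.0/28", SAMPLE_PORTS, SAMPLE_TARGETS))
```

Addresses listed under "unmonitored" are alive but have no matching target, which is the case the section above says should be reviewed.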

Open Ports

Ports that have been identified as being open during the scanning process will be listed along with the protocol and IP address.

Pages

  • Overview: Networks and their risk score by domain and target, as well as number of open ports and alive IPs.

  • Summary: Ports that were identified during scanning and number of occurrences.

  • IPs: IP addresses that were discovered, their number of open ports, and reverse DNS lookup of hostname.

  • Ports: List of open ports per network target.
