Continuous Port Monitoring for Your Attack Surface
Baseline diffing and service fingerprinting catch unauthorized ports the moment they open, not on your next manual audit.
Track Open Ports Across Your Infrastructure
Detect unauthorized services before attackers exploit them. Continuous scanning with baseline diffing and service identification.
| Host | Open Ports | Changes | Last Scan | Status |
|---|---|---|---|---|
| api.acme-corp.com | 22/ssh, 80/http, 443/https | No changes | 12 min ago | Stable |
| db.acme-corp.com | 5432/postgresql, 3306/mysql (NEW) | +1 new port | 8 min ago | Changed |
| staging.acme.io | 22/ssh, 443/https, 8080/http-alt | Service changed on 8080 | 25 min ago | Changed |
| mail.acme-corp.com | 25/smtp, 587/submission, 993/imaps | No changes | 15 min ago | Stable |
Severity-Classified Port Alerts
Port changes are classified by risk level so your team can prioritize response. Alerts integrate with your existing notification channels -- no separate configuration needed.
- High: PORT_NEW_OPEN. A previously closed port is now open on two consecutive scans
- Medium: PORT_NOW_CLOSED. A previously open port is now closed on two consecutive scans
- Medium: PORT_SERVICE_CHANGED. The service banner on an existing port has changed
New Open Port Detected
5 minutes ago
db.acme-corp.com -- port 3306/mysql is now open (confirmed on 2 consecutive scans).
Previous baseline: 5432/postgresql only | Severity: High
Catch Unauthorized Services Instantly
Continuous port scanning that detects changes in your attack surface as they happen.
Baseline + Diff Detection
The first scan establishes a port baseline for each host. Subsequent scans compare against it and alert you when new ports appear, existing ports close, or services change.
Two-Failure Threshold
A single transient scan result does not trigger an alert. Metric Tower requires two consecutive scans showing the same change before notifying you, cutting false positives dramatically.
Banner Grabbing
Identifies the service running on each open port with version detection. Know whether port 8080 is running Apache, nginx, or a custom application -- and get alerted when the service identity changes.
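The baseline, two-scan confirmation and banner comparison described above can be sketched as follows. This is an added illustration, not Metric Tower's code: `HostMonitor`, `ingest`, `replay` and the scan data are hypothetical, and folding a confirmed change into the baseline is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity per alert type, as listed on this page.
SEVERITY = {"PORT_NEW_OPEN": "High", "PORT_NOW_CLOSED": "Medium",
            "PORT_SERVICE_CHANGED": "Medium"}

@dataclass
class HostMonitor:  # hypothetical name, not a product API
    baseline: Optional[dict] = None              # port -> service banner
    pending: dict = field(default_factory=dict)  # changes seen on one scan only

    def ingest(self, scan: dict) -> list:
        """scan maps open port -> banner; returns alerts confirmed by this scan."""
        if self.baseline is None:                # first scan establishes the baseline
            self.baseline = dict(scan)
            return []
        candidates = {}
        for port, svc in scan.items():
            if port not in self.baseline:
                candidates[port] = ("PORT_NEW_OPEN", svc)
            elif svc != self.baseline[port]:
                candidates[port] = ("PORT_SERVICE_CHANGED", svc)
        for port in self.baseline.keys() - scan.keys():
            candidates[port] = ("PORT_NOW_CLOSED", None)
        alerts = []
        for port, (event, svc) in sorted(candidates.items()):
            if self.pending.get(port) != (event, svc):
                continue                         # first sighting: wait for next scan
            alerts.append((SEVERITY[event], event, port, svc))
            if event == "PORT_NOW_CLOSED":       # assumption: a confirmed change
                del self.baseline[port]          # becomes part of the new baseline
            else:
                self.baseline[port] = svc
        confirmed = {a[2] for a in alerts}
        # A change absent from this scan is dropped, so transients never alert.
        self.pending = {p: c for p, c in candidates.items() if p not in confirmed}
        return alerts

def replay(scans):
    mon = HostMonitor()
    return [mon.ingest(s) for s in scans]

# Constructed scan sequence modelled on the db.acme-corp.com row above.
SCANS = [
    {5432: "postgresql"},                                   # baseline
    {5432: "postgresql", 3306: "mysql"},                    # seen once, pending
    {5432: "postgresql", 3306: "mysql"},                    # confirmed
    {5432: "postgresql", 3306: "mysql", 8080: "http-alt"},  # transient
    {5432: "postgresql", 3306: "mysql"},                    # transient gone
]
```

Replaying `SCANS` yields a single High alert for 3306 on the third scan; the one-off appearance of 8080 never alerts because it is not seen on the following scan.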
Everything You Need for Port Security
Comprehensive port monitoring that covers discovery, change detection, and service identification.
New Port Alerts
When a port that was previously closed appears as open on two consecutive scans, Metric Tower fires a high-severity alert. Unauthorized services -- debug endpoints, forgotten test servers, attacker-installed backdoors -- are caught immediately.
Closed Port Detection
A port that was previously open and is now closed on two consecutive scans triggers a medium-severity alert. This helps you detect unexpected service outages, firewall rule changes, or decommissioned services that should have been formally removed.
Service Change Tracking
When the service banner on an existing port changes -- Apache replaced with nginx, or a version upgrade -- Metric Tower flags it as a medium-severity alert. Track every service change across your entire infrastructure with a full audit trail.
Configurable Scan Intervals
Set scan frequency per host based on risk level. Critical production servers can be scanned hourly, while development environments run daily. All checks are non-intrusive TCP connect scans that produce minimal network traffic.
Port Range Selection
Monitor the top 100 common ports for quick coverage or the full 65,535 port range for deep audits. Custom port lists let you focus on the exact services that matter to your infrastructure -- skip the noise, catch the risk.
Historical Port Timeline
Every scan result is recorded with full history. See exactly when a port opened, when it closed, and what service was running at each point in time. Essential for incident investigation and compliance audits.
Continuous Port Monitoring
Track open ports across your infrastructure with automatic baseline diffing, two-failure confirmation, and service banner identification. Get alerted to unauthorized services before attackers find them.