Penetration testers & red teams
Fast reconnaissance, service fingerprinting and exploit-aware triage to focus a pentest on the findings most likely to be weaponised.
ShadowSecurityScanner is a free, open-source penetration testing tool and network vulnerability scanner — a clean-room reimagining of the classic SSS. It fingerprints services and operating systems, runs thousands of catalogued security checks, and ranks every finding by real-world exploit probability (EPSS & CISA KEV), not just raw severity. A privacy-first, self-hosted alternative to Nessus and OpenVAS.
ShadowSecurityScanner is a free, open-source network vulnerability scanner and penetration testing tool for security engineers, system administrators, red teams and DevSecOps pipelines. It combines automated port scanning, service and operating-system fingerprinting, and thousands of active network and web-application security checks into a single native desktop application for Windows, macOS and Linux.
Unlike cloud-based scanners, ShadowSecurityScanner runs entirely on your own machine: there is no cloud, no agents and no telemetry, so sensitive scan data never leaves your environment. What sets it apart is exploit-aware prioritisation. Every finding is scored with FIRST.org EPSS (the estimated probability that a CVE will see exploitation activity in the wild within the next 30 days) and flagged against the CISA Known Exploited Vulnerabilities (KEV) catalog, so you fix what attackers actually exploit first instead of working down a flat list of CVEs ordered by raw CVSS score.
Run regular authorized vulnerability scans of your own network, track remediation with scan diffing, and prove progress with PDF reports.
Export SARIF for GitHub code scanning and machine-readable XML/CSV to wire vulnerability results straight into your pipeline.
How ShadowSecurityScanner compares to common network vulnerability scanners.
| Capability | ShadowSecurityScanner | Nessus (Essentials) | OpenVAS / GVM |
|---|---|---|---|
| License | Open source (MIT) | Proprietary | Open source (GPL) |
| Price | Free | Free tier (16 IPs) / paid | Free |
| Deployment | Single desktop binary | Local service + web UI | Server stack |
| Cloud / telemetry | None — fully self-hosted | Account & activation | Self-hosted |
| EPSS exploit scoring | Built in | Partial | No |
| CISA KEV flagging | Built in | Partial | No |
| Scan diffing | New / regressed / resolved | Limited | Limited |
| SARIF export | Yes | No | No |
| Platforms | Windows · macOS · Linux | Windows · macOS · Linux | Linux |
Read the full ShadowSecurityScanner vs Nessus vs OpenVAS comparison →
Comparison reflects publicly documented features at the time of writing and is provided for orientation only; verify current capabilities with each vendor. Product names are trademarks of their respective owners.
A complete scanning workflow in one app — discovery, detection, prioritisation and reporting.
Heuristic identification across HTTP, DNS, SMB, LDAP, SSH, mail and more, including unauthenticated Windows version detection: the NTLMSSP CHALLENGE message a Windows host returns during SMB2 session setup carries the OS major/minor version and build number plus the NetBIOS and DNS host names, and it is sent before any credential is presented.
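How that SMB2/NTLM trick works, shown as an added example that is not the scanner's own code. The CHALLENGE_MESSAGE a Windows host returns during SMB2 SESSION_SETUP carries an 8-byte Version field (major, minor, build) and a TargetInfo list of AV_PAIRs holding the NetBIOS and DNS names, none of which requires a valid login. The Go below builds a constructed challenge shaped like one a domain controller would return and then parses it with the bounds checks a scanner needs, because every offset and length in the message is chosen by an untrusted peer. Field layout and flag values follow MS-NLMP; the message is a fixture rather than a capture, and the SMB2 transport that delivers the blob is assumed to exist outside this snippet.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

const (
	ntlmSignature, ntlmChallengeType                                            = "NTLMSSP\x00", 2
	flagNegotiateUnicode, flagNegotiateTargetInfo, flagNegotiateVersion         = 0x00000001, 0x00800000, 0x02000000
	avEOL, avNbComputerName, avNbDomainName, avDNSComputerName, avDNSDomainName = 0, 1, 2, 3, 4
)

// ChallengeInfo is what a scanner learns before sending any credential.
type ChallengeInfo struct {
	Major, Minor                                 uint8
	Build                                        uint16
	NbComputer, NbDomain, DNSComputer, DNSDomain string
}

func toUTF16LE(s string) (b []byte) {
	for _, c := range utf16.Encode([]rune(s)) {
		b = binary.LittleEndian.AppendUint16(b, c)
	}
	return b
}

func fromUTF16LE(b []byte) string {
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u))
}

// BuildChallenge assembles a CHALLENGE_MESSAGE shaped like the one a Windows SMB2 server
// returns in its SESSION_SETUP response (constructed fixture, not a captured packet).
func BuildChallenge(major, minor uint8, build uint16, nbName, nbDomain, dnsName, dnsDomain string) []byte {
	var info []byte // TargetInfo payload: a list of AV_PAIRs {AvId, AvLen, Value}
	for id, s := range map[uint16]string{avNbDomainName: nbDomain, avNbComputerName: nbName, avDNSDomainName: dnsDomain, avDNSComputerName: dnsName} {
		v := toUTF16LE(s)
		info = append(binary.LittleEndian.AppendUint16(binary.LittleEndian.AppendUint16(info, id), uint16(len(v))), v...)
	}
	info = append(info, 0, 0, 0, 0) // MsvAvEOL terminator
	hdr := make([]byte, 56)         // fixed part, including the 8-byte Version field
	copy(hdr, ntlmSignature)
	binary.LittleEndian.PutUint32(hdr[8:], ntlmChallengeType)
	binary.LittleEndian.PutUint32(hdr[16:], 56) // TargetNameBufferOffset (TargetName left empty here)
	binary.LittleEndian.PutUint32(hdr[20:], flagNegotiateUnicode|flagNegotiateTargetInfo|flagNegotiateVersion)
	copy(hdr[24:32], "\x01\x02\x03\x04\x05\x06\x07\x08") // ServerChallenge, arbitrary here
	binary.LittleEndian.PutUint16(hdr[40:], uint16(len(info)))
	binary.LittleEndian.PutUint16(hdr[42:], uint16(len(info)))
	binary.LittleEndian.PutUint32(hdr[44:], 56) // TargetInfoBufferOffset
	hdr[48], hdr[49] = major, minor                // ProductMajorVersion, ProductMinorVersion
	binary.LittleEndian.PutUint16(hdr[50:], build) // ProductBuild
	hdr[55] = 0x0F                                 // NTLMRevisionCurrent
	return append(hdr, info...)
}

// ParseChallenge extracts the OS version and host names. Every offset and length
// comes from the peer, so each one is bounds-checked before it is used.
func ParseChallenge(msg []byte) (*ChallengeInfo, error) {
	if len(msg) < 48 || string(msg[:8]) != ntlmSignature || binary.LittleEndian.Uint32(msg[8:]) != ntlmChallengeType {
		return nil, errors.New("not an NTLM CHALLENGE_MESSAGE")
	}
	flags, ci := binary.LittleEndian.Uint32(msg[20:]), &ChallengeInfo{}
	if flags&flagNegotiateVersion != 0 { // the Version field is present only with this flag
		if len(msg) < 56 {
			return nil, errors.New("NEGOTIATE_VERSION set but Version field truncated")
		}
		ci.Major, ci.Minor, ci.Build = msg[48], msg[49], binary.LittleEndian.Uint16(msg[50:])
	}
	if flags&flagNegotiateTargetInfo == 0 {
		return ci, nil
	}
	tiLen, tiOff := int(binary.LittleEndian.Uint16(msg[40:])), int(binary.LittleEndian.Uint32(msg[44:]))
	if tiOff < 0 || tiOff > len(msg) || tiLen > len(msg)-tiOff {
		return nil, errors.New("TargetInfo lies outside the message")
	}
	dst := map[uint16]*string{avNbComputerName: &ci.NbComputer, avNbDomainName: &ci.NbDomain, avDNSComputerName: &ci.DNSComputer, avDNSDomainName: &ci.DNSDomain}
	for ti := msg[tiOff : tiOff+tiLen]; len(ti) >= 4; {
		id, n := binary.LittleEndian.Uint16(ti), int(binary.LittleEndian.Uint16(ti[2:]))
		if id == avEOL {
			break
		}
		if n > len(ti)-4 {
			return nil, errors.New("AV_PAIR overruns TargetInfo")
		}
		if p := dst[id]; p != nil {
			*p = fromUTF16LE(ti[4 : 4+n])
		}
		ti = ti[4+n:]
	}
	return ci, nil
}

func main() {
	fmt.Println(ParseChallenge(BuildChallenge(10, 0, 17763, "DC01", "CORP", "dc01.corp.example", "corp.example")))
}
```

The three error paths are the point: a server under an attacker's control can hand back a TargetInfo offset past the end of the blob or an AV_PAIR whose length overruns it, and a fingerprinter that trusts those values crashes before it ever reports a version.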
Every finding carries its EPSS exploit probability and a CISA KEV "known-exploited" flag, so you fix what attackers actually use first.
Thousands of CGI / web-app checks (legacy SSS + Nuclei templates), de-duplicated by path, with soft-404 calibration: the scanner first requests paths that cannot exist to learn how the target answers missing resources, so servers that return 200 for everything do not flood the report with false positives.
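Soft-404 calibration in miniature, as an added example that is not taken from the scanner: before trusting a 200 for any probed path, fetch a few random paths that cannot exist, record their status and a normalised body fingerprint, and count a check as a hit only when its answer differs from that baseline. The target below is a constructed fake; the 5 % length tolerance and the normalisation rules (strip the echoed path, collapse digits and whitespace) are the example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

type Response struct {
	Status int
	Body   string
}

// Baseline records how the target answers paths that certainly do not exist.
type Baseline struct {
	SoftNotFound bool   // missing paths do not come back as 404
	Status       int    // status code used for missing paths
	Shape        string // hash of the normalised body, "" when bodies vary per path
	Length       int    // normalised body length, the fallback when Shape is ""
}

var numbers = regexp.MustCompile(`\d+`)

// normalise strips what legitimately differs between two "not found" pages: the echoed path, numbers and layout.
func normalise(body, path string) string {
	b := numbers.ReplaceAllString(strings.ReplaceAll(body, path, ""), "#")
	return strings.ToLower(strings.Join(strings.Fields(b), " "))
}

func shape(body, path string) (hash string, length int) {
	n := normalise(body, path)
	sum := sha256.Sum256([]byte(n))
	return hex.EncodeToString(sum[:8]), len(n)
}

func randomPath() string {
	b := make([]byte, 8)
	rand.Read(b)
	return "/" + hex.EncodeToString(b) + ".html"
}

// Calibrate probes random paths: an honest server answers 404, a soft-404 server answers something else whose shape becomes the baseline.
func Calibrate(fetch func(path string) Response, probes int) Baseline {
	var base Baseline
	for i := 0; i < probes; i++ {
		p := randomPath()
		r := fetch(p)
		h, l := shape(r.Body, p)
		if i == 0 {
			base = Baseline{SoftNotFound: r.Status != 404, Status: r.Status, Shape: h, Length: l}
			continue
		}
		if r.Status != base.Status { // inconsistent target: stay conservative
			base.SoftNotFound = true
		}
		if h != base.Shape { // bodies differ per path: fall back to length comparison
			base.Shape = ""
		}
	}
	return base
}

// Matches reports whether a response looks like the target's own "not found" page.
func (b Baseline) Matches(r Response, path string) bool {
	if r.Status != b.Status {
		return false
	}
	h, l := shape(r.Body, path)
	if b.Shape != "" {
		return h == b.Shape
	}
	return 20*(l-b.Length) <= b.Length && 20*(b.Length-l) <= b.Length // within 5 % of baseline length
}

// IsHit decides whether the answer to a checked path is a finding or the soft-404 page wearing a 200.
func IsHit(b Baseline, r Response, path string) bool {
	if r.Status == 404 || r.Status >= 500 {
		return false
	}
	if !b.SoftNotFound {
		return r.Status < 400 // honest server: any success is real
	}
	return !b.Matches(r, path)
}

// fakeCMS is a constructed target that answers every unknown path with HTTP 200 and a branded error page.
func fakeCMS(path string) Response {
	if path == "/phpinfo.php" {
		return Response{200, "<title>phpinfo()</title><h1>PHP Version 8.1.2</h1>"}
	}
	return Response{200, "<h1>Oops!</h1><p>We could not find " + path + " (ref 4711).</p>"}
}

func main() {
	base := Calibrate(fakeCMS, 3)
	fmt.Println(base.SoftNotFound, IsHit(base, fakeCMS("/cgi-bin/test-cgi"), "/cgi-bin/test-cgi"), IsHit(base, fakeCMS("/phpinfo.php"), "/phpinfo.php"))
}
```

Calibration is per target, not per scan: a virtual host, a reverse proxy and the application behind it can each have their own "not found" page, so re-calibrate whenever the Host header or base path changes.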
Compare a scan to the prior state of its targets: what's new, what regressed after being fixed, and what's been resolved.
A browsable knowledge base of CVEs and checks — CISA KEV, Nuclei and curated advisories — refreshed daily with signed updates and NVD/EPSS enrichment.
A single self-contained binary with its own window. No cloud, no agents, no database server — your data stays on your machine.
The original SSS made its name auditing services that other scanners only probed for an open port. That breadth lives on: each service has dedicated detection and version-aware checks.
Cross-platform by design: targets running Windows, Linux, the BSDs, Solaris and network appliances are all in scope — the scanner runs natively on Windows, macOS and Linux.
A CVSS 9.8 that nobody exploits can wait; a CVSS 7 that's actively exploited can't. ShadowSecurityScanner folds FIRST.org EPSS (30-day exploit probability) and the CISA Known Exploited Vulnerabilities list onto every finding.
Re-scan and instantly see your remediation progress — and catch regressions where a previously fixed issue has come back.
Export polished reports for stakeholders or machine-readable results for your pipeline.
ShadowSecurityScanner follows an open-core model: it's free to use, and parts of it are released as standalone open-source libraries you can read, audit and reuse.
The exploit-aware prioritisation engine as a Go library & CLI: fetch FIRST.org EPSS scores and CISA KEV status for any list of CVEs and sort them KEV → EPSS → CVSS. Read the code on GitHub →
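The ranking rule described above, reimplemented as an added example; this is not the library's own API. The FIRST EPSS API returns scores as decimal strings in a `data` array, CISA's KEV catalog lists entries under `vulnerabilities` keyed by `cveID`, and the sort is KEV first, then EPSS, then CVSS. The feed excerpts are synthetic fixtures shaped like the real responses (CVE ids with year 0000 cannot exist, and the scores are made up).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// epssResponse mirrors the FIRST EPSS API (api.first.org/data/v1/epss); scores are decimal strings.
type epssResponse struct {
	Data []struct {
		CVE  string `json:"cve"`
		EPSS string `json:"epss"`
	} `json:"data"`
}

// kevCatalog mirrors CISA's known_exploited_vulnerabilities.json.
type kevCatalog struct {
	Vulnerabilities []struct {
		CVEID     string `json:"cveID"`
		DateAdded string `json:"dateAdded"`
	} `json:"vulnerabilities"`
}

type Finding struct {
	CVE  string
	CVSS float64
	EPSS float64
	KEV  bool
}

// Enrich joins findings with both feeds; a CVE absent from the EPSS feed keeps EPSS 0.
func Enrich(findings []Finding, epssJSON, kevJSON []byte) ([]Finding, error) {
	var e epssResponse
	var k kevCatalog
	if err := json.Unmarshal(epssJSON, &e); err != nil {
		return nil, fmt.Errorf("EPSS feed: %w", err)
	}
	if err := json.Unmarshal(kevJSON, &k); err != nil {
		return nil, fmt.Errorf("KEV feed: %w", err)
	}
	epss := map[string]float64{}
	for _, d := range e.Data {
		v, err := strconv.ParseFloat(d.EPSS, 64)
		if err != nil {
			return nil, fmt.Errorf("bad EPSS score for %s: %w", d.CVE, err)
		}
		epss[d.CVE] = v
	}
	kev := map[string]bool{}
	for _, v := range k.Vulnerabilities {
		kev[v.CVEID] = true
	}
	out := make([]Finding, len(findings))
	for i, f := range findings {
		f.EPSS, f.KEV = epss[f.CVE], kev[f.CVE]
		out[i] = f
	}
	return out, nil
}

// Prioritise orders KEV first, then EPSS, then CVSS, with the CVE id as a stable tie-break.
func Prioritise(fs []Finding) []Finding {
	out := append([]Finding(nil), fs...)
	sort.SliceStable(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.KEV != b.KEV {
			return a.KEV
		}
		if a.EPSS != b.EPSS {
			return a.EPSS > b.EPSS
		}
		if a.CVSS != b.CVSS {
			return a.CVSS > b.CVSS
		}
		return a.CVE < b.CVE
	})
	return out
}

// Synthetic fixtures shaped like the two feeds: year-0000 CVE ids cannot exist and the scores are invented.
var sampleEPSS = []byte(`{"status":"OK","data":[{"cve":"CVE-0000-0001","epss":"0.00412"},
 {"cve":"CVE-0000-0002","epss":"0.94370"},{"cve":"CVE-0000-0003","epss":"0.61200"}]}`)
var sampleKEV = []byte(`{"title":"Known Exploited Vulnerabilities Catalog","vulnerabilities":[
 {"cveID":"CVE-0000-0002","dateAdded":"2024-01-10"},{"cveID":"CVE-0000-0004","dateAdded":"2023-06-02"}]}`)
var sampleFindings = []Finding{
	{CVE: "CVE-0000-0001", CVSS: 9.8}, // critical on paper, almost never exploited
	{CVE: "CVE-0000-0002", CVSS: 7.5}, // in KEV with a high EPSS: fix first
	{CVE: "CVE-0000-0003", CVSS: 8.8}, // not in KEV, moderately likely to be exploited
	{CVE: "CVE-0000-0004", CVSS: 6.5}, // in KEV but with no EPSS record yet
}

func main() {
	fs, err := Enrich(sampleFindings, sampleEPSS, sampleKEV)
	fmt.Println(Prioritise(fs), err)
}
```

With these fixtures the CVSS 9.8 finding lands last and the CVSS 7.5 KEV entry lands first, which is exactly the inversion the page argues for; note that a KEV entry with no EPSS record still outranks every non-KEV finding.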
Convert vulnerability findings into SARIF 2.1.0 for GitHub code scanning — per-CVE rules, NVD links and CVSS-based security-severity. Read the code on GitHub →
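What such an export looks like, written here as an added example rather than the exporter's own code: one SARIF rule per distinct CVE (the same CVE on several hosts shares a rule), an NVD `helpUri`, and the CVSS score as the `security-severity` property that GitHub uses to bucket alerts into Critical/High/Medium/Low. Encoding a network target as the artifact URI `host/port` is this example's assumption: code scanning requires a location on every result, and a scanner of hosts rather than files has to pick one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Finding is a scanner result to export; Host and Port identify the network target.
type Finding struct {
	CVE, Title, Host string
	Port             int
	CVSS             float64
}

// The subset of SARIF 2.1.0 that GitHub code scanning reads.
type sarifLog struct {
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct {
	Driver sarifDriver `json:"driver"`
}
type sarifDriver struct {
	Name  string      `json:"name"`
	Rules []sarifRule `json:"rules"`
}
type sarifRule struct {
	ID               string            `json:"id"`
	ShortDescription map[string]string `json:"shortDescription"`
	HelpURI          string            `json:"helpUri"`
	Properties       map[string]string `json:"properties"`
}
type sarifResult struct {
	RuleID    string            `json:"ruleId"`
	Level     string            `json:"level"`
	Message   map[string]string `json:"message"`
	Locations []sarifLocation   `json:"locations"`
}
type sarifLocation struct {
	PhysicalLocation struct {
		ArtifactLocation struct {
			URI string `json:"uri"`
		} `json:"artifactLocation"`
	} `json:"physicalLocation"`
}

// level gives SARIF's coarse level; GitHub's Critical/High/Medium/Low comes from security-severity.
func level(cvss float64) string {
	switch {
	case cvss >= 7.0:
		return "error"
	case cvss >= 4.0:
		return "warning"
	}
	return "note"
}

// ToSARIF emits one rule per distinct CVE and one result per finding.
// Assumption: a network target becomes the artifact URI "host/port".
func ToSARIF(tool string, findings []Finding) ([]byte, error) {
	driver := sarifDriver{Name: tool, Rules: []sarifRule{}}
	results := []sarifResult{}
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.CVE] {
			seen[f.CVE] = true
			driver.Rules = append(driver.Rules, sarifRule{
				ID:               f.CVE,
				ShortDescription: map[string]string{"text": f.Title},
				HelpURI:          "https://nvd.nist.gov/vuln/detail/" + f.CVE,
				Properties:       map[string]string{"security-severity": strconv.FormatFloat(f.CVSS, 'f', 1, 64)},
			})
		}
		var loc sarifLocation
		loc.PhysicalLocation.ArtifactLocation.URI = fmt.Sprintf("%s/%d", f.Host, f.Port)
		results = append(results, sarifResult{
			RuleID:    f.CVE,
			Level:     level(f.CVSS),
			Message:   map[string]string{"text": fmt.Sprintf("%s: %s on %s:%d", f.CVE, f.Title, f.Host, f.Port)},
			Locations: []sarifLocation{loc},
		})
	}
	doc := sarifLog{Version: "2.1.0", Runs: []sarifRun{{Tool: sarifTool{Driver: driver}, Results: results}}}
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed sample findings (synthetic year-0000 CVE ids, not real advisories).
	out, err := ToSARIF("ShadowSecurityScanner", []Finding{
		{CVE: "CVE-0000-0001", Title: "Outdated web server", Host: "10.0.0.5", Port: 80, CVSS: 9.8},
		{CVE: "CVE-0000-0001", Title: "Outdated web server", Host: "10.0.0.6", Port: 8080, CVSS: 9.8},
		{CVE: "CVE-0000-0002", Title: "Anonymous LDAP bind", Host: "10.0.0.9", Port: 389, CVSS: 5.3},
	})
	fmt.Println(string(out), err)
}
```

The rule/result split matters for triage in GitHub: code scanning keys alerts on `ruleId` plus location, so a CVE fixed on one host and still open on another shows up as two alerts under one rule rather than as two unrelated rules.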
The desktop app is free to use, and these MIT-licensed components are open source. Issues, ideas and pull requests are welcome — explore the repo on GitHub →
Fast, keyboard-driven, dark by default — built for analysts who live in the tool.
Shadow Security Scanner began life in the early 2000s at Safety-Lab as a Windows-native vulnerability assessment scanner. It earned a reputation as one of the fastest scanners of its era — built around a proprietary "intellectual core", with a catalog of 5,000+ audits and the rare ability to actually audit proxy and LDAP servers rather than just check whether a port was open.
ShadowSecurityScanner is its clean-room successor: the same mission, rebuilt from scratch in Go and React as a cross-platform, open-source desktop app. The legacy audit corpus carries forward — its checks were re-derived into today's catalog and enriched with modern signals like EPSS and CISA KEV.
The original Shadow Security Scanner was used by security teams at
A selection from the original product's published client list — shown to credit the tool's lineage, not as an endorsement of this open-source successor.
Native desktop app for every platform — each a single, self-contained download, no installer required.
Windows: runs in its own window via WebView2. The full experience. Download for Windows (x64).
macOS: a .dmg installer. Open it and drag the app to Applications.
Linux: native window via WebKitGTK; requires libwebkit2gtk-4.1 and libgtk-3. Download for Linux (x64), then chmod +x and run.
All builds are published on the GitHub Releases page. Building from source? Run scripts/build-desktop.sh windows amd64 and see the repository README.
ShadowSecurityScanner is a free, open-source (MIT-licensed) penetration testing and network vulnerability scanning tool. It performs port scanning, service and OS fingerprinting, and thousands of active web and network checks, then ranks findings by real-world exploit probability using EPSS and the CISA KEV catalog. It runs as a native desktop app on Windows, macOS and Linux with no cloud and no telemetry.
Yes. It's a free, open-source, self-hosted alternative to commercial scanners like Nessus and to OpenVAS. It's a single self-contained desktop binary with no server to deploy, keeps all data on your machine, and adds exploit-aware EPSS/KEV prioritisation plus scan diffing and SARIF/PDF reporting. See the comparison table.
Download the single binary for Windows, macOS or Linux, launch it, add the targets you are authorized to test, choose a scan profile, and start. The app discovers services, fingerprints them, runs catalogued checks, then presents findings ranked by EPSS exploit probability and CISA KEV status — with one-click export to PDF, HTML, SARIF, XML or CSV.
ShadowSecurityScanner is for authorized security testing only — scan systems you own or are explicitly permitted to assess. Denial-of-service tests are intentionally excluded.
Entirely on your machine. The app stores its database in your user profile (e.g. %AppData%\ShadowSecurityScanner). There is no telemetry and no cloud component.
EPSS (FIRST.org) is the probability a CVE will be exploited in the next 30 days. KEV (CISA) is the catalog of vulnerabilities known to be actively exploited. Together they turn a flat list of findings into a real priority order.
Yes. The audit catalog refreshes from a signed update feed (CISA KEV daily, plus Nuclei and curated advisories), optionally enriched with CVSS/CWE from NVD and EPSS scores.
ShadowSecurityScanner follows an open-core model. The app is free to use, and core components are released as MIT-licensed open source in the public GitHub repository — such as the EPSS/KEV prioritisation engine and the SARIF exporter, which you can read, audit and reuse. See the open-source components section.
We'd love to hear how you're using ShadowSecurityScanner. Reach out — we usually reply within a day.