Every public IP address on the internet gets scanned by automated bots multiple times per hour. Port scanners, credential stuffers, vulnerability scrapers. They do not care if it is a corporate data center or your home router. If a port is open and a service is running, it gets probed.

Most people have no idea what their home network exposes to the internet. This guide shows you how to find out.

What Does “Scanning” Actually Mean?

When you scan a network, you are checking your public IP for things that should not be there. Open ports running services you forgot about. Software with known security holes. Devices still using factory passwords. Encryption that was considered secure five years ago but is not anymore.

Think of it like checking every door and window on a house. Some are supposed to be open. Some you forgot you left unlocked. And some have locks so old that anyone with a bump key can get through.

The DIY Route: Nmap

Nmap is the standard. It has been around since 1997, it is free, and it runs on everything.

Install it (brew install nmap on macOS, apt install nmap on Linux, or grab the installer from nmap.org for Windows), then find your public IP:

curl ifconfig.me

Run a basic scan:

nmap -sV -sC your.public.ip

This checks the top 1000 TCP ports, identifies what software is running on each one, and runs default detection scripts. Takes about two minutes. For a full scan of all 65535 ports, add -p- and go make coffee. It will take 30 to 60 minutes.

The output looks something like this:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1
80/tcp   open  http     nginx 1.18.0
443/tcp  open  ssl/http nginx 1.18.0
8080/tcp open  http     Apache httpd 2.4.49

If you know what you are looking at, this is gold. Port 22 with password auth means someone is brute-forcing your SSH right now. Apache 2.4.49 has a known path traversal vulnerability (CVE-2021-41773). Port 8080 probably should not be exposed at all.

If you do not know what you are looking at, you now have a list of open ports and no idea what to do about it. That is the gap nmap does not fill.
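A first pass at closing that gap for the sample output above, as an added example that is not part of the original article: a small shell function that reads the nmap port table and flags the three things the previous paragraph points out. The tag names and advice strings are made up for this illustration, and nmap's version column cannot show whether SSH accepts passwords, so that finding is a prompt to check.

```shell
# Added example, not from the original page: triage the port table from
# `nmap -sV` output using the three observations the article makes.

# Constructed sample: the port table shown in the article.
SAMPLE_SCAN='PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1
80/tcp   open  http     nginx 1.18.0
443/tcp  open  ssl/http nginx 1.18.0
8080/tcp open  http     Apache httpd 2.4.49'

# triage_scan: read an nmap port table on stdin and print one finding per
# line as "<port> <TAG> <advice>". Only rows in state "open" are considered.
triage_scan() {
  awk '
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      port = $1; service = $3
      # Rebuild the free-text VERSION column (fields 4..NF).
      version = ""
      for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i

      if (service == "ssh")
        print port, "SSH-EXPOSED", "confirm password auth is disabled (keys only)"
      if (version ~ /^Apache httpd 2\.4\.49( |$)/)
        print port, "CVE-2021-41773", "Apache 2.4.49 path traversal: upgrade"
      if (port == "8080/tcp")
        print port, "REVIEW-EXPOSURE", "alternate HTTP port: close unless needed"
      seen++
    }
    END { if (!seen) print "-", "NO-OPEN-PORTS", "nothing answered on scanned ports" }
  '
}

printf '%s\n' "$SAMPLE_SCAN" | triage_scan
```

With a real scan, pipe the saved output in instead of the sample: `triage_scan < scan.txt`.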

The Passive Route: Shodan

Shodan crawls the entire internet continuously and indexes what it finds. You can search your IP on shodan.io and see what their crawlers picked up. No scanning required on your end.

The catch is that you are looking at cached data. Shodan might have scanned your IP yesterday, or last week. You also get raw banners and port data without interpretation. It is a search engine, not a doctor. It tells you the symptoms but not the diagnosis.

Useful for a quick check. Not sufficient for a real assessment.

The Hands-Off Route: Endolum Sentinel

We built Sentinel to bridge the gap between “run nmap and interpret the output yourself” and “pay Nessus ten thousand dollars a year.”

You enter your email, confirm it is your network, and wait. Sentinel scans all 65535 TCP ports and the top 1000 UDP ports, fingerprints services, matches them against CVE databases, tests common default credentials (stops at the first match, does not try to break in), checks your TLS configuration, and looks for misconfigurations. The results go through an AI that writes a report in plain language with severity ratings and specific instructions for fixing each issue.

The report lands in your inbox in 30 to 60 minutes. No account needed. No credit card. Scan data is deleted after 24 hours.


What You Will Probably Find

After running thousands of home network scans, a pattern emerged. The same five things show up over and over.

Router admin panel on the public internet. ISP routers love exposing their web interface to the world. If the admin password is still “admin” or “password” or printed on a sticker on the bottom of the device, anyone on the internet can log in, change your DNS, and redirect your traffic through their server. Log into your router and turn off remote management. Today.

SSH with password authentication. If you run a home server, NAS, or Raspberry Pi, there is a good chance SSH is open on port 22 with password auth enabled. This is being brute-forced right now. Not hypothetically. Right now. Switch to key-based authentication and disable passwords. Consider fail2ban or just moving SSH to a non-standard port.

UPnP automatically opening ports. Universal Plug and Play lets devices on your network ask the router to open ports without your permission. Game consoles, smart TVs, and IoT devices use it for convenience. Malware uses it to expose internal services to the internet. Disable UPnP in your router settings and manually forward only what you actually need.

Outdated firmware with known CVEs. That router your ISP gave you three years ago probably has not received a firmware update since. It has known vulnerabilities with public exploit code. Check the manufacturer’s site. If there is no update available, consider replacing the device.

Open DNS resolver. Some routers run a DNS resolver that accepts queries from the entire internet. This is not just a misconfiguration for you. Attackers use open resolvers for DNS amplification attacks, meaning your router becomes a weapon against someone else. Restrict DNS to your local network or disable the resolver entirely.

How Often Should You Do This?

Your network is not static. Firmware updates change configurations. New devices get connected. Port forwarding rules accumulate. Something that was secure three months ago might not be today.

For a home user, once a month is reasonable. Sentinel’s free tier allows one scan per IP per week.

For businesses managing their own infrastructure, the standard is daily or weekly automated scans. That is what Sentinel’s business tier is built for: scheduled recurring scans with a dashboard that shows what changed between each scan.
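For the DIY route, the same change tracking can be done by saving each nmap run to a file and comparing it with the previous one. The script below is an added example, not code from the article or from Sentinel; the function names and file names are hypothetical, and last month's scan data is constructed.

```shell
# Added example (not from the original page): report what changed between two
# saved nmap runs, e.g. files written with `nmap -sV -oN <file>`.

# scan_diff OLD NEW  ->  "+" newly open, "-" no longer open, "~" service changed
scan_diff() {
  awk '
    # Skip headers, closed/filtered rows and script output.
    $1 !~ /^[0-9]+\/(tcp|udp)$/ || $2 != "open" { next }
    # Join SERVICE and the free-text VERSION column into one string.
    { svc = $3; for (i = 4; i <= NF; i++) svc = svc " " $i }
    FILENAME == ARGV[1] { old[$1] = svc; next }   # previous scan
    { cur[$1] = svc }                              # current scan
    END {
      for (p in cur) {
        if (!(p in old))           print "+ " p " " cur[p]
        else if (old[p] != cur[p]) print "~ " p " " old[p] " -> " cur[p]
      }
      for (p in old) if (!(p in cur)) print "- " p " " old[p]
    }
  ' "$1" "$2" | sort -k2,2n
}

# Constructed sample data: the previous scan is invented; the current scan is
# the port table shown earlier in the article.
demo_scan_diff() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/prev.txt" <<'EOF'
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1
53/tcp  open  domain   dnsmasq 2.85
80/tcp  open  http     nginx 1.14.0
443/tcp open  ssl/http nginx 1.18.0
EOF
  cat > "$dir/curr.txt" <<'EOF'
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1
80/tcp   open  http     nginx 1.18.0
443/tcp  open  ssl/http nginx 1.18.0
8080/tcp open  http     Apache httpd 2.4.49
EOF
  scan_diff "$dir/prev.txt" "$dir/curr.txt"
  rm -rf "$dir"
}

demo_scan_diff
```

Any `+` line is a port that was not reachable last time and deserves an explanation before the next scan.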

The Point

Your home network is being scanned whether you scan it yourself or not. The difference is whether you know what the bots are finding before one of them exploits it. Pick a method. Nmap, Shodan, Sentinel, or all three. The important thing is that you look.