UltraViolet: your own Shodan, in Docker, with CVE/KEV/EPSS

Published: Tue Jun 02 2026 (06/02/2026, 18:16:34 UTC)
Source: Reddit Cybersecurity

Description

UltraViolet is an open-source, self-hosted network discovery and search tool designed to run in Docker on user hardware. It performs TCP/UDP scanning and probes approximately 100 protocols to gather service and infrastructure information, including HTTP bodies, TLS fingerprints, and CVE matching using local NVD, KEV, and EPSS data. It is intended for authorized scanning of owned networks and does not perform exploitation or intrusive vulnerability scanning. The tool supports role-based access control, audit logging, and alerting on saved searches. It is not a cloud service and requires user deployment and management.

Reddit Discussion

r/cybersecurity · posted by u/Dapper_Shape7256

Been hacking on UltraViolet for a while - basically network discovery and search you run yourself. Shodan vibes, except the data sits in your Postgres behind a normal Docker Compose stack. Not SaaS, not multi-tenant. One install, your hardware.

You give it CIDRs you're actually allowed to hit (please only stuff you own or have written permission for). It finds open TCP/UDP ports, then probes a bunch of protocols - HTTP/HTTPS with bodies, titles, tech guesses, favicon hash, robots.txt, security.txt; TLS with certs, JARM, JA3S/JA4S; mail, LDAP, common DBs and queues; some ICS/SCADA and IoT stuff too. Roughly ~100 probe types last I counted. Discovery can be the built-in scanner or masscan/zmap if you want it faster.

Results go into Postgres. Search is full-text over banners, HTTP bodies, TLS bits, DNS, CVEs - handy when you're trying to answer "where is this nginx version still hanging around" without living in spreadsheets.

Why I wanted this:

  • perimeter / inventory that doesn't rot in a shared cloud account
  • rescan diffs (new, gone, changed) plus websocket updates while scans run
  • CVE side is local NVD mirror + fingerprint matching, with KEV and EPSS layered on
  • offline tarball exists if you need air-gap (images, optional CVE seed, GeoIP db)
  • saved searches can alert to logs or webhooks, with cooldowns so one chatty host doesn't wreck your day

What it is not: an exploit scanner. No L2 mapping, no agents everywhere, no "scan the whole internet" product angle. Single tenant on purpose.

Stack is boring on purpose - Go API + worker, React UI, Postgres 16. RBAC (viewer / operator / admin), JWT + refresh, audit log, rate limits, schedules, Prometheus metrics, optional Grafana profile. Dev is clone, secrets in service-env, make dev, UI on :3000. Production mode kills the default admin/admin thing.

Repo: https://github.com/yakushstanislav/UltraViolet
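The rescan diff (new, gone, changed) and the alert cooldown mentioned in the post, sketched as an added example that is not part of the original post and not UltraViolet's own code. The scan records, `diff_scans`, `CooldownAlerter` and `alerts_for` are hypothetical names and constructed data.

```python
# Constructed sample scans: (ip, port, proto) -> service banner.
PREVIOUS = {
    ("10.0.0.5", 80, "tcp"): "nginx/1.18.0",
    ("10.0.0.5", 22, "tcp"): "OpenSSH_8.9",
    ("10.0.0.9", 3306, "tcp"): "MySQL 8.0.32",
}
CURRENT = {
    ("10.0.0.5", 80, "tcp"): "nginx/1.24.0",   # banner changed
    ("10.0.0.5", 22, "tcp"): "OpenSSH_8.9",    # unchanged
    ("10.0.0.7", 23, "tcp"): "telnetd",        # newly exposed
}

def diff_scans(previous, current):
    """Classify every service key as new, gone or changed between two scans."""
    events = []
    for key in sorted(current.keys() - previous.keys()):
        events.append(("new", key, current[key]))
    for key in sorted(previous.keys() - current.keys()):
        events.append(("gone", key, previous[key]))
    for key in sorted(current.keys() & previous.keys()):
        if current[key] != previous[key]:
            events.append(("changed", key, f"{previous[key]} -> {current[key]}"))
    return events

class CooldownAlerter:
    """Suppress repeat alerts for the same (search, host) inside a cooldown window."""
    def __init__(self, cooldown_seconds):
        self.cooldown = cooldown_seconds
        self.last_sent = {}   # (search_name, ip) -> timestamp of last alert

    def should_alert(self, search_name, ip, now):
        key = (search_name, ip)
        last = self.last_sent.get(key)
        if last is not None and now - last < self.cooldown:
            return False      # still cooling down: drop the alert, keep the old timestamp
        self.last_sent[key] = now
        return True

def alerts_for(events, alerter, search_name, now):
    """Return the diff events that pass the cooldown, one alert per host per window."""
    return [e for e in events if alerter.should_alert(search_name, e[1][0], now)]

if __name__ == "__main__":
    alerter = CooldownAlerter(cooldown_seconds=3600)
    for kind, (ip, port, proto), detail in alerts_for(
            diff_scans(PREVIOUS, CURRENT), alerter, "exposure-drift", now=0):
        print(f"{kind:8} {ip}:{port}/{proto} {detail}")
```

Keying the cooldown on (search, host) means a second change on the same host inside the window is suppressed as well, which is the trade-off for keeping a chatty host quiet.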

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/02/2026, 18:18:32 UTC

Technical Analysis

UltraViolet is a self-hosted network reconnaissance platform that enables users to scan authorized IP ranges for open ports and services using a variety of protocol probes. It stores results in a local PostgreSQL database and provides full-text search capabilities over collected data, including banners, HTTP content, TLS fingerprints, and CVE information. The tool integrates local vulnerability data sources such as the National Vulnerability Database (NVD), CISA KEV, and EPSS for risk assessment without relying on cloud services. It is designed for single-tenant use with Docker Compose deployment, emphasizing data control and offline operation. UltraViolet includes features like scan scheduling, delta tracking of scan results, WebSocket updates, RBAC, JWT authentication, audit logs, and metrics integration. It explicitly advises scanning only networks for which the user has authorization and does not include exploit scanning or agent deployment.

Potential Impact

UltraViolet itself is not a vulnerability or exploit but a tool for network discovery and vulnerability data correlation. It does not introduce a security vulnerability but could be misused if deployed improperly or used to scan unauthorized networks, which may violate policies or laws. There are no known exploits or vulnerabilities associated with UltraViolet reported in the provided data. The impact is primarily operational, providing enhanced visibility into network assets and potential vulnerabilities for authorized users.

Mitigation Recommendations

This is not a vulnerability requiring patching. Users should ensure they deploy UltraViolet securely by following best practices outlined in the documentation: restrict scanning to authorized CIDRs, secure secrets and credentials, change default passwords, enable TLS termination properly, configure RBAC appropriately, and maintain backups. No official patches or fixes are applicable as this is a tool, not a vulnerability. Users must comply with legal and organizational policies regarding network scanning.
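One way to enforce "restrict scanning to authorized CIDRs" before a scan job is queued, as an added example that is not UltraViolet's code. The allow-list contents and the `check_targets` function are hypothetical.

```python
import ipaddress

# Constructed allow-list: ranges the operator owns or has written permission to scan.
AUTHORIZED = ["10.20.0.0/16", "192.168.50.0/24", "2001:db8:50::/48"]

def check_targets(requested, authorized=AUTHORIZED):
    """Split requested targets into (allowed, rejected) against the allow-list.

    A target is allowed only if it lies entirely inside one authorized range;
    a CIDR that merely overlaps an authorized range is rejected.
    """
    allow = [ipaddress.ip_network(a) for a in authorized]
    allowed, rejected = [], []
    for raw in requested:
        try:
            # strict=True refuses entries with host bits set (e.g. 10.20.1.5/16),
            # which usually indicate a typo in the scan request.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid: {exc}"))
            continue
        # subnet_of() raises TypeError across IP versions, so compare like with like.
        if any(net.version == a.version and net.subnet_of(a) for a in allow):
            allowed.append(str(net))
        else:
            rejected.append((raw, "outside authorized ranges"))
    return allowed, rejected

if __name__ == "__main__":
    # Constructed scan request mixing valid, over-broad and malformed targets.
    ok, bad = check_targets(
        ["10.20.4.0/24", "10.20.0.0/15", "192.168.50.17", "10.20.1.5/16", "203.0.113.10"])
    print("scan:", ok)
    for target, reason in bad:
        print("refuse:", target, "-", reason)
```

Rejecting the whole request when any target is refused, rather than silently scanning the allowed subset, keeps an over-broad CIDR from going unnoticed.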

Technical Details

Source Type: reddit
Subreddit: cybersecurity
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a1f1e71e29bf47b50ef0187

Added to database: 6/2/2026, 6:18:25 PM

Last enriched: 6/2/2026, 6:18:32 PM

Last updated: 6/2/2026, 7:39:07 PM
