The Network Mapper (Nmap) is an open-source, free security scanner widely loved by network and security analysts. Many commercial tools try to replicate its power, but most end up bundling Nmap itself as a “feature.”
Under the hood, Nmap is a precise instrument for discovery and reconnaissance. This primer introduces what it is, how to think about its scripting engine, and a few practical scans to add to your toolkit.
About Nmap
Nmap helps you analyze your infrastructure’s external exposure: open ports, services, versions, and basic OS traits. While it began as a network scanner, its ecosystem now stretches across layers of your stack (network and application). You’ll typically run it from the command line; a GUI called Zenmap exists if you prefer a UI.
Use Nmap only on systems you own or have explicit permission to test.
Leverage the Scripting Engine (NSE)
A big reason Nmap remains best-in-class is the Nmap Scripting Engine (NSE). It ships with Nmap and offers 600+ scripts, grouped by categories such as discovery, safe, vuln, and more.
You can run individual scripts or entire categories—and write your own when you need to automate repeatable tasks.
Example: running a specific script (ASN lookup):
nmap --script asn-query [--script-args dns=<resolver>] <target>
Or run a whole category (all discovery scripts):
nmap --script discovery <target>
Real-World Application
Say your team deployed five new servers. A basic scan helps you validate what’s visible from the Internet and whether exposure matches intent.
Simple port discovery:
# Basic TCP scan
nmap 173.255.xxx.xxx
# Sample output (abridged)
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
443/tcp open https
465/tcp filtered smtps
587/tcp filtered submission
We can see SSH and HTTP(S) are open; SMTP appears filtered. Should SSH be exposed? Is a mail service expected on this host? These quick checks catch misconfigurations early.
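One way to automate the "does exposure match intent" check, as an added example that is not part of the original article: it parses Nmap's XML output (the -oX option) and compares the open ports with an allowlist. The sample XML, the 192.0.2.10 address and the INTENDED policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, trimmed to the elements used here.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical intent: what each host is supposed to expose to the Internet.
INTENDED = {"192.0.2.10": {("tcp", 80), ("tcp", 443)}}


def open_ports(xml_text):
    """Return {address: {(proto, port): service}} for ports in state 'open'."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        found = result.setdefault(addr_el.get("addr"), {})
        for port in host.iter("port"):
            state = port.find("state")
            # Only 'open' counts as exposed; 'filtered' and 'closed' are skipped.
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name") if svc is not None else "unknown"
                found[(port.get("protocol"), int(port.get("portid")))] = name
    return result


def exposure_drift(xml_text, intended):
    """Per host: ports open but not intended, and intended but not open."""
    scanned = open_ports(xml_text)
    report = {}
    for addr in sorted(set(scanned) | set(intended)):
        seen = set(scanned.get(addr, {}))
        want = intended.get(addr, set())
        report[addr] = {"unexpected": sorted(seen - want),
                        "missing": sorted(want - seen)}
    return report


if __name__ == "__main__":
    for addr, diff in exposure_drift(SAMPLE_XML, INTENDED).items():
        print(addr, diff)
```

On the constructed sample, port 22 is reported as unexpected, which is the "Should SSH be exposed?" question turned into a repeatable check.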
Add version detection (-sV) to learn more about what’s running:
nmap -sV 173.255.xxx.xxx
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
...
Version data helps prioritize patching and quickly check exposure to known CVEs. You can scan multiple hosts at once by listing them:
nmap -sV 192.155.xxx.xxx 198.58.xxx.xxx
Nmap Empowers the Analyst
Even with default scans, Nmap provides high-value visibility into your perimeter. Combine it with NSE for scripted discovery, and you’ll accelerate validation, reduce guesswork, and surface drift across environments.
For safe testing, the Nmap team provides scanme.nmap.org. Don’t scan systems without authorization.