What CIDR block sizes does DriftAlarm support?

DriftAlarm supports individual IP addresses and CIDR blocks. The Pro tier includes up to 10 /24 subnets (2,560 IPs total). Each /24 block covers 256 IP addresses. For organizations with larger IP footprints requiring /16 blocks or multiple non-contiguous ranges, the Enterprise tier provides custom asset limits. The Standard tier supports a single IP address for focused monitoring.

How often are IP ranges scanned?

DriftAlarm runs discovery scans weekly and vulnerability scans daily against your monitored IP ranges. You can also trigger on-demand scans at any time. The drift detection engine compares each scan result against your established baseline and sends Slack or email notifications when new hosts, ports, or services are detected.

Which ports does DriftAlarm scan?

DriftAlarm scans a comprehensive set of ports commonly targeted in external attacks, including SSH (22), FTP (21), Telnet (23), SMTP (25), DNS (53), HTTP (80, 8080, 3000), HTTPS (443, 8443), RDP (3389), databases (1433, 3306, 5432, 6379, 27017), and many additional service ports. The specific port list is optimized based on current threat intelligence and covers the ports most frequently exploited in real-world attacks.

Can DriftAlarm monitor cloud provider IP ranges?

Yes. DriftAlarm scans any publicly routable IP address regardless of where it is hosted. This includes AWS EC2 and ELB IPs, Azure VM and App Service IPs, GCP Compute Engine IPs, and any other cloud or hosting provider. Since DriftAlarm scans from the outside, it provides the same perspective an attacker would have, validating that your cloud security groups and network ACLs are configured correctly.

How does IP range monitoring differ from domain monitoring?

Domain monitoring discovers and tracks assets by starting from your domain name — enumerating subdomains, checking DNS records, and following hostnames. IP range monitoring starts from your IP address space and discovers what is reachable on each IP, regardless of whether a DNS name points to it. Both approaches are complementary: domain monitoring catches assets with DNS records, while IP range monitoring catches everything else, including hosts accessible only by IP address.

IP Range & CIDR Monitoring

Your IP address space is larger than you think. DriftAlarm scans entire CIDR blocks to discover every live host, open port, and running service — then monitors for changes so new exposures never go unnoticed.

Scans complete in under 90 seconds

See How It Works

Why Monitor Your IP Ranges

Most organizations own or lease more IP addresses than they realize. Between cloud provider allocations, colocation facilities, ISP assignments, and legacy address blocks from acquisitions, the total IP footprint often far exceeds what is documented in internal asset inventories. A /24 CIDR block contains 256 addresses, and a /16 block contains over 65,000. Within those ranges, individual hosts can be spun up, reconfigured, or forgotten without any centralized record of what changed.

The security risk is not just about unknown hosts — it is about unknown services on known hosts. A server that was provisioned for a web application may have SSH on port 22, a database on port 3306, and a monitoring agent on port 9100 all listening on its public interface. When that server's purpose changes or the responsible team rotates, those extra services remain open. An attacker scanning your IP range will find every open port, even the ones your team has forgotten about.

IP-based attacks target the entire range, not just named hosts. Automated scanning tools like Shodan and Censys index the entire IPv4 space continuously. Attackers use these databases to find exposed services by port number across all IPs, regardless of whether those IPs have a DNS name. A host at 203.0.113.47 running an unpatched Redis instance on port 6379 is just as exploitable as one with a friendly hostname — it is just harder for your team to find during a manual audit.

External attack surface management (EASM) closes this gap by scanning your IP ranges with the same thoroughness that attackers use. DriftAlarm monitors your CIDR blocks continuously, discovering new hosts, flagging open ports, and alerting you when the state of your IP space drifts from its expected baseline.

~2,000

average number of open ports discovered across a mid-size organization's external IP ranges

30%+

of externally reachable IP assets are unknown to the organization's security team

6 hours

average time from a new port opening on a public IP to it being indexed by internet-wide scanners

How DriftAlarm Scans IP Ranges and CIDR Blocks

Add Your IP Ranges

Add individual IP addresses or CIDR blocks (e.g., 203.0.113.0/24) as assets in DriftAlarm. The Pro tier supports up to 10 /24 subnets, giving you coverage across multiple network segments, cloud regions, and data center allocations. For larger IP footprints, the Enterprise tier provides custom limits.

Host Discovery and Port Scanning

DriftAlarm scans each IP address across common service ports — including SSH (22), HTTP (80, 8080), HTTPS (443, 8443), RDP (3389), databases (3306, 5432, 27017), and dozens of other frequently targeted ports. For each responsive host, DriftAlarm records which ports are open, what services are running, and what banners or headers the services return.

Service Identification and Technology Detection

Using httpx for web services and banner grabbing for non-HTTP protocols, DriftAlarm identifies the software and version running on each open port. This includes web server software (Apache 2.4, Nginx 1.24), application frameworks, database engines, and administrative interfaces. Knowing exactly what is running on each IP and port is essential for assessing vulnerability exposure.

Vulnerability Assessment

DriftAlarm runs the Nuclei vulnerability scanner against discovered services, testing for known CVEs, misconfigurations, default credentials, and exposed sensitive endpoints. The scanner uses continuously updated templates covering thousands of vulnerability checks, tailored to the specific technologies detected on each host.

Baseline and Drift Monitoring

After the initial scan, DriftAlarm establishes a baseline of your IP range — which hosts are live, which ports are open, and what services are running. Subsequent scans compare against this baseline using 32 drift detection rules. When a new host appears in your range, a previously closed port opens, or a service version changes, DriftAlarm sends a Slack or email alert so your team can investigate.

AI-Guided Remediation

For each finding, Claude AI provides context-specific remediation guidance. Rather than a generic 'close this port' recommendation, you receive actionable steps based on the specific service, its configuration, and the risk it presents. For example: 'Port 3306 (MySQL 8.0) is publicly accessible on 203.0.113.47. Restrict access to trusted IPs using a firewall rule or security group, and verify that authentication is enforced.'

What You Get

Full CIDR Block Scanning

Scan entire IP ranges rather than individual addresses. DriftAlarm accepts CIDR notation (/24, /25, /26, etc.) and scans every address in the range for live hosts and open ports. This ensures coverage of hosts that may not appear in DNS records or internal CMDBs, including load balancer VIPs, management interfaces, and legacy systems.

Open Port and Service Inventory

Maintain a continuously updated inventory of every open port and running service across your IP ranges. DriftAlarm checks common high-risk ports including SSH (22), RDP (3389), FTP (21), Telnet (23), SMTP (25), DNS (53), HTTP/S (80, 443, 8080, 8443), databases (1433, 3306, 5432, 27017), and many more. Each service is fingerprinted to identify the software and version.

New Host Detection

Get alerted when a new host becomes responsive in your IP range. Whether it is a new cloud instance, a contractor's device, or a rogue system, DriftAlarm detects it on the next scan cycle and notifies your team via Slack or email. The alert includes the host's open ports, detected services, and initial risk assessment.

Port State Change Alerts

DriftAlarm's drift detection engine tracks the state of every port on every monitored IP. When a port transitions from closed to open (or vice versa), a drift event is generated with full context: which port changed, what service appeared or disappeared, and when the change was detected. This is critical for detecting unauthorized service deployments and verifying that decommissioned services are actually shut down.

Cloud and On-Premises Coverage

Monitor IP ranges across any environment — AWS, Azure, GCP, colocation facilities, and on-premises data centers. DriftAlarm scans from the outside, the same perspective an attacker would have, regardless of where your infrastructure is hosted. This unified external view eliminates the blind spots that arise when cloud and on-premises security tools operate independently.

See Your Attack Surface — Start Free Trial

Who Uses This

Network and Infrastructure Security Teams

Network security teams use DriftAlarm to maintain an accurate external port and service inventory across their IP allocations. Instead of relying on internal asset databases that may be outdated, they get an attacker's-eye view of what is actually reachable from the internet. Port state change alerts help them verify that firewall rule changes and decommissioning procedures are effective, and catch unauthorized services within hours of them appearing.

Cloud Security and DevOps Engineers

Cloud security engineers use IP range monitoring to detect instances and services deployed with overly permissive security groups. When a new EC2 instance launches with port 22 open to 0.0.0.0/0, or an Azure VM exposes a management port to the internet, DriftAlarm detects it on the next scan and sends an alert. This complements cloud-native tools like AWS Config by providing an external validation that security group rules are working as intended.

IT Operations and Asset Management

IT operations teams use DriftAlarm as an external source of truth for IP asset management. The platform answers the questions that internal tools struggle with: Is anything actually listening on this IP range we allocated six months ago? Are there live hosts in the block we thought was decommissioned? By comparing DriftAlarm's external scan data against internal records, ops teams identify discrepancies and clean up their IP space.

Compliance and Audit Teams

Compliance teams use IP range monitoring to demonstrate that the organization maintains a current inventory of internet-facing assets, a requirement across PCI DSS, SOC 2, and ISO 27001 frameworks. DriftAlarm's continuous scanning and drift event history provide audit-ready evidence that IP assets are actively monitored and that changes are detected and investigated.

Frequently Asked Questions

See Every Host and Open Port Across Your IP Ranges

30-day free trial. No credit card required. Results in 90 seconds.

Contact Sales