Published 2026-04-30 — v1.0
Exposed-device classification methodology
CipherCue classifies open-port banners — already collected by nmap service detection — against a versioned device-rule dictionary. This page specifies the four categories, the banner-source posture, the recorded fact shape, and how CISA KEV cross-reference is applied.
Banner source
Banners are collected by nmap with -sV service detection at -T3 polite timing — the same scan that produces the port_scan fact. Service detection sends a small set of well-known probes (HTTP OPTIONS, SMB SessionSetup, RTSP DESCRIBE, etc.) and records the response banner. CipherCue does no additional probing for classification — the data is already on disk.
Categories
Four categories are recognised:
- admin_panel — Jenkins, GitLab, Grafana, Kibana, Prometheus, Portainer, ESXi/vCenter, phpMyAdmin, Adminer, RabbitMQ Management, Confluence, Jira, SonarQube, Cisco ASA admin, FortiGate admin.
- ip_camera — Axis, Hikvision, Dahua, Ubiquiti UniFi Video, Bosch IP cameras, generic ONVIF responses.
- network_gear — Cisco IOS, Juniper JunOS, MikroTik RouterOS, Fortinet, Palo Alto Networks, F5 BIG-IP management, Pulse Secure, Citrix Gateway, OpenVPN Access Server.
- office_device — HP printers (JetDirect/IPP), Xerox, Canon, Lexmark, Polycom VoIP, Cisco IP Phone, Yealink.
Each rule has a severity field — low, medium, or high — that reflects the operational sensitivity of the exposure category. It is not a verdict on the entity. A Jenkins admin panel has severity high because credentialed access typically means code-execution; an HP printer has severity low because the typical exposure is office-network printing, not credentialed admin.
Matching
For each open port, the service, product, version, and CPE strings from nmap are joined with a separator and matched against each rule's patterns list (PCRE). The first matching rule wins per port — overlapping patterns produce one classification, not two.
CISA KEV cross-reference
Where a rule has cve_lookup => true, the matched vendor and product are looked up in the locally-cached CISA KEV signal index. If a CISA KEV entry exists for the same lowercased (vendor, product), the classification fact is decorated with:
- kev_match.cve_count — number of CISA KEV entries against the vendor/product
- kev_match.latest.cve_id — the most recent CVE
- kev_match.latest.kev_date_added — the date that CVE was added to the catalogue
This is a vendor-product KEV match, not a per-version CVE assertion. See /methodology/kev-matching for the version-required policy that governs kev_match facts; the device decoration is the looser vendor-history view.
Recorded fact
One device_classification fact is written per (host, port, rule) match per scan day:
- host, port, protocol
- category, vendor, product, version
- severity — operational sensitivity of the category, not a verdict
- evidence — the joined banner string that matched
- cpe — the CPE string from nmap, if present
- kev_match — present only when the rule supports CVE lookup and a match exists
- authority_source = "nmap service detection (-sV)"
- authority_url = this page
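The matching, KEV decoration and fact shape described in the three sections above, as an added worked example (not CipherCue's code). It assumes a rule dictionary and KEV index in the shape the page describes, uses Python's re module in place of PCRE, and all rules, vendor/product strings, CVE ids and dates are constructed placeholders.

```python
import re

# Constructed rule dictionary in the shape the page describes (ordered; first match wins).
# Patterns, vendor/product strings and severities are illustrative, not CipherCue's rules.
RULES = [
    {"category": "admin_panel", "vendor": "jenkins", "product": "jenkins",
     "severity": "high", "cve_lookup": True, "patterns": [r"jenkins"]},
    {"category": "office_device", "vendor": "hp", "product": "jetdirect",
     "severity": "low", "cve_lookup": False, "patterns": [r"jetdirect", r"hp.*printer"]},
    {"category": "network_gear", "vendor": "fortinet", "product": "fortigate",
     "severity": "medium", "cve_lookup": True, "patterns": [r"fortigate", r"fortios"]},
]

# Constructed stand-in for the locally-cached CISA KEV signal index, keyed by
# lowercased (vendor, product). CVE ids and dates are placeholders, not real KEV rows.
KEV_INDEX = {
    ("fortinet", "fortigate"): [
        {"cve_id": "CVE-0000-0001", "date_added": "2024-01-15"},
        {"cve_id": "CVE-0000-0002", "date_added": "2025-03-02"},
    ],
}

SEP = " | "                                  # separator used to join the nmap -sV fields
AUTHORITY_URL = "<this methodology page>"    # placeholder for the page URL

def classify_port(host, port, protocol, svc, rules=RULES, kev=KEV_INDEX):
    """Return one device_classification fact for an open port, or None if no rule matches.
    svc carries the nmap -sV fields: service, product, version, cpe (any may be missing)."""
    evidence = SEP.join(svc.get(k, "") for k in ("service", "product", "version", "cpe"))
    for rule in rules:
        if not any(re.search(p, evidence, re.IGNORECASE) for p in rule["patterns"]):
            continue                         # try the next rule
        fact = {
            "host": host, "port": port, "protocol": protocol,
            "category": rule["category"], "vendor": rule["vendor"],
            "product": rule["product"], "version": svc.get("version", ""),
            "severity": rule["severity"], "evidence": evidence, "cpe": svc.get("cpe", ""),
            "authority_source": "nmap service detection (-sV)", "authority_url": AUTHORITY_URL,
        }
        key = (rule["vendor"].lower(), rule["product"].lower())
        entries = kev.get(key) if rule["cve_lookup"] else None
        if entries:                          # vendor-product history, not a per-version claim
            latest = max(entries, key=lambda e: e["date_added"])
            fact["kev_match"] = {"cve_count": len(entries),
                                 "latest": {"cve_id": latest["cve_id"],
                                            "kev_date_added": latest["date_added"]}}
        return fact                          # first matching rule wins for this port
    return None
```

A port whose banner matches no rule yields no fact; a rule with cve_lookup set but no KEV history for its vendor/product yields a fact without kev_match.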
What we do not do
- No authentication. We do not log in to admin panels, even with default credentials publicly documented by the vendor.
- No exploitation. We do not run vulnerability scanners (Nuclei templates, Nessus plugins, Metasploit modules) against any classified device.
- No active probing of the device beyond the standard nmap -sV probe set.
- No assertion that exposing the port is a fault — many of these device categories are exposed deliberately (load-balancer admin pages on a management VLAN, public-facing helpdesk Jira, and so on).
Pre-disclosure handling
Device classifications are derived from the same nmap data that produces the port_scan fact, which has always been written as a public_observation. Classifications are likewise written with disclosure_status = "public_observation" and surfaced to customers immediately. The vendor-history KEV decoration follows the same posture — it is a derived view over the public CISA catalogue.
Correction
If a classification is spurious (e.g. banner mis-attribution, device not actually deployed at the host), email corrections@ciphercue.com. We investigate within 7 days.
Changelog
v1.0 — 2026-04-30 — Initial publication. ~38 rules across four categories. Vendor-product KEV decoration via local CISA KEV signal index.