Architecture & Program

Built to run inside your network.

An ongoing vulnerability management program that scans from the inside, ships events in real time, and surfaces what's actually exploitable, not just what scores high on paper.

[Architecture diagram]
Your Network: Workstations & Servers (security agent installed, EVENT AGENT); Compass (OPTIONAL internal scanner, AUTH SCANNER); Firewall (network edge).
Internet: Encrypted Tunnel (Port 9200); HTTPS · TLS 1.3 (Port 443).
Northstar Infrastructure: Security Monitoring (event collection · alerting · daily review; Northstar SIEM · AWS); Vulnerability Platform (scan results · CISA KEV · risk scoring; Northstar Scan Console).
No inbound connections. No firewall rules required.

The scan flow

Authenticated scanning from inside your network. It is the only way to see what's actually exploitable.

01

Asset Discovery

Every device on your network is identified, including ones your IT team may not have mapped. Nothing is assumed invisible.

02

Authenticated Scan

The scanner authenticates to each machine using admin credentials, the same way your IT team would. This exposes the full picture: software versions, patch gaps, running services, registry configuration.

03

CISA KEV Cross-Reference

Every finding is checked against the CISA Known Exploited Vulnerabilities catalog. Any match is immediately classified P0: confirmed active exploitation in the wild.

04

Risk Prioritization

Findings are ranked by actual exploitability, not just severity score. A medium CVSS with active exploit code in the wild ranks above a critical CVSS with no known exploitation.

05

Prioritized Risk Report

Findings are delivered as a ranked action list with named owners, SLA deadlines, and specific remediation steps, not a raw export of CVE IDs.

06

Verified Closure

No finding is marked closed without a rescan confirming the fix. Every remediation is verified, not assumed.
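Steps 03, 04 and 06 above, as an added Python example that is not Northstar's own code: a KEV match forces P0, exploitability outranks the CVSS score, and a finding closes only on a clean rescan. The P1/P2 tier names, the `exploit_public` and `rescan_clean` fields, the asset names and the CVE placeholders are assumptions constructed for illustration; the sample feed uses the `cveID` key of the CISA KEV JSON feed.

```python
from dataclasses import dataclass

# Constructed sample shaped like the CISA KEV JSON feed (placeholder IDs, not real CVEs).
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-0000-0001"}]}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exploit_public: bool = False  # hypothetical field: exploit code seen in the wild
    fix_applied: bool = False
    rescan_clean: bool = False    # set only when a rescan no longer detects the issue

def tier(f, kev_ids):
    """P0 = KEV match (from the page); P1 and P2 are tier names assumed here."""
    if f.cve.strip().upper() in kev_ids:  # scanners differ in case and padding
        return "P0"
    return "P1" if f.exploit_public else "P2"

def prioritize(findings, kev_feed):
    kev_ids = {v["cveID"].upper() for v in kev_feed["vulnerabilities"]}
    # Tier decides the order; CVSS only breaks ties inside a tier.
    return sorted(((tier(f, kev_ids), f) for f in findings),
                  key=lambda tf: (tf[0], -tf[1].cvss))

def status(f):
    """A reported fix is not closure: only a clean rescan closes a finding."""
    if f.rescan_clean:
        return "closed"
    return "pending-rescan" if f.fix_applied else "open"

FINDINGS = [  # constructed scan output
    Finding("srv-01", "CVE-0000-0003", 9.8),
    Finding("ws-17", "CVE-0000-0002", 5.4, exploit_public=True),
    Finding("srv-02", "cve-0000-0001 ", 7.5, fix_applied=True),
]

if __name__ == "__main__":
    for t, f in prioritize(FINDINGS, KEV_FEED):
        print(t, f.asset, f.cve.strip().upper(), f.cvss, status(f))
```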

The monitoring flow

Security events from your machines, reviewed every morning.

01

Agent Deployment

A lightweight agent is installed on Windows machines. It reads system security event logs and ships them in real time via an encrypted tunnel to Northstar's monitoring platform.

02

Continuous Event Collection

Authentication events, privilege changes, new admin accounts, PowerShell execution, and after-hours access are all collected and stored with a 90-day minimum retention window.

03

Detection Rules

Structured detection rules fire on behavioral patterns that indicate compromise, insider activity, or policy violations. Rules are tuned to reduce noise. You are notified when something warrants attention, not on every event.

04

Daily Advisor Review

Every morning, a Northstar advisor reviews the previous 24 hours across all monitored environments. Anything suspicious is investigated the same day, not held for the monthly report.

What you get every month

🔍

Authenticated Vulnerability Scan

Full internal scan: every asset, every patch gap, every service. Cross-referenced against the CISA Known Exploited Vulnerabilities catalog on every run.

📋

Prioritized Risk Report

Findings ranked by exploitability with named owners, SLA deadlines, and specific remediation guidance. Not a raw findings export. It is a program document.

📞

30-Minute Delivery Call

Walk through the top findings directly with your advisor. What changed, what is still open, what to address first. Quarterly business reviews track trend data.

Ready to see what's actually exploitable in your environment?

Start with a free Security Posture Assessment: authenticated scan, CISA KEV cross-reference, and a findings call. No obligation.
