Skip to main content
Internal network security is critical yet often overlooked. Once attackers gain initial access through configuration drift, phishing, or compromised credentials, they can rapidly expand their foothold by exploiting internal vulnerabilities. This lateral movement can lead to devastating breaches, making internal vulnerability scanning as crucial as external assessments. ProjectDiscovery offers two distinct approaches for internal network vulnerability scanning, each designed to fit different organizational needs while maintaining our core focus on exploitability and accurate detection.

Agent based Scanning

Use pd-agent for seamless internal scanning through our platform. Perfect for large networks and centralized security management.

Local Scanning & Upload

Run Nuclei locally and upload results to PD’s platform. Ideal for teams with existing scanning workflows or specific network restrictions.
Internal scanning helps identify misconfigurations, unpatched systems, and security gaps that could be exploited for lateral movement before attackers can leverage them.
To use this feature you’ll need to install and deploy pd-agent within your internal network. The agent acts as a bridge between your internal infrastructure and ProjectDiscovery’s platform, enabling you to trigger and manage scans remotely.

What is pd-agent?

pd-agent is a lightweight agent that you deploy within your internal network to execute scans and enumerations remotely. It establishes a secure connection between your internal infrastructure and ProjectDiscovery’s platform, receives scan configurations and executes them locally using ProjectDiscovery’s tools. Key Capabilities:
  • Network Discovery: Automatically discover assets, services, and open ports across your internal network
  • Vulnerability Scanning: Execute Nuclei-based vulnerability scans using templates from the ProjectDiscovery’s platform
  • Agent Tagging: Organize agents with tags and networks for targeted execution
  • Passive Discovery: Optional passive network discovery via libpcap/gopacket
  • Automatic Updates: Receive and execute new scan configurations automatically
Agent based internal scanning is an Enterprise-exclusive feature. Free users can still perform internal scans using the local scanning method described below.
System Requirements
The agent is designed to be lightweight and efficient. Minimum recommended specifications for optimal performance:
  • CPU: 2 vCPU
  • Memory: 4GB RAM
  • Network: 100Mbps network interface
  • Storage: 10GB available disk space
  • Operating System: Linux (recommended), macOS, or Windows
These specifications are suitable for most deployment scenarios. A basic VPS (Virtual Private Server) meeting these requirements is sufficient for running pd-agent efficiently.

Step 1: Create a Network

Before installing the agent, you need to create a network in the ProjectDiscovery’s platform. Each network represents a distinct internal environment (e.g., production, staging, office network) and generates a unique agent configuration.
  1. Navigate to https://cloud.projectdiscovery.io/networks
  2. Click “Create Network”
  3. Provide a network name
  4. Save the network to generate your unique agent installation command
Creating a Network in PDCP
You can create multiple networks for different environments or network segments. Each network can have one or more agents deployed.

Step 2: Install the agent

After creating your network, the platform will display a unique installation command pre-configured with your credentials and network settings.
Prerequisites for Go installation methodIf you’re using the Go command option to install pd-agent, ensure you have:
  1. Go installed on your system (download Go)
  2. pdtm (ProjectDiscovery Tool Manager) installed
To install pdtm, run:
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
pdtm -ia
Or combine both commands:
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest && pdtm -ia
Finally copy and run the command (displayed when you create a network) in your internal environment where you want the agent deployed. If you’re using the Docker option, you can directly run the installation command without any additional prerequisites.
Keep your installation command secure - it contains your API key and agent configuration. Anyone with this command can connect an agent to your network.
The installation command will:
  • Download and configure the agent
  • Establish a secure connection to ProjectDiscovery’s platform
  • Register the agent with your network
Once the agent runs successfully, it will appear in your network dashboard, indicating that it’s ready to execute scans.
Complete pd-agent Setup: Create Network, Install Agent, and Verify Connection
The agent must remain running to execute scans. For production deployments, consider running it as a system service (systemd, Docker, or Kubernetes) to ensure it stays active.

Step 3: Discover Assets

Before running vulnerability scans, you can discover assets in your internal network. This helps you identify all hosts, services, and open ports that the agent can reach.
  1. Navigate to your networks dashboard at https://cloud.projectdiscovery.io/internal-network
  2. Locate the network you want to discover assets for and click the Discover assets button under the Action column
  3. Configure your discovery parameters (target ranges, ports, discovery methods, etc.)
  4. Click on Start Discovery to initiate the discovery process. The pd-agent will scan your internal network and discovered assets will appear in your asset inventory
Discovering Assets in Internal Network using pd-agent
Asset discovery helps you build an accurate inventory of your internal infrastructure before running targeted vulnerability scans. This ensures comprehensive coverage of your attack surface.
Scaling for Large Networks: If your network has a large number of assets that need to be scanned, consider deploying multiple pd-agents across different network segments. This distributes the scanning load and improves performance for comprehensive vulnerability assessments.

Step 4: Trigger Internal Scans

Once your pd-agent is connected and assets are discovered (optional), you can trigger vulnerability scans. The workflow is identical to external scanning - configure scans through the same interface and view results in the same dashboard.
  1. Click on the Scan button for the network you want to scan, or go to the Scans menu (https://cloud.projectdiscovery.io/scans) and click Create New Scan, choose Internal followed by the network
  2. Select the Asset Group created from the previous discovery operation, or manually enter your targets (internal IPs, hostnames, or CIDR ranges like 192.168.1.0/24, internal-server.local)
  3. Select Nuclei templates (CVEs, misconfigurations, vulnerabilities, etc.) and configure scan settings (rate limits, headers, parameters)
  4. Click Create Scan to start - the scan executes through pd-agent in your internal network and results appear in your dashboard
Creating and Running an Internal Scan in PDCP
Internal scanning provides the same experience as external scanning - identical template selection, scan configuration, results viewing, retesting capabilities, and integration options.
Important: Only input targets that are accessible from where pd-agent is deployed. If the agent is running on a server in your 192.168.1.0/24 network, it can only scan hosts within that network or other networks it has routing access to.

Method 2: Local Scanning & Upload

This approach lets you run Nuclei locally and upload results to ProjectDiscovery Cloud Platform (ProjectDiscovery).

Set up your API Key

To connect your existing Nuclei results to PDCP you will need to create a free API Key:
  1. Visit https://cloud.projectdiscovery.io
  2. Open the setting menu from the top right and select “API Key” to create your API Key
PDCP API Key
  1. Use the nuclei -auth command, and enter your API key when prompted.

Configure Team (Optional)

If you want to upload the scan results to a team workspace instead of your personal workspace, you can configure the Team ID using either method:
  1. Run your scan with the upload flag:
# Single target
nuclei -u http://internal-target -cloud-upload

# Multiple targets
nuclei -l internal-hosts.txt -cloud-upload

# With specific templates
nuclei -u http://internal-target -t misconfiguration/ -cloud-upload
This method is ideal when you want to maintain complete control over scan execution or integrate with existing automation scripts.