mipo
Distributed attack-surface evidence for networks you actually run.
Deploy zero-dependency scanners, track port changes over time, and preserve audit-ready evidence for Security and GRC teams.
An operational loop, not a one-shot scan
mipo runs continuously: deploy scanners at each vantage point, define scope once, schedule runs, and let every result diff against history.
Deploy scanners
Drop a zero-dependency static binary onto each network vantage point.
Define scope
Model subnets, FQDNs, and port lists as reusable scan templates.
Run schedules
Launch on demand or on a cron schedule from the manager.
Detect changes
Diff every result against history to surface new/closed ports.
Preserve evidence
Append-only audit log + encrypted backups keep an auditable trail.
Alert operators
Stateful alarms notify on dead scanners, deltas, and failures.
↻ Continuous — each run feeds the next: today’s scan becomes tomorrow’s baseline.
Built for evidence, not just discovery
Security and GRC teams need a defensible record of what changed and when — mipo treats every scan as auditable evidence.
Every scan is diffed against history in TimescaleDB, so newly-open, still-open, and closed ports are explicit and dated.
A global interceptor records every state change with actor, timestamp, and field-level diffs — tamper-evident by design.
A single Go stdlib-only static binary. No agent supply chain, no auto-update, no telemetry.
Self-hosted, API-first, no black boxes
mipo monitors itself with a five-layer resilience model and a stateful alarm system. Everything the GUI does is a documented API call.
Runs on infrastructure you control; all data stays in your deployment.
The GUI is just a consumer of the same public API your automation uses.
Manager, ingest, dispatcher, scanner, and CI are all in one readable repo.
Start where you are
Setup, scanning, evidence, operations, and integration — each with a focused doc.
Run your first scan: deploy a scanner, define scope, launch, and read the results.
Scanners are stateless Go binaries deployed on customer networks that execute port scans. This page lets you provision new scanners, manage their lifecycle (enable/disable/delete), configure IP binding for security, and regenerate provisioning tokens. Each scanner connects to mipo via a one-time curl command generated during provisioning.
The scanner binary download endpoint (GET /scanner/binary/:platform/:arch) intentionally returns 501 Not Implemented. mipo does not serve pre-built binaries — operators build the scanner from auditable source code to protect against supply chain attacks. The response body includes the exact build command for the requested platform and architecture.
Displays the detailed findings of a single completed scan, including all discovered hosts, ports, and services. Security engineers use this page for attack surface monitoring — identifying unexpected open ports, new services, and deviations from expected baselines. Results are paginated and loaded on demand as you scroll to handle large scans efficiently. Failed scans show per-scanner error details.
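The newly-open, still-open, and closed classification can be sketched in Go as follows. This is an added example, not mipo's own code: the Finding and Delta types, the Diff function, and the scanned-hosts parameter are assumptions, and the comparison runs in memory rather than in TimescaleDB.

```go
package main

import "fmt"

// Finding is one open port from a scan (assumed shape, not mipo's schema).
type Finding struct {
	Host  string
	Port  int
	Proto string
}

// Delta classifies findings relative to the previous baseline.
type Delta struct{ NewlyOpen, StillOpen, Closed []Finding }

// Diff compares the current run with the baseline. Hosts absent from
// scanned (for example, because their scanner failed) are skipped, so a
// missing result is never reported as a closed port.
func Diff(baseline, current []Finding, scanned map[string]bool) Delta {
	prev := make(map[Finding]bool, len(baseline))
	for _, f := range baseline {
		prev[f] = true
	}
	var d Delta
	seen := make(map[Finding]bool, len(current))
	for _, f := range current {
		if seen[f] {
			continue // duplicate report from overlapping vantage points
		}
		seen[f] = true
		if prev[f] {
			d.StillOpen = append(d.StillOpen, f)
		} else {
			d.NewlyOpen = append(d.NewlyOpen, f)
		}
	}
	for _, f := range baseline {
		if prev[f] && !seen[f] && scanned[f.Host] {
			d.Closed = append(d.Closed, f)
		}
		delete(prev, f) // report a duplicated baseline entry only once
	}
	return d
}

func main() {
	// Constructed sample data: yesterday's baseline and today's run.
	baseline := []Finding{{"10.0.0.5", 22, "tcp"}, {"10.0.0.5", 443, "tcp"}, {"10.0.0.9", 3306, "tcp"}}
	current := []Finding{{"10.0.0.5", 22, "tcp"}, {"10.0.0.5", 8080, "tcp"}}
	// The scanner covering 10.0.0.9 failed, so only 10.0.0.5 counts as scanned.
	d := Diff(baseline, current, map[string]bool{"10.0.0.5": true})
	fmt.Printf("new=%v still=%v closed=%v\n", d.NewlyOpen, d.StillOpen, d.Closed)
}
```

Treating an unscanned host as "no data" instead of "closed" keeps a scanner outage from producing a false closed-port record in the evidence trail.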
The Changes page is the primary compliance audit trail. It logs every create, update, and delete action performed on system resources. This append-only log cannot be modified or deleted, providing the evidence trail required for SOC2 and ISO 27001 compliance reporting.
Active and historical system alarms. Alarms are created automatically when built-in rules detect faults (scanner offline, database unreachable, TLS expiring, etc.). Identical events roll into existing open alarms (deduplication). Alarms can be acknowledged, manually resolved, or auto-resolved when the underlying condition clears.
See what your networks actually expose
Read the docs to run your first scan, or take the product tour to see the full workflow.