Network Analyzer
Scans live hosts for open ports and analyzes any TLS-enabled services for quantum cryptography vulnerabilities. For each TLS service found, the full certificate analysis (same engine as the Certificate Analyzer) is run automatically.
Input Methods
- Hostname or IP scan: enter a domain or IP address; Rivet scans a standard set of ports and performs TLS analysis on any that respond
- Bulk scan: upload a .txt or .csv file with one hostname/IP per line
Ports Scanned
Each scan checks the following 8 ports by default. All are TLS-enabled services and receive full certificate and quantum risk analysis when open. The default port list and bulk scan limit can be customized in Settings → Network Analysis.
| Port | Service | TLS Analysis |
|---|---|---|
| 443 | HTTPS | Yes |
| 465 | SMTPS | Yes |
| 587 | SMTP+STARTTLS | Yes |
| 636 | LDAPS | Yes |
| 993 | IMAPS | Yes |
| 995 | POP3S | Yes |
| 5671 | AMQPS | Yes |
| 8443 | HTTPS-Alt | Yes |
Scan Constraints
- Maximum 100 ports per scan request
- Valid port range is 1–65535
- Private and internal IP ranges are blocked: 127.x, 10.x, 172.16.x–172.31.x, 192.168.x, 169.254.x
- Protocol prefixes (https://, http://) are not accepted; enter the hostname only
Bulk Scan Limits
- Maximum 50 targets per bulk scan by default; configurable up to 500 in Settings → Network Analysis → Max Bulk Targets
- Targets exceeding the limit are dropped with a warning before scanning begins
- Scans run sequentially per target, so large bulk scans will take proportionally longer
- A Cancel button is available during any scan
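The rules under Scan Constraints and Bulk Scan Limits can be expressed as a pre-scan input filter. The following is an added example, not Rivet's own code: the function names, the sample input, and the choice to apply the bulk limit after validation are assumptions.

```python
import ipaddress
# Blocked ranges as listed on this page: loopback, RFC 1918, link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
MAX_PORTS = 100         # ports per scan request
MAX_BULK_TARGETS = 50   # default bulk limit

def validate_target(raw):
    """Return the cleaned target, or raise ValueError with the reason."""
    target = raw.strip()
    if not target:
        raise ValueError("empty target")
    if "://" in target:
        raise ValueError("protocol prefix not accepted; enter the hostname only")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal, so treat it as a hostname. A hostname can still resolve
        # to a blocked address; re-check the resolved IP before connecting (not shown).
        return target.lower()
    if any(addr in net for net in BLOCKED_NETS):
        raise ValueError(f"{addr} is in a blocked private/internal range")
    return str(addr)

def validate_ports(ports):
    """Enforce the per-request port count and the 1-65535 range."""
    if len(ports) > MAX_PORTS:
        raise ValueError(f"at most {MAX_PORTS} ports per scan request")
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"ports outside 1-65535: {bad}")
    return sorted(set(ports))

def load_bulk_targets(text, limit=MAX_BULK_TARGETS):
    """Parse one target per line; return (accepted, rejected, dropped)."""
    valid, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            valid.append(validate_target(line))
        except ValueError as exc:
            rejected.append((line.strip(), str(exc)))
    # Assumption: the limit is applied after validation, in input order.
    return valid[:limit], rejected, valid[limit:]

# Constructed sample input (documentation-range names and addresses).
SAMPLE = "example.com\nhttps://example.org\n10.1.2.3\n192.0.2.10\n172.20.0.5\nmail.example.net\n"
```

Calling `load_bulk_targets(SAMPLE, limit=2)` accepts two targets, rejects the prefixed and private entries with a reason each, and reports `mail.example.net` as dropped for exceeding the limit.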
Result Fields Explained
Summary Statistics
| Field | What it means |
|---|---|
| Total Scanned | Number of ports probed during the scan. |
| Open Ports | Ports that accepted a TCP connection within the timeout window (3 seconds per port). |
| Closed Ports | Ports that timed out or actively refused the connection. |
| TLS Services | Open ports that successfully completed a TLS handshake. These are the ports that receive full quantum risk analysis. |
Quantum Security Assessment (per TLS service)
Each TLS-enabled port gets its own quantum risk assessment using the same unified risk engine as the Certificate Analyzer. All scores and fields below are per-port.
| Field | Range / Values | What it means |
|---|---|---|
| Quantum Vulnerability | CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN | The vulnerability level of the certificate's public key algorithm to Shor's algorithm. RSA and ECDSA are CRITICAL or HIGH. A NIST PQC algorithm would show LOW or UNKNOWN. |
| Migration Urgency | immediate / high / medium / low | How urgently the TLS configuration on this port needs to be migrated to post-quantum cryptography, based on algorithm risk and certificate lifetime. |
| Overall Quantum Risk | 0–100 | Composite score from four weighted components (see Risk Score Breakdown below). This is the same score shown in the Certificate Analyzer for the same certificate. |
Risk Score Breakdown (per TLS service)
The Quantum Risk Score is a weighted sum of four component scores, each normalized to 0–100 before weighting.
| Component | Weight | What drives it |
|---|---|---|
| Algorithm Risk | 40% | Vulnerability of the certificate's public key algorithm and key size to Shor's algorithm. RSA-2048 scores 85; ECDSA P-256 scores 85; RSA-4096 scores 78. DSA/DH score 35. |
| Timeline Risk | 25% | Whether a quantum computer capable of breaking this certificate is expected to exist before the certificate expires. Short-lived certificates score near 0 here. |
| Business Impact | 20% | Contextual factors including business criticality, compliance requirements, and certificate chain complexity. Defaults to a moderate baseline when no user context is provided. |
| PQC Readiness | 15% | Whether the certificate already uses a NIST-approved post-quantum algorithm. Higher is better; this component is inverted in the risk bar display (green = high readiness = good). |
Security Recommendations (per TLS service)
Recommendations are pulled from the certificate analysis for each TLS port and grouped by risk level. Each recommendation card shows:
- Port number: which service the recommendation applies to
- Risk badge: CRITICAL / HIGH / MEDIUM / LOW, color-coded red/orange/yellow/blue
- Recommendation text: specific action such as upgrading key size, enabling TLS 1.3, or migrating to ML-DSA
Port Details (Technical Details)
Expanded view available by clicking "Technical Details". Shows a table of all open ports with:
| Column | What it means |
|---|---|
| Port | TCP port number. |
| Service | Identified service name (HTTPS, SMTPS, LDAPS, etc.) based on well-known port mappings. |
| SSL/TLS | Whether the port successfully completed a TLS handshake. Enabled = TLS confirmed; No = plain TCP only. |
| Response Time | Time in milliseconds for the TCP connection to be established. Does not include TLS handshake time. |
| Banner | First 100 characters of data returned by the service after connection. Useful for identifying software versions. Not available for all services. |
Certificate Technical Details (per TLS service)
For each TLS port, the full certificate details are shown in the expanded Technical Details section. These are the same fields as the Certificate Analyzer:
| Field | What it means |
|---|---|
| Subject | The entity the certificate was issued to (RFC 4514 distinguished name). |
| Issuer | The Certificate Authority that signed this certificate. |
| Signature Algorithm | Algorithm the CA used to sign the certificate (e.g. sha256WithRSAEncryption). |
| Public Key | Algorithm and bit length of the certificate's own public key (e.g. RSA 2048 bits). This is what Shor's algorithm targets. |
| Cipher Suite | Symmetric cipher negotiated for the TLS session (e.g. TLS_AES_256_GCM_SHA384). Determines Grover's algorithm impact on session traffic. |
| TLS Version | Protocol version negotiated (TLSv1.2, TLSv1.3). TLS 1.3 is required for PQC cipher suite support. TLS 1.0 and 1.1 are deprecated and flagged as high risk. |
| Valid Until | Certificate expiry date (notAfter) and days remaining. Certificates expiring before the quantum break timeline for their algorithm carry lower quantum risk. |
| Serial Number | Unique identifier assigned by the CA, used for revocation (CRL/OCSP). |
| Analysis Duration | Time in milliseconds taken to retrieve and analyze the certificate for this port. |
Scan Performance
| Field | What it means |
|---|---|
| Scan Duration | Sum of TCP response times across all open ports (does not include closed port timeout time). |
| Ports Scanned | Total number of ports probed. |
| Average Response | Mean TCP connection time across open ports in milliseconds. |
No TLS Services Found
If open ports are found but none support TLS, the Quantum Security Assessment section shows a "No TLS Services Found" notice. This means:
- The host has open ports (HTTP, SSH, FTP, etc.) but none are using TLS encryption
- No quantum certificate risk can be assessed, but unencrypted services are themselves a security concern
- If port 443 is closed, the host may not be serving HTTPS at all
If no ports are open at all, the target may be firewalled, offline, or blocking the scanner's source IP.
Relationship to Certificate Analyzer
The Network Analyzer is a superset of the Certificate Analyzer for live hosts. When a TLS service is found:
- The same QuantumCertificateAnalyzer runs against the certificate
- The same four-component risk score is calculated
- The same recommendations are generated
The difference is that the Network Analyzer also discovers which ports are running TLS services, making it useful for infrastructure-wide scanning rather than analyzing a single known certificate.
For full documentation of the quantum risk scoring methodology, algorithm risk scores, and the quantum computing threat timeline, see the Certificate Analyzer documentation.