some file

Edge Scanners

Edge Scanners provide advanced security scanning capabilities that automatically detect threats, vulnerabilities, and policy violations in MCP (Model Context Protocol) communications and AI tool interactions.

Overview

The Edge Scanners feature enables administrators to deploy and manage security scanners that monitor, detect, and remediate potential security issues in real-time. These scanners protect your organization from data leaks, prompt injection attacks, and other AI-specific security threats.

Edge Scanners Dashboard

Scanner Management Dashboard

The dashboard provides a comprehensive view of all active scanners:

  • Scanner Name: Identifies the specific security scanner
  • Active Status: Toggle to enable/disable scanners
  • Severity Level: Risk classification (HIGH, CRITICAL)
  • Category: Security domain the scanner addresses
  • Version: Current scanner rule version
  • Used By: Number of users affected by the scanner

Pre-configured Global Scanners

Netzilo includes several pre-configured global scanners that provide immediate protection:

  1. Path Traversal Detection

    • Detects suspicious file path patterns in gateway/server descriptions
    • Severity: HIGH
    • Protects against directory traversal attacks

  2. PII Detection in Tool Output

    • Detects and redacts PII (SSN, credit cards, emails, MAC addresses) in tool responses
    • Severity: HIGH
    • Ensures data privacy compliance

  3. Prompt Injection Detection

    • Detects attempts to override system instructions or inject malicious prompts
    • Severity: HIGH
    • Prevents AI manipulation attacks

  4. API Key and Secret Redaction

    • Detects and redacts API keys, tokens, and other secrets from tool responses
    • Severity: HIGH
    • Prevents credential exposure

  5. SSH Key Exfiltration in Tool Input

    • Detects attempts to upload or exfiltrate SSH private keys via tool arguments
    • Severity: CRITICAL
    • Protects authentication credentials

  6. System Enumeration & CLI Tool Exfiltration

    • Detects attacks that enumerate system info (env vars, processes, network) and exfiltrate data
    • Severity: CRITICAL
    • Prevents reconnaissance and data theft

YAML Rule Configuration

Scanner Rule Definition

YAML Scanner Configuration

Scanners are defined using YAML format for maximum flexibility and customization:

description: "Detects and redacts API keys, tokens, and other secrets from tool responses"
severity: HIGH
score: 85
enabled: true
version: "1.0.0"
author: "Netzilo Security Team"
tags:
  - secrets
  - api-keys
  - credentials
  - redaction

categories:
  - Secrets Management
  - Credential Protection
  - Data Privacy

context_type: any

action:
  type: REDACT
  message: "Secrets detected and redacted from response"
  log_level: warn

  redaction:
    strategy: mask
    mask_char: "*"
    preserve_length: true
    patterns:
      - name: "api_key"
        regex: '(?i)(api[-_]?key|apikey)[":\s=]+([a-zA-Z0-9-]{20,})'

Key Configuration Elements

Scanner Metadata

  • description: Clear explanation of what the scanner detects
  • severity: Risk level (LOW, MEDIUM, HIGH, CRITICAL)
  • score: Numerical risk score (0-100)
  • enabled: Active/inactive status
  • version: Rule version for tracking updates
  • author: Scanner creator for accountability

Detection Categories

  • Secrets Management
  • Credential Protection
  • Data Privacy
  • System Security
  • Network Security
  • Compliance

Context Types

  • any: Applies to all contexts
  • input: Only scans user inputs
  • output: Only scans tool responses
  • bidirectional: Scans both directions

Action Types

  • REDACT: Removes sensitive content
  • BLOCK: Prevents execution
  • ALERT: Notifies administrators
  • LOG: Records for audit

Redaction Strategies

Masking Options

  • mask: Replace with mask characters
  • hash: Replace with hash value
  • truncate: Show partial content
  • remove: Complete removal

Pattern Matching

  • Regular expressions for flexible detection
  • Named patterns for organized rules
  • Case-insensitive matching options
  • Multi-line pattern support

Scanner Name & Description

Scanner Name and Description Configuration

Configuring Scanner Identity

Scanner Name

  • Must be unique and descriptive
  • Automatically syncs with YAML rule
  • Examples:
    • "API Key and Secret Redaction"
    • "PII Detection Scanner"
    • "Prompt Injection Blocker"

Description

  • Detailed explanation of scanner functionality
  • Should include:
    • What it detects
    • How it protects
    • When it triggers
    • Impact on users

Global scanners are pre-configured by Netzilo and cannot be edited or deleted. They provide baseline security that cannot be disabled.

Creating Custom Scanners

Step 1: Define Detection Patterns

Identify specific patterns or behaviors to detect:

patterns:
  - name: "aws_access_key"
    regex: 'AKIA[0-9A-Z]{16}'
  - name: "github_token"
    regex: 'ghp_[a-zA-Z0-9]{36}'
  - name: "stripe_key"
    regex: 'sk_live_[a-zA-Z0-9]{24}'

Step 2: Configure Actions

Define how the scanner responds to detections:

action:
  type: REDACT
  notification:
    enabled: true
    channels:
      - email
      - slack
    recipients:
      - security-team@company.com

Step 3: Set Context Rules

Specify where the scanner applies:

context:
  includes:
    - "*.api.company.com"
    - "production-*"
  excludes:
    - "test-*"
    - "dev-*"

Step 4: Test and Validate

Use the scanner testing interface to:

  • Validate pattern matching
  • Test redaction accuracy
  • Verify performance impact
  • Check false positive rate

Scanner Categories

Security Scanners

  • Path Traversal: Detects directory traversal attempts
  • Command Injection: Identifies malicious command patterns
  • SQL Injection: Prevents database manipulation
  • XSS Detection: Blocks cross-site scripting

Privacy Scanners

  • PII Detection: Identifies personal information
  • PHI Scanner: Protects health information
  • Financial Data: Detects credit cards, bank accounts
  • GDPR Compliance: Ensures data protection compliance

Credential Scanners

  • API Keys: Detects various API key formats
  • Passwords: Identifies hardcoded passwords
  • Tokens: JWT, OAuth, session tokens
  • Certificates: SSL/TLS certificate detection

Behavioral Scanners

  • Anomaly Detection: Identifies unusual patterns
  • Rate Limiting: Detects excessive requests
  • Data Exfiltration: Prevents large data transfers
  • Privilege Escalation: Identifies permission abuse

Best Practices

Scanner Configuration

  1. Start with Global Scanners: Use pre-configured scanners as baseline
  2. Layer Custom Rules: Add organization-specific scanners
  3. Regular Updates: Keep scanner rules current with threats
  4. Performance Testing: Monitor scanner impact on latency

Detection Tuning

  1. Minimize False Positives: Refine patterns for accuracy
  2. Context-Aware Rules: Use context types effectively
  3. Severity Alignment: Match severity to actual risk
  4. Testing Coverage: Validate against real-world data

Response Actions

  1. Gradual Enforcement: Start with logging, then blocking
  2. User Communication: Clear messages for blocked actions
  3. Incident Response: Define escalation procedures
  4. Audit Trails: Maintain comprehensive logs

Performance Considerations

Scanner Optimization

  • Pattern Efficiency: Use optimized regex patterns
  • Caching: Leverage result caching for repeated scans
  • Parallel Processing: Enable concurrent scanning
  • Resource Limits: Set maximum scan time/size

Monitoring Metrics

  • Scan Latency: Track processing time
  • Detection Rate: Monitor true/false positives
  • Resource Usage: CPU and memory consumption
  • Queue Depth: Pending scan backlog

Troubleshooting

Common Issues

Scanner Not Triggering

  • Verify pattern syntax
  • Check enabled status
  • Review context configuration
  • Test with known patterns

High False Positive Rate

  • Refine regex patterns
  • Add exclusion rules
  • Adjust sensitivity thresholds
  • Review sample data

Performance Degradation

  • Optimize regex patterns
  • Reduce scanner scope
  • Enable caching
  • Increase resources

Missing Detections

  • Update pattern library
  • Check scanner versions
  • Review bypass techniques
  • Analyze detection gaps

Integration with Other Features

Tools Integration

  • Scanners automatically apply to Edge Tools
  • Real-time scanning of tool inputs/outputs
  • Contextual filtering based on tool type

Filters Coordination

  • Works with Edge Filters for layered security
  • Shared policy enforcement
  • Unified logging and reporting

Activity Monitoring

  • Scanner events in Activity Reports
  • Detection statistics and trends
  • Compliance reporting

Next Steps

Edge Scanners require an Enterprise license. Contact your account manager to enable additional scanner slots or custom scanner development support.