Internal network security is critical yet often overlooked. Once attackers gain initial access through configuration drift, phishing, or compromised credentials, they can rapidly expand their foothold by exploiting internal vulnerabilities. This lateral movement can lead to devastating breaches, making internal vulnerability scanning as crucial as external assessments. ProjectDiscovery offers two distinct approaches for internal network vulnerability scanning, each designed to fit different organizational needs while maintaining our core focus on exploitability and accurate detection.

Cloud-Managed Scanning

Use TunnelX for remote scan triggering through PDCP UI. Perfect for large networks and centralized security management.

Local Scanning & Upload

Run Nuclei locally and upload results to PDCP. Ideal for teams with existing scanning workflows or specific network restrictions.
Internal scanning helps identify misconfigurations, unpatched systems, and security gaps that could be exploited for lateral movement before attackers can leverage them.

Port Discovery with Naabu

Before running vulnerability scans, it’s recommended to first identify open ports in your internal network using Naabu - a fast and reliable port scanner. This ensures comprehensive vulnerability scanning coverage. 
# Scan entire internal subnet and save results
naabu -host 192.168.1.1/24 -o internal_ports.txt

# Scan specific port ranges
naabu -host 192.168.1.1/24 -p 80,443,8000-9000 -o internal_ports.txt

# Faster scanning with increased rate
naabu -host 192.168.1.1/24 -rate 1000 -o internal_ports.txt
The discovered ports can be used as input for vulnerability scanning to ensure thorough coverage of all exposed services. Learn more about Naabu’s capabilities in our detailed documentation.
Naabu will soon be integrated directly into ProjectDiscovery’s internal vulnerability scanning capabilities. Contact our sales team to be notified when this feature becomes available.
TunnelX is our open-source tunneling solution, purpose-built by ProjectDiscovery to enable secure internal scanning. It establishes isolated SOCKS5 proxies that let you trigger scans directly from the ProjectDiscovery interface while ensuring your internal infrastructure remains protected and unexposed.
Cloud-managed internal scanning with TunnelX is an Enterprise-exclusive feature. Free users can still perform internal scans using the local scanning method described above.
System Requirements
TunnelX is designed to be lightweight and efficient. Minimum recommended specifications for optimal performance:
  • CPU: 1 vCPU/Core
  • Memory: 2GB RAM
  • Network: 100Mbps network interface
  • Storage: 10GB available disk space
  • Operating System: Linux (recommended), macOS, or Windows
These specifications are suitable for most deployment scenarios. A basic VPS (Virtual Private Server) meeting these requirements is sufficient for running TunnelX efficiently.

Install TunnelX

Choose your preferred installation method: 
# Pull and run the official image
docker run --network host -d \
  -e PDCP_API_KEY="your_api_key" \
  projectdiscovery/tunnelx:latest

# Or build locally
docker build -t tunnelx https://github.com/projectdiscovery/tunnelx.git
docker run --network host -d -e PDCP_API_KEY="your_api_key" tunnelx

Triggering Internal Scans

Once you’ve successfully configured TunnelX, you can easily trigger internal scans directly from the ProjectDiscovery Cloud Platform:
  1. Navigate to Scans Dashboard:
  2. Configure Your Scan:
    • Set your targets, templates, and other scan configurations
    • Proceed to the final “Scan settings” step
  3. Enable Internal Scanning:
    • In the bottom left corner of the Scan settings screen, you’ll see an “Internal Scan” option
    • Select this option to use your connected TunnelX proxy
    • Choose the appropriate internal proxy connection from the dropdown
Internal Scan Option in Scan Settings
  1. Launch Your Scan:
    • Click “Create scan” to start scanning your internal targets
Your scan will now execute against internal targets through the secure TunnelX connection, with results appearing in your ProjectDiscovery dashboard just like external scans.
TunnelX connections appear automatically in the dropdown once properly configured. If you don’t see your connection, check that TunnelX is running properly and your API key is correctly configured.
Important: Only input targets that are actually accessible from the machine where TunnelX is running. For example, if TunnelX is deployed on a server in your internal network (192.168.1.0/24), it can only scan hosts within that network or other networks it has routing access to. If you input external targets or internal hosts that the TunnelX machine cannot reach, the scan will fail.

Method 2: Local Scanning & Upload

This approach lets you run Nuclei locally and upload results to ProjectDiscovery Cloud Platform (ProjectDiscovery).

Set up your API Key

To connect your existing Nuclei results to PDCP you will need to create a free API Key:
  1. Visit https://cloud.projectdiscovery.io
  2. Open the setting menu from the top right and select “API Key” to create your API Key
PDCP API Key
  1. Use the nuclei -auth command, and enter your API key when prompted.

Configure Team (Optional)

If you want to upload the scan results to a team workspace instead of your personal workspace, you can configure the Team ID using either method:
  1. Run your scan with the upload flag:
# Single target
nuclei -u http://internal-target -cloud-upload

# Multiple targets
nuclei -l internal-hosts.txt -cloud-upload

# With specific templates
nuclei -u http://internal-target -t misconfiguration/ -cloud-upload
This method is ideal when you want to maintain complete control over scan execution or integrate with existing automation scripts.