Risk Scan Engine Deployment

Updated Sep 7, 2023

Arctic Wolf Risk Scan Engine (formerly Joval) has several deployment models: host-based, agentless, and offline. You can use them together in a hybrid deployment model, which is especially helpful for the network infrastructure components of an environment to which you cannot deploy software.

Risk Scan Engine does not require installation or deployment of databases or server infrastructure. Instead, the tool integrates with your existing enterprise reporting and automation systems. For more information about Risk Scan Engine deployment models, see the User Guide included in the zip file for each component you license.

Host-based deployment

In the host-based deployment model, a small Risk Scan Engine software library exists on each endpoint that you want to scan. An existing enterprise-grade deployment and orchestration system is used to distribute this library, together with the relevant security benchmarks and vulnerability definitions, to each participating endpoint. The orchestration system can also start scans and collect the scan results for cataloging in a central result store. Risk Scan Engine implements the scan logic and produces complete, standards-based result information that is lightweight and easy for the central result store to process.
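As an added example (not Risk Scan Engine code and not from this page), the following Python script shows the kind of lightweight processing a central result store can do with standards-based scan output. It assumes the results are delivered as XCCDF 1.2 TestResult documents; the page says only "standards-based", so that format, the benchmark and rule identifiers, the host name and the scores below are all constructed for illustration.

```python
# Added example: summarise an XCCDF 1.2 TestResult as a central result store
# might when it ingests host-based scan output. This is not Risk Scan Engine
# code; XCCDF is assumed as the result format (the page says only
# "standards-based"). The sample document below is constructed, not real output.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample result: one host, four rules, one failure.
SAMPLE_RESULT = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_host1"
              start-time="2023-09-07T10:00:00" end-time="2023-09-07T10:02:00">
    <target>host1.example.internal</target>
    <target-address>10.0.0.5</target-address>
    <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_max_age" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_legacy_service" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
  </TestResult>
</Benchmark>
"""


def summarize_testresult(xml_text):
    """Return target, per-result counts, failed rules and score for the
    first TestResult in an XCCDF 1.2 document."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    tr = root.find(".//x:TestResult", ns)
    if tr is None:
        raise ValueError("no XCCDF TestResult element found")

    target = tr.findtext("x:target", default="", namespaces=ns)
    counts = Counter()
    failed = []  # (rule id, severity) for every rule that failed
    for rr in tr.findall("x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns)
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))

    score_el = tr.find("x:score", ns)
    score = float(score_el.text) if score_el is not None and score_el.text else None
    return {
        "result_id": tr.get("id"),
        "target": target,
        "counts": dict(counts),
        "failed": failed,
        "score": score,
    }


def high_severity_failures(xml_text):
    """Rule ids that failed with severity 'high'; the list a store would alert on."""
    summary = summarize_testresult(xml_text)
    return [rule for rule, sev in summary["failed"] if sev == "high"]


if __name__ == "__main__":
    s = summarize_testresult(SAMPLE_RESULT)
    print(f"{s['target']}: {s['counts']} score={s['score']}")
    print("high-severity failures:", high_severity_failures(SAMPLE_RESULT))
```

Because these documents arrive from every scanned endpoint, the store should treat them as untrusted input: parse with a hardened parser (for example defusedxml in Python) and reject documents whose TestResult target does not match the endpoint the orchestration system actually dispatched the scan to.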

Agentless deployment

In agentless deployments, a Risk Scan Engine-enabled application called a sensor is deployed to one or more hosts that have the network connectivity required to reach the target environment. Sensors can perform credentialed and non-credentialed scans over the network and accommodate complex network topologies, including SOCKS and HTTP proxies and multi-hop SSH gateways. You can also use Risk Scan Engine sensors to generate result transformations that a central result store can process.

Offline scanning deployment

Risk Scan Engine can perform vulnerability and compliance scans against a variety of offline file formats, such as router configurations and Docker images.

Input file formats for offline scanning

Risk Scan Engine supports offline scanning for Cisco and Juniper routers.

For Cisco devices, the target input file must contain output from the show tech-support command or output from any set of commands in that same format. At a minimum, include the following commands in the output file:

For Juniper devices, include output from the request support information command.

Risk Scan Engine can then scan the captured output file instead of connecting to the device. Treat these capture files as sensitive: both commands include the device's full configuration, which contains credentials, key material and SNMP community strings, so store and transfer them with the same care as the device itself.
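As an added example (not Risk Scan Engine code and not from this page), the following Python script checks a Cisco capture file before it is handed to the scanner: it splits the file into the per-command sections that show tech-support output delimits with dashed header lines, reports which required commands are missing, and flags configuration lines that carry secrets. The sample capture, the device name and the required-command list are constructed for illustration; substitute the minimum command list from the Risk Scan Engine User Guide, which this page does not reproduce. The header format assumed is the IOS-style "------------------ show version ------------------" line.

```python
# Added example: validate an offline Cisco capture file before scanning.
# Not Risk Scan Engine code. Assumes IOS-style show tech-support section
# headers ("------------------ show <command> ------------------"); the
# sample capture and the REQUIRED list below are constructed placeholders.
import re

# A dashed header line wrapping a "show ..." command starts each section.
SECTION_RE = re.compile(r"^-{3,}\s*(show\s+.+?)\s*-{3,}\s*$")

# Configuration lines that carry credentials or shared secrets.
SENSITIVE_RE = re.compile(
    r"^(enable (secret|password)|snmp-server community|"
    r"username \S+ .*(password|secret)|"
    r"tacacs-server (host \S+ )?key|radius-server (host \S+ )?key)\b",
    re.IGNORECASE,
)

# Placeholder list: replace with the minimum commands from the User Guide.
REQUIRED = ["show version", "show running-config", "show interfaces"]

# Constructed sample capture (not real device output).
SAMPLE_CAPTURE = """\
------------------ show version ------------------

Cisco IOS Software (constructed sample)
------------------ show running-config ------------------

Building configuration...
hostname edge-rtr-1
enable secret 5 $1$abcd$constructedsamplehash
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
------------------ show interfaces ------------------

GigabitEthernet0/0 is up, line protocol is up
"""


def split_sections(text):
    """Map each 'show ...' command to the body of its section."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(m.group(1).split())  # normalise spacing
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return {cmd: "\n".join(body).strip() for cmd, body in sections.items()}


def missing_sections(text, required):
    """Required commands that have no section in the capture, in order."""
    present = set(split_sections(text))
    return [cmd for cmd in required if cmd not in present]


def sensitive_lines(text):
    """(section, line) pairs for configuration lines that carry secrets."""
    hits = []
    for cmd, body in split_sections(text).items():
        for line in body.splitlines():
            if SENSITIVE_RE.match(line.strip()):
                hits.append((cmd, line.strip()))
    return hits


if __name__ == "__main__":
    print("sections:", sorted(split_sections(SAMPLE_CAPTURE)))
    print("missing:", missing_sections(SAMPLE_CAPTURE, REQUIRED + ["show inventory"]))
    for cmd, line in sensitive_lines(SAMPLE_CAPTURE):
        print(f"secret in '{cmd}': {line}")
```

Run the missing-section check on every capture before it enters a scanning pipeline, so a truncated or partial capture fails early rather than producing a silently incomplete assessment; the secret check is a reminder of what the file contains, not a substitute for scanning the full, unredacted capture, since removing lines such as "enable secret" would also remove findings the scanner is meant to raise.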
