Deploy the SWARM


How SWARM engagements work

The first phase is the recon phase, where SWARM will use CANVAS recon modules in order to collect information about the target systems:

  • FTP server information
  • Web server information
  • TELNET & SSH server information
  • RPC information

Immunity recommends you record the SWARM IPs in your IPS/IDS and any event tracking system, to prevent undue excitement in your incident response team.

Keep in mind that SWARM models the actions of a malicious Internet environment against your network periphery: everything that SWARM does is being done to your network every day.

The second phase is the penetration testing phase, where SWARM will use the information collected in order to determine and verify vulnerabilities on the target systems. It does this by running CANVAS exploits:

  • Padding Oracle exploit against .NET applications
  • Multiple JBoss exploits against any and all potential JBoss servers
  • Multiple ColdFusion exploits against ColdFusion applications
  • Multiple Joomla exploits against Joomla installations
  • Multiple exploits against vulnerable FTP servers
  • Multiple exploits against vulnerable Telnet/SSH servers
  • Multiple exploits against RPC servers
  • Multiple exploits against Web servers

SWARM focuses on the CANVAS exploits which allow for direct, remote access to remote servers – the very ones that pose the most risk to your organization. Immunity has a long history of penetration testing and these are the exploits we’ve found most applicable to a typical attack against a periphery.

Immunity personnel will monitor the actions of SWARM and are able to stop the scan at any time.


A default SWARM can scan around a thousand IPs a minute, although this can be accelerated at additional cost for extremely time-sensitive engagements.

Data Mining

The Immunity team will then look over the data SWARM has gathered, to provide potential avenues for an additional SWARM run, with perhaps a new security check, or a different configuration. The database created is extremely useful for follow-on engagements which focus on newly emerging threats.

WebSiege Application Scanning

Additionally, a common follow-on engagement is to run WebSiege to find SQL Injection vulnerabilities in every publicly accessible web application.

Finally, a report is produced that explains our results and indicates possible courses of action.

Keep in mind that the time estimates given here can vary and depend on the behavior of your network.

For additional product questions, to schedule a demo, or to purchase SWARM, please contact us:
By Phone: 786-220-0600 (Monday - Friday between 9am - 5pm Eastern Time)
Or Email: sales@immunityincdotcom.