Configuring the Ethiack Beacon

The Ethiack Beacon allows your organization to extend testing to multiple internal networks. Here's how to configure it.

If your organization's plan supports the Ethiack Beacon, you can click the Beacons button on your assets page, or go directly to https://portal.ethiack.com/assets/beacons. The Ethiack Beacon is powered by the open-source WireGuard technology for improved security and performance.

Configuration


1. Configure a VM or a machine with the following requirements:

  • Debian-based Linux distribution (others should work too)
  • Docker
  • 2GB RAM
  • 2 vCPU

2. Run our checker or the following command on the machine you will use as the beacon.

curl https://portal.ethiack.com/scripts/beacon/checker | bash


3. Click the Add button and fill in the required information provided by the checker:

  • Name: a unique name for this beacon. Examples: beacon-office-1, beacon-cloud-tier-1
  • Endpoint address: The public IP address or hostname of your beacon VM or server
  • Endpoint port: The UDP port that will be used to give our engine access to the internal network. This port must be forwarded to your server and reachable from the Internet. We can assist you in creating this firewall rule on your cloud. For example, you may only need to allow Ethiack IP addresses to connect to this port. Our checker will also validate that this port is open and reachable.
  • Network (CIDR): The internal network range that the Beacon will be authorized to access. This doesn't mean we will test every single asset in this range; it's simply an authorization.
  • Network interface: The network interface used to resolve hosts in the internal network range.
  • DNS Server: This is an optional field. Please leave it blank if you are only interested in testing internal IP addresses. However, an internal DNS server is a huge plus, because it allows us to perform reconnaissance and vulnerability identification in internal web apps. This DNS server must be reachable from the Beacon VM or server.

4. Click the Generate button. A ZIP file will be generated and should be uploaded to your VM or server via SFTP or similar.

5. Extract the ZIP file on your server and run the start.sh script:

unzip ethiack-beacon-internal.zip && ./start.sh

6. If all goes well, the beacon will come online after a few minutes.
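
Because the Network (CIDR) field in step 3 is an authorization, it is worth confirming the range is as narrow as intended before submitting it. The following is an added example, not Ethiack tooling: it checks that a candidate value is well-formed, aligned to its prefix, and wholly inside RFC 1918 private space, and reports how many addresses it covers. The function names, the sample ranges, and the assumption that your internal network uses RFC 1918 IPv4 addressing are ours.

```sh
#!/bin/sh
# Added example, not Ethiack code. Assumes RFC 1918 IPv4 addressing internally.

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() (
  case "$1" in ""|*[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    # Reject leading zeros (shell arithmetic would read them as octal).
    case "$o" in 0?*|????*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_beacon_cidr NET/PREFIX
# Prints how many addresses the range authorizes. Exit status:
#   0 ok, 2 malformed, 3 host bits set, 4 not wholly inside RFC 1918 space.
check_beacon_cidr() (
  case "$1" in */*) ;; *) echo "not CIDR notation: $1" >&2; exit 2 ;; esac
  net=${1%/*}; len=${1#*/}
  case "$len" in ""|*[!0-9]*|0?*|???*) echo "bad prefix: $len" >&2; exit 2 ;; esac
  [ "$len" -le 32 ] || { echo "bad prefix: $len" >&2; exit 2; }
  ip=$(ip_to_int "$net") || { echo "bad address: $net" >&2; exit 2; }
  size=$(( 1 << (32 - len) ))
  if [ $(( ip & (size - 1) )) -ne 0 ]; then
    echo "$1 is not aligned to /$len" >&2; exit 3
  fi
  last=$(( ip + size - 1 ))
  for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    lo=$(ip_to_int "${block%/*}")
    hi=$(( lo + (1 << (32 - ${block#*/})) - 1 ))
    if [ "$ip" -ge "$lo" ] && [ "$last" -le "$hi" ]; then
      echo "$size"; exit 0
    fi
  done
  echo "$1 is not inside RFC 1918 private space" >&2; exit 4
)

# Constructed sample values, not taken from the page.
for candidate in 10.20.0.0/24 192.168.0.0/16 10.20.0.5/24 203.0.113.0/24; do
  if n=$(check_beacon_cidr "$candidate"); then
    echo "$candidate: OK, authorizes $n addresses"
  fi
done
```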



Adding internal assets


Now that the beacon is configured, you must add internal assets. Go to your machine event scope by clicking the Details button on your dashboard and then Edit. Here, you can add private domains or private IP addresses. Wildcards are supported, too, if you added a valid internal DNS server to this beacon.

Note: At this moment, we don't sweep IP ranges to discover live hosts. You must manually add each IP address, private subdomain, or wildcard internal domain.


You are all set! Internal assets will start to be tested soon. Keep an eye on your inbox for new findings.