How Google’s Open‑Source Tsunami Scanner Secures Massive Enterprise Networks
Google has open‑sourced a large‑scale vulnerability scanner called Tsunami, designed for enterprise networks with thousands of devices, featuring a two‑part architecture, extensible plugins, and a focus on accurate, high‑severity vulnerability detection to reduce false positives and alert fatigue.
Background
Google search results often surface tutorials, tips, and code snippets, but many of them contain flawed database statements: 16 out of 30 results examined had SQL‑injection vulnerabilities, so any program that reuses such code inherits the flaw.
Google’s Open‑Source “Tsunami” Scanner
Google recently open‑sourced a vulnerability‑scanning tool for large enterprise networks, built to handle thousands to millions of IoT devices. It had been used internally for a month before its public release.
Architecture
Tsunami consists of two main components plus an extensible plugin mechanism. The first component is the scanner (recon module): it probes for open ports, tests each one, and attempts to identify the service and protocol running behind it, so that later checks are not run against a mislabeled service.
The port‑fingerprinting step is based on the industry‑standard nmap engine. The second component takes the recon results, selects the vulnerability checks that apply to the services found, and runs them to determine whether each device is actually vulnerable.
Vulnerability verification is performed by plugins, so security teams can add checks for new attack vectors without changing the core scanner.
Built‑in Plugins
Exposed sensitive UIs: web interfaces of applications such as Jenkins, Jupyter, and Hadoop YARN that are reachable without authentication, which lets an attacker execute commands through them.
Weak credentials: Tsunami uses tools such as ncrack to detect weak passwords on protocols like SSH, FTP, RDP, and MySQL.
Future Plans
Google will enhance Tsunami in the coming months by adding new plugins, all of which will be released on GitHub.
Goals
The primary goal is high‑accuracy vulnerability detection for large‑scale networks, minimizing false positives that could trigger mass patching and cause network outages. To reduce alert fatigue, Tsunami focuses on high‑risk, weaponisable vulnerabilities rather than scanning every possible issue.
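The following is an added example, not Tsunami's own code, illustrating the two‑phase design described under Architecture and Built‑in Plugins and the accuracy goal stated above: recon fingerprints feed a plugin selector, only plugins registered for the detected service run, and a plugin reports only after verifying the condition rather than inferring it from a banner. Every host, port, response body, and the plugin name are constructed for the example; the Jenkins marker path and JSON keys are assumptions chosen for illustration.

```python
"""Toy model of a recon-then-verify scanner pipeline (added example, not
Tsunami's code). Recon results and HTTP responses below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetworkService:
    """One result of the recon phase: a fingerprinted open port."""
    host: str
    port: int
    protocol: str   # transport, e.g. "tcp"
    service: str    # fingerprint label, e.g. "http" or "ssh"
    banner: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str   # only CRITICAL/HIGH findings are emitted by the pipeline
    evidence: str


# (host, port, path) -> (status, body). Injected so the example runs offline.
Fetcher = Callable[[str, int, str], Tuple[int, str]]


@dataclass(frozen=True)
class DetectorPlugin:
    name: str
    target_services: Set[str]   # recon fingerprints this plugin applies to
    check: Callable[[NetworkService, Fetcher], Optional[Finding]]


def detect_unauth_jenkins(svc: NetworkService, fetch: Fetcher) -> Optional[Finding]:
    """Report only when the management API answers an anonymous request.
    The path and JSON keys are assumptions for this example."""
    status, body = fetch(svc.host, svc.port, "/api/json")
    if status == 200 and '"jobs"' in body and '"_class"' in body:
        return Finding(svc.host, svc.port,
                       "Jenkins UI reachable without authentication",
                       "CRITICAL", "anonymous GET /api/json returned 200 with job list")
    # 401/403/404 or a login page: open port and banner alone are not enough
    return None


PLUGINS: List[DetectorPlugin] = [
    DetectorPlugin("unauth_jenkins_ui", {"http"}, detect_unauth_jenkins),
]


def select_plugins(svc: NetworkService, plugins: List[DetectorPlugin]) -> List[DetectorPlugin]:
    """Phase two, step one: pick only the checks that match the fingerprint."""
    return [p for p in plugins if svc.service in p.target_services]


def run_scan(services: List[NetworkService], plugins: List[DetectorPlugin],
             fetch: Fetcher) -> List[Finding]:
    """Phase two, step two: run the selected checks; keep only high-risk, verified hits."""
    findings: List[Finding] = []
    for svc in services:
        for plugin in select_plugins(svc, plugins):
            finding = plugin.check(svc, fetch)
            if finding is not None and finding.severity in ("CRITICAL", "HIGH"):
                findings.append(finding)
    return findings


# Constructed recon output: two hosts with identical banners, one SSH host.
RECON_RESULTS = [
    NetworkService("10.0.0.5", 8080, "tcp", "http", "Jetty(9.4)"),
    NetworkService("10.0.0.6", 8080, "tcp", "http", "Jetty(9.4)"),
    NetworkService("10.0.0.7", 22, "tcp", "ssh", "OpenSSH_8.2"),
]

# Constructed responses: only 10.0.0.5 serves the API anonymously.
CONSTRUCTED_RESPONSES = {
    ("10.0.0.5", 8080, "/api/json"): (200, '{"_class":"hudson.model.Hudson","jobs":[{"name":"build"}]}'),
    ("10.0.0.6", 8080, "/api/json"): (403, '{"message":"Authentication required"}'),
}


def fake_fetch(host: str, port: int, path: str) -> Tuple[int, str]:
    return CONSTRUCTED_RESPONSES.get((host, port, path), (404, ""))


if __name__ == "__main__":
    for f in run_scan(RECON_RESULTS, PLUGINS, fake_fetch):
        print(f"{f.severity} {f.host}:{f.port} {f.title} ({f.evidence})")
```

A banner‑driven scanner would flag both 8080 hosts because their fingerprints are identical; here only 10.0.0.5 is reported, because the plugin confirms the unauthenticated response before emitting a finding, and the SSH host is never handed to the web‑UI plugin at all. That selection‑then‑verification split is what keeps the output small enough to act on.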
Adoption
Shortly after release, Tsunami topped GitHub’s weekly trending list, accumulating over 4,400 stars and 362 forks. The project is maintained by the open‑source community, similar to Kubernetes.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO