System Requirements
This page lists the platforms, browsers, and network ports AlloyScan needs in order to run.
Supported browsers
The AlloyScan web UI supports the latest two stable releases of the following browsers.
| Browser | Notes |
|---|---|
| Microsoft Edge | Latest two stable releases |
| Google Chrome | Latest two stable releases |
| Mozilla Firefox | Latest two stable releases |
| Apple Safari | Latest two stable releases |
Mobile browsers (Safari on iOS, Chrome and Edge on Android) are in beta. The primary AlloyScan experience is desktop.
AlloyScan platform
AlloyScan is delivered as SaaS (*.alloyservice.com) and as on-premise deployments. The frontend and backend services are hosted by Alloy Software for SaaS or by you for on-premise. End-user requirements stop at a supported browser.
Audit Service
The Audit Service is the lightweight Windows service that performs agentless scan and audit from inside your network.
| Requirement | Value |
|---|---|
| Operating system (production) | Windows Server 2016 or later |
| Operating system (evaluation) | Windows 10 or later |
| .NET runtime | .NET Framework 4.8.1 or later |
| PowerShell | PowerShell 5.1 |
| Network | Outbound HTTPS (TCP 443) to the AlloyScan instance |
| Local storage | Local disk for the encrypted credentials pool |
Audit Agent
The Audit Agent is the optional per-endpoint service installed on devices that do not stay on the internal network.
| Operating system family | Supported versions |
|---|---|
| Windows | Windows 10 or later, Windows Server 2016 or later |
| macOS | Mac OS X 10.7 or later |
| Linux | Debian-derived and Red-Hat-derived distributions |
The agent requires only outbound TCP 443 (HTTPS). No inbound firewall rules are required on the endpoint.
Hypervisor and cloud audit
| Platform | Status |
|---|---|
| VMware ESXi | Supported end to end (ESXi 3.5 U5+ per public documentation) |
| Microsoft Hyper-V | In documented taxonomy (Server 2016+) — details may vary by deployment |
| Citrix XenServer | In documented taxonomy (5.6.1 SP2+) — details may vary by deployment |
| Xen | In documented taxonomy (3.1+) — details may vary by deployment |
| AWS, Azure, Google | Available as Preview cloud Segments |
Preview: Cloud Segments (AWS, Azure, Google) are in preview and subject to change.
Required ports
The Audit Service uses the following ports to reach audit targets. These ports must be open between the Audit Service host and the relevant devices.
Agentless audit (Audit Service to targets)
| Target | Protocol / Port | Purpose |
|---|---|---|
| Windows | TCP 5985 | WinRM (primary) |
| Windows | TCP 135 / 139 / 445 / 88 / 389 | Fallback and Active Directory authentication |
| Linux / macOS | TCP 22 | SSH |
| VMware ESXi | TCP 80 / 443 / 902 | ESXi APIs |
| SNMP devices | UDP 161 | SNMP |
| NAS | TCP 139 | NetBIOS over TCP |
Network discovery broadcast
| Protocol / Port | Purpose |
|---|---|
| UDP 53 | DNS broadcast |
| UDP 137 / 138 | NetBIOS name service |
| ICMPv4 | Recommended for reachability checks |
Audit Agent (endpoint outbound)
| Protocol / Port | Purpose |
|---|---|
| TCP 443 | HTTPS to the AlloyScan instance — outbound only |
Note: Windows targets must be in the same Active Directory domain as the Audit Service host for agentless scan. Cross-domain or workgroup targets require an Audit Agent instead.
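The following PowerShell preflight is an added example, not part of the AlloyScan product or its documentation. Run from the Audit Service host, it checks the TCP ports from the agentless audit table against a list of targets; the host names are constructed placeholders and `Test-TcpPort` is a hypothetical helper defined in the script. UDP 161 and the discovery broadcast ports are not covered, because a TCP connect test cannot verify them.

```powershell
# Added example. TCP ports per target type, copied from the agentless audit table.
$RequiredTcp = @{
    Windows = @(5985, 135, 139, 445, 88, 389)   # 5985 = WinRM (primary), rest = fallback / AD auth
    Unix    = @(22)                             # Linux / macOS over SSH
    ESXi    = @(80, 443, 902)
    NAS     = @(139)
}

# Constructed placeholder targets; replace with hosts you intend to audit.
$Targets = @(
    [pscustomobject]@{ Name = 'win01.example.internal'; Type = 'Windows' }
    [pscustomobject]@{ Name = 'lnx01.example.internal'; Type = 'Unix' }
    [pscustomobject]@{ Name = 'esx01.example.internal'; Type = 'ESXi' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws when the connection is refused.
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $Targets) {
    foreach ($port in $RequiredTcp[$t.Type]) {
        [pscustomobject]@{
            Target = $t.Name
            Type   = $t.Type
            Port   = $port
            Open   = (Test-TcpPort -ComputerName $t.Name -Port $port)
        }
    }
}

$results | Format-Table -AutoSize

# List the target/port pairs that could not be reached from this host.
$blocked = $results | Where-Object { -not $_.Open }
foreach ($b in $blocked) {
    Write-Warning ("{0}: TCP {1} not reachable from {2}" -f $b.Target, $b.Port, $env:COMPUTERNAME)
}
```

A port reported as not reachable can mean either a firewall block or a service that is not listening on the target. When requesting firewall changes from the results, scope each allow rule to the Audit Service host as the source rather than opening the port network-wide.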
License and quotas
Quotas are set at the instance level on the License and propagate to each Site through per-site Max caps.
| Quota | Notes |
|---|---|
| Nodes (audited devices) | Hard cap; instance value can be Unlimited |
| Users | Hard cap; instance value can be Unlimited |
| Audits per month | Soft cap; resets on the recharge day |
| API transactions per month | Soft cap; resets on the recharge day |
Per-site caps appear on Admin Center > Site Settings > Limits and usage. A per-site Max = 0 means "no per-site cap — inherit from the instance value".
Credential storage
Credentials used by the Audit Service (Windows, Linux and macOS, Hypervisor, SNMP, AWS, Azure, Google) are stored encrypted on the Audit Service host. Per the public documentation, credentials never leave the local network. The credential form does not display stored secrets; to change a password, you enter a new one.