Firewall Allowlist for Cybrium Scanners
Cybrium's continuous network scanners run from a fixed set of egress IPs. Add them to your firewall, WAF, and IDS allowlists so scans aren't blocked or flagged as adversary activity.
Live IP list: https://app.cybrium.ai/scanner-egress — this is the canonical source of truth. Cite this URL in your change-management tickets.
We notify customers at least 14 days before any IP rotates. Subscribe to platform status to receive rotation notices.
How to use this page
- Open https://app.cybrium.ai/scanner-egress and copy the IPv4 + IPv6 ranges.
- Substitute them into the rule snippets below for your platform.
- Apply the rules to ingress on every perimeter device that protects assets you've registered as continuous scan targets.
We use the placeholder 203.0.113.0/29 (TEST-NET-3, RFC 5737) in examples below — replace it with the real ranges from the live page.
AWS Security Group
Add an inbound rule that allows Cybrium IPs on the ports you've registered for scanning.
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxx \
  --ip-permissions '[{
    "IpProtocol": "tcp",
    "FromPort": 1,
    "ToPort": 65535,
    "IpRanges": [
      {"CidrIp": "203.0.113.0/29", "Description": "Cybrium continuous scanner egress"}
    ]
  }]'
For a stricter allow (only the ports you actually expose), narrow FromPort / ToPort.
Azure NSG
az network nsg rule create \
  --resource-group <rg> \
  --nsg-name <nsg> \
  --name allow-cybrium-scanners \
  --priority 200 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes 203.0.113.0/29 \
  --destination-port-ranges '*' \
  --description "Cybrium continuous scanner egress"
GCP Firewall
gcloud compute firewall-rules create allow-cybrium-scanners \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp \
  --source-ranges=203.0.113.0/29 \
  --description="Cybrium continuous scanner egress"
Cloudflare
In Security → WAF → Custom Rules, add an Allow rule:
(ip.src in {203.0.113.0/29})
Set the action to Skip and tick all WAF + Bot Fight modules so Cybrium reaches origin without being challenged.
Palo Alto / PAN-OS
set address Cybrium-Scanners ip-netmask 203.0.113.0/29
set address-group Cybrium-Scanners-Group static [ Cybrium-Scanners ]
set rulebase security rules Allow-Cybrium-Scanners from any to any source Cybrium-Scanners-Group destination any application any service any action allow
Fortinet / FortiGate
config firewall address
    edit "Cybrium-Scanners"
        set subnet 203.0.113.0/29
    next
end
config firewall policy
    edit 0
        set name "Allow-Cybrium-Scanners"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "Cybrium-Scanners"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Cybrium continuous scanner egress"
    next
end
On-prem appliances (generic iptables)
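iptables -A INPUT -s 203.0.113.0/29 -j ACCEPT
ip6tables -A INPUT -s <ipv6-range> -j ACCEPT
Rules added with -A are appended to the end of the chain, so they only take effect if no earlier rule in INPUT already drops or rejects the traffic.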
IDS / NDR — suppress alerts
Snort / Suricata:
suppress gen_id 1, sig_id 0, track by_src, ip 203.0.113.0/29
Splunk / SIEM detection rules: scope the source-IP allowlist to the ranges from the live page, so that alerts aren't suppressed for adversary scans that happen to share a port.
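One way to audit a configured allowlist against the ranges copied from the live page, as an added example (not Cybrium's code). The function names and input lists are assumptions, and the sample ranges are constructed from documentation prefixes; it reports published ranges that are not covered, entries left over after a rotation, and entries wider than the published ranges.

```python
import ipaddress

def _by_version(cidrs):
    """Parse CIDR strings and merge adjacent/overlapping networks per IP version."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return {v: list(ipaddress.collapse_addresses(n for n in nets if n.version == v))
            for v in (4, 6)}

def audit_allowlist(published, configured):
    """Compare configured allowlist CIDRs with the published scanner ranges.

    missing   - published ranges not fully covered (scans would be blocked)
    stale     - configured entries matching no published range (e.g. after a rotation)
    overbroad - configured entries that allow more than the published ranges
    Entries are reported in merged form, so two adjacent /30s appear as one /29.
    """
    pub, cfg = _by_version(published), _by_version(configured)
    report = {"missing": [], "stale": [], "overbroad": []}
    for v in (4, 6):
        for p in pub[v]:
            if not any(p.subnet_of(c) for c in cfg[v]):
                report["missing"].append(str(p))
        for c in cfg[v]:
            if not any(c.overlaps(p) for p in pub[v]):
                report["stale"].append(str(c))
            elif not any(c.subnet_of(p) for p in pub[v]):
                report["overbroad"].append(str(c))
    return report

if __name__ == "__main__":
    # Constructed sample data: placeholder ranges, not real Cybrium egress IPs.
    published = ["203.0.113.0/29", "2001:db8:100::/64"]
    configured = ["203.0.113.0/24", "198.51.100.8/29", "2001:db8:100::/64"]
    for finding, nets in audit_allowlist(published, configured).items():
        print(f"{finding}: {', '.join(nets) or 'none'}")
```

Running it after each rotation notice shows which old entries to remove and which new ranges still need a rule.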
FAQ
Why do my IDS alerts fire when Cybrium scans?
That's intentional — the scans look like adversary recon by design. You can either suppress alerts on the published IPs (above) or accept the alerts as a control validation that your IDS works.
Will the IPs ever change?
Rarely. We post a 14-day notice on the live page and email all customers before any rotation.
Can I get a per-tenant dedicated IP?
Yes — Enterprise plans include a dedicated /29 egress range. Contact your account team.