Tsunami is a security vulnerability scanner designed for very large networks – originally created by Google for scanning their own huge network.

Google has now released Tsunami as an open source project – it is under active development and users are warned to expect significant changes in future releases.

Security Managers responsible for very large networks with thousands or even hundreds of thousands of devices face a unique set of challenges.  One of them being the pain and wasted time that results from false positive results when running vulnerability scans.  Tsunami was created to address this problem by excelling at detecting high severity vulnerabilities, with very low false positive rates, in extremely large networks, very quickly.

Google states in the project documentation:

As attackers increasingly invest in automation, the time window to react to a newly released, high severity vulnerability is usually measured in hours. This poses a significant challenge for large organizations with thousands or even millions of internet-connected systems. In such hyperscale environments, security vulnerabilities must be detected and ideally remediated in a fully automated fashion. To do so, information security teams need to have the ability to implement and roll out detectors for novel security issues at scale in a very short amount of time. Furthermore, it is important that the detection quality is consistently very high. To solve these challenges, we created Tsunami – an extensible network scanning engine for detecting high severity vulnerabilities with high confidence in an unauthenticated manner.

Following a model similar to the creation of Kubernetes, Tsunami will not be a Google branded product and it has been open sourced under the Apache 2.0 license.

Tsunami has a two part architecture, with a core scanning engine (which is an enhanced flavour of NMAP) and a range of plug-ins which test for specific vulnerabilities. Both exist as projects on Github.