All posts
September 10, 20251 min read

Scanning Trust Boundaries with Identity-Aware Proxy and Nmap

The port was open, but no one knew who was knocking. That’s the problem with scanning and protecting modern services. A standard port scan can tell you what’s exposed, but it can’t tell you who’s allowed in. That’s where Identity-Aware Proxy (IAP) meets Nmap — and things change fast. What is an Identity-Aware Proxy in this context? An Identity-Aware Proxy sits between the user and your application. It checks identity before granting access, often using SSO, OAuth, or other strong authenticatio

Free White Paper

Trust Boundaries + Pomerium (Zero Trust Proxy): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The port was open, but no one knew who was knocking.

That’s the problem with scanning and protecting modern services. A standard port scan can tell you what’s exposed, but it can’t tell you who’s allowed in. That’s where Identity-Aware Proxy (IAP) meets Nmap — and things change fast.

What is an Identity-Aware Proxy in this context?
An Identity-Aware Proxy sits between the user and your application. It checks identity before granting access, often using SSO, OAuth, or other strong authentication methods. Unlike traditional firewalls or network ACLs, IAP doesn’t just block based on IP or port — it decides based on who is making the request.

Why combine IAP with Nmap?
Nmap is the trusted tool for network discovery and port scanning. But running Nmap against a service protected by an Identity-Aware Proxy yields a different view of the surface. If the scanner is unauthenticated, the service may appear closed or filtered. If authenticated, you can map the application layer just as you would with an open port — but with a context: identity-gated access that limits exposure.

Continue reading? Get the full guide.

Trust Boundaries + Pomerium (Zero Trust Proxy): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

This combination is about visibility and truth.
You can:

  • Confirm which services are truly public vs. identity-gated.
  • Test how your IAP responds to different scan profiles.
  • Detect misconfigurations where a supposedly protected service is still exposed.
  • Audit apps that have inconsistent authentication enforcement.

How to Approach an IAP + Nmap Workflow

  1. Enumerate targets as usual with Nmap, but note filtered or closed responses.
  2. Use an identity-aware tunnel or auth proxy access to rerun scans as an authenticated user.
  3. Compare the two datasets. Differences reveal your true attack surface.
  4. Test multiple roles or accounts to validate role-based restrictions.

Security depends on knowing what the world can see and what your users can see. If your perimeter logic is based on trust alone, it will fail. If it’s based on verified user identity before network access, you drastically cut down unwanted exposure.

The rise of Identity-Aware Proxies makes traditional port scanning incomplete unless identity is in scope. By using Nmap alongside authenticated sessions, you don’t just scan ports — you scan trust boundaries.

See how you can set up an identity-aware reverse proxy, connect it to your services, and run meaningful scans in minutes. Try it live with hoop.dev and experience the difference between scanning a port and scanning through a real identity gate.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts