Vulnerability Management in Air-Gapped Environments: A Practical Guide

How to manage vulnerabilities in air-gapped and isolated networks. Learn about offline KEV tracking, manual knowledge base sync, and SentriKat's approach to vulnerability management without internet access.

Denis Sota · 5 min read

Air-gapped environments — networks with no direct internet connectivity — are common in critical infrastructure, defense, government agencies, financial institutions, and industrial control systems. These networks exist for good reason: isolation is one of the most effective security controls available.

But isolation creates a challenge: how do you keep track of known vulnerabilities when your systems can’t reach the internet?

Most vulnerability scanners assume internet connectivity. They need to download signature updates, sync with cloud platforms, and phone home for licensing. In an air-gapped environment, these tools either don’t work at all or require complex workarounds.

The air-gapped vulnerability management challenge

In a connected environment, vulnerability management follows a straightforward workflow:

  1. Scanner downloads latest vulnerability signatures
  2. Scanner scans your systems
  3. Results are uploaded to a cloud dashboard
  4. Team triages and remediates

In an air-gapped environment, every step becomes manual:

  1. Download vulnerability data on a connected system
  2. Transfer it to the isolated network via approved media (USB, optical disc, data diode)
  3. Import it into your scanning tool
  4. Run the scan locally
  5. Export results for reporting (if needed outside the air gap)

This manual process is error-prone, time-consuming, and often falls behind. Many air-gapped environments end up with vulnerability data that’s weeks or months out of date.

The CISA KEV approach: reducing the problem

Here’s where the CISA Known Exploited Vulnerabilities (KEV) catalog changes the equation. Instead of syncing 250,000+ CVE definitions, you only need to track ~1,484 actively exploited vulnerabilities.

This reduction matters enormously in air-gapped environments:

  • Smaller data transfers: The KEV catalog is a single JSON file, a few megabytes in size
  • Less frequent updates: CISA adds 2-5 new KEVs per week, vs. dozens of CVEs daily in the NVD
  • Clearer prioritization: Every entry in the KEV catalog has confirmed exploitation and a remediation deadline
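As an added illustration (not SentriKat code), the following Python sketch shows what an operator can check once a KEV JSON file has been carried across the air gap: that the file is complete, how old it is, which entries are new since the last import, and which remediation deadlines have passed. The sample catalog is constructed with placeholder CVE IDs; the field names follow the public KEV JSON layout, and the 7-day threshold is an assumption taken from the weekly cadence recommended in this article.

```python
import json
from datetime import date

MAX_AGE_DAYS = 7  # assumption: weekly sync cadence recommended in this article

# Constructed sample in the public KEV JSON layout; the CVE IDs are placeholders.
SAMPLE_KEV = json.dumps({
    "catalogVersion": "2026.03.02",
    "dateReleased": "2026-03-02T15:00:00.000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-10", "dueDate": "2026-01-31"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-20", "dueDate": "2026-03-13"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-02", "dueDate": "2026-03-23"},
    ],
})


def load_catalog(raw):
    """Parse a KEV export and reject a file truncated or damaged in transfer."""
    catalog = json.loads(raw)
    entries = catalog["vulnerabilities"]
    if catalog["count"] != len(entries):
        raise ValueError(f"count says {catalog['count']}, file holds {len(entries)}")
    return catalog


def review(catalog, last_sync, today):
    """Summarise what an operator needs to know after importing the file."""
    released = date.fromisoformat(catalog["dateReleased"][:10])
    entries = catalog["vulnerabilities"]
    age = (today - released).days
    return {
        "age_days": age,
        "stale": age > MAX_AGE_DAYS,
        # Entries CISA added after the previous import: new triage work.
        "new": sorted(e["cveID"] for e in entries
                      if date.fromisoformat(e["dateAdded"]) > last_sync),
        # Entries whose remediation deadline has passed: check these hosts first.
        "past_due": sorted(e["cveID"] for e in entries
                           if date.fromisoformat(e["dueDate"]) < today),
    }


if __name__ == "__main__":
    report = review(load_catalog(SAMPLE_KEV), date(2026, 2, 15), date(2026, 3, 20))
    print(json.dumps(report, indent=2))
```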

How SentriKat handles air-gapped deployments

SentriKat was designed from the ground up to support air-gapped environments. Here’s how each component works without internet access:

1. Deployment

SentriKat runs entirely on your infrastructure via Docker Compose. The deployment process:

  1. Download the SentriKat Docker images on a connected system
  2. Export them as tar archives: docker save
  3. Transfer to the air-gapped network
  4. Load the images: docker load
  5. Start the application: docker compose up -d

No internet access is required from the air-gapped network at any point.

2. License activation

SentriKat supports offline license activation:

  1. Generate a machine fingerprint from the air-gapped SentriKat instance
  2. Submit the fingerprint via email or the SentriKat portal from a connected system
  3. Receive an offline activation file
  4. Import the activation file into your air-gapped instance

The license is valid for the subscription duration without requiring periodic online verification.

3. KEV knowledge base sync

The SentriKat knowledge base (KEV catalog + vendor advisories + CPE mappings) can be exported and imported as a single file:

  1. On a connected SentriKat instance (or the SentriKat portal), export the latest KB
  2. Transfer the KB file to the air-gapped network
  3. Import via the SentriKat admin interface

We recommend syncing the KB at least weekly to stay current with new KEV additions.
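Both the Docker image transfer in section 1 and the KB transfer above move files across the air gap on removable media, so it is worth verifying them before import. The sketch below is an added example, not part of SentriKat: it builds a SHA-256 manifest on the connected side and checks it on the isolated side. The file names are hypothetical, the file contents are constructed, and it assumes the manifest reaches the isolated network by a path you trust independently of the media (for example signed, or compared by hand).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte image archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(directory):
    """Connected side: record size and SHA-256 of every file staged for transfer."""
    return {p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


def verify_transfer(directory, manifest):
    """Air-gapped side: list every discrepancy; an empty list means safe to import."""
    problems = []
    present = {p.name for p in Path(directory).iterdir() if p.is_file()}
    for name in sorted(present - set(manifest)):
        problems.append(f"unexpected file: {name}")
    for name, meta in sorted(manifest.items()):
        path = Path(directory) / name
        if name not in present:
            problems.append(f"missing: {name}")
        elif path.stat().st_size != meta["size"]:
            problems.append(f"size mismatch: {name}")
        elif sha256_file(path) != meta["sha256"]:
            problems.append(f"hash mismatch: {name}")
    return problems


def demo():
    """Constructed scenario: a clean transfer, then one altered and one stray file."""
    with tempfile.TemporaryDirectory() as staged:
        # Hypothetical file names standing in for a docker save archive and a KB export.
        (Path(staged) / "sentrikat-images.tar").write_bytes(b"constructed image archive")
        (Path(staged) / "kb-export.bin").write_bytes(b"constructed KB export")
        manifest = build_manifest(staged)
        clean = verify_transfer(staged, manifest)
        (Path(staged) / "kb-export.bin").write_bytes(b"constructed KB exporT")
        (Path(staged) / "extra-file.bin").write_bytes(b"x")
        return clean, verify_transfer(staged, manifest)
```

Run the import step (docker load, or the KB import in the admin interface) only when verify_transfer returns an empty list.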

4. Agent communication

SentriKat agents communicate only with your local SentriKat server — never with any external service. In an air-gapped environment, agents connect to the SentriKat instance on your internal network. No firewall exceptions for external addresses are needed.

5. Backup and restore

SentriKat includes built-in backup and restore functionality. Backups can be stored on the local filesystem or transferred to external storage via your approved data transfer procedures.

Best practices for air-gapped vulnerability management

Based on our experience with air-gapped deployments, here are practical recommendations:

Establish a regular sync cadence

  • Weekly minimum: Sync the KEV knowledge base at least once per week
  • After major incidents: When CISA adds emergency KEV entries (which they announce publicly), sync as soon as practical
  • Document the process: Create a step-by-step procedure for KB sync that any authorized operator can follow

Use the three-tier confidence system

SentriKat’s three-tier confidence system (Affected / Likely Resolved / Resolved) is especially valuable in air-gapped environments. Even if your KB is a few days behind, the confidence tiers provide context:

  • AFFECTED: This vulnerability has no known vendor fix — investigate immediately
  • LIKELY RESOLVED: A vendor fix exists but hasn’t been verified on this endpoint — check the installed version
  • RESOLVED: The fix is confirmed via version comparison — no action needed

Leverage compliance reporting

NIS2 Article 21 and CISA BOD 22-01 compliance reports can be generated entirely within the air-gapped environment and exported as PDFs for external reporting needs.

Plan for updates

When SentriKat releases software updates, the same Docker image transfer process applies. We recommend testing updates in a staging environment before deploying to production — which is standard practice in air-gapped environments.

Conclusion

Air-gapped vulnerability management doesn’t have to mean flying blind. By focusing on the CISA KEV catalog instead of the entire NVD, and using a tool designed for offline operation, you can maintain effective vulnerability oversight even in the most isolated environments.

SentriKat’s air-gapped deployment model is included in every Pro license at no additional cost. Request a demo to see how it works with your infrastructure.