Active scanning, no agent required
Host discovery and concurrent port scanning, then deep probes: TLS protocol versions and cipher suites, negotiated groups and curves, full X.509 chains, SSH host keys and KEX/cipher/MAC negotiation.
discovery → portscan → TLS/SSH probe → classify