I built an F5 QKview scanner for CISA ED 26-01

Original link: https://www.usenabla.com/blog/emergency-scanning-cisa-endpoint

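## CISA Emergency Directive 26-01: Nabla Offers Automated Compliance

The U.S. Department of Homeland Security's CISA Directive 26-01 requires federal agencies to identify and report all F5 BIG-IP products on their networks, with the summary report due October 29 and the detailed inventory due by December 3, 2025. Nabla has released a new scanner for this urgent need, aimed at rapid compliance. The tool dynamically assesses F5 devices, extracts firmware versions and configuration, and visualizes network dependencies, all without relying on manual processes or estimates. It accepts inputs such as qkview files and Terraform state, and provides structured, verifiable evidence compatible with FedRAMP, CMMC, and CISA reporting. Nabla's scanner focuses on *deterministic analysis* (parsing actual system data) rather than AI-based guessing, ensuring that reports are auditable and reproducible. The output gives a clear summary of affected devices, vulnerabilities, and end-of-life status, accompanied by cryptographic proof. As the deadlines approach, Nabla offers a solution that turns a potentially chaotic compliance effort into a streamlined, evidence-based workflow. A pilot program is currently available to help agencies meet these critical requirements.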

Hacker News: I built an F5 QKview scanner for CISA ED 26-01 (usenabla.com), 15 points by jdbohrman, 8 hours ago

Original text

The Department of Homeland Security’s CISA Emergency Directive 26-01 dropped like a thunderclap this week, mandating agencies to identify and report all instances of F5 BIG-IP products within their networks by October 29th (summary) and December 3rd, 2025 (detailed inventory).

For many security and compliance teams, those dates are tomorrow in infrastructure time.

If you’re staring down those deadlines wondering how to discover F5 assets, extract version data, and produce a verifiable inventory without babysitting spreadsheets or guessing from network logs, Nabla has you covered.

Introducing the Nabla ED 26-01 Scanner

We’re releasing a new F5 BIG-IP detection and evidence module purpose-built for CISA ED 26-01 compliance, available today after a short intro call.

The scanner dynamically:

  • Assesses F5 BIG-IP appliances via provided qkview files
  • Extracts firmware version, module signatures, and SSL/TLS configuration evidence
  • Visualizes reachability and dependency paths as Mermaid diagrams, no LLMs or black-box inference required

A request usually looks like this:

{
  "assets": [
    {"hostname":"bigip-a.agency.gov","mgmt_ip":"203.0.113.10","labels":["prod"]},
    {"hostname":"bigip-b.agency.gov","mgmt_ip":"10.0.10.20","labels":["internal"]}
  ],
  "inputs": {
    "qkview": {
      "kind": "presigned-url",
      "url": "https://customer-bucket/.../bigip-a.qkview?X-Amz-Expires=600"
    },
    "terraform_states": [
      {"kind":"presigned-url","url":"https://customer-bucket/.../bigip.tfstate?sig=..."}
    ]
  },
  "access": {
    "icontrol": [
      {
        "base_url":"https://bigip-a.mgmt",
        "token": "eyJhbGciOi...",            // <= short-lived (<=10 min)
        "scope": "read-only"
      }
    ]
  },
  "checks": {
    "inventory": true,
    "qkview_runtime": true,
    "internet_exposure": {"ports":[22,443,8443],"vantage_points":["us-east"]},
    "cve_mapping": true,
    "eos_check": true,
    "report_cisa": true
  },
  "output": {
    "deliver_to": "presigned-url",
    "url": "https://customer-bucket/.../result.json?X-Amz-Expires=600" // optional
  }
}

Each scan generates structured evidence compatible with FedRAMP, CMMC, and ED 26-01 reporting workflows, making it trivial to crosswalk between technical data and compliance deliverables.
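Because the request shown above carries presigned URLs and an iControl token, a caller may want to lint it before sending. The following is an added example, not Nabla's code: it assumes AWS-style `X-Amz-Expires` query parameters and a JWT-shaped token with an `exp` claim; `preflight`, `MAX_TTL` and `sample_token` are hypothetical names.

```python
import base64, json, time
from urllib.parse import urlparse, parse_qs

MAX_TTL = 600  # seconds: the 10-minute bound used in the request above

def jwt_exp(token):
    """Read the exp claim of a JWT-shaped token without verifying it."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["exp"]

def url_problems(label, url):
    parts, out = urlparse(url), []
    if parts.scheme != "https":
        out.append(f"{label}: not https")
    ttl = parse_qs(parts.query).get("X-Amz-Expires")
    if ttl is None:  # e.g. a SAS-style "?sig=..." URL: expiry cannot be read here
        out.append(f"{label}: lifetime not visible in URL")
    elif not ttl[0].isdigit() or int(ttl[0]) > MAX_TTL:
        out.append(f"{label}: X-Amz-Expires={ttl[0]} is not within {MAX_TTL}s")
    return out

def preflight(req, now=None):
    """Return a list of problems; an empty list means nothing was flagged."""
    now = time.time() if now is None else now
    inputs, problems = req.get("inputs", {}), []
    urls = [("inputs.qkview", inputs["qkview"]["url"])] if "qkview" in inputs else []
    urls += [(f"inputs.terraform_states[{i}]", s["url"])
             for i, s in enumerate(inputs.get("terraform_states", []))]
    if "url" in req.get("output", {}):
        urls.append(("output", req["output"]["url"]))
    for label, url in urls:
        problems += url_problems(label, url)
    for i, ic in enumerate(req.get("access", {}).get("icontrol", [])):
        if ic.get("scope") != "read-only":
            problems.append(f"access.icontrol[{i}]: scope {ic.get('scope')!r} is not read-only")
        try:
            left = jwt_exp(ic.get("token", "")) - now
        except (ValueError, IndexError, KeyError, TypeError):
            problems.append(f"access.icontrol[{i}]: token has no readable exp claim")
            continue
        if not 0 < left <= MAX_TTL:
            problems.append(f"access.icontrol[{i}]: token lifetime {int(left)}s outside 1..{MAX_TTL}s")
    return problems

def sample_token(exp):  # constructed, unsigned token used only as sample input
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'exp': exp})}.sig"
```

The `scope` field is only what the caller declares; what the token can actually do is decided by the role it holds on the BIG-IP.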

Why It Matters

Emergency directives like ED 26-01 aren’t just about compliance checkboxes; they’re stress tests for visibility.

When CISA asks, “What’s running on your network?”, your answer can’t depend on tribal knowledge, Slack threads, or ticket archaeology. It has to come from data-driven, verifiable evidence that can stand up to scrutiny: cryptographically signed, timestamped, and reproducible.

That’s exactly what Nabla’s Evidence Relay model was built for: to convert live system and binary telemetry into machine-verifiable control mappings, ready for auditors, 3PAOs, or agency reviewers.

How It Works (In Plain English)

When you run a scan, Nabla uses the provided assets, qkview, and tools like TokioStream to assess vulnerability to the critical issues found in ED 26-01. It then maps the evidence into an output response like this:

{
  "summary": { "devices": 2, "exposed": 1, "needs_patch": 1, "eos_public": 0 },
  "findings": [...],
  "artifacts": {
    "qkview": [{"device":"bigip-a","sha256":"..."}],
    "terraform": [{"sha256":"..."}]
  },
  "attestation": {
    "algo": "RS256",
    "jws": "eyJhbGciOiJSUzI1NiIsInR5..."
  }
}

You can use this output to build your own reports, and attach them directly to your CISA summary template.
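Rechecking that output on the consumer side, as an added example (not Nabla's code): it recomputes the qkview SHA-256 values and verifies an RS256 compact JWS using only the standard library. Assumptions: the `sha256` fields are hex digests of the uploaded file bytes, and the signer's RSA public key `(n, e)` is obtained out of band; the toy key built from two well-known primes exists only so the sample runs.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of msg for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(jws, n, e):
    """Return the payload if the compact JWS verifies under (n, e), else None."""
    try:
        h, p, s = jws.split(".")
        if json.loads(b64u_dec(h)).get("alg") != "RS256":
            return None  # refuses "none" and any algorithm swap
        k, raw = (n.bit_length() + 7) // 8, b64u_dec(s)
        sig = int.from_bytes(raw, "big")
        if len(raw) != k or sig >= n:
            return None
        em = pow(sig, e, n).to_bytes(k, "big")
        # Compare with a freshly built encoding rather than parsing the padding.
        return json.loads(b64u_dec(p)) if em == emsa(f"{h}.{p}".encode(), k) else None
    except (ValueError, AttributeError):
        return None

def artifact_mismatches(result, local):
    """local maps device name -> bytes of the qkview that was uploaded (assumed)."""
    return [a["device"] for a in result["artifacts"]["qkview"]
            if hashlib.sha256(local.get(a["device"], b"")).hexdigest() != a["sha256"].lower()]

# Constructed toy key from two well-known primes; for the sample only, never for real use.
P, Q, E = 2**521 - 1, 2**255 - 19, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sample_sign(payload):
    """Produce a constructed RS256 JWS so the verifier has something to check."""
    h, p = b64u_enc(b'{"alg":"RS256"}'), b64u_enc(json.dumps(payload).encode())
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}." + b64u_enc(pow(m, D, N).to_bytes(k, "big"))
```

The page does not say what the JWS payload covers, so `verify_rs256` only returns it for inspection; binding it to the `artifacts` hashes is a separate check.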

Deadlines Are Looming

  • October 29, 2025 (11:59 PM ET): Submit summary of affected products to CISA
  • December 3, 2025 (11:59 PM ET): Submit detailed inventory of all affected instances

If your agency or vendor environment touches F5 BIG-IP, you’ll want to generate your first scan before October 25th to allow time for validation and report packaging.

Built for Evidence, Not AI Guesswork

We love AI, but when it comes to federal compliance, the bar is higher. ED 26-01 reports must reflect verifiable system states, not inferred guesses.

That’s why our scanner operates entirely on deterministic analysis: parsing binaries, signatures, and configurations directly. Every artifact can be rechecked, hashed, and audited.

Evidence should be reproducible, not interpretive.

Final Thoughts

Emergency directives like ED 26-01 highlight a growing truth: Governance has to evolve at the speed of zero-days.

At Nabla, we’re building the tooling that turns those panic moments into push-button workflows, connecting binary evidence, network posture, and compliance mapping into one seamless relay.

So if your inbox says “CISA ED 26-01” and your calendar says “two weeks,” you can say, “we have a scanner for that.”

Reach out to start your ED 26-01 pilot.
