How does NMAP support IR?

NMAP helps IR teams answer critical questions during and after an incident. These are also skills that an ethical hacker or someone doing a pentest will use.  Yes, NMAP is more than just a "hacker tool."

1. Identification: What Is Actually Online?

• Discover which hosts are active on the network.

• See which ports are open and which services are running.

• Spot unexpected systems or services that may be part of the incident.

2. Containment: Is the Problem Isolated?

• Confirm that a compromised service has really been shut down.

• Check that new firewall rules or access control changes are working.

• Verify that only the intended hosts and ports remain reachable.

3. Eradication and Recovery: Are We Clean and Back to Normal?

• Ensure that backdoors or rogue services are no longer listening.

• Use version detection (-sV) to verify patched or updated services.

• Compare “before and after” scan results to confirm systems are back to an expected state.

4. Lessons Learned: What Changed?

• Compare scans from before, during, and after an incident.

• Identify misconfigurations or exposures that contributed to the compromise.

• Update baselines so future scans can more easily flag suspicious changes.

These are all related to NMAP and various scans: ping sweep, open ports, versions, OS detection, etc. NMAP is a powerful tool, you should master it.