Yes, Nmap even plays a role in supporting IR efforts when a vulnerability has been exploited. 

Vulnerabilities and Incident Response

When a vulnerability is present, it creates an opportunity for attackers. If an attacker exploits that vulnerability, the IR team must:

• Identify what systems are affected

• Determine what services were exposed

• Confirm whether exploitation is ongoing

• Contain or shut down the vulnerable service

• Apply patches and verify recovery

How Nmap Helps Incident Responders

1. Detecting Vulnerable or Unexpected Services

• Identify open ports that should NOT be exposed

• Detect outdated or high-risk service versions using -sV

• Spot unauthorized services added by attackers

2. Confirming Exploitation or Lateral Movement

• Discover new hosts or ports that appear after a compromise

• Identify command-and-control (C&C) services opened by malware

3. Verifying Containment

• Ensure vulnerable services have been stopped and shut down

• Confirm firewall rules and ACL changes are working as expected

4. Verifying Recovery

• Ensure vulnerable software versions have been patched/updated

• Compare before/after scans to confirm correct configurations

• Check that only the expected ports are available again

• Ensure everything is operational as expected