As cyber threats grow more sophisticated and remote attacks keep multiplying, some organizations are making what might look like a drastic choice, one that’s steadily gaining traction: completely isolating their critical systems from the rest of the digital world.
The approach rests on a simple principle: cut off all external network communication to shrink the attack surface. The result is a physically isolated, or “air-gapped,” environment.
So what does that actually involve? Why is this approach gradually becoming the norm in certain sectors? And what concrete capabilities does Cyberwatch offer to scan sensitive or isolated machines and run vulnerability assessments despite the lack of network connectivity?
Here’s everything you need to know.
Understanding air gap: definition, benefits, and use cases
What is an air-gapped environment?
An air-gapped environment is an information system deliberately isolated from any untrusted network, particularly the internet.
In the strictest sense, an isolated system has:
- No internet connection
- No routing to an external network
- No VPN tunnel
- No persistent interconnection with a third-party system
The isolation is physical, not just logical.
What does that mean in practice? The machines involved aren’t tied to any external environment by cable, Wi-Fi, fiber, or any other networking technology.
It’s worth noting that:
- A private network sitting behind a firewall isn’t necessarily air-gapped
- A segmented VLAN isn’t necessarily air-gapped
- A system with no internet access but still wired to other networks isn’t necessarily air-gapped either
The key takeaway: a true air gap means no active network communication ever leaves the environment.
Why set up an air gap?
An air gap dramatically reduces the remote attack surface. Not by patching vulnerabilities one at a time, but by removing the exposure itself.
To see why, it helps to look at how attackers actually operate. The most common attacks exploit whatever is reachable from the outside:
- Exposed services
- Application vulnerabilities
- Misconfigurations
- Authentication flaws
- Compromised remote access
According to Kaspersky’s 2025 incident response analysis, for example, public-facing applications were the leading initial attack vector (39.2% of cases), and compromised accounts were the point of entry in 31.4% of incidents. Both vectors share one assumption: that something is reachable from the outside in the first place.
That’s exactly what an air gap takes away. By cutting off all external network connectivity, you strip attackers of the surface these techniques depend on.
That said, physical isolation isn’t bulletproof.
Removable media, uncontrolled physical access, and supply chain compromises are still viable vectors, which is precisely why vulnerability management remains essential, even in an air-gapped environment.
Where is air gap typically used?
Physical isolation isn’t done on a whim. It meets specific regulatory or security requirements, and you’ll mostly find it in environments where a breach would carry critical consequences:
- Industrial systems (ICS/SCADA)
- Critical infrastructure (energy, transportation, healthcare)
- Classified or military systems
- Cryptographic signing environments
- Certain sensitive production environments
For some organizations, the requirement is regulatory as well. France has its operators of vital importance (OIV), Germany its critical infrastructure operators (KRITIS) supervised by the BSI. In every case, the rules are strict: any communication with an external network is prohibited or tightly controlled.
In all of these contexts, the acceptable risk is close to zero, and an air gap becomes the obvious architectural answer.
The operational challenges of air gap
The flip side of a near-zero attack surface is a serious operational burden. Isolated systems can’t pull automatic updates, can’t be monitored by connected security tools, and can’t ship their logs to a centralized SIEM.
That creates a structural challenge for vulnerability management. How do you scan machines that can’t talk directly to a security platform? How do you keep patch levels current with no network traffic? How do you detect risk with no telemetry?
This is exactly what Cyberwatch’s isolated-environment mode was built to solve. Here’s how it works.
How to scan and report vulnerabilities on isolated environments with Cyberwatch
How air-gap scanning works in Cyberwatch
Unlike a standard scan, which runs over a direct connection between Cyberwatch and the target machine, an air-gap scan relies on an offline model:
→ Cyberwatch provides analysis scripts that run locally on the isolated machine. They’re the same scripts used for agent-based and agentless scans.
→ The scripts collect the technical data needed to identify the software components in place (OS, packages, versions, configurations).
→ The output can be exported as structured text files using declarative data.
→ Those files can then be imported into the connected Cyberwatch instance, either manually or through automated tooling (API / CLI), potentially across a protocol break.
The process requires no communication flow whatsoever between the isolated environment and Cyberwatch.
The collected data is exported, then transferred according to the organization’s own procedures.
This approach pulls data from disconnected machines into centralized vulnerability management, all while respecting the infrastructure’s isolation constraints.
Let’s walk through how to set it up, step by step.
Setting up air-gap scanning with Cyberwatch, step by step
Downloading and copying the analysis scripts
The first step in an air-gap scan is to download the scripts Cyberwatch provides. You have two options:
- From the Cyberwatch interface, under Asset Management > Air gap assets > Add, you can grab a ZIP package containing the analysis scripts.
- From the Cyberwatch API available on GitHub, installable via Python, using the following command: cyberwatch-cli airgap download-scripts.
If you go with the second option, you’ll need to have generated an API key from your user account in the interface, plus a connection between a machine and your Cyberwatch instance.
Either way, the next step is to transfer the downloaded scripts to the offline device (as the ZIP file or the extracted folder).
Running the scripts on the isolated machine
The scripts are organized by supported system family. On the isolated machine, run the one that matches the operating system:
- Windows, for example: run it through PowerShell (.\run.ps1).
- Linux, for example: run the provided Bash script (.\run.sh).
The script produces text output that you can redirect to a file (> output.txt), holding the structured system information in declarative form (operating system, component list, versions, and so on).
That file is what Cyberwatch uses as the basis for vulnerability analysis.
Transferring the results and importing them into Cyberwatch
Once the script has run, the output file needs to leave the isolated environment through whatever means your security policy allows, then get imported into Cyberwatch.
Two options here as well:
- Through the interface: Asset Management > Air gap assets > Add, then import the generated text file.
- Through the API, with the cyberwatch-cli airgap upload command. This option lets you automate scans and avoid installing an agent on critical assets.
One thing to know at import time: if an asset with the same hostname already exists in the same project, Cyberwatch updates its information. Otherwise, a new asset is created. Either way, the history is preserved.
Supported formats:
Cyberwatch accepts several formats depending on the use case:
| Format | Use case |
| Text file | Script output, manual asset creation |
| JSON / SBOM (CycloneDX, SPDX) | Software inventory, Docker images |
| XLSX | Bulk import of multiple machines, network or industrial devices |
| XML (Burp) | Burp Suite application scan results |
You’ll find a more detailed walkthrough of air-gap mode, along with the different sources and methods available, in our dedicated documentation.
Mapping your isolated assets with declarative discovery
Once your machines are scanned and imported, one question remains: do you have full visibility into your isolated fleet?
That’s where declarative discovery comes in.
In Cyberwatch, discoveries let you map your assets across different scopes (network, infrastructure providers, and so on) and measure how many of them are actually being monitored.
For environments with several isolated machines, declarative discovery lets you add a list of assets by hostname, IP address, or domain name. The import comes from a text file (.txt), a CSV, or an Excel file (.xlsx), with no network connection required.
Cyberwatch then correlates them with the assets already under management and shows how many machines are only discovered versus already registered, giving you a precise read on your real coverage, including any blind spots across your offline machines.
You’ve now got the essentials down. Here are a few extra resources if you’d like to go deeper.
Beyond the basics
Prioritizing vulnerabilities in an air gap environment
Identifying vulnerabilities on an isolated system is only the first step. The next one is knowing which to fix first.
In a connected environment, teams often lean on standard severity scores (CVSS, EPSS, and so on) to steer their remediation efforts. In an air-gap context, though, that approach quickly runs into its limits.
A vulnerability rated critical because it’s remotely exploitable over the network doesn’t necessarily carry the same risk on a machine that’s fully cut off from the internet and every external network. Conversely, some vulnerabilities that are exploitable locally or through removable media can still have a major impact despite the system’s isolation.
This matters all the more because update operations tend to be more complex in isolated environments: limited maintenance windows, production shutdowns, specific validation procedures, or regulatory constraints. Under these conditions, the goal isn’t to patch as many vulnerabilities as possible, but to pinpoint exactly which ones pose a real risk to the asset in question.
To address this, Cyberwatch lets you define a prioritization policy tailored to the context of each monitored device. The risk score is then recalculated using the BTE method (Base, Threat, Environment), factoring in the asset’s own characteristics, especially its exposure level.
In an air-gap setting, critical vulnerabilities whose exploitation hinges solely on network access can be downgraded, while the flaws that genuinely matter in an isolated context automatically rise to the top of the queue.
The result: prioritization that more faithfully reflects real risk, better allocation of maintenance resources, and remediation effort focused where it delivers the most value in reducing risk.
Managing compliance in air gap with Cyberwatch
Vulnerability scanning isn’t the only analysis you can run on an isolated device. Cyberwatch also lets you run compliance checks there, following the same offline principle.
The process unfolds in three steps, through the Cyberwatch REST API and CLI:
- Download the compliance scripts from a device connected to the server: cyberwatch-cli airgap download-compliance-scripts
- Transfer and run the scripts locally on the isolated device.
- Send the results back to the Cyberwatch server: cyberwatch-cli airgap upload-compliance
Note: the corresponding asset must already exist in Cyberwatch, as explained in the previous section.
Prefer PowerShell? The full procedure is available in our dedicated documentation.
Declarative data syntax
Want to understand the exact format of the data collected during an air-gap scan, or create an asset manually without going through the scripts? The documentation on declarative syntax is built for precisely that.
It lists every key available in air-gap mode and covers two use cases: understanding the structure of the data exported from your assets, and manually creating an asset from the air gap add page.
In that second case, instead of importing a file, you get an editable text field to declare the asset’s properties directly using the declarative syntax. That’s especially handy for devices the scripts don’t support natively, such as certain industrial equipment or Android and iOS mobile devices.
Finally, you can check the full list of devices Cyberwatch supports, including those monitored through the air gap method.
Wrapping up
Air gap environments meet very specific cybersecurity needs, but they’re far from rare. In defense, industry, energy, and healthcare, they’re often the norm.
Cyberwatch has spent years working alongside organizations that operate in these environments.
That field experience, built up with organizations facing some of the toughest security constraints out there, has led us to develop concrete, proven mechanisms for the specific challenges of air gap: offline analysis scripts, multi-format imports, and centralized vulnerability management with no network traffic.
If you manage isolated environments and want to learn more about how Cyberwatch can help, our team is happy to talk it through.
FAQ
What is an air-gapped environment?
An air-gapped environment is an information system deliberately isolated from any external network, including the internet. The isolation is physical: no cable, Wi-Fi, or other network connection links these machines to the outside world.
What’s the difference between a firewall-isolated network and a true air gap?
A firewall filters traffic, but the network connection still exists. A true air gap removes that connection by design: there’s simply nothing to intercept or compromise remotely.
Does an air gap protect against every cyberattack?
No. It neutralizes the vast majority of remote attacks, but vectors like removable media (USB drives), uncontrolled physical access, and supply chain compromises remain real threats.
How do you scan for vulnerabilities on an air gap machine?
Cyberwatch provides analysis scripts that run locally on the isolated machine. The results are exported to a file, transferred manually, then imported into Cyberwatch, with no network traffic required.
Can you run compliance checks in air-gap mode?
Yes. Cyberwatch offers downloadable compliance scripts that you run locally on the isolated device, then import back into the platform via CLI or PowerShell.