Skip to content

This website is currently under construction. Content may be incomplete or subject to change.

CERNIS PRO
DE

Features

CERNIS PRO follows a natural flow: first see what is there, then get to the bottom of something, record it, share it — all on your terms. Here is the full feature set, organised into five areas.

Around 29 functional areas, each with built-in help in plain language — in German and English.

Observe

What is there and what is happening — scan, topology, traffic, monitoring, SNI.

Situation overview

The home screen sums up the state of your network at a glance: status, quick access, notes, new vulnerabilities and live metrics. The quick access is dynamic — it moves the functions you open most often to the front, with no configuration at all.

Network scan

The heart of it: a scan searches your network for active devices, finds open ports and detects services and operating systems. Progress appears live. The result is a clear table — IP, MAC, vendor, host name, open ports, OS and response time for every device.

Facts and judgement kept apart

CERNIS cleanly separates facts (new, changed, new port) from judgements (unusual, critical). Both kinds of marking stay separate, so you can see at once what has changed and how to weigh it — without one drowning out the other.

Acknowledge findings

A port you have checked and found harmless can be acknowledged. It disappears from the active warning but stays traceably logged. So no permanent warnings pile up, and your assessments are not lost.

Device detail view

For every device: whether it is known, new or changed, which ports are open, how it fits into the network. You can classify it (trusted / neutral / watch) and add your own notes.

Topology graph

Your network as a star-shaped picture: the gateway at the centre, devices around it. Solid lines are actually measured (via LLDP/CDP), dashed ones sensibly assumed. Show either just the devices from the last scan or every device ever known.

Traffic per app

Shows which programs currently have connections to the network and how much data is flowing — organised by the application causing it. Updates run automatically or on demand, exactly as you prefer.

Names instead of IP addresses

On request, CERNIS resolves the bare IP addresses of remote peers into readable names — only when you ask, loaded in the background.

Requested host names (SNI)

Passively captures which internet addresses your programs contact — even over encrypted connections — and attributes them to the program responsible. You see where an app is talking without touching the content. This data is deliberately not stored permanently.

Process view

Lists running programs with their path and quietly points out when a program may be disguising itself as something else — a subtle but important hint at something unusual.

FRITZ!Box detail view

If you use a FRITZ!Box, the official TR-064 interface gives you a rich detail view: connection data, DSL values, WLAN clients, the event log and configured port forwardings — all in one place, without clicking through the router menu.

Network interfaces

Shows your machine’s network interfaces with their actual status and highlights the ones carrying the main traffic.

Live monitoring

Continuously watches the reachability and response time of chosen targets (gateway, internet references) and shows outages immediately — with a live chart and an optional audible signal. You can add your own targets.

Long-term recording

Records the reachability of a target over a chosen period, permanently. It runs only when you deliberately set it up and survives a restart — ideal for pinning down sporadic dropouts over hours or days.

Threshold alarms

A recording can alert you when a target becomes too slow or fails. The condition must hold several times in a row — no false alarm from a single outlier.

Investigate

Get to the bottom of something — diagnostics, vulnerabilities, resolving remote peers.

DNS lookup & route tracing

Checks whether a name resolves correctly (DNS) and which path data packets take to a target (traceroute) — the classic diagnostic tools, presented so they make sense.

Route with country and operator

Shows the path to an internet target as a list of hops, each with country and network operator (ASN). On request the exact operator name can be loaded. So you see which countries and networks your data travels through.

External IP and port check

Shows your public IP address from the outside and checks whether a given port is reachable from outside — using an external helper service. Useful for understanding how your network looks from the internet.

Search for rogue DHCP servers

Looks for devices handing out network addresses without permission. An unknown server of this kind can be a sign of a problem or an attack — CERNIS makes it visible.

Fetch service banner

Many services voluntarily reveal what they are when a connection is opened. This function fetches that banner to help you place an open port in context.

Resolve remote peer

Gathers facts about an IP address from several sources: name, network operator, country, certificate. Every detail is shown with its source, without judgement — the core principle in its purest form. You get the facts and decide for yourself.

Vulnerability monitoring (CVE)

Continuously cross-checks your known devices against a public vulnerability database (CVE) and reports known security holes — with severity, date and description, sortable by severity or device. New findings are specially marked.

Default-credentials check (opt-in)

A deliberately sharp special function: it checks, per device and model, whether a device is still reachable with default credentials (factory password) — one of the most common real-world holes in home networks. Strictly opt-in, with safeguards (session release, restriction to the private network, rate limiting).

Network-wide DNS guardian & trust model

Detects when a device (TV, IoT, phone) bypasses the intended home DNS and secretly contacts a different DNS server. Plus a trust model: CERNIS lists the observed DNS servers, groups them by type (router / local / external) and lets you decide which server you trust.

Reporting

Record and share — six report types as PDF, CSV or JSON.

Six report types

Network security report (with a “network health” score of 0–100), inventory report, CVE report, external-contacts report, DNS-guardian report and behaviour-profile report. Every report is cleanly structured and carries a logo and creation date. It describes and puts things in context — the judgement stays with you.

Export

Beyond the reports, scan results and analysis findings can be saved at any time as CSV, JSON or PDF — for archiving, sharing or your own analysis. The save dialog is your operating system’s native dialog; you decide where things go.

Settings

Everything on your terms — analysis rules, language, appearance, alarms.

Adjust the analysis rules yourself

You decide what counts as unusual: which ports are critical, how many open ports trigger a warning, which rules are active at all. You can import your own port lists from a file. CERNIS provides sensible defaults — but the final word is yours.

General settings

Language (German / English, switchable instantly, including the manual), appearance (light / dark, any time via a toggle), automatic refresh and which sections the home screen shows. Everything is stored safely in a database — you never have to touch configuration files.

Notifications

CERNIS can notify you of certain events — as a desktop notice and, if set up, by email. The email credentials are stored securely.

Fundamentals

Honesty as a principle — what makes it reliable beneath the surface.

Detection of available tools

CERNIS checks which system-level network tools are available on your machine and says so honestly when something is missing — instead of silently swallowing a function.

Elevated permissions, cleanly separated

Some deep functions (such as passive reading for SNI) need elevated system permissions. If they are missing, CERNIS says so honestly and offers the normal path — it never takes permissions in secret. Only a slim, specialised helper carries the required permission, not the whole application (privilege separation).