Installing OpenKAT: A Complete Guide by a Code Owner

OpenKAT is a powerful open-source vulnerability monitoring framework, but getting it up and running requires careful planning. As a code owner of the official OpenKAT repository, we’ve deployed it dozens of times — from single-server setups to multi-node enterprise deployments. This guide walks you through the key decisions and steps.

Prerequisites

Before you begin, ensure you have:

  • A clean Debian 12 (Bookworm) server — the officially supported platform
  • Minimum 4 GB RAM and 2 CPU cores (8 GB / 4 cores recommended for production)
  • At least 40 GB disk space (more if storing historical scan data)
  • Root or sudo access
  • A domain name pointing to your server (for TLS/SSL)

Choosing Your Deployment Method

OpenKAT offers three deployment methods, each with its own trade-offs:

1. Debian Package Installation (Recommended for production)

The Debian installer script is the simplest path to a production-ready deployment. It installs all components as system services with proper systemd integration, log rotation and automatic restarts.

curl -sSL https://raw.githubusercontent.com/SSC-ICT-Innovatie/nl-kat-coordination/main/scripts/installation/install.sh | sudo bash

The installer will prompt you for configuration options including database credentials, the hostname and which boefjes to enable. For a first installation, the defaults are sensible — you can always adjust later.

Pro tip from our deployments: Always run the installer on a dedicated machine or VM. OpenKAT uses PostgreSQL, RabbitMQ and several Python services that can conflict with existing installations.

2. Docker Compose (Recommended for testing and development)

Docker Compose is ideal for quickly spinning up OpenKAT for evaluation, development or CI/CD pipelines.

git clone https://github.com/SSC-ICT-Innovatie/nl-kat-coordination.git
cd nl-kat-coordination
make kat

This pulls all container images and starts the full stack. The web interface will be available at https://localhost:8443.

Our experience: Docker deployments work well for testing, but for production we recommend the Debian packages. Docker adds a layer of complexity around networking, storage persistence and log management that you’ll need to handle yourself. We contributed katalogus settings for containerized boefjes to make Docker deployments more configurable.

3. Kubernetes / Helm (For large-scale deployments)

For organisations running Kubernetes clusters, community-maintained Helm charts are available. This is the path for multi-tenant deployments or when integrating OpenKAT into an existing cloud-native platform.

Post-Installation: Essential Configuration

Once OpenKAT is running, there are several critical steps before you start scanning:

1. Create your first organisation and user

Log into Rocky (the web interface) and create an organisation. This is your logical container for all scanned objects. Set up user accounts with appropriate roles — admin, superuser or regular user.

2. Enable the right boefjes

Boefjes are the scanning plugins that power OpenKAT. Start with the essentials:

  • DNS boefjes — SPF, DMARC, DKIM validation
  • SSL/TLS checks — certificate expiry, protocol versions
  • Port scanning — via Nmap integration
  • Web scanning — Nikto, Nuclei for common vulnerabilities
  • CVE lookup — since release 1.21 “Lapjeskat”, this uses a local CVE database (a feature we contributed) to prevent information leakage

3. Add your first objects

Add the hostnames and IP addresses you want to monitor. OpenKAT will automatically discover related objects (DNS records, certificates, open ports) as boefjes run their scans.

4. Set up clearance levels

OpenKAT uses a clearance level system (L0–L4) to control scan intensity. Start with L1 or L2 for non-invasive scans and increase as you gain confidence. This is crucial for production environments where aggressive scanning could cause issues.

Hardening for Production

For production deployments, consider these hardening steps:

  • TLS everywhere — use a reverse proxy (Nginx, Traefik) with Let’s Encrypt certificates
  • Firewall rules — restrict access to the web interface and database ports
  • Backup strategy — our cross-platform backup scripts (available in the repository) handle PostgreSQL dumps, Bytes storage and configuration files
  • Monitoring — integrate OpenKAT’s health endpoints with your existing monitoring stack
  • Updates — follow the release channel and plan regular update cycles
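A backup routine of the kind the backup strategy bullet describes, as an added example that is not the repository's own backup scripts; it assumes the database names rocky_db, katalogus_db, bytes_db and scheduler_db, the Bytes data directory /var/lib/kat/bytes and the config directory /etc/kat, all of which are placeholders to adjust to your installation.

```shell
#!/usr/bin/env bash
# Added example, not the backup scripts shipped in the OpenKAT repository.
# Snapshots a Debian-package install: PostgreSQL dumps, the Bytes raw-file
# store and the config directory, with a checksum manifest and retention.
set -eu

KAT_DBS="${KAT_DBS:-rocky_db katalogus_db bytes_db scheduler_db}"  # assumed names
KAT_BYTES_DIR="${KAT_BYTES_DIR:-/var/lib/kat/bytes}"                # assumed path
KAT_CONF_DIR="${KAT_CONF_DIR:-/etc/kat}"                            # assumed path

# Dump each database in custom format so pg_restore can replay one at a time.
kat_dump_databases() {
  local outdir="$1" db
  for db in $KAT_DBS; do
    sudo -u postgres pg_dump --format=custom --file="$outdir/$db.pgdump" "$db"
  done
}

# Archive the Bytes store and the config dir (which holds the secrets the
# services need to start) into $3, then write a checksum manifest.
kat_archive_files() {
  local bytes_dir="$1" conf_dir="$2" outdir="$3"
  tar -czf "$outdir/bytes.tar.gz"  -C "$(dirname "$bytes_dir")" "$(basename "$bytes_dir")"
  tar -czf "$outdir/config.tar.gz" -C "$(dirname "$conf_dir")"  "$(basename "$conf_dir")"
  find "$outdir" -type f ! -name SHA256SUMS -exec sha256sum {} + > "$outdir/SHA256SUMS"
}

# Fail if any file no longer matches the manifest (truncated or tampered).
kat_verify_backup() {
  sha256sum -c "$1/SHA256SUMS" > /dev/null
}

# Drop snapshot directories older than $2 days so the backup volume is bounded.
kat_prune_backups() {
  find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -exec rm -rf {} +
}

# Full run into a timestamped, root-only snapshot directory (the config
# archive contains credentials), keeping 30 days of history.
kat_backup() {
  local dest="$1" snap
  snap="$dest/kat-$(date +%Y%m%dT%H%M%S)"
  mkdir -p "$snap" && chmod 700 "$snap"
  kat_dump_databases "$snap"
  kat_archive_files "$KAT_BYTES_DIR" "$KAT_CONF_DIR" "$snap"
  kat_verify_backup "$snap"
  kat_prune_backups "$dest" 30
}
if [ "$#" -ge 1 ]; then kat_backup "$1"; fi
```

Run it as root with the destination directory as its argument, for example from a daily systemd timer; kat_verify_backup can also be run on its own before a restore.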

Common Issues and Solutions

From our experience deploying OpenKAT across government, healthcare and enterprise environments:

  • Boefjes not starting: Check RabbitMQ connectivity and ensure the katalogus service is healthy. Container networking issues are the most common cause in Docker setups.
  • Slow scans: Increase worker count in the scheduler configuration. For large scan scopes (100+ hosts), consider distributing boefjes across multiple workers.
  • Database growth: Octopoes can grow quickly with many objects. Set up data retention policies and regular vacuum operations on PostgreSQL.
  • Memory issues: The Octopoes graph database is memory-intensive. Allocate at least 2 GB to Octopoes alone in enterprise deployments.

Need Help?

Installing OpenKAT is one thing — getting the most out of it requires expertise. As the only service provider that is also a code owner of the platform, Hasecon offers:

  • Professional installation and configuration
  • Custom boefjes development for your specific needs
  • Training for your security team
  • Managed OpenKAT service — we handle everything
