What is OpenKAT — and what it is not
Published on June 16, 2026
There are two kinds of confusion around OpenKAT. One is technical: what does it actually do? The other is more persistent and more harmful: providers appear online presenting OpenKAT as a paid, "official" or even legally mandatory government platform. That last claim is false — and precisely because OpenKAT has government origins, the misunderstanding is easy to sell.
This article sets both straight. What OpenKAT is, how it works, who built it and who maintains it now, and — just as important — what it is not.
In short
- OpenKAT is free and open source. It is published under the EUPL 1.2 licence. You may download, self-host and modify it without licence costs.
- It is a vulnerability analysis tool, not a compliance certification and not a total solution. KAT stands for "Kwetsbaarheden Analyse Tool" (vulnerability analysis tool).
- Originally built by the Dutch Ministry of Health (VWS), during the coronavirus pandemic. From early 2026 VWS is ending its maintenance role and OpenKAT is being continued by the community around the LibreKAT Foundation.
- OpenKAT is not mandatory and there is no "official SaaS". No law prescribes OpenKAT — or any specific tool, for that matter.
What OpenKAT is: the vulnerability analysis tool
OpenKAT scans networks and systems, analyses what it finds and reports on it. Where most tools take a single piece of the puzzle — only a port scan, only a vulnerability scan, only an asset inventory — OpenKAT bundles well-known, proven open-source security tools into one modular framework and adds external sources to it (such as Shodan). The result is a broad picture: not only technical vulnerabilities, but also misconfigurations and anomalies that can pose compliance risks.
Two characteristics make it special. First, it is intended for continuous monitoring rather than a one-off snapshot — you keep sight of an attack surface that changes constantly. Second, it records a timeline: you see not only the current status, but also how it develops.
How OpenKAT works
Under the hood, OpenKAT works with a recognisable, cat-themed vocabulary:
- Boefjes ("little crooks") are the plugins that gather information — a port scan, a TLS check, a DNS query, a lookup in an external database. Each boefje does one thing.
- Normalisers (whiskers) translate that raw output into structured data objects, so that everything becomes comparable in the same way.
- Bits are business rules: they reason about the objects, derive findings from them and can in turn trigger new boefjes.
- Everything comes together in a searchable object model, on which OpenKAT builds reports — per asset, per group or organisation-wide.
You do not need to know these internal names to use OpenKAT, but they reveal the core: it is not a standalone scanner, but a framework that ties scanning, normalisation, reasoning and reporting together.
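To make the boefje, normaliser and bit chain concrete, here is an added example in Python (not OpenKAT's own code or API; the class and function names, the sample scan text and the "cleartext service" rule are all assumptions of this example):

```python
"""Illustrative model of the OpenKAT pipeline: boefje -> normaliser -> bit.
Added example only; names and the rule below are assumptions, not OpenKAT's API."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed raw output of a hypothetical port-scan boefje (nmap-style text).
RAW_SCAN = """Nmap scan report for 203.0.113.10
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
443/tcp  open  https
"""

@dataclass(frozen=True)
class IPPort:          # structured object produced by the normaliser
    host: str
    port: int
    protocol: str
    service: str

@dataclass(frozen=True)
class Finding:         # derived by a bit (business rule)
    ooi: IPPort
    finding_type: str
    observed_at: str   # timeline: when this finding was derived

def boefje_portscan(host: str) -> str:
    """Boefje: gathers raw information (here: returns the constructed sample)."""
    return RAW_SCAN

def normalise_portscan(raw: str) -> list:
    """Normaliser (whisker): turns raw scanner text into comparable objects."""
    objects, host = [], None
    for line in raw.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1]
        elif "/" in line and line.split()[1] == "open":
            port_proto, _, service = line.split()
            port, proto = port_proto.split("/")
            objects.append(IPPort(host, int(port), proto, service))
    return objects

CLEARTEXT_SERVICES = {"telnet", "ftp"}  # assumption: rule used by this example only

def bit_cleartext_service(objects: list) -> list:
    """Bit: reasons about objects and derives findings, stamped for the timeline."""
    now = datetime.now(timezone.utc).isoformat()
    return [Finding(o, "EXAMPLE-CLEARTEXT-SERVICE", now)
            for o in objects if o.service in CLEARTEXT_SERVICES]

def run_pipeline(host: str) -> list:
    """Ties the three steps together, as the framework does for real plugins."""
    return bit_cleartext_service(normalise_portscan(boefje_portscan(host)))
```

Running `run_pipeline("203.0.113.10")` on the constructed sample yields one finding, for the open telnet port.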
Who made OpenKAT — and who maintains it now
OpenKAT originated at the Dutch Ministry of Health, Welfare and Sport (VWS) during the coronavirus pandemic, when new systems had to be delivered securely at high speed. It has been developed as open source from the outset, under the EUPL 1.2 licence, and in collaboration with parties from the security sector.
Important for the current picture: as of early 2026 VWS is ending its management, maintenance and further development. OpenKAT has since been continued as a community project, housed under the LibreKAT Foundation. The source code is public on GitHub and the documentation is on docs.openkat.nl. Anyone who wants to contribute can — that is the point of an open-source project.
This is exactly why claims about an "official, mandatory government platform" do not hold up: the government is in fact stepping back and handing it over to a foundation and the community.
What OpenKAT is not — the misunderstandings, one by one
It is not a mandatory tool. No law, not even NIS2 or the Dutch Cybersecurity Act, prescribes OpenKAT or any specific product. Legislation requires appropriate measures; how you implement them is up to you. What NIS2 does and does not require is covered in the NIS2 supply-chain duty of care: what is really required (and what is not).
There is no "official SaaS" you have to buy. OpenKAT is free and self-hostable. A provider that presents itself as "the official platform of the ministry" or that sells OpenKAT as a mandatory subscription is making a claim the facts do not support. Be alert to that.
It is not a compliance certification. OpenKAT provides technical insight and evidence, not a legal stamp. A scan says something about your vulnerabilities, not about your governance, incident reporting or organisational measures.
It is not a total solution. OpenKAT is a strong, broad monitoring tool — but one building block in a larger whole of policy, processes and people.
Three ways to use OpenKAT
Because OpenKAT is open source, you are free to choose how to deploy it. There are roughly three routes — which one fits depends on your needs, not your budget.
1. Run it yourself (DIY). You install OpenKAT yourself on a Linux or Docker environment with the installation script and manage it entirely in-house. Maximum control and no software costs, but you are responsible for hosting, updates, maintenance and interpreting and recording the results.
2. Run it locally, with help on installation, management and custom work. Do you want to run OpenKAT locally or in your own environment — for example because of data-residency requirements, an air-gapped network, government frameworks or an in-house infra team that wants to keep control — but not figure everything out yourself? Then Hasecon handles the local installation, management and custom work, including custom boefjes and bits. That is deliberately the work of people who contribute to OpenKAT themselves: you get a setup that matches how the tool really works, while you retain full control over your own environment.
3. Managed via Exposentry. If you want the result without the operational burden, Exposentry offers OpenKAT as a managed service: NL-sovereign hosted, forensically substantiated evidence of what was found and when, and monitoring of your own domains and your supplier chain. It explicitly remains a building block, not a full compliance guarantee; that honesty is part of it. More about who is behind it is on About Exposentry.
Torn between running it yourself and a managed service? That is a legitimate consideration. Choose based on how much you want to keep in-house — not on price alone.
- See how supplier monitoring works at Monitor my suppliers.
- View the transparent pricing at Pricing.
- Or start a scan of your organisation right away.
OpenKAT and NIS2
Continuous vulnerability monitoring with OpenKAT fits well with the duty of care under NIS2: you can demonstrate that you know and manage your attack surface. But mind the boundary — scanning is not compliance. Read about that in scanning is not NIS2 compliance, but it is a necessary building block and, for the bigger picture, the NIS2 supply-chain duty of care: what is really required (and what is not).
Want to first understand what is actually visible on your attack surface? Start with what an attacker sees of your domain.
Frequently asked questions
Is OpenKAT free? Yes. OpenKAT is open source under the EUPL 1.2 licence. You can download, self-host and modify it without licence costs. Costs only arise if you opt for hosting, management or a managed service.
Is OpenKAT mandatory? No. No law prescribes OpenKAT or any other specific product. NIS2 and the Cybersecurity Act require appropriate measures, not a particular tool.
Who owns OpenKAT now? OpenKAT was originally built by the Dutch Ministry of Health (VWS). VWS is ending its maintenance role in early 2026; the project is being continued by the community and is housed under the LibreKAT Foundation. The source code is public.
Do I need a SaaS subscription to use OpenKAT? No. You may run OpenKAT entirely yourself. A managed service is convenient if you do not want to set up your own hosting and management, but it is a choice, not an obligation.
What is the difference between OpenKAT and Exposentry? OpenKAT is the open-source tool. Exposentry is a managed service that hosts OpenKAT in an NL-sovereign way, records forensically substantiated evidence and can also monitor your supplier chain — so you get the results without having to manage the tool yourself.
Can I run OpenKAT myself? Yes. With a Linux or Docker environment and the installation script you can get started. Bear in mind that you are responsible for maintenance, updates and interpreting and recording the results.
Can I get help with a local or self-hosted installation? Yes. If you want to run OpenKAT in your own environment — for example because of data residency, an air-gapped network or government frameworks — but do not want to figure everything out yourself, Hasecon handles the local installation, management and custom work such as custom boefjes and bits. This combines full in-house control with the knowledge of people who contribute to OpenKAT.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.