Prerequisites

Resource requirements

• The host is only acting as a WireGuard relay, so your system requires only minimal CPU and RAM.
• The client **does not perform any scanning. **Scanning is done on Beagle Security’s servers.

Network requirements

Before setting up Cosmog, make sure **outbound UDP traffic is allowed. **This is used by WireGuard (a secure networking protocol). 

Network access

The system should have must have outbound access to the following URLs/hosts:

• https://beagle-web.s3.amazonaws.com/cosmog
• https://api.beaglesecurity.com/
• https://hub.docker.com/r/beaglesecurity/

These endpoints are required to download the Cosmog client, communicate with Beagle Security, and pull the necessary Docker images.

Choosing the right setup

Before you begin, make sure you are using the correct Cosmog setup

Choose **Standard Platforms **setup if:

• Your applications runs on
• • Virtual machines (VMs)
  • Bare metal servers

• Your app is not inside kubernetes 

Choose Kubernetes setup if:

• Your application runs inside a kubernetes cluster

What is Beagle Security Cosmog?

Beagle Security Cosmog allows you to test the security of applications that are inside your internal network, without exposing them to the internet.

Many organizations have internal applications like:

• HR systems
• Management portals
• Test/pre-release environments.

These are usually not publicly accessible, but they still need to be tested for security.

Cosmog solves this by creating a secure, private tunnel between your internal network and the Beagle Security platform.

How Cosmog works (Quick overview)

Cosmog uses three main components

• Cosmog Server

Managed by Beagle Security, it handles scan requests, actions and processes results.

• Cosmog Client

Runs inside your internal network (via Docker) and connects securely to Beagle Security.

• Cosmog Profile

Defines bridge IP and test IP.

Here’s how it works:

• Deploy: You run the Cosmog Client (Docker or K8s) in your network.

• Connect: The Client initiates an outbound connection to the Beagle Security Server.

• **Bridge: **A secure tunnel is established. (using WireGuard)

• Scan: Beagle Security’s engine sends scan requests through the tunnel to your internal target (e.g., http://internal-app:8080).

• Results: Responses traverse back through the tunnel to the scanning engine.

The Cosmog client only acts as a secure relay, all security testing is performed by Beagle Security’s servers.

No inbound ports need to be opened.

The connection is outbound from the network.

Why test internal applications?

Internal applications are often assumed to be safe, but that’s not always true

Common risks include:

• Weak security controls on internal tools.
• Phishing attacks that give attackers internal access.
• Insider threats from users with access.

Testing these applications helps you:

• Identify vulnerabilities early.
• Prevent internal attack chains.
• Meet compliance requirements.

Updated on: 06/05/2026