Implementation Guide

ICARAX Tech Blog – Detecting & Mitigating the Cisco SD‑WAN Zero‑Day (CVE‑2026‑XXXX)

Root‑command execution exploit – no official patch yet (as of 2026‑09).

Goal: Give developers a ready‑to‑run, production‑style codebase that continuously polls Cisco SD‑WAN (vManage/DNA Center) for device software versions, flags any that match the known vulnerable range, and sends an alert via Slack (or email).
The same logic works in Python and Node.js/TypeScript.

📋 Table of Contents

Step 1: Prerequisites

Item	Why you need it	Minimum version
Cisco SD‑WAN manager (vManage ≥ 20.2 or DNA Center ≥ 2.3) with API access enabled	Source of device inventory & software version	—
API credentials (username/password or client‑id/secret)	To obtain an OAuth token for the REST API	—
Python 3.9+ (or Node.js 18+)	Runtime for the sample scripts	—
Git (optional)	To clone the example repo	—
Slack Incoming Webhook URL (or SMTP details)	Destination for alerts	—
dotenv support (`.env` file)	Keeps secrets out of source control	—

Tip: If you only have read‑only API access, the script will still work – it only needs to read device data.

Step 2: Installation & Setup

2.1 Clone the starter repo (optional)

git clone https://github.com/icarax-labs/sdwan-zero-day-monitor.git
cd sdwan-zero-day-monitor

2.2 Python environment

# Create a virtual env (recommended)
python3 -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate

# Install dependencies
pip install --upgrade pip
pip install requests python-dotenv tenacity

2.3 Node.js / TypeScript environment

npm init -y
npm install axios dotenv typescript ts-node @types/node @types/axios --save-dev
# Create a basic tsconfig.json
npx tsc --init --rootDir src --outDir dist --esModuleInterop --resolveJsonModule --lib es2020,dom --module commonjs

Step 3: Basic Implementation

Both implementations follow the same flow:

Authenticate → obtain a bearer token (OAuth2 client‑credentials or basic auth).
Fetch device inventory → list of SD‑WAN edges / routers.
Check version → compare against a hard‑coded vulnerable list (the 7th zero‑day affects versions 20.2.x – 20.4.3 and 21.0.x – 21.1.2).
Alert → POST to Slack webhook (or send email) if any vulnerable device is found.
Loop → run every N minutes (default 5 min) with exponential back‑off on failures.

Python Implementation (`src/monitor.py`)

#!/usr/bin/env python3
"""
SD‑WAN Zero‑Day Monitor – Python version
----------------------------------------
- Authenticates to Cisco vManage/DNA Center via basic auth (username/password)
- Retrieves device inventory
- Flags devices running known vulnerable software versions
- Sends a Slack alert (or logs to stdout if no webhook)
- Runs forever with a configurable interval and retry/backoff logic
"""

import os
import sys
import time
import logging
from typing import List, Dict

import requests
from requests.auth import HTTPBasicAuth
from dotenv import load_dotenv
from tenacity import retry, stop_after_attempt, wait_exponential, retry_if_exception_type

# ----------------------------------------------------------------------
# Load configuration from .env (see Step 4)
# ----------------------------------------------------------------------
load_dotenv()  # pulls in VMANAGE_HOST, VMANAGE_USER, VMANAGE_PASS, SLACK_WEBHOOK, POLL_INTERVAL

VMANAGE_HOST = os.getenv("VMANAGE_HOST")
VMANAGE_USER = os.getenv("VMANAGE_USER")
VMANAGE_PASS = os.getenv("VMANAGE_PASS")
SLACK_WEBHOOK = os.getenv("SLACK_WEBHOOK")
POLL_INTERVAL = int(os.getenv("POLL_INTERVAL", "300"))  # seconds, default 5 min

# ----------------------------------------------------------------------
# Known vulnerable version ranges for the 7th SD‑WAN zero‑day (CVE‑2026‑XXXX)
# Format: (major, minor, patch_low, patch_high) – inclusive.
# Adjust if Cisco publishes a different list.
# ----------------------------------------------------------------------
VULNERABLE_RANGES = [
    ((20, 2, 0), (20, 4, 3)),   # 20.2.0 – 20.4.3
    ((21, 0, 0), (21, 1, 2)),   # 21.0.0 – 21.1.2
]

# ----------------------------------------------------------------------
# Logging setup
# ----------------------------------------------------------------------
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s %(levelname)s %(name)s - %(message)s",
    handlers=[logging.StreamHandler(sys.stdout)],
)
log = logging.getLogger("sdwan-monitor")

# ----------------------------------------------------------------------
# Helper functions
# ----------------------------------------------------------------------
def is_version_vulnerable(version_str: str) -> bool:
    """
    Return True if version_str falls inside any of VULNERABLE_RANGES.
    Expects a dotted string like "20.3.1" or "21.0.5".
    """
    try:
        parts = tuple(map(int, version_str.split(".")))
        # Ensure we have at least three parts (major.minor.patch)
        if len(parts) < 3:
            parts = parts + (0,) * (3 - len(parts))
        for low, high in VULNERABLE_RANGES:
            if low <= parts <= high:
                return True
    except ValueError:
        log.warning(f"Unable to parse version string: {version_str}")
    return False


@retry(
    reraise=True,
    stop=stop_after_attempt(5),
    wait=wait_exponential(multiplier=1, min=2, max=30),
    retry=retry_if_exception_type((requests.ConnectionError, requests.Timeout)),
)
def get_auth_token() -> str:
    """
    Cisco vManage uses basic auth for the /j_security_check endpoint,
    then returns a JSESSIONID cookie. For simplicity we use HTTPBasicAuth
    on every request – the appliance accepts it for the REST API.
    """
    # No separate token needed; we will pass auth on each call.
    # This function exists to demonstrate retry logic.
    return f"{VMANAGE_USER}:{VMANAGE_PASS}"


@retry(
    reraise=True,
    stop=stop_after_attempt(5),
    wait=wait_exponential(multiplier=1, min=2, max=30),
    retry=retry_if_exception_type((requests.ConnectionError, requests.Timeout)),
)
def fetch_devices() -> List[Dict]:
    """
    Calls GET /dataservice/device/detail (vManage) to retrieve all devices.
    Returns a list of dicts; each dict contains at least 'deviceModel',
    'deviceIP', 'hostName', and 'version'.
    """
    url = f"https://{VMANAGE_HOST}/dataservice/device/detail"
    auth = HTTPBasicAuth(VMANAGE_USER, VMANAGE_PASS)
    resp = requests.get(url, auth=auth, verify=False, timeout=15)  # verify=False for self‑signed certs
    resp.raise_for_status()
    data = resp.json()
    # The API returns {"data": [ {...}, {...} ]}
    return data.get("data", [])


def send_slack_alert(message: str) -> None:
    """Posts a simple text message to the configured Slack webhook."""
    if not SLACK_WEBHOOK:
        log.info("Slack webhook not configured – printing alert instead:\n%s", message)
        return
    payload = {"text": message}
    try:
        r = requests.post(SLACK_WEBHOOK, json=payload, timeout=10)
        r.raise_for_status()
        log.info("Slack alert sent successfully.")
    except requests.RequestException as e:
        log.error(f"Failed to send Slack alert: {e}")


def build_alert(vuln_devices: List[Dict]) -> str:
    """Create a human‑readable alert message."""
    lines = [
        f"🚨 *Cisco SD‑WAN Zero‑Day Detected* ({len(vuln_devices)} device(s))",
        "",
    ]
    for d in vuln_devices:
        lines.append(
            f"- *Host*: {d.get('hostName','N/A')} "
            f"({d.get('deviceIP','N/A')}) "
            f"Model: {d.get('deviceModel','N/A')} "
            f"Version: {d.get('version','N/A')}"
        )
    lines.append("\n_Action:_ Immediately isolate affected devices and apply any available workaround from Cisco.")
    return "\n".join(lines)


def main() -> None:
    log.info("Starting SD‑WAN zero‑day monitor (poll every %s seconds)", POLL_INTERVAL)
    while True:
        try:
            devices = fetch_devices()
            log.info("Fetched %d devices from vManage", len(devices))

            vuln = [d for d in devices if is_version_vulnerable(d.get("version", ""))]
            if vuln:
                alert = build_alert(vuln)
                log.warning("Zero‑day vulnerable devices found!")
                send_slack_alert(alert)
            else:
                log.info("No vulnerable devices detected in this poll.")

        except Exception as exc:  # pragma: no cover – catch‑all for unexpected errors
            log.exception("Unexpected error during monitoring loop: %s", exc)

        time.sleep(Poll_INTERVAL)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        log.info("Monitor stopped by user.")

Explanation of key parts

tenacity provides automatic retry with exponential back‑off for transient network hiccups.

verify=False is used because many vManage appliances ship with self‑signed certs; in production you should supply the proper CA bundle (verify="/path/to/ca.pem").

The version‑check function is deliberately simple – you can replace it with packaging.version for more complex comparisons.

All secrets are read from environment variables via python-dotenv.

JavaScript / TypeScript Implementation (`src/monitor.ts`)

/**
 * SD‑WAN Zero‑Day Monitor – Node.js / TypeScript version
 * ------------------------------------------------------
 * Mirrors the Python logic: authenticates, fetches device inventory,
 * checks for vulnerable versions, and posts a Slack alert.
 *
 * Requires Node.js ≥18 and the packages installed in Step 2.
 */

import "dotenv/config";
import axios, { AxiosInstance, AxiosError } from "axios";
import { exponentialBackoff, jitter } from "axios-retry";

// ---------------------------------------------------------------------
// Configuration (read from .env)
// ---------------------------------------------------------------------
const VMANAGE_HOST = process.env.VMANAGE_HOST!;
const VMANAGE_USER = process.env.VMANAGE_USER!;
const VMANAGE_PASS = process.env.VMANAGE_PASS!;
const SLACK_WEBHOOK = process.env.SLACK_WEBHOOK ?? "";
const POLL_INTERVAL = Number(process.env.POLL_INTERVAL) || 300; // seconds

// ---------------------------------------------------------------------
// Known vulnerable version ranges (same as Python)
// ---------------------------------------------------------------------
type VersionRange = { low: [number, number, number]; high: [number, number, number] };
const VULNERABLE_RANGES: VersionRange[] = [
  { low: [20, 2, 0], high: [20, 4, 3] },
  { low: [21, 0, 0], high: [21, 1, 2] },
];

// ---------------------------------------------------------------------
// Logging helper (simple console logger with timestamps)
// ---------------------------------------------------------------------
function log(level: string, msg: string): void {
  console.log(`[${new Date().toISOString()}] ${level.padEnd(5)} ${msg}`);
}

// ---------------------------------------------------------------------
// Axios instance with basic auth and retry logic
// ---------------------------------------------------------------------
const api: AxiosInstance = axios.create({
  baseURL: `https://${VMANAGE_HOST}`,
  auth: { username: VMANAGE_USER, password: VMANAGE_PASS },
  httpsAgent: new (require("https")).Agent({ rejectUnauthorized: false }), // self‑signed certs
  timeout: 15000,
});

// Retry on network errors (axios-retry)
exponentialBackoff(api, {
  retries: 5,
  retryDelay: (retryCount) => {
    const delay = Math.pow(2, retryCount) * 1000; // 1s,2s,4s,8s,16s
    return delay + jitter(); // add jitter to avoid thundering herd
  },
  retryCondition: (error: AxiosError) => {
    // Retry on connection/timeout errors or 5xx responses
    return !error.response || error.response!.status >= 500;
  },
});

// ---------------------------------------------------------------------
// Version utilities
// ---------------------------------------------------------------------
function parseVersion(vstr: string): [number, number, number] | null {
  const parts = vstr.split(".").map((p) => parseInt(p, 10));
  if (parts.some(isNaN)) return null;
  // Ensure we have at least three components (major.minor.patch)
  while (parts.length < 3) parts.push(0);
  return [parts[0], parts[1], parts[2]];
}

function isVersionVulnerable(vstr: string): boolean {
  const v = parseVersion(vstr);
  if (!v) {
    log("WARN", `Unable to parse version "${vstr}"`);
    return false;
  }
  return VULNERABLE_RANGES.some(
    (range) =>
      v[0] > range.low[0] ||
      (v[0] === range.low[0] &&
        (v[1] > range.low[1] ||
          (v[1] === range.low[1] && v[2] >= range.low[2]))) &&
      v[0] < range.high[0] ||
      (v[0] === range.high[0] &&
        (v[1] < range.high[1] ||
          (v[1] === range.high[1] && v[2] <= range.high[2])))
  );
}

// ---------------------------------------------------------------------
// Fetch device inventory from vManage
// ---------------------------------------------------------------------
async function fetchDevices(): Promise<any[]> {
  try {
    const { data } = await api.get("/dataservice/device/detail");
    return data.data ?? [];
  } catch (err: any) {
    if (axios.isAxiosError(err)) {
      log("ERROR", `Axios error: ${err.message}`);
    } else {
      log("ERROR", `Unexpected error: ${err}`);
    }
    throw err; // let the outer loop handle it
  }
}

// ---------------------------------------------------------------------
// Slack alerting
// ---------------------------------------------------------------------
async function sendSlackAlert(text: string): Promise<void> {
  if (!SLACK_WEBHOOK) {
    log("INFO", "Slack webhook not set – printing alert:\n" + text);
    return;
  }
  try {
    await axios.post(SLACK_WEBHOOK, { text });
    log("INFO", "Slack alert sent.");
  } catch (e: any) {
    log("ERROR", `Failed to send Slack alert: ${e?.message ?? e}`);
  }
}

function buildAlert(devices: any[]): string {
  const lines = [
    `🚨 *Cisco SD‑WAN Zero‑Day Detected* (${devices.length} device(s))`,
    "",
  ];
  for (const d of devices) {
    lines.push(
      `- *Host*: ${d.hostName ?? "N/A"} (${d.deviceIP ?? "N/A"}) ` +
        `Model: ${d.deviceModel ?? "N/A"} Version: ${d.version ?? "N/A"}`
    );
  }
  lines.push("\n_Action:_ Immediately isolate affected devices and apply any available workaround from Cisco.");
  return lines.join("\n");
}

// ---------------------------------------------------------------------
// Main monitoring loop
// ---------------------------------------------------------------------
async function monitorLoop(): Promise<void> {
  log("INFO", `Starting SD‑WAN zero‑day monitor (poll every ${POLL_INTERVAL}s)`);
  while (true) {
    try {
      const devices = await fetchDevices();
      log("INFO", `Fetched ${devices.length} devices from vManage`);

      const vulnerable = devices.filter((d) =>
        isVersionVulnerable(d.version ?? "")
      );

      if (vulnerable.length > 0) {
        const alert = buildAlert(vulnerable);
        log("WARN", `Zero‑day vulnerable devices found! Sending alert...`);
        await sendSlackAlert(alert);
      } else {
        log("INFO", "No vulnerable devices detected in this poll.");
      }
    } catch (err) {
      log("ERROR", `Error during monitoring iteration: ${err}`);
    }

    // Wait for the next interval
    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL * 1000));
  }
}

// Graceful shutdown on SIGINT/SIGTERM
process.on("SIGINT", () => {
  log("INFO", "Received SIGINT – shutting down monitor.");
  process.exit(0);
});
process.on("SIGTERM", () => {
  log("INFO", "Received SIGTERM – shutting down monitor.");
  process.exit(0);
});

// Start the loop
monitorLoop().catch((e) => {
  log("FATAL", `Unhandled error in monitorLoop: ${e}`);
  process.exit(1);
});

Explanation of key parts

axios-retry provides the same exponential‑backoff/retry logic as tenacity in Python.

rejectUnauthorized: false is a quick‑fix for self‑signed certs; replace with proper CA in production.

Version checking mirrors the Python implementation – you could swap in semver library for richer comparisons.

All configuration is loaded via dotenv; never hard‑code secrets.

Step 4: Configuration

Create a file named .env in the project root (same directory as src/).
Never commit this file to source control; add it to .gitignore.

# Cisco vManage / DNA Center connection
VMANAGE_HOST=your-vmanage.example.com   # hostname only, no scheme
VMANAGE_USER=apiuser
VMANAGE_PASS=SuperSecretPassword123!

# Optional: If you use token‑based auth (DNA Center), replace the above with:
# DNAC_HOST=your-dnac.example.com
# DNAC_CLIENT_ID=your-client-id
# DNAC_CLIENT_SECRET=your-client-secret

# Slack Incoming Webhook (https://api.slack.com/messaging/webhooks)
SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

# How often to poll (seconds). Default 300 = 5 minutes.
POLL_INTERVAL=300

Python – the load_dotenv() call in monitor.py reads this file automatically.
Node.js – require("dotenv").config(); (imported via import "dotenv/config";) does the same.

Step 5: Common Patterns

Pattern	Where it appears	Why it’s useful
Environment‑driven configuration	`.env` + `os.getenv` / `process.env`	Keeps secrets out of code, enables same artifact to run in dev/staging/prod.
Retry with exponential backoff + jitter	`tenacity` (Python) / `axios-retry` (TS)	Mitigates transient network glitches and throttling without hammering the API.
Centralised logging	`logging` module / simple `log()` helper	Uniform timestamps, levels, and easy redirection to file/syslog.
Separation of concerns	Functions: `fetch_devices`, `is_version_vulnerable`, `send_slack_alert`	Makes unit‑testing each piece trivial.
Graceful shutdown	`KeyboardInterrupt` (Python) / `process.on('SIGINT')` (TS)	Allows the loop to exit cleanly, flushing logs and releasing resources.
Defensive version parsing	`parseVersion` returns `null` on malformed input	Prevents crashes when a device reports an unexpected version string (e.g., “20.2.0‑build123”).
Circuit‑breaker‑like behavior (optional)	You could wrap the API call in a library like `opossum` (Node) or `pybreaker` (Python) to stop polling after N consecutive failures.	Protects against cascading failures if the vManage appliance is down.

Step 6: Troubleshooting

Symptom	Likely cause	Fix / Diagnostic
`401 Unauthorized` from vManage	Wrong username/password, or account lacks API privileges.	Verify credentials in `.env`. Test with `curl -u user:pass https://<host>/j_security_check`. Ensure the user has the `Monitor` or `Admin` role.
Empty device list (`[]`)	API endpoint changed, or you’re hitting a tenant‑scoped vManage that returns no data.	Try the raw URL in a browser or Postman: `https://<host>/dataservice/device/detail`. Check response for an `errorCode` field.
SSL certificate errors (`SSLCertVerificationError` / `UNABLE_TO_VERIFY_LEAF_SIGNATURE`)	vManage uses a self‑signed or internal CA cert.	For testing, set `verify=False` (Python) or `rejectUnauthorized: false` (Node). In production, add the CA bundle: `verify="/path/to/ca.pem"` or configure Node’s `NODE_EXTRA_CA_CERTS`.
No Slack message arrives	Webhook URL incorrect, or Slack blocks the payload.	Paste the URL into `curl -X POST -H 'Content-Type: application/json' -d '{"text":"test"}' <URL>` and verify you get `ok`. Check Slack workspace’s Incoming Webhooks page for delivery logs.
High CPU / memory usage	Loop running too frequently (e.g., `POLL_INTERVAL=5`).	Increase `POLL_INTERVAL` to at least 60 s; consider using webhooks or streaming telemetry if vManage supports it.
Unexpected version string like “20.2.0EA” causing false negatives	Simple split on `.` fails.	Replace `parseVersion` with a more robust parser (e.g., `packaging.version.parse` in Python or `semver` in Node) that ignores build metadata.
Process exits immediately	Uncaught exception not logged.	Wrap the main loop in a `try/catch` (TS) or `except Exception` (Python) and log the traceback (already done). Ensure you have a `while True` loop.

Step 7: Production Checklist

✅ Item	Description
Secrets management	Store `VMANAGE_USER`, `VMANAGE_PASS`, and `SLACK_WEBHOOK` in a secret manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) rather than plain `.env` in production.
Transport security	Use valid TLS certificates on vManage/DNA Center. If you must accept self‑signed certs, pin the exact CA fingerprint instead of `verify=False`.
Least‑privilege API account	Create a dedicated service account with only the `Monitor` role (or custom role limited to `/dataservice/device/detail`).
Rate limiting awareness	Respect any `Retry-After` headers returned by Cisco APIs; implement a back‑off that honors them.
Idempotent alerts	Deduplicate alerts (e.g., store the last‑seen vulnerable device IDs in a Redis cache or DynamoDB) to avoid spamming Slack on every poll.
Observability	Export logs to a central system (ELK, Splunk, CloudWatch). Export metrics: `devices_scanned`, `vulnerable_found`, `api_errors`, `poll_latency`.
Alert escalation	In addition to Slack, integrate with PagerDuty, Opsgenie, or email for critical findings.
Change‑management	Document the expected vulnerable version ranges; update them when Cisco releases an advisory or a workaround.
Fail‑open vs fail‑closed	Decide whether loss of connectivity to vManage should trigger an alert (fail‑open) or be ignored (fail‑closed). Implement accordingly.
Regular testing	Run the monitor against a lab vManage with a known vulnerable device to verify alerting works.
Version pinning	Lock dependencies (`requirements.txt` / `package-lock.json`) to avoid surprise breaking changes.
Containerisation (optional)	Package the script in a Docker image with a non‑root user, read‑only filesystem, and healthcheck (`curl localhost:8080/health`).
Documentation	Keep a `README.md` that explains how to deploy, configure, and troubleshoot the monitor.

🎉 You’re ready!

Copy the code blocks above into your preferred language repository, adjust the .env values, and run:

Python:

python src/monitor.py

Node.js/TS:

# Build (if using TS)
npx tsc
node dist/monitor.js   # or directly: npx ts-node src/monitor.ts

The script will now continuously watch your Cisco SD‑WAN fabric, flag any device running the vulnerable software versions tied to the 7th zero‑day, and notify you via Slack—giving you a valuable early‑warning window while you await an official patch or apply Cisco’s recommended workaround.

Stay safe, and keep your networks under watch! 🚀

Next Steps

Get API Access - Sign up at the official website
Try the Examples - Run the code snippets above
Read the Docs - Check official documentation
Join Communities - Discord, Reddit, GitHub discussions
Experiment - Build something cool!

Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026

Implementation Guide

ICARAX Tech Blog – Detecting & Mitigating the Cisco SD‑WAN Zero‑Day (CVE‑2026‑XXXX)

📋 Table of Contents

Step 1: Prerequisites

Step 2: Installation & Setup

2.1 Clone the starter repo (optional)

2.2 Python environment

2.3 Node.js / TypeScript environment

Step 3: Basic Implementation

Python Implementation (`src/monitor.py`)

JavaScript / TypeScript Implementation (`src/monitor.ts`)

Step 4: Configuration

Step 5: Common Patterns

Step 6: Troubleshooting

Step 7: Production Checklist

🎉 You’re ready!

Next Steps

Further Reading

Comments (0)

Similar Blogs

Ai • Technology • Machine-learning

Cisco Warns of Available PoC for Critical Unified CM Vulnerability

Ai • Technology • Machine-learning

19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

Ai • Technology • Machine-learning

Botnet of more than 17 million devices dismantled

Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026

Implementation Guide

ICARAX Tech Blog – Detecting & Mitigating the Cisco SD‑WAN Zero‑Day (CVE‑2026‑XXXX)

📋 Table of Contents

Step 1: Prerequisites

Step 2: Installation & Setup

2.1 Clone the starter repo (optional)

2.2 Python environment

2.3 Node.js / TypeScript environment

Step 3: Basic Implementation

Python Implementation (src/monitor.py)

JavaScript / TypeScript Implementation (src/monitor.ts)

Step 4: Configuration

Step 5: Common Patterns

Step 6: Troubleshooting

Step 7: Production Checklist

🎉 You’re ready!

Next Steps

Further Reading

Comments (0)

Similar Blogs

Ai • Technology • Machine-learning

Cisco Warns of Available PoC for Critical Unified CM Vulnerability

Ai • Technology • Machine-learning

19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

Ai • Technology • Machine-learning

Botnet of more than 17 million devices dismantled

Python Implementation (`src/monitor.py`)

JavaScript / TypeScript Implementation (`src/monitor.ts`)