Inverted Checks
Inverted checks flip the normal success/failure logic: they alert when a check succeeds instead of when it fails. This is ideal for security monitoring—alerting when something that should be inaccessible becomes accessible.
How It Works
| Normal Check | Inverted Check |
|---|---|
| Alert on failure | Alert on success |
| Port closed = failure | Port closed = success (no alert) |
| Port open = success | Port open = failure (alert!) |
Use Cases
Firewall Validation
Verify that internal ports remain closed to the public internet. If a firewall rule is accidentally removed, you'll know immediately.
{
"name": "internal-db-should-be-closed",
"type": "tcp",
"config": {
"host": "db.example.com",
"port": 5432
},
"inverted": true,
"regions": ["na-east-ewr", "eu-central-fra"],
"interval_seconds": 300
}Private Endpoint Monitoring
Ensure admin panels, staging environments, or internal APIs aren't accidentally exposed.
Development Server Detection
Alert if development servers with debug mode enabled become accessible from the internet.
Rate Limiting Validation
Verify that rate limiting is working by checking that requests are blocked when they should be.
Deployment Version Detection
Create an inverted check that alerts when a new version string appears, confirming deployments happened.
{
"name": "detect-new-deployment",
"type": "https",
"config": {
"url": "https://api.example.com/version",
"expected_body": "v2.0.0"
},
"inverted": true,
"regions": ["na-east-ewr"],
"interval_seconds": 60
}This alerts when the response no longer contains "v2.0.0", indicating a new version was deployed.
API Usage
Set inverted: true when creating a check:
curl -X POST https://api.quismon.com/v1/checks \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "admin-panel-not-public",
"type": "https",
"config": {
"url": "https://example.com/admin",
"expected_status": [401, 403]
},
"inverted": true,
"regions": ["na-east-ewr", "eu-central-fra", "ap-southeast-sin"],
"interval_seconds": 300
}'Inverted Logic by Check Type
| Check Type | Normal | Inverted |
|---|---|---|
| TCP | Alert if port closed | Alert if port open |
| HTTP/HTTPS | Alert if status/body mismatch | Alert if status/body match |
| Ping | Alert if host unreachable | Alert if host reachable |
| DNS | Alert if resolution fails | Alert if resolution succeeds |
Terraform Example
# Ensure database port is NOT accessible from outside
resource "quismon_check" "db_not_public" {
name = "db-port-not-public"
type = "tcp"
inverted = true
config = jsonencode({
host = "db.example.com"
port = 5432
})
regions = ["na-east-ewr", "eu-central-fra"]
interval_seconds = 300
}
# Alert rule for inverted check
resource "quismon_alert_rule" "db_exposed" {
name = "database-port-exposed"
check_id = quismon_check.db_not_public.id
condition = "failed_for_1m"
severity = "critical"
message = "Database port is accessible from the internet!"
notification_channels = [quismon_notification_channel.slack.id]
}Console Indicators
Inverted checks are clearly marked in the console with:
- A purple "Inverted" badge next to the check name
- Tooltip explaining: "alerts on success instead of failure"
- Status indicators show inverted logic (success = red, failure = green)