If you run Debian servers long enough, you eventually hit the same question: which of my installed packages are actually affected by known vulnerabilities right now? Package managers can show what is upgradable. CVE databases can show that a vulnerability exists somewhere. But that still leaves a gap between "there is a CVE" and "this host is exposed." That is the gap debsecan is built to close. debsecan checks the packages installed on the current Debian system and reports vulnerabilities that affect them. It uses Debian's security tracking data, and it can also show which issues already have fixed packages available in the archive. In this guide, I’ll show a practical workflow for using debsecan for host-level triage on Debian.…