Every time I've walked into a new environment and asked "show me all your file transfers," the answer has been some version of "we have a pretty good idea" followed by a list that covers maybe 60% of what's actually running. The other 40% are shadow transfers: cron jobs nobody documented, batch scripts inherited from someone who left, scheduled tasks that were supposed to be temporary.

Here's a 30-minute audit you can run right now to find out what's actually happening on your network. You'll need SSH access to your Linux servers and RDP or admin access to your Windows boxes. A terminal and a notepad.

Minutes 1-10: Find the Transfers

Linux

    # Find all cron jobs system-wide
    grep -r "" /etc/cron* /var/spool/cron/* 2>/dev/null

    # Search for common transfer commands in scripts
    grep -rl "scp\|sftp\|rsync\|wget\|curl\|ncftpput\|lftp" /usr/local/bin/ /opt/ /home/ 2>/dev/null

    # Check for running transfer processes right now
    ps aux | grep -E "scp|sftp|rsync|wget|curl|ftp" | grep -v grep

    # Look for SSH keys used by automated processes
    find /home /root -name "id_*" -o -name "*.pem" 2>/dev/null

Windows

    # List all scheduled tasks (PowerShell)
    Get-ScheduledTask |
        Where-Object {$_.Actions.Execute -match "ftp|scp|robocopy|pscp|winscp"} |
        Format-Table TaskName, State

    # Search for transfer scripts
    Get-ChildItem -Path C:\ -Recurse -Include *.bat,*.ps1,*.cmd -ErrorAction SilentlyContinue |
        Select-String -Pattern "ftp|sftp|scp|robocopy|pscp" |
        Select-Object Path, LineNumber, Line

    # Check for WinSCP or FileZilla configs
    Get-ChildItem -Path $env:APPDATA -Recurse -Include "*.ini","*.xml" -ErrorAction SilentlyContinue |
        Select-String -Pattern "ftp|sftp" |
        Select-Object Path

Write down everything you find. Server, transfer type, schedule (if you can tell), source and destination. Don't worry about whether it's still active yet — just inventory.

Minutes 10-20: Check the Obvious Problems

Now go through your list and check for these red flags:

Security Checklist

  • Plaintext FTP (port 21). Any transfer using FTP instead of SFTP or FTPS is sending credentials and data in the clear. This is a compliance failure under POPIA, GDPR, and SOC 2.
  • Hardcoded passwords in scripts. Search your batch files and shell scripts for password strings with grep -ri "password" /path/to/scripts/ and review each hit. Every hardcoded password is an audit finding.
  • SSH keys without passphrases. Run ssh-keygen -y -f <keyfile> on every private key you found. If it prints the public key without asking for a passphrase, the key is unprotected and anyone who gets that file can access the destination server.
  • Keys older than 1 year. Check key creation dates. SSH keys should be rotated annually at minimum.
  • Credentials shared across transfers. If three scripts use the same username/password to connect to the same server, that's a single point of failure and a lateral movement risk.
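
The two key checks above in batch form, as an added example that is not part of the original article. It goes beyond the single-key command by reading the cipher field from the key file header; the function names, the constructed sample key and the use of file modification time as a stand-in for key age are assumptions.

```shell
#!/bin/sh
# Added example: report private keys that have no passphrase or are older
# than a year, without prompting. Assumes GNU coreutils (base64 -d, head -c).
# File mtime is a proxy for key age; the key file itself records no date.

# key_cipher FILE: print "none" for an unencrypted key, otherwise "encrypted"
key_cipher() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # openssh-key-v1: 15-byte magic, uint32 length, then the cipher name
        c=$(sed '/^-----/d' "$1" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
        [ "$c" = none ] && echo none || echo encrypted
    elif grep -qE 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted          # legacy PEM or PKCS#8 protected by a passphrase
    else
        echo none               # legacy PEM or PKCS#8 stored in the clear
    fi
}

# audit_key FILE: print one line per finding; non-key files are skipped
audit_key() {
    grep -q 'PRIVATE KEY-----' "$1" 2>/dev/null || return 0
    [ "$(key_cipher "$1")" = none ] && echo "$1: no-passphrase"
    [ -n "$(find "$1" -mtime +365)" ] && echo "$1: older-than-1-year"
    return 0
}

# make_sample_key FILE: constructed, header-only unencrypted key for the demo
make_sample_key() {
    {   echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

# Audit the paths given as arguments, or a constructed sample key if none
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_key "$f"; done
else
    k=$(mktemp); make_sample_key "$k"; touch -t 202001010000 "$k"
    audit_key "$k"; rm -f "$k"
fi
```

Feed it the output of the find command from the first step, one path per argument.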

Reliability Checklist

  • No retry logic. Most raw scp/curl/ftp commands fail permanently on first error. No retry, no backoff, no notification. The transfer just dies and nobody knows.
  • No success verification. Does the script check that the file arrived intact? Most don't. They run the command and assume it worked.
  • No alerting on failure. When a cron job fails, cron sends mail to root — which nobody reads. Check if anyone gets notified when transfers fail.
  • Overlapping schedules. If transfer A writes to a directory while transfer B reads from it, you have a race condition. Check for timing overlaps.
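
A wrapper that closes the first three gaps in this checklist, as an added example that is not part of the original article: it retries with exponential backoff, compares the SHA-256 of source and destination, and raises an alert on final failure. MAX_TRIES, BASE_DELAY, alert() and a destination path that is readable locally are assumptions; for a remote destination, compute the hash over SSH instead.

```shell
#!/bin/sh
# Added example: wrap any transfer command with retry, backoff, an integrity
# check and a failure alert. Names and defaults below are assumptions.

MAX_TRIES=${MAX_TRIES:-4}
BASE_DELAY=${BASE_DELAY:-2}     # seconds; doubles after every failed attempt

# alert MESSAGE: send to syslog, fall back to stderr (replace with your pager)
alert() { logger -t transfer-audit "$*" 2>/dev/null || echo "ALERT: $*" >&2; }

# sha FILE: print the SHA-256 of FILE, or nothing if it cannot be read
sha() { { sha256sum "$1" || shasum -a 256 "$1"; } 2>/dev/null | cut -d' ' -f1; }

# run_transfer SRC DST CMD...: run CMD until DST has the same hash as SRC
run_transfer() {
    src=$1 dst=$2; shift 2
    want=$(sha "$src")
    [ -n "$want" ] || { alert "source missing: $src"; return 2; }
    try=1 delay=$BASE_DELAY
    while [ "$try" -le "$MAX_TRIES" ]; do
        # Success needs both a zero exit code and a matching checksum
        if "$@" && [ "$(sha "$dst")" = "$want" ]; then
            echo "ok tries=$try sha256=$want"
            return 0
        fi
        [ "$try" -lt "$MAX_TRIES" ] && sleep "$delay"
        try=$((try + 1)) delay=$((delay * 2))
    done
    alert "transfer failed after $MAX_TRIES tries: $src -> $dst"
    return 1
}

# Run the command given as arguments, or a demo on a constructed file
if [ "$#" -ge 3 ]; then
    run_transfer "$@"
else
    t=$(mktemp -d); echo 'constructed payload' > "$t/a"
    run_transfer "$t/a" "$t/b" cp "$t/a" "$t/b"; rm -rf "$t"
fi
```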

Minutes 20-25: Check Compliance Gaps

Compliance Checklist

  • Audit trail. Can you show a compliance auditor who transferred what file, when, and whether it succeeded? If the answer is "check the log files on server 3," you don't have an audit trail.
  • Encryption in transit. Every transfer should use TLS/SSL (FTPS, HTTPS) or SSH (SFTP, scp). No exceptions.
  • Encryption at rest. Are transferred files stored encrypted on the destination? If they land in a plain directory, the encryption in transit only protected them on the wire.
  • Access controls. Who has access to the transfer credentials? Who can modify the scripts? If the answer is "everyone in the dev team," that's too broad.
  • Data residency. Do any transfers move data outside your jurisdiction? Cross-border transfers may trigger additional requirements under POPIA or GDPR.

Minutes 25-30: Score and Prioritise

Count your findings. Use this rough scoring:

| Finding | Risk Level | Fix Priority |
| --- | --- | --- |
| Plaintext FTP | Critical | This week |
| Hardcoded passwords | Critical | This week |
| No audit trail | High | This month |
| No retry / alerting | High | This month |
| Stale SSH keys | Medium | Next quarter |
| Undocumented transfers | Medium | Ongoing |

If you found more than 10 transfers and more than 3 red flags, you're dealing with transfer sprawl. The fix isn't one script replacement at a time — it's an orchestration layer that gives you visibility and control over everything at once.
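
To apply the two Critical rows of the table to the scripts found in the first step, here is an added heuristic scanner (not from the original article). The regexes, the finding labels and the sample script are assumptions, and only shell-style # comment lines are skipped.

```shell
#!/bin/sh
# Added example: heuristic scan for the two "Critical" rows of the scoring
# table. The regexes are assumptions about common script shapes; expect false
# positives and tune them per environment.

FTP_RE='(^|[^[:alnum:]])(ftp://|(ftp|ncftpput|ncftpget)[[:space:]])'
# Literal assigned to a password variable (a $VARIABLE reference is not flagged)
PW_RE='pass(word|wd)?[[:space:]]*=[[:space:]]*"?[^"$[:space:]]'
# Password on the command line, or user:password embedded in a URL
PW_RE="$PW_RE"'|sshpass[[:space:]]+-p[[:space:]]*"?[^"$[:space:]]'
PW_RE="$PW_RE"'|://[^:/@[:space:]]+:[^/@$[:space:]]+@'

# flag NAME REGEX FILE: print FILE:LINE:NAME for each matching non-comment line
flag() {
    grep -inE "$2" "$3" | grep -vE '^[0-9]+:[[:space:]]*#' | cut -d: -f1 |
        while read -r n; do printf '%s:%s:%s\n' "$3" "$n" "$1"; done
}

# scan_script FILE: run both checks against one script
scan_script() {
    flag plaintext-ftp "$FTP_RE" "$1"
    flag hardcoded-password "$PW_RE" "$1"
}

# write_sample FILE: constructed sample script (hosts and secrets are made up)
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# nightly export: ftp used to live here
PASSWORD="hunter2"
curl -T /data/export.csv ftp://backup:S3cret@files.example.test/in/
sftp -b batch.txt svc@files.example.test
API_PASSWORD="$VAULT_PW"
ftp -n files.example.test < cmds.txt
EOF
}

# Scan the files given as arguments, or the constructed sample if none
if [ "$#" -gt 0 ]; then
    for f in "$@"; do scan_script "$f"; done
else
    s=$(mktemp) && write_sample "$s" && scan_script "$s"; rm -f "$s"
fi
```

On the sample, the commented-out mention of ftp, the sftp line and the password read from a variable are not flagged; the curl line is reported under both findings.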

What Comes After the Audit

The audit tells you where you stand. The next step is closing the gaps:

  1. Kill plaintext FTP. Replace with SFTP or FTPS. This is non-negotiable for compliance.
  2. Move credentials out of scripts. Use a credential store (MFTPlus has one built in, or use HashiCorp Vault, or even environment variables — anything but hardcoded strings in batch files).
  3. Add monitoring. Every transfer should report success or failure somewhere you actually check. A dashboard is better than email alerts, which are better than nothing.
  4. Document everything. Build a transfer catalog: source, destination, schedule, protocol, credentials, owner, business purpose. If you can't explain why a transfer exists, that's a candidate for removal.

We're building an automated discovery tool that does steps 1-4 of this audit for you — scans your network, finds every transfer, flags the red flags, produces the report. If you want to be notified when it's ready, sign up at mftplus.co.za.

In the meantime, run this audit manually. Thirty minutes now saves you from finding out about a plaintext FTP server during a compliance review.

MFTPlus handles encryption, credential management, retry logic, audit trails, and monitoring out of the box. Close the gaps this audit uncovers.

Armin Marxer
Building MFTPlus. File transfer infrastructure for teams that ship.

FAQ

What is a file transfer audit?
A file transfer audit is a systematic review of all file transfer activity on your network: finding every transfer (including undocumented ones), checking for security issues like plaintext FTP and hardcoded credentials, verifying compliance with regulations like POPIA and GDPR, and assessing reliability gaps like missing retry logic and alerting.

How often should I audit file transfers?
At minimum, quarterly. If you're in a regulated industry or preparing for SOC 2 certification, monthly. The audit takes 30 minutes manually. MFTPlus provides continuous monitoring that catches issues as they appear.

What are shadow file transfers?
Shadow transfers are file transfers that run on your network but aren't documented or monitored. They're usually cron jobs, batch scripts, or scheduled tasks that someone set up months or years ago and forgot about. In most environments, 30-40% of transfers are shadow transfers.

Is plaintext FTP still a compliance issue in 2026?
Yes. FTP transmits credentials and data without encryption, which violates POPIA (South Africa), GDPR (Europe), PCI DSS (payment data), and SOC 2 requirements. If an auditor finds FTP on port 21, it's an automatic finding.

How do I find undocumented file transfers?
Search cron jobs, Windows Scheduled Tasks, and script files for transfer commands (scp, sftp, rsync, wget, curl, robocopy). Check for SSH keys used by automated processes. Look for FTP client configurations (WinSCP, FileZilla). MFTPlus is building an automated discovery tool that scans for all of these.