How to Build an Effective Vulnerability Management Process – Part 1: Asset Discovery and Scanning

Dave Hall

Getting Started: Mapping and Monitoring Your Assets

This post is part of the “Building a Real-World Vulnerability Management Process” series — a practical guide to documenting what actually works in the field.


A vulnerability management process starts with a single truth: you can’t secure what you don’t know exists. Discovery and scanning form the foundation for every other step in the vulnerability lifecycle. If your asset inventory is incomplete — or your scanning coverage is unreliable — all downstream efforts will be inconsistent at best, and misleading at worst.

This post outlines how to build the Discovery and Scanning section of your vulnerability management process documentation — with actionable controls that can be reviewed, validated, and audited.


Step 1: Define Asset Scope

Your first task is to clearly define what’s in scope for vulnerability management.

Asset Types to Include:

  • On-prem servers and workstations

  • Cloud instances (e.g. AWS EC2, Azure VMs)

  • Containers and ephemeral compute

  • Network devices (firewalls, load balancers, routers)

  • Endpoints (laptops, desktops)

  • External-facing assets (e.g. public IPs, exposed services)

  • Third-party hosted infrastructure (where applicable)

Common Oversights:

  • Shadow IT (untracked cloud assets, dev instances)

  • Short-lived containers or test environments

  • Dormant IP ranges with legacy systems

  • Remote endpoints or unmanaged devices

A formal inventory should be sourced from:

  • CMDB (e.g. ServiceNow)

  • Cloud APIs and infrastructure-as-code

  • Endpoint management platforms (e.g. Intune, JAMF, SCCM)

  • Discovery tools (e.g. network probes, EASM platforms)


Step 2: Asset Discovery Mechanisms

Discovery mechanisms should run continuously or on a regular cadence to identify:

  • Newly provisioned assets

  • IPs in use but untracked

  • Unexpected changes to asset states (e.g. previously offline servers)

Sources of Truth May Include:

  • DHCP leases, DNS logs

  • Cloud control planes (Terraform, AWS Config)

  • Active Directory or Entra ID device joins

  • External IP monitoring

Use asset tags or naming conventions to track:

  • Business owner

  • Location or region

  • Platform (Windows, Linux, cloud type)

  • Criticality (CBS/IBS classification)


Step 3: Scan Configuration

Once assets are discovered, define how they will be scanned.

Key Parameters:

  • Authenticated or agent-based scanning (recommended for depth)

  • Unauthenticated scans to approximate an attacker's view of the exposed surface

  • Internal vs external scans based on exposure

  • Scan frequency aligned to asset criticality and risk appetite

Typical Frequency:

  • Critical external systems: Daily or continuous

  • Internal infrastructure: Weekly

  • Endpoints: Daily (via agents) or weekly

  • Cloud assets: Integrated via API or infrastructure automation

  • Ad hoc scans: Before go-live, post-patch, or security incidents

Scan Tuning:

  • Limit scan windows to avoid business disruption

  • Include DNS/NetBIOS resolution so scan results map back from IP to hostname

  • Schedule regular checks that credentialed scans are still authenticating successfully, since expired or rotated credentials silently downgrade them to unauthenticated scans


Step 4: Coverage Validation

The final — and most often missed — part of scanning is validation.

How Do You Know You’re Scanning Everything?

  • Compare scan targets against CMDB, cloud asset lists, and endpoint platforms

  • Flag inventoried IPs with no scan result in the last 30 days

  • Track scan success/failure rates by asset

  • Identify blind spots (e.g. legacy systems, segmented networks)
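As an added example (not code from the post), the following Python reconciliation implements the checks above against constructed sample data. It assumes an inventory already merged from CMDB, cloud API and endpoint platform, the scanner's target list and a per-attempt scan log; it also flags the 24-hour onboarding control from Suggested Controls below and the "IPs in use but untracked" case from Step 2.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post): inventory merged from CMDB,
# cloud API and endpoint platform, plus the scanner's target list and scan log.
INVENTORY = [
    {"asset": "web-01",  "ip": "10.0.1.10", "provisioned": "2024-05-01"},
    {"asset": "db-01",   "ip": "10.0.2.20", "provisioned": "2024-05-01"},
    {"asset": "i-0abc",  "ip": "10.0.3.30", "provisioned": "2024-06-10"},  # cloud instance
    {"asset": "lt-4471", "ip": "10.0.4.40", "provisioned": "2024-06-01"},  # managed laptop
    {"asset": "ctr-7f",  "ip": "10.0.5.50", "provisioned": "2024-06-12"},  # new container
]
SCAN_TARGETS = {"10.0.1.10", "10.0.2.20", "10.0.4.40"}
SCAN_RESULTS = [  # one row per scan attempt; ok=False means the scan failed
    {"ip": "10.0.1.10", "date": "2024-06-11", "ok": True},
    {"ip": "10.0.1.10", "date": "2024-06-04", "ok": True},
    {"ip": "10.0.2.20", "date": "2024-04-20", "ok": True},   # last success > 30 days ago
    {"ip": "10.0.4.40", "date": "2024-06-11", "ok": False},  # credentialed scan failing
    {"ip": "10.0.4.40", "date": "2024-06-04", "ok": False},
    {"ip": "10.0.9.99", "date": "2024-06-11", "ok": True},   # scanned, but in no inventory
]
NOW = datetime(2024, 6, 12)  # fixed "today" so the report is reproducible

def reconcile(inventory, targets, results, now, stale_days=30, onboard_hours=24):
    """Compare inventory against scan targets and scan history; return the gaps."""
    parse = lambda s: datetime.strptime(s, "%Y-%m-%d")
    last_ok, attempts, failures = {}, {}, {}
    for r in results:
        ip = r["ip"]
        attempts[ip] = attempts.get(ip, 0) + 1
        if r["ok"]:
            last_ok[ip] = max(last_ok.get(ip, datetime.min), parse(r["date"]))
        else:
            failures[ip] = failures.get(ip, 0) + 1
    report = {"not_targeted": [], "onboarding_breach": [], "stale": []}
    for a in inventory:
        ip = a["ip"]
        if ip not in targets:  # inventory knows it, the scanner was never told
            report["not_targeted"].append(a["asset"])
            if now - parse(a["provisioned"]) > timedelta(hours=onboard_hours):
                report["onboarding_breach"].append(a["asset"])  # 24h control missed
        elif ip not in last_ok or now - last_ok[ip] > timedelta(days=stale_days):
            report["stale"].append(a["asset"])  # targeted, but no success in 30 days
    # failure rate per IP, and IPs the scanner saw that no inventory source knows
    report["failure_rate"] = {ip: failures.get(ip, 0) / n for ip, n in attempts.items()}
    report["untracked"] = sorted(set(attempts) - {a["ip"] for a in inventory})
    return report

def run_report():
    return reconcile(INVENTORY, SCAN_TARGETS, SCAN_RESULTS, NOW)
```

A laptop whose credentialed scans keep failing shows up under both `stale` and a 1.0 failure rate, which is the point: a target that is listed but never successfully scanned is a blind spot, not coverage.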


Suggested Controls

  • All in-scope assets are defined, including infrastructure, endpoints, cloud workloads, and external services.

  • A centralised inventory is maintained using data from CMDB, cloud APIs, and endpoint management platforms.

  • New assets are added to scanning within 24 hours of provisioning or onboarding.

  • Scan coverage includes all internal and external IP ranges, with defined frequency per asset type.

  • Authenticated or agent-based scanning is used for internal systems; unauthenticated scans cover external-facing assets.

  • Scan failures are tracked and remediated, with owners and due dates clearly assigned.

  • Monthly reconciliation is performed between the asset inventory and active scan coverage.

  • Asset tags (e.g. owner, environment, criticality) are applied consistently during onboarding or discovery.


Summary

Discovery and scanning are the foundation of any vulnerability management program. Get this part wrong, and everything that follows will be incomplete or misleading.

As you document your process, focus on:

  • What assets are in scope

  • How they’re discovered and added to scanning

  • The method and frequency of scans

  • How coverage is verified and monitored

In the next post, we’ll move into Assessment and Prioritisation — where raw scan data becomes actionable risk intelligence.


➡️ Want to connect, ask a question, or suggest a topic? Find me on LinkedIn.
