What is Asset Discovery?
Also: asset enumeration · attack surface discovery · external asset discovery · attack surface mapping
Definition
Asset discovery is the process of finding every internet-facing thing an organization owns or operates - domains, subdomains, IP addresses, hosts, open services, and cloud resources - so that nothing exposed to attackers stays invisible to defenders. It is the first and most decisive phase of external attack surface management, because you cannot protect, patch, or monitor an asset you do not know exists.
In depth
Asset discovery answers a deceptively simple question: what does our organization actually expose to the internet right now? In practice the answer is almost never the tidy list a security team imagines. Marketing spins up a campaign microsite, a developer launches a staging API on a forgotten subdomain, an acquired company brings its own ASN, and a contractor stands up a cloud bucket that never gets decommissioned. Each of these is a live entry point. Gartner created the External Attack Surface Management (EASM) market category in 2021 specifically because organizations were consistently unaware of internet-facing assets and systems they owned, and discovery is the capability that closes that visibility gap.
Effective discovery begins with seeds - a small set of confidently-owned, verified anchors such as a primary brand domain, a known corporate IP range, a registered organization name in WHOIS, or an Autonomous System Number (ASN). From these seeds, discovery expands outward through attribution. DNS enumeration walks subdomains and resolves them to hosts; WHOIS and registrant data link sibling domains; reverse DNS and PTR records map IPs back to names. The goal is to grow a defensible inventory where each discovered asset can be traced back to a seed, so the team avoids both blind spots and false attributions that waste analyst time.
Certificate Transparency (CT) is one of the most powerful discovery signals available, and it is specified in RFC 9162. CT logs are public, append-only, cryptographically verifiable records of every TLS certificate that participating certificate authorities issue. They were designed to let anyone detect misissued certificates, but they double as a discovery goldmine: when an engineer requests a certificate for an internal-sounding hostname like vpn-test.internal.example.com, that name becomes publicly searchable the moment the certificate is logged. Querying CT logs routinely surfaces subdomains, staging environments, and pre-launch services that never appear in any internal asset register.
ASN and netblock expansion handles the IP-layer half of the problem. An ASN identifies a block of IP networks under a single administrative control, and large organizations are frequently allocated their own ASNs or registered netblocks in the regional internet registries (ARIN, RIPE, APNIC, and others). Discovery tools enumerate the prefixes announced by an organization's ASN and the netblocks registered to its name, then probe those ranges to fingerprint live hosts and services. Cloud assets complicate this picture - addresses are ephemeral and shared - so discovery must also correlate cloud provider ranges, DNS records pointing at cloud endpoints, and service banners to attribute transient cloud resources correctly.
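The seed-based attribution described above, applied to names of the kind CT logs surface and to a registered netblock, as an added example that is not Legba Recon's code. The seed lists, candidate records and function names are constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress

# Constructed seeds: verified anchors the organization confidently owns.
SEED_DOMAINS = ["example.com", "example.org"]
SEED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed candidates: (name seen in a CT log entry, resolved IP or None).
CANDIDATES = [
    ("vpn-test.internal.example.com", "203.0.113.10"),
    ("*.Staging.Example.org.", None),
    ("notexample.com", "198.51.100.7"),
    ("legacy-portal.example.net", "203.0.113.44"),
]

def normalize(name):
    """Lower-case, drop the trailing root dot and any leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def attribute(name, ip=None):
    """Return the (seed_type, seed) that justifies ownership, or None."""
    host = normalize(name)
    for seed in SEED_DOMAINS:
        # Match on a label boundary so notexample.com never matches example.com.
        if host == seed or host.endswith("." + seed):
            return ("domain", seed)
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        for net in SEED_NETBLOCKS:
            if addr in net:
                return ("netblock", str(net))
    return None

def build_inventory(candidates):
    """Split candidates into attributed assets and names needing analyst review."""
    inventory, review = {}, []
    for name, ip in candidates:
        hit = attribute(name, ip)
        if hit:
            inventory[normalize(name)] = hit
        else:
            review.append(normalize(name))
    return inventory, review

if __name__ == "__main__":
    inv, todo = build_inventory(CANDIDATES)
    for host, (kind, seed) in inv.items():
        print(f"{host:35} <- {kind} seed {seed}")
    print("unattributed, review before adding:", todo)
```

The netblock check is only meaningful for ranges registered to the organization; an address inside a shared cloud provider range needs the DNS and banner correlation the paragraph above describes before it can be attributed.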
It is worth distinguishing asset discovery from adjacent terms. Discovery is about enumeration - building a complete, attributed inventory of what exists. It is not the same as vulnerability scanning, which inspects already-known assets for weaknesses, nor exposure validation, which confirms whether a discovered weakness is actually reachable and exploitable. Discovery is also broader than asset inventory in the IT-management sense: traditional inventory tracks assets the organization deliberately provisioned, while attack-surface discovery deliberately hunts for the assets nobody remembered to provision, decommission, or document - the shadow IT and orphaned infrastructure that attackers find first.
Why it matters
Every breach starts somewhere, and increasingly it starts on an asset the victim did not know was online. CISA's guidance on attack surface management exists precisely because exploited public-facing applications are a leading initial-access vector for ransomware - and you cannot patch, monitor, or decommission a host that is missing from your inventory. The cost of incomplete discovery is not abstract: a single forgotten staging server with default credentials, an expired subdomain ripe for takeover, or an unmonitored S3 bucket can hand an attacker a foothold that bypasses every control you carefully applied to the assets you do track. The assets you forgot are the ones that get you compromised, and they are exactly the ones disciplined discovery is built to find before an adversary does.
How Legba Recon uses it
Legba Recon treats asset discovery as the foundation of its workflow, not an afterthought. It starts from your verified seeds - root domains, organization names, registered netblocks, and ASNs - and expands the surface using the same techniques attackers rely on: continuous Certificate Transparency log monitoring to catch new and internal-sounding hostnames the moment a certificate is issued, DNS and WHOIS enumeration to attribute sibling domains and subdomains, and ASN and netblock expansion to map your IP-layer footprint including ephemeral cloud endpoints. Crucially, Recon does not stop at a list of hostnames; it fingerprints the services running on each discovered asset, attributes everything back to a seed so your inventory stays defensible and free of false positives, and feeds that live inventory directly into validation so newly-surfaced exposures - a dangling DNS record, an exposed admin panel, leaked credentials - are caught and reported the day they appear rather than the day they are exploited.
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
References
- 01. Attack surface - Glossary. NIST Computer Security Resource Center
- 02. Cyber Asset Attack Surface Management (CAASM). Cybersecurity and Infrastructure Security Agency (CISA)
- 03. RFC 9162: Certificate Transparency Version 2.0. IETF / RFC Editor
- 04. Attack Surface Analysis Cheat Sheet. OWASP Cheat Sheet Series
