The Asset Inventory Reality Check: 17k vs 1.1M Assets
Just caught the latest on how Lumen Technologies rebuilt their exposure management, jumping from tracking 17,000 to 1.1 million assets. The 2026 Axonius report backs this up, noting that less than half of us consolidate asset and exposure data effectively.
We often assume our CMDBs are accurate until a breach proves otherwise. This blind spot is where vulnerabilities like Log4Shell (CVE-2021-44228) or ProxyShell (CVE-2021-34523) thrive. If you don't know the asset exists, you aren't patching it.
I've been trying to improve our visibility by cross-referencing Active Directory against our vulnerability scanner. Here is a quick PowerShell snippet I use to identify potentially stale computers that might be "ghost" assets:
$daysInactive = 90
$time = (Get-Date).Adddays(-($daysInactive))
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
Select-Object Name, @{N='LastLogon';E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}} |
Export-Csv -NoTypeInformation -Path "./StaleAssets.csv"
Discovery is only half the battle; managing the noise at scale is the real headache. How is everyone else handling the "unknown" assets in their environment? Are you relying on commercial scanners or home-grown bash/python scripts for discovery?
The scale of Lumen's discovery is insane but believable. In my experience, the biggest gaps usually come from shadow IT and cloud instances. We found dozens of unaccounted EC2 instances just by querying AWS CLI directly against our inventory list.
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,Tags[?Key==`Name`].Value]' --output table
Consolidating that into a single pane of glass is the holy grail. We're currently trialing Axonius, but the integration work is heavier than expected.
Great script share. I'd add that you also need to look for IP conflicts or duplicates. We use Nmap to sweep our subnets weekly and compare it against our IPAM.
nmap -sn 192.168.1.0/24 | grep "Nmap scan report" | awk '{print $5}' > live_hosts.txt
Comparing live_hosts.txt against our DHCP leases usually reveals rogue IoT devices or dev boxes that never made it to the procurement list.
From an external perspective, forgotten subdomains are a massive blind spot. Attackers love Certificate Transparency logs because they reveal assets IT forgot to decommission. You can start mapping these immediately without internal access using a tool like subfinder:
subfinder -d your-company.com -silent
Cross-referencing this list against your CMDB is usually a sobering reality check.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access