Skip to main content

Cyber Asset Management

Asset inventory

The Asset Inventory is the heart of Cyber Asset Management: one searchable list of every asset your connected tools have seen, merged so each real-world asset appears once. This page covers browsing and filtering that list, opening a single asset to see everything known about it (including what other ThreatWeaver modules know about it), checking your inventory against a baseline, and running the sensors that collect it.

What it's for

  • Find any asset fast — search by name, address, serial, cloud id, or business unit, then narrow with filters.
  • See how trustworthy each record is — how many tools saw it, and whether they agree.
  • Go deep on one asset — open its detail panel for an AI-generated summary, what other modules (vulnerabilities, threats, attack paths) know about it, and how it relates to its evidence and to other assets.

The screens in it

  • Asset Inventory — the main list, with filters, columns, export, and a detail panel for each asset.
  • Inventory Baseline — compares a source you trust as the "source of truth" (such as your directory) against the endpoints actually reporting in.
  • Inventory Sensors — the on-premises collectors that gather inventory from your internal network.
Asset Inventory — the searchable list with filters, columns, and pagination

The Asset Inventory list

Open Asset Inventory to see every asset in one table. A short subtitle reminds you this is "every asset seen by your connected security tools, in one searchable list."

Searching and filtering

A filter bar sits above the table.

ControlWhat it does
SearchFinds assets by hostname, full domain name (FQDN), IP address, serial number, cloud instance id, or business unit.
SourceLimits the list to a single connected tool, or All.
VerificationFilters by how well the sources agree — Verified, Partial, Stale, Conflict, or Unverified (or All).
EntityFilters by the kind of thing the asset is (for example a host, cloud resource, or identity).
OSFilters by operating-system family.
SeverityFilters by the highest finding severity on the asset.
CriticalityFilters by how business-critical the asset is.
StatusFilters by the asset's status.
Clear filtersAppears when any filter or search is active; resets them all.
Most filters only search the page you're looking at

Source and Verification are sent to the server, so they narrow the entire inventory and the Showing 1–100 of N total updates to match.

Every other filter or search — Search, Entity, OS, Severity, Criticality, and Status — only narrows the roughly 100 rows currently loaded on screen. The N in the footer still reflects the unfiltered total for the whole inventory, not your filtered result, so a real match sitting on page 3 won't appear while you're filtering page 1.

If you need a filtered search across the whole inventory rather than just the current page, use Export CSV — it re-queries the server with your Source, Verification, Entity, OS, and Status filters applied across the full dataset (see Exporting the list below), then applies Search, Severity, and Criticality on top of that complete result.

Choosing columns

Use the column selector in the top-right to show or hide columns, and Reset to return to the defaults. Column headers can be dragged to resize them. Available columns include:

  • Hostname, FQDN, IPv4, MAC, Serial, and Cloud Instance — the identifiers for the asset.
  • Entity and OS — what it is and what it runs.
  • Sources — badges for each tool that reported the asset, and # Sources, the count of tools.
  • Verification — a badge reading Verified, Partial, Stale, Conflict, or Unverified.
  • BU (business unit), Criticality, Location, and Site — business context.
  • Severity and Score — the risk on the asset.
  • Last seen, First seen, Status, and Lifecycle — timing and state.

Exporting the list

  • Export CSV re-queries the server for up to 50,000 matching rows — not just the roughly 100 rows currently on screen — applying your Source, Verification, Entity, OS, and Status filters, then your Search, Severity, and Criticality filters on top. The download contains exactly the columns you currently have visible.
  • Export… opens a builder where you can name the export and carry your current filters into it. Choose Generate now for a one-time file, or choose a delivery cadence — Daily, Weekly, or Monthly — to have it run automatically. Scheduled exports are managed from CAM Reports → Scheduled.

Paging through results

The footer shows Showing 1–100 of N and gives you Previous and Next buttons to move through pages. As noted above, N is always the unfiltered inventory total, not the count of rows matching your on-page filters.

If the inventory is empty

Before any sources are connected, the list shows "No assets in CAM yet" and explains that inventory is built from your connectors. If your workspace already has vulnerability-scanner assets that aren't part of CAM yet, you'll see a count and two shortcuts: Import Tenable VM assets to bring existing scanner assets in, and Add Connector to connect a new source. See Sources and connectors.

Viewing a single asset

Click any row to open the asset detail panel, which slides in from the side and gathers everything known about that one asset — its identifiers, the tools that reported it, when it was last seen, its risk, and its business context — in one place. Close the panel to return to the list.

Some list columns aren't shown here yet

Criticality, Location, and Site appear as columns in the list and in exports, but the detail panel doesn't currently repeat them. If you need those values for a specific asset, check the columns in the main table instead.

Asset detail panel — identifiers, sources, and risk for one asset

Beyond the identifiers, the panel has three sections that go further than a flat record:

  • AI summary — if your workspace has AI features enabled, an AI summary button generates an ephemeral, on-demand summary of the asset's evidence, flags anomalies, and calls out a possible duplicate record if one is suspected. It's a suggestion to help you investigate faster — nothing is written back to the asset, and you should verify anything it surfaces before acting on it.
  • External context — a panel showing what other ThreatWeaver modules know about this same asset: open vulnerabilities, active threat alerts, and active attack paths, each with a deep link into the owning module (Vulnerabilities, Threat Radar, or Scanner). If you aren't licensed or permitted to see one of those modules, that card explains why instead of showing data.
  • Relationships — a graph of how this asset connects to its evidence and to other records, with three view presets:
    • Overview — evidence, related identity signals, and business context together.
    • Identity — focuses on source evidence and other assets that share identity signals with this one (a good place to check for possible duplicates).
    • Risk — focuses on business, severity, location, cloud, and verification context.

Inventory Baseline

The Inventory Baseline screen answers a specific question: is every endpoint my source of truth knows about actually reporting in? It compares a baseline source you trust — such as your directory service — against the endpoints that have resolved agent coverage.

Inventory Baseline — expected endpoints measured against agent coverage

A row of cards summarizes the picture: Baseline assets, Expected endpoints, Missing any agent, Stale baseline, and Pending identity (assets awaiting a matching decision). Below them:

ControlWhat it does
Baseline sourceA free-text field — type the exact internal identifier for the source you want to treat as the source of truth (for example, your directory connector's identifier).
ViewFocuses the table — All baseline assets, Expected endpoints, Missing agents, Stale / no last-seen, Baseline-only, Pending identity, or Non-endpoint.
Stale windowHow many days without being seen counts as "stale".
SearchFinds a specific host in the baseline.
CSVDownloads the current baseline view.
RefreshRe-runs the comparison.
Agent CoverageJumps to the coverage screen. See Coverage and agents.
Baseline source is typed, not chosen from a list

There's no dropdown or autocomplete for Baseline source — you have to type the exact identifier your workspace uses for that connector. There's no validation against your real source list, so a small typo (or the wrong capitalization) won't show an error — it will just silently return no matches. If a baseline you expect to see rows for looks empty, double-check the identifier first.

The table lists each host with its baseline last-seen date, its state (badges such as expected, baseline-only, or stale), which agents are installed and which are missing, the sources that saw it, and why it's expected. When a baseline source has assets whose identity hasn't been resolved yet, a Pending identity panel lists those open decisions.

Inventory Sensors

Some inventory lives on your internal network where the cloud can't reach it directly. Inventory Sensors are lightweight collectors you deploy on-premises to gather it. The screen has two tabs.

Inventory Sensors — the connected-sensor fleet and the deploy tab
  • Connected sensors lists the sensors you've deployed, each with its name, platform, profile, status, last heartbeat, and capabilities. An AD eligible badge marks sensors that can inventory your directory, and a Health link opens a panel with that sensor's health detail. Refresh re-checks the fleet.
  • Deploy a sensor walks you through enrolling a new one, from choosing a sensor type through downloading the installer.

Workflow: deploy a sensor and confirm it's live

  1. Open Inventory Sensors and switch to the Deploy a sensor tab.

    Step 1 — the Deploy a sensor tab
  2. Choose a sensor type — for Cyber Asset Management this is either an inventory-only sensor or a combined scan-and-inventory sensor. Which options are available depends on your subscription; a type your workspace isn't licensed for still shows in the list with the reason it's locked, rather than disappearing.

  3. Generate an enrollment token.

  4. Download artifacts — signed installers for each operating system, each checked against a SHA-256 fingerprint so you can confirm the file wasn't tampered with before you run it. Run the installer on a machine inside the network you want to inventory.

  5. Switch to Connected sensors. Your sensor appears once it sends its first heartbeat.

    Step 5 — the new sensor listed under Connected sensors
  6. Click Health on the sensor's row to confirm it's reporting normally. The health panel also has a Rotate access key action for that sensor — use it if you suspect the sensor's key has been exposed. The new key is shown once at rotation time, so save it immediately; treat it as a secret just like any other credential.

Asset classification

Asset classification — the rules that decide which system-type category an asset falls into, and power the All Systems / Windows Server / Linux / Network-style filter tabs elsewhere in ThreatWeaver — is managed in Exposure Management, not in Cyber Asset Management. If you need to change how an asset is classified, use that module instead.