Unknown Asset Discovery: What EASM Finds That Scanners Miss
Unknown asset discovery is a sub-category of External Attack Surface Management: the process of identifying internet-facing assets that an organization owns but has never inventoried - assets that exist outside internal records, outside scan scopes, and outside any existing security coverage.
These aren't hypothetical risks. They're real, externally accessible entry points. An attacker enumerating your external surface doesn't check your CMDB first. They find whatever is exposed - whether you know about it or not.
ULTRA RED customers consistently discover 30% more assets than they knew they had. That gap between what organizations think they own and what's actually exposed is where most successful attacks begin.
Why Unknown Assets Exist
No security team sets out to have unknown assets. They accumulate from normal business operations:
- Shadow IT - development teams, marketing, and business units deploy tools and cloud services without security review. By the time security learns about them, they're already internet-facing.
- Cloud sprawl - AWS, Azure, and GCP make it trivial to spin up infrastructure. Test environments, development instances, and staging servers get created and forgotten.
- M&A-inherited infrastructure - every acquisition brings domains, subdomains, and hosted services that the acquiring organization didn't build and may never have inventoried.
- Decommissioned assets left running - campaign microsites, demo environments, temporary landing pages. The campaign ends; the server stays up.
- AI and LLM endpoints - increasingly, engineering teams deploy AI services and API endpoints that never appear in any security documentation.
- Third-party and partner-hosted assets - infrastructure managed by external parties but connected to your environment and associated with your domains.
- Delegated DNS - subdomains delegated to third-party services that may change hands, expire, or become vulnerable independently.
Each of these categories represents assets that a traditional vulnerability scanner will never find - because scanning requires a target list, and unknown assets aren't on any list.
How Attackers Find What You Don't Know About
Attackers don't start from your asset inventory. They start from your domain and recursively enumerate everything connected to it: subdomains, IP ranges, ASNs, certificates, open ports, hosted services. This process takes hours, not weeks. And it finds everything - including the assets your team forgot existed.
This is precisely the approach Open House Group encountered: an internal test environment was externally accessible and was identified by an attacker shortly after it was set up - before the security team knew it existed. The window between an asset appearing and an attacker finding it is far shorter than most organizations realize.
The asymmetry is the problem. Attackers run continuous, automated reconnaissance. Most security teams run periodic scans of known assets. Unknown assets sit in that gap indefinitely.
What Unknown Asset Discovery Actually Finds
In practice, the assets ULTRA RED surfaces in initial discovery cycles include:
- Forgotten subdomains - dev.company.com, staging.company.com, old.company.com - often running outdated software with no patch coverage
- Dangling DNS records - pointing to decommissioned cloud infrastructure that can be re-registered by an attacker (subdomain takeover)
- Exposed cloud storage - S3 buckets, Azure blobs, GCP buckets with misconfigured access controls
- Open administrative interfaces - dev portals, database admin panels, monitoring dashboards exposed to the public internet
- M&A-inherited domains - acquired companies bring their own attack surface, often unmapped and unpatched
- AI endpoints - LLM APIs and AI-hosted services deployed by engineering without security review
- Certificate-associated assets - TLS certificates reveal subdomains and services that don't appear in DNS records
- Expired or misconfigured certificates - visible signals of neglected infrastructure
Leaf Home used ULTRA RED specifically to gain continuous visibility into unknown and forgotten assets - including infrastructure that had never appeared in their internal inventory. The discovery process surfaced assets across the organization that had no security coverage and no owner on record.
How Agentless Unknown Asset Discovery Works
Traditional scanners are inside-out: they require a list of targets, credentials, or agents deployed inside the network. They can only scan what they're told to scan.
Agentless EASM is outside-in: it starts from a seed - typically a primary domain - and recursively maps everything connected to it using the same techniques an attacker would use. No deployment. No agents. No prior asset list required.
ULTRA RED's discovery process uses:
- DNS enumeration - recursive subdomain discovery including brute-force and certificate transparency logs
- IP range mapping - ASN-based mapping to identify IP ranges associated with the organization
- Certificate transparency analysis - surfaces assets associated with TLS certificates, including those not in DNS
- Port and service fingerprinting - identifies what's running on discovered assets
- Technology stack detection - identifies software versions, frameworks, and services for vulnerability correlation
- Continuous re-check - runs continuously so new assets are discovered as they appear, not on a weekly schedule
The discovery process is the first stage of External Attack Surface Management (EASM) - and the foundation on which all validation and prioritization depends.
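As an added, defender-side example (not ULTRA RED's code), here is the reconciliation step behind the technique list above and the dangling-DNS item under "What Unknown Asset Discovery Actually Finds": extract hostnames from certificate transparency search results, diff them against the known inventory, and flag CNAMEs whose targets no longer resolve. All data is constructed; the CT entries mimic the `name_value` field shape of crt.sh JSON output, and the DNS dicts stand in for live lookups.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample of certificate transparency search results, in the
# JSON shape crt.sh returns (name_value holds newline-separated SANs).
CT_LOG_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "staging.example.com"},
    {"name_value": "*.dev.example.com\nold.example.com"},
    {"name_value": "shop.example.com"},
])

# Constructed DNS answers for the discovered names (stand-in for live queries).
DNS_RECORDS: Dict[str, Dict[str, List[str]]] = {
    "www.example.com": {"A": ["203.0.113.10"]},
    "example.com": {"A": ["203.0.113.10"]},
    "staging.example.com": {"A": ["203.0.113.20"]},
    "old.example.com": {"CNAME": ["old-site.storage.example-cloud.net"]},
    "shop.example.com": {"CNAME": ["shop.partner-hosting.example.net"]},
}
# Constructed: whether each CNAME target still resolves (False = decommissioned).
CNAME_TARGET_RESOLVES = {
    "old-site.storage.example-cloud.net": False,
    "shop.partner-hosting.example.net": True,
}
# Constructed: what the internal inventory (CMDB) actually lists.
KNOWN_INVENTORY = {"www.example.com", "example.com", "shop.example.com"}


def ct_subdomains(ct_json: str, seed: str) -> Set[str]:
    """Hostnames under `seed` seen in CT entries; wildcard prefixes are dropped."""
    names: Set[str] = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().lstrip("*.")
            if name == seed or name.endswith("." + seed):
                names.add(name)
    return names


def unknown_assets(discovered: Set[str], inventory: Set[str]) -> List[str]:
    """Discovered hosts with no inventory record: the unknown-asset gap."""
    return sorted(discovered - inventory)


def dangling_cnames(names: Set[str], dns, target_resolves) -> List[Tuple[str, str]]:
    """Hosts whose CNAME target no longer resolves: takeover-prone records to clean up."""
    return [(n, t) for n in sorted(names)
            for t in dns.get(n, {}).get("CNAME", [])
            if not target_resolves.get(t, False)]
```

The wildcard entry yields `dev.example.com` as a candidate namespace with no DNS answer on record, which is exactly the kind of name worth a manual ownership check rather than silent dismissal.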
Discovery Without Validation Is Still Half the Picture
Finding unknown assets is essential. But discovery alone produces a list of potential risks - it doesn't tell you which ones are actually exploitable.
That's the distinction between EASM and a full CTEM program - covered in detail in EASM vs. CTEM: Where Discovery Ends and Validation Begins.
This is where most asset discovery tools stop. ULTRA RED doesn't. Every asset discovered is tested against the live environment under real-world conditions. If exploitable, the finding is returned with a working proof-of-concept, the precise HTTP request and response chain, and the full attack path.
For a full explanation of what validated findings look like, see What Is Proof of Exploitability?
Frequently Asked Questions
What is unknown asset discovery?
Unknown asset discovery is the process of identifying internet-facing assets an organization owns but has never inventoried. These are assets outside internal records and scan scopes that are nonetheless visible and accessible to attackers.
Why do organizations have unknown assets?
Unknown assets accumulate from shadow IT, cloud sprawl, M&A-inherited infrastructure, decommissioned assets left running, AI and LLM endpoints deployed without security review, and third-party or partner-managed assets associated with the organization's domains.
How does agentless asset discovery work?
Agentless discovery starts from a primary domain and recursively maps everything connected to it - subdomains, IP ranges, certificates, open ports, and hosted services - using the same techniques an attacker would use. No deployment, agents, or prior asset list required.
How long does initial asset discovery take?
ULTRA RED completes initial discovery within hours of setup. The platform runs continuously from that point, identifying new assets as they appear rather than waiting for the next scheduled scan.
What's the difference between asset discovery and vulnerability scanning?
Vulnerability scanning requires a target list - it tests known assets for known vulnerabilities. Asset discovery builds that list from scratch, finding assets that don't appear in any internal inventory. Without discovery, scanners miss everything that isn't already known.
Can asset discovery find AI and cloud services?
Yes. ULTRA RED's discovery covers cloud APIs, AI-hosted services, LLM endpoints, and cloud storage across all providers - agentlessly, with no pre-configuration required.
Related Resources
- What Is Proof of Exploitability?
- EASM vs. CTEM: Where Discovery Ends and Validation Begins
- What Is Continuous Threat Exposure Management (CTEM)?