Most vulnerability platforms stop at scanner findings. CISOs of critical-infrastructure operators need to know what they own and where the sprawl is — even when no advisory has dropped. Inventory Insights answers that on its own cadence and produces the same audit-grade evidence trail.
| Kind | Definition | Example |
|---|---|---|
| patch_band_drift | OS / software at a build below the supported security baseline. | Windows Server 2022 below 10.0.20348.2700 |
| ot_firmware | OT firmware below a recommended minimum. | Siemens RUGGEDCOM < 5.7.0; Wabtec WIU < 3.2.0 |
| network_firmware | Network device firmware in an unsupported band. | Cisco IOS-XE < 17.12.05; PAN-OS < 11.1.4 |
| eol | Product past vendor end-of-support. | RHEL 7, Windows Server 2012 R2 |
| version_sprawl | Same (vendor, product) running ≥3 distinct versions. | OpenSSL deployed in 5 versions across regions |
| shadow_it | Vendors below a frequency floor — likely unsanctioned procurement. | Single-instance vendor with no CMDB owner |
| ccs_no_owner | Critical Cyber Systems flagged but lacking a documented owner. | PTC wayside RTU with empty owner field |
| identity_hygiene | Service accounts on CCS systems without a strong factor. | 9 SP accounts on PTC infra without FIDO2 |
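The kind taxonomy above as an added, runnable illustration of how the heuristics evaluate an asset table; this is example code, not the project's agents/inventory_insights/agent.py, and the baselines, the sprawl threshold and the asset records are constructed sample values that mirror the table's examples.

```python
from collections import defaultdict

# Constructed baselines; the values mirror the examples in the kind table above.
PATCH_BASELINES = {("Microsoft", "Windows Server 2022"): "10.0.20348.2700"}
OT_FIRMWARE_MIN = {("Siemens", "RUGGEDCOM"): "5.7.0"}
EOL_PRODUCTS = {("Red Hat", "RHEL 7"), ("Microsoft", "Windows Server 2012 R2")}
SPRAWL_THRESHOLD = 3  # ">= 3 distinct versions" per the kind table

def parse_version(v: str) -> tuple:
    """Split '10.0.20348.2700' into an int tuple so builds compare numerically, not
    lexically ('10.0.20348.999' < '10.0.20348.2700'); a non-numeric part like the 'w' in '1.1.1w' counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def inventory_insights(assets: list[dict]) -> list[dict]:
    """Run the per-asset and fleet-level heuristics; each finding carries its kind and an evidence detail."""
    findings = []
    versions = defaultdict(set)  # (vendor, product) -> set of versions seen across the estate
    for a in assets:
        key, ver = (a["vendor"], a["product"]), a["version"]
        versions[key].add(ver)
        if key in PATCH_BASELINES and parse_version(ver) < parse_version(PATCH_BASELINES[key]):
            findings.append({"kind": "patch_band_drift", "asset": a["id"],
                             "detail": f"{ver} < baseline {PATCH_BASELINES[key]}"})
        if key in OT_FIRMWARE_MIN and parse_version(ver) < parse_version(OT_FIRMWARE_MIN[key]):
            findings.append({"kind": "ot_firmware", "asset": a["id"],
                             "detail": f"{ver} < minimum {OT_FIRMWARE_MIN[key]}"})
        if key in EOL_PRODUCTS:
            findings.append({"kind": "eol", "asset": a["id"], "detail": "past vendor end-of-support"})
        if a.get("ccs") and not a.get("owner"):
            findings.append({"kind": "ccs_no_owner", "asset": a["id"], "detail": "empty owner field"})
    # Sprawl is a fleet-level property, so it is evaluated after the per-asset pass.
    for key, seen in versions.items():
        if len(seen) >= SPRAWL_THRESHOLD:
            findings.append({"kind": "version_sprawl", "asset": f"{key[0]} {key[1]}",
                             "detail": f"{len(seen)} distinct versions: {sorted(seen)}"})
    return findings

# Constructed sample estate (not real inventory data).
SAMPLE_ASSETS = [
    {"id": "srv-01", "vendor": "Microsoft", "product": "Windows Server 2022", "version": "10.0.20348.2527"},
    {"id": "srv-02", "vendor": "Microsoft", "product": "Windows Server 2022", "version": "10.0.20348.2700"},
    {"id": "rtu-07", "vendor": "Siemens", "product": "RUGGEDCOM", "version": "5.6.1", "ccs": True, "owner": ""},
    {"id": "srv-09", "vendor": "Red Hat", "product": "RHEL 7", "version": "7.9"},
    {"id": "lib-a", "vendor": "OpenSSL", "product": "OpenSSL", "version": "1.1.1w"},
    {"id": "lib-b", "vendor": "OpenSSL", "product": "OpenSSL", "version": "3.0.13"},
    {"id": "lib-c", "vendor": "OpenSSL", "product": "OpenSSL", "version": "3.2.1"},
]
if __name__ == "__main__":
    for f in inventory_insights(SAMPLE_ASSETS):
        print(f"{f['kind']:18} {f['asset']:30} {f['detail']}")
```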
CMDB — ServiceNow, Device42, iServer.
Endpoint inventory — Tanium, Intune, Jamf.
Cloud inventory — AWS Config, Azure Resource Graph, GCP Asset Inventory.
Identity — Microsoft Entra ID, Okta.
Network device backups — RANCID, Cisco Catalyst Center.
OT configuration baselines — Claroty xDome, Nozomi.
Synthetic rail simulator asset table — 6,530 MCR estate records.
Heuristic EOL / version rule set in agents/inventory_insights/agent.py.
Production deployments swap out the connector layer while keeping the same kind taxonomy. The UI continues to render and evidence emission keeps working — that's the abstraction.
The API entry point triggers one full sweep, so the console is never empty.
POST /api/inventory/scan — useful after major CMDB syncs.
Celery beat — daily default, hourly for high-velocity tenants.