Datasheet

Asset Inventory and Risk Management

About this datasheet

Build one trustworthy inventory of everything you defend, deduplicated, owned, enriched, and grouped at enterprise scale, with every read scope-enforced.

An asset is any manageable entity in a customer environment: a server, a workstation, a network device, a cloud instance, a web application, a code repository, a database, or an IoT or SCADA device. The Asset domain is the inventory backbone, because every finding, scan, and risk score ultimately resolves to an asset.

A trustworthy inventory has to be deduplicated so the same host does not appear three times under three names, owned so an alert reaches an accountable person, enriched without losing curated values, and scoped so one company never sees another tenant's machines.

Enrichment writes only eight allowlisted fields, every write provenance-stamped and audited.
The hard problem at enterprise scale is not storing assets. It is keeping the inventory trustworthy while scanners, CMDB connectors, and analysts all write to it at once.

At a glance

  • Backend domains: asset, asset/enrichment, assetgroup (Go modular monolith)
  • Bulk import: Up to 5000 assets per request; optional NDJSON streaming with per-row progress
  • Duplicate handling: Match by name and IP within the company; dup_action of error, skip, or merge
  • License gate: Asset quota checked before every create; HTTP 402 at the cap
  • Ownership: Polymorphic users and teams; roles owner, custodian, approver; per-binding notify flag
  • Enrichment: Eight allowlisted type_data fields merged from scanners; every write audit logged
  • Multi-tenancy: ScopeFilter on every list, export, and facet; two-tier single-asset check

How it works

One asset model, fed by humans, files, and scanners, kept deduplicated, owned, scoped, and enriched so every finding and risk score resolves to a single trustworthy record.

Onboarding a network segment or syncing a CMDB cannot be a row-at-a-time exercise. The bulk create endpoint accepts up to 5000 assets in one request, and for interactive imports the same endpoint streams one progress event per row, so an operator sees a live progress bar instead of a frozen spinner.

Selecting individual assets for every scan and report goes stale immediately. Asset groups give teams a reusable scoping layer that scan, report, and dashboard all accept by group identity, while the tenant boundary is enforced on every path the inventory exposes.

Key capabilities

  • Static and dynamic groups. A group is one of two types, fixed at creation. Static membership is a hand-curated list with bulk add of up to 5000 IDs. Dynamic membership is a JSONB rule re-evaluated against the live inventory on every read, so membership self-heals as the environment changes.
  • Preview before you commit. The preview endpoint evaluates a dynamic rule body against the live inventory without persisting anything, powering a two-panel builder: criteria on the left, matching assets on the right in real time, and the same preview drives the CIDR add-all picker.
  • Polymorphic ownership. The asset_owners table binds both users and teams, each with a role of owner, custodian, or approver and a per-binding notify flag. A dry-run resolver answers which owners would be notified for a new finding, pre-populating the assignee picker.
  • Wave matrix and coverage. A finding-by-scan cross-tab colours each cell from the finding's current status, so a finding that drops to absent and returns as reopened is a remediation that did not hold. Coverage shows which integrations actually produced findings for the asset.

Use cases

  • Onboard a new network segment. A security engineer uploads an Nmap export of a freshly acquired subsidiary. Streaming bulk import resolves duplicates by name and IP, merges where a host exists, checks the license quota once up front, and lands several thousand assets with a per-row failure report.
  • Triage and own the inventory. A vulnerability manager filters to internet-facing hosts with no owner, selects the batch, and assigns a custodian team in a single bulk-owner call, closing an ownership gap across hundreds of assets, then exports the filtered view to XLSX.
  • Track risk posture. A CISO watches aggregate risk score and criticality distribution, using the has-findings and criticality facets to see where exposure concentrates, relying on the inventory being deduplicated so counts reflect real machines.

One deduplicated, owned, enriched record for everything you defend.
