Trigger a Manual Discovery

AttackLens runs discovery automatically on a recurring schedule. However, you can trigger a discovery run manually at any time -- for example, after making infrastructure changes that you want reflected immediately.

INFO

Requires Admin role or higher.

When to Trigger Manually

Manual discovery is useful in the following situations:

After provisioning new resources: You deployed new VMs, databases, or other infrastructure and want them to appear in AttackLens immediately.
After modifying security configurations: You changed firewall rules, IAM policies, encryption settings, or other security-relevant configurations and want to verify the changes.
After decommissioning resources: You deleted or shut down resources and want the asset inventory to reflect the current state.
Before running a posture evaluation: You want to ensure the evaluation is based on the most current resource data.
During an incident investigation: You need to compare the current state of your environment with a previous snapshot.
After updating adapter credentials: You rotated secrets or access keys and want to verify the new credentials work by running a full discovery.

How to Trigger a Manual Sync

From the Adapter Detail Page

Navigate to Discovery > Adapters.
Click on the adapter you want to sync.
On the adapter detail page, click Test Connection.

Testing the connection validates that the stored credentials are still valid and that the expected permissions are in place. While this does not trigger a full discovery run, it confirms the adapter is ready for the next scheduled run.

TIP

The Test Connection action validates credentials in real time. Use it to quickly verify that your adapter configuration is correct before waiting for the next scheduled discovery run.

Scheduled Discovery

Discovery runs are managed by the platform and execute on a regular schedule for all active adapters. The schedule is configured at the platform level and is not adjustable per adapter.

Each scheduled run:

Iterates through all active adapters.
Authenticates to each cloud provider using the stored credentials.
Enumerates all resources in scope.
Creates new snapshots for every discovered resource.
Marks the previous snapshots as historical.
Synchronizes discovered resources into the asset inventory.

What Happens During a Discovery Run

When discovery executes for an adapter, the following steps occur:

1. Authentication

AttackLens decrypts the stored credentials and authenticates to the cloud provider. If authentication fails, the run is aborted and the error is recorded on the adapter.

2. Resource Enumeration

The adapter queries the provider's management APIs for all supported resource types. For multi-region providers (AWS, Azure), each configured region is queried in sequence.

3. Deep Property Collection

For each discovered resource, AttackLens collects every property exposed by the provider's API. This includes configuration details, security settings, network associations, IAM bindings, and tags.

4. Snapshot Creation

Each discovered resource is stored as a new snapshot. The previous snapshot for the same resource is marked as historical.

5. Asset Synchronization

Discovered resources are mapped to assets in the asset inventory:

New resources create new assets.
Existing resources update their corresponding assets.
Resources that are no longer detected are flagged.

6. Downstream Processing

After synchronization, AttackLens triggers:

Policy and ruleset re-evaluation against updated assets.
Vulnerability correlation for any newly discovered software or services.
Attack graph recomputation to reflect the current environment state.

Monitoring Discovery Progress

After a discovery run starts, you can monitor its progress:

Navigate to the adapter detail page.
The Last Sync timestamp and Last Sync Status fields update when the run completes.
If the run encounters an error, the Last Sync Error field shows the error message.

Discovery Timing

Discovery run time depends on several factors:

Factor	Impact
Number of resources	More resources take longer to enumerate and collect.
Number of regions	Multi-region accounts require querying each region separately.
Provider API rate limits	AttackLens respects provider rate limits, which may slow down large accounts.
Resource complexity	Resources with many nested properties (e.g., AKS clusters, RDS instances) take longer to collect.

Typical discovery times:

Scenario	Estimated Time
Small account (< 100 resources, 1 region)	1-2 minutes
Medium account (100-500 resources, 2-3 regions)	3-5 minutes
Large account (500-2000 resources, 5+ regions)	5-15 minutes
Very large account (2000+ resources, all regions)	15-30 minutes

Troubleshooting Failed Runs

If a discovery run fails, check the adapter detail page for the error message. Common issues:

Error	Cause	Solution
Authentication failed	Credentials expired or revoked	Update credentials on the adapter edit page and test the connection
Access denied	Required permissions were removed	Re-assign the necessary roles/policies in the cloud provider
Rate limited	Too many API calls	Wait for the next scheduled run; the provider's rate limit will reset
Timeout	Network issue or very large account	Check network connectivity; consider narrowing the region scope

Next Steps

View discovery snapshots to inspect the results of a discovery run.
Manage adapters to update adapter configuration.
Understand discovery for a conceptual overview of how discovery works.

Trigger a Manual Discovery ​

When to Trigger Manually ​

How to Trigger a Manual Sync ​

From the Adapter Detail Page ​

Scheduled Discovery ​

What Happens During a Discovery Run ​

1. Authentication ​

2. Resource Enumeration ​

3. Deep Property Collection ​

4. Snapshot Creation ​

5. Asset Synchronization ​

6. Downstream Processing ​

Monitoring Discovery Progress ​

Discovery Timing ​

Troubleshooting Failed Runs ​

Next Steps ​