
Understand Discovery

Discovery is the process by which AttackLens automatically connects to your cloud provider accounts and enumerates every resource in those environments. It is the foundation of the entire platform -- without discovery, there are no assets to evaluate, no vulnerabilities to correlate, and no attack graph to analyze.

What Discovery Does

When you configure an adapter (a connection to a cloud account), AttackLens uses that adapter's credentials to query the provider's APIs and collect a complete inventory of resources. Each discovery run produces a snapshot: a point-in-time record of every resource found, along with its properties, tags, and configuration.

Discovery feeds data into every downstream capability:

  • Assets: Discovered resources are registered as assets in the asset inventory.
  • Posture evaluation: Policies and rulesets are evaluated against the discovered resource properties.
  • Vulnerability correlation: Software and services found during discovery are matched against known CVEs.
  • Attack graph: The attack graph is built from the relationships and configurations discovered across your environment.

How Discovery Works

The discovery process follows a consistent cycle regardless of the cloud provider:

1. Adapter Connection

An administrator configures an adapter by providing credentials for a cloud account (Azure subscription, AWS account, or GCP project). AttackLens validates the credentials and stores them encrypted.

2. Resource Enumeration

AttackLens queries the provider's management APIs to enumerate all supported resource types. For each resource, it collects:

  • Resource identifier: The provider-specific unique ID (e.g., Azure Resource ID, AWS ARN, GCP resource name).
  • Resource type: The specific service and kind (e.g., Microsoft.Compute/virtualMachines, AWS::EC2::Instance).
  • Properties: All configuration attributes exposed by the provider's API, including security-relevant settings.
  • Tags: User-defined labels attached to the resource.
  • Relationships: How the resource connects to other resources (e.g., a VM attached to a subnet, a security group applied to an instance).

3. Snapshot Creation

All discovered resources are stored as a snapshot. The snapshot is compared against the previous one to determine:

  • New resources: Resources that appear for the first time.
  • Removed resources: Resources that were present before but are no longer detected.
  • Changed resources: Resources whose properties or configuration have changed.

4. Asset Synchronization

Discovered resources are synchronized into the asset inventory. New resources create new assets; removed resources are flagged. Changes to properties are reflected in the asset record.

5. Downstream Processing

After asset synchronization completes, AttackLens triggers:

  • Policy re-evaluation against updated assets.
  • Vulnerability correlation for newly discovered software and services.
  • Attack graph recomputation to reflect the current state of the environment.
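Steps 3 and 4 above, as an added Python example that is not AttackLens code: it diffs two snapshots into new, removed and changed resources, names each changed property path, and applies the result to an asset inventory. The snapshot layout, property names and resource IDs are assumptions constructed for illustration.

```python
# Added example: snapshot layout and property names are assumptions; all data is constructed.
ABSENT = "<absent>"  # marks a property path present in only one of the two snapshots

def flatten(value, prefix=""):
    """Flatten nested dicts/lists to {dotted.path: leaf} so each change can be named."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return {prefix: value}
    flat = {}
    for key, child in items:
        flat.update(flatten(child, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def diff_snapshots(previous, current):
    """Step 3: classify resources as new, removed or changed between two snapshots."""
    changed = {}
    for rid in sorted(previous.keys() & current.keys()):
        old, cur = flatten(previous[rid]), flatten(current[rid])
        delta = {path: (old.get(path, ABSENT), cur.get(path, ABSENT))
                 for path in sorted(old.keys() | cur.keys())
                 if old.get(path, ABSENT) != cur.get(path, ABSENT)}
        if delta:
            changed[rid] = delta
    return {"new": sorted(current.keys() - previous.keys()),
            "removed": sorted(previous.keys() - current.keys()), "changed": changed}

def sync_assets(inventory, current, diff):
    """Step 4: new resources create assets, changes are reflected, removed ones are flagged."""
    for rid in diff["new"] + sorted(diff["changed"]):
        inventory[rid] = {"record": current[rid], "status": "active"}
    for rid in diff["removed"]:
        inventory.setdefault(rid, {"record": None})["status"] = "removed"  # flag, keep history
    return inventory

BUCKET, VM, DB = "arn:aws:s3:::example-logs", "example-vm-id", "example-db-id"  # constructed IDs
PREVIOUS = {
    BUCKET: {"type": "AWS::S3::Bucket", "properties": {"encryption": {"enabled": True}}, "tags": {"env": "prod"}},
    VM: {"type": "AWS::EC2::Instance", "properties": {"public_ip": None}, "tags": {}},
}
CURRENT = {
    BUCKET: {"type": "AWS::S3::Bucket", "properties": {"encryption": {"enabled": False}}, "tags": {"env": "prod"}},
    DB: {"type": "AWS::RDS::DBInstance", "properties": {"publicly_accessible": True}, "tags": {}},
}
if __name__ == "__main__":
    diff = diff_snapshots(PREVIOUS, CURRENT)
    print(diff, sync_assets({}, CURRENT, diff), sep="\n")
```

Reporting the changed path (here the bucket's encryption flag) rather than only "resource changed" is what lets downstream policy re-evaluation target the affected checks.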

The Discovery Cycle

Discovery runs on a recurring schedule. Each adapter has its own cycle:

| Phase | Description |
|---|---|
| Idle | The adapter is waiting for the next scheduled run. |
| Connecting | AttackLens is establishing a connection using the stored credentials. |
| Enumerating | The adapter is querying provider APIs and collecting resource data. |
| Processing | Snapshots are being created, diffs computed, and assets synchronized. |
| Complete | The discovery run finished successfully. Results are available. |
| Error | The run failed. The adapter detail page shows the error message. |

TIP

You can trigger a discovery run manually at any time from the adapter detail page. This is useful after making infrastructure changes that you want reflected immediately.

Supported Providers

AttackLens supports four cloud providers:

| Provider | Resource Types | Authentication |
|---|---|---|
| Azure | 80+ (Compute, Network, Storage, Data, Containers, Security, Identity, Messaging, Monitoring, Serverless, AI/ML, Delivery, Backup) | App Registration (Tenant ID, Client ID, Client Secret, Subscription ID) |
| AWS | 190+ (EC2, VPC, S3, RDS, IAM, Lambda, ECS, EKS, CloudTrail, Config, Security Hub, and more) | IAM User (Access Key ID, Secret Access Key) |
| GCP | 65+ (Compute, Network, Storage, Databases, Kubernetes, IAM, Cloud Functions, and more) | Service Account (Project ID, Client Email, Private Key) |
| VMware vSphere | VMs, Hosts, Datastores, Networks | vCenter (Host, Username, Password) |

Each provider has its own adapter setup page with provider-specific configuration. See the individual guides:

Deep Property Collection

AttackLens does not just list resources -- it collects every property exposed by the provider's management API. This includes security-critical configuration such as:

  • Encryption settings (at-rest and in-transit)
  • Network exposure (public IPs, open ports, security group rules)
  • IAM bindings and role assignments
  • Logging and monitoring configuration
  • Backup and recovery settings
  • Compliance tags and policy assignments

This deep property collection is what enables AttackLens to evaluate hundreds of security checks against each resource and build an accurate attack graph.

INFO

Discovery uses read-only API access. AttackLens never modifies, creates, or deletes resources in your cloud accounts.

What Happens After Discovery

Once discovery completes:

  1. Navigate to Discovery > Adapters to see the sync status and resource counts for each adapter.
  2. View discovery snapshots to inspect the detailed resource data.
  3. Check the Assets page to see the synchronized asset inventory.
  4. Review the Attack Graph to see how discovered resources relate to each other.
