Understanding Inventory

Inventory is the foundation of security evaluation in AttackLens. It represents the software, configurations, and metadata collected from your assets by sensors and discovery adapters. Policies, rulesets, and vulnerability detection all operate on inventory data.

What Is Inventory?

Inventory is the structured data that AttackLens collects from your infrastructure. It includes:

  • Installed packages: Software packages with names, versions, and ecosystems
  • Security policies: Operating system security configurations (password policies, audit policies, account lockout settings)
  • Running services: Active services and their configurations
  • OS information: Operating system family, version, kernel version
  • Network configuration: Network interfaces, listening ports, firewall rules
  • User accounts: Local user accounts and group memberships
  • Cloud resource metadata: Properties and configurations of cloud resources discovered by adapters

How Inventory Is Collected

Inventory data comes from two collection sources:

Sensors

Sensors are lightweight agents installed on your endpoints (servers, workstations, containers). They collect inventory data locally and send it to the AttackLens backend.

Sensors collect:

  • Installed packages and software
  • Security policy configurations
  • Running services
  • OS information
  • Network configuration
  • User accounts and group memberships

Sensors perform full snapshots on initial collection and delta snapshots for subsequent updates, transmitting only the changes.

Discovery Adapters

Adapters connect to cloud providers (AWS, Azure, GCP) and retrieve resource metadata and configurations.

Adapters collect:

  • Cloud resource properties (VMs, storage, databases, networking, identity)
  • Security configurations (firewall rules, IAM policies, encryption settings)
  • Resource relationships and dependencies

INFO

Sensor-collected data and adapter-collected data are stored in the same inventory system. Rulesets can evaluate data from either source using the appropriate dataset type.

Collection Cycle

Sensor Collection

  1. The sensor wakes up on a configurable interval
  2. It collects all configured dataset types from the local system
  3. Data is normalized into a standard format
  4. A snapshot is created and sent to the AttackLens backend
  5. The backend processes the snapshot and updates inventory records
  6. Changes are detected and recorded in the change history

Adapter Collection

  1. A discovery sync is triggered (manually or on schedule)
  2. The adapter connects to the cloud provider API
  3. Resources are discovered and their properties are collected
  4. Data is mapped into the AttackLens inventory format
  5. The backend processes the results and updates inventory records

Dataset Types

Inventory data is organized into dataset types, which categorize the kind of data collected. Common dataset types include:

| Dataset Type | Source | Description |
| --- | --- | --- |
| InstalledPackage | Sensor | Software packages installed on the system |
| SecurityPolicy | Sensor | OS security configurations (password, audit, lockout policies) |
| RunningService | Sensor | Currently active services and daemons |
| OsInfo | Sensor | Operating system details (family, version, kernel) |
| NetworkInterface | Sensor | Network adapter configurations |
| ListeningPort | Sensor | Open network ports and bound services |
| LocalUser | Sensor | Local user accounts |
| LocalGroup | Sensor | Local groups and their members |
| FirewallRule | Sensor | Host-based firewall rules |
| ScheduledTask | Sensor | Scheduled tasks and cron jobs |
| CloudResource | Adapter | Cloud provider resource metadata |

Inventory Records

Each inventory record contains:

| Field | Description |
| --- | --- |
| Dataset Type | The category of data this record belongs to |
| Record Key | A unique identifier for this record within the dataset (e.g., package name, service name) |
| Display Name | A human-readable name |
| Normalized Data | The structured data for this record (JSON format) |
| OS Family | The operating system family (Windows, Linux, macOS) |
| Source | How this data was collected (sensor or adapter) |
| Confidence | A confidence score (0-100%) indicating data quality |
| Collected At | When this data was last collected |
| Status | Active or Deleted |

Snapshots and Versioning

Inventory collection produces snapshots: point-in-time captures of an asset's inventory state.

| Snapshot Type | Description |
| --- | --- |
| Full | A complete capture of all inventory data. Performed on first collection or when requested. |
| Delta | Contains only changes since the last snapshot. More efficient for routine updates. |

Each snapshot has a version number and a hash for integrity verification. The snapshot history provides a complete audit trail of inventory changes.

Change Detection

AttackLens automatically detects changes between snapshots:

| Change Type | Description |
| --- | --- |
| Added | A new record appeared in the inventory |
| Removed | A record that was previously present is no longer found |
| Modified | An existing record's data has changed |

Change detection tracks which specific fields were modified, along with a summary of the change. This is critical for understanding when a security-relevant configuration changed and triggering re-evaluation of applicable policies.
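The snapshot hashing, delta snapshots, and field-level change detection described above, sketched as an added example (this is not AttackLens code). The record layout, the SHA-256-over-canonical-JSON hash, and all function names are assumptions; the page does not specify the hash algorithm or the delta format.

```python
import hashlib
import json

def record_id(record):
    return (record["dataset_type"], record["record_key"])  # Dataset Type + Record Key

def snapshot_hash(records):
    # Assumption: SHA-256 over canonical JSON, records sorted so order is irrelevant.
    canon = json.dumps(sorted(records, key=record_id), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def detect_changes(previous, current):
    """Classify differences between two record lists as Added/Removed/Modified."""
    old = {record_id(r): r for r in previous}
    new = {record_id(r): r for r in current}
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            changes.append({"type": "Added", "key": key, "record": new[key]})
        elif key not in new:
            changes.append({"type": "Removed", "key": key})
        else:
            a, b = old[key]["data"], new[key]["data"]
            fields = sorted(f for f in a.keys() | b.keys() if a.get(f) != b.get(f))
            if fields:  # record which fields changed, not just that something did
                changes.append({"type": "Modified", "key": key, "fields": fields, "record": new[key]})
    return changes

def apply_delta(previous, changes, expected_hash):
    """Rebuild state from the last snapshot plus a delta; reject it if the hash disagrees."""
    state = {record_id(r): r for r in previous}
    for c in changes:
        state.pop(c["key"], None)
        if c["type"] != "Removed":
            state[c["key"]] = c["record"]
    if snapshot_hash(list(state.values())) != expected_hash:
        raise ValueError("delta does not reproduce the hashed snapshot state")
    return list(state.values())

def make_record(dataset_type, record_key, **data):
    return {"dataset_type": dataset_type, "record_key": record_key, "data": data}

# Constructed sample snapshots for one host (not real collected data).
V1 = [make_record("InstalledPackage", "openssl", version="3.0.2"),
      make_record("SecurityPolicy", "password_policy", min_length=14, lockout_threshold=5),
      make_record("LocalUser", "deploy", shell="/bin/bash")]
V2 = [make_record("InstalledPackage", "openssl", version="3.0.13"),
      make_record("SecurityPolicy", "password_policy", min_length=8, lockout_threshold=5),
      make_record("ListeningPort", "tcp/8080", process="python3")]
```

In the sample, the Modified change on `password_policy` names `min_length` as the changed field, which is the kind of signal that would drive re-evaluation of a password policy ruleset.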

Collection Runs

Each sensor collection is recorded as a collection run with metadata:

  • Status: Success, Partial, Failed, Running
  • Mode: Full or Delta
  • Datasets collected vs datasets requested
  • Agent version: The sensor version that performed the collection
  • Duration: How long the collection took
  • Error summary: Any errors encountered during collection

How Inventory Powers Security Evaluation

Inventory data is consumed by multiple AttackLens subsystems:

| Consumer | How It Uses Inventory |
| --- | --- |
| Posture evaluation | Rulesets check inventory data to determine Pass/Fail/Error |
| Vulnerability detection | Installed packages are correlated against vulnerability databases |
| Attack graph | Resource properties and configurations feed the graph model |
| Prerequisites | Policy and ruleset prerequisites check inventory conditions |
