Ask any security leader to list every device, identity, SaaS application, and cloud workload in their environment. Then ask their EDR vendor for the same list. Then their identity provider. Then their cloud account. You'll get four different answers. None will match.
This is the inventory problem, and it's the most under-appreciated risk in cybersecurity. You cannot defend, patch, or even prioritize what you don't know about. Yet industry research consistently shows that 60–80% of organizations don't have a complete or accurate asset inventory.
Why traditional CMDBs fail
"CMDB" — Configuration Management Database — is the term IT teams have used for decades to describe the central record of all IT assets. The idea is sound. The execution, almost universally, is broken. Here's why:
- Manual entry doesn't scale. By the time a human types in a new device, three more have been provisioned by someone in another team.
- Sources of truth disagree. Active Directory says you have 1,200 devices. CrowdStrike says 1,150. Intune says 980. The CMDB says 1,500. Which is right? All of them — and none.
- Cloud sprawl is invisible. Spinning up a Lambda or an Azure Function happens in seconds. Decommissioning often never happens at all.
- Shadow IT bypasses everything. Marketing's HubSpot, sales' Salesforce add-ons, ops' Tailscale install — none of it ever shows up in IT's inventory.
- Lifecycle events are missed. Devices get re-imaged, employees leave, contractors come and go. A CMDB built at one point in time decays from day one.
What good looks like
The right model doesn't try to maintain a CMDB. It derives one, continuously, from the systems that already know the truth. AttackShield's Risk Management approach pulls authoritative data from where it actually lives:
- Identity — Entra ID, Okta, Active Directory.
- Endpoints — CrowdStrike, SentinelOne, Defender, Intune, Jamf.
- Network — firewall NAT tables, switch MAC tables, DHCP leases, mDNS discovery.
- Cloud — AWS, Azure, GCP inventory APIs and Resource Graph.
- SaaS — Microsoft 365, Google Workspace, GitHub, and the long tail of OAuth-connected apps.
Then it reconciles. The same physical laptop showing up in CrowdStrike, Entra, and your DHCP server is collapsed into one asset record with all three sources cross-linked. Discrepancies — a host in CrowdStrike but missing in Entra — get flagged automatically. Now you have a single record that mirrors reality, updated continuously.
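The reconciliation step described above, as an added illustration rather than AttackShield's own code: three constructed exports (a CrowdStrike-style host list, an Entra-style device list, a DHCP lease table) are joined on normalized serial numbers and MAC addresses, collapsed into one asset record per device, and any device missing from a source expected to cover every endpoint is flagged. Source names, field names and sample values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample exports (not real data). Each source only offers the join
# attributes it actually has: serial, MAC and hostname.
CROWDSTRIKE = [{"hostname": "LAPTOP-ANNA", "serial": "SN123", "mac": "AA:BB:CC:00:00:01"},
               {"hostname": "laptop-ben", "serial": "SN456", "mac": "AA:BB:CC:00:00:02"}]
ENTRA = [{"hostname": "laptop-anna", "serial": "sn123"}, {"hostname": "desktop-carl", "serial": "SN789"}]
DHCP = [{"hostname": "laptop-anna", "mac": "aa:bb:cc:00:00:01"}, {"hostname": "laptop-ben", "mac": "AA:BB:CC:00:00:02"}]
SOURCES = {"crowdstrike": CROWDSTRIKE, "entra": ENTRA, "dhcp": DHCP}
STRONG = ("serial", "mac")  # hostnames get reused, so they never drive a merge

def _norm(kind, value):
    """Canonicalise an identifier so case and MAC separators cannot split one asset."""
    v = value.strip().lower()
    if kind == "mac":
        v = v.replace(":", "").replace("-", "")
    return (kind, v)

def reconcile(sources):
    """Collapse records sharing any strong identifier into one cross-linked asset."""
    parent = {}
    def find(x):  # union-find root lookup with path halving
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    records = []
    for name, rows in sources.items():
        for row in rows:
            ids = [_norm(k, v) for k, v in row.items() if v]
            keys = [i for i in ids if i[0] in STRONG] or ids[:1]
            for other in keys[1:]:  # link every strong key of this record together
                parent[find(other)] = find(keys[0])
            records.append((name, keys[0], ids))
    assets = defaultdict(lambda: {"sources": set(), "ids": set()})
    for name, key, ids in records:
        assets[find(key)]["sources"].add(name)
        assets[find(key)]["ids"].update(ids)
    return list(assets.values())

def discrepancies(assets, expected=("crowdstrike", "entra")):
    """Flag assets seen by some source but missing from one we expect to cover every host."""
    flags = []
    for a in assets:
        missing = sorted(set(expected) - a["sources"])
        if missing:
            host = next((v for k, v in a["ids"] if k == "hostname"), "?")
            flags.append((host, missing))
    return sorted(flags)
```

With the sample data, the three exports collapse to three assets, and `discrepancies` reports laptop-ben (seen by CrowdStrike and DHCP, absent from Entra) and desktop-carl (Entra only, no EDR agent).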
Why it matters beyond inventory
An accurate, real-time asset inventory isn't just a CMDB exercise. It's the foundation of every security capability that follows:
- Detection rules can be tuned to asset criticality and ownership.
- Vulnerability scanning becomes prioritized by what's actually reachable from an attacker's perspective.
- Incident response includes the right context — owner, asset class, recent activity — automatically.
- Executive risk reporting actually represents reality, not the optimistic snapshot from last quarter.
Asset visibility is the foundation. Everything built on a bad foundation eventually falls over.
The hard truth
If your team can't list every internet-facing service, every privileged identity, and every cloud workload right now — your risk model is fiction. The good news: the fix isn't a five-year ITIL project. It's connecting your existing systems to a platform that knows how to reconcile them.