
Discovering Internet-Facing Assets

The Problem

A security team scans its known IP ranges and finds nothing unusual. Two weeks later, a developer's test server gets hit. It was running on an internal machine that had become reachable from the internet through an exposed port.

Assets like this fall through the gap constantly. Cloud adoption and developer self-service mean new services get spun up quickly and outside formal IT processes. Devices get reconfigured. Ports get opened for maintenance and never closed. The security team's view of what is exposed rarely keeps up with how quickly the environment changes.

The result is blind spots. And blind spots are where attackers look first. Any service that is reachable from outside the network and is not being monitored is a potential entry point, whether the exposure was intentional or accidental.

Compliance frameworks including PCI DSS, CIS Controls, and NIST SP 800-53 require organizations to maintain accurate asset inventories and assess their exposure continuously. An accurate, continuously monitored inventory of internet-facing assets is therefore a foundational security requirement, not just an audit item.

The Use Case

IT maintains a documented list of assets and runs periodic scans against known IP ranges. On paper, the environment looks covered. But that picture only holds for assets someone already knows about and has added to the scope.

A developer stood up a staging environment eight months ago to test a new checkout flow. The project stalled, but the server was never decommissioned. It is still running, still reachable, and using an older version of the application with a known vulnerability. An administrative dashboard intended for internal use is sitting on a non-standard port with basic authentication. Nobody flagged it because nobody knew to look for it.

None of these show up in the periodic scan because none of them were included in the scan scope. The security team needs continuous visibility into every device, open port, and running service across the network, not just the assets they already know about.

Common examples of assets that create unintended exposure include:

• Development and staging servers that were never decommissioned

• Administrative interfaces left accessible after a maintenance window

• Services running on non-standard ports outside regular scan scope

• Devices added to the network outside the formal IT process

• Internet-facing services that were never intended to be publicly accessible

How It Is Generally Solved

Security teams typically use some combination of the following to get visibility into their network assets and exposure.

• Periodic vulnerability scans that probe known IP ranges and domains for exposed services and vulnerabilities on a scheduled basis.

• Manual asset inventories maintained by IT and security teams, listing approved devices, systems, and services that are supposed to be on the network.

• Network scanning tools that sweep defined IP ranges to identify active hosts, open ports, and running services.

• Penetration testing engagements that probe the environment at a point in time, typically once or twice a year.

Each of these has a significant limitation.

• Scheduled scans only cover IP ranges and domains already in scope. Any device provisioned outside the documented inventory, or on an address not included in the scan range, never gets assessed.

• Manual asset inventories go stale quickly. Any device or service added after the last update is missing, and keeping the register current depends entirely on people remembering to record changes.

• Network scanning tools require someone to define the scope. Devices outside that scope are invisible, and the scan results reflect a point in time, not the current state of the network.

• Penetration tests are valuable but represent a single moment. A device exposed or misconfigured the day after a test concludes will not be found until the next engagement.

The net result is that security teams often have reasonable visibility into the assets they already know about and very little visibility into the ones they do not.

How Saner Solves It

Saner CVEM gives security teams continuous visibility into every device and service running across the network, with vulnerability context attached to every finding. Here is how it works.

1. Discover every device on the network

Saner's Device Discovery scanner identifies devices across your network by scanning specified IP addresses and IP ranges. It does not rely on a pre-existing asset list. Any device within the configured scan scope is discovered, including devices added outside formal IT processes. Scans can be configured to run daily, weekly, or monthly, and results appear directly in the Device Discovery dashboard with operating system and host details included.


2. Deploy agents and build a continuous asset inventory

Once devices are discovered, Saner agents can be deployed on managed endpoints across Windows, macOS, and Linux. Agents run continuous and on-demand scans, collecting hardware details, installed software, running processes, open ports, and active services. The Asset Exposure module keeps this inventory continuously updated, so the picture of what is externally exposed reflects what is actually there, not what was there during the last scheduled review.

3. Identify unmanaged and out-of-scope assets

Saner builds a unified asset view that includes both agent-managed devices and devices discovered through network scanning. Assets that appear in discovery but have no agent installed are flagged, giving security teams a clear view of what is present on the network but outside active management. This closes the gap between what IT thinks is on the network and what is actually running.

4. Assess vulnerabilities across all discovered assets

For every discovered and managed asset, Saner runs vulnerability assessments using its built-in vulnerability database covering more than 190,000 checks. Saner also identifies internet-facing ports and the services listening on them, helping security teams quickly determine which systems are externally reachable and whether that exposure is expected. Open ports, outdated software, missing patches, and misconfigurations are all surfaced alongside the asset record. Security teams can see not just what is on the network but the security posture of each asset.


5. Prioritize and remediate from a single platform

Saner's Risk Prioritization module classifies findings using the CISA SSVC framework, categorizing risks into Act, Attend, Track, and Track* so teams focus on what needs attention first. Remediation, including patch deployment, can be initiated directly from the same console without leaving the platform.
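The reconciliation described in steps 1 through 4 comes down to comparing three pictures of the network: what a discovery sweep actually found, what the documented inventory says should be there, and which hosts have an agent and are therefore under continuous assessment. The script below is an added illustration of that comparison; it is not Saner's code and does not use any Saner API. The discovery results, inventory, agent list and scan ranges are constructed sample data, and the flag names (`undocumented`, `unmanaged`, `out_of_scope`, `unexpected_port:N`) are this example's own.

```python
"""Reconcile network-discovery results against the documented inventory.

Added example, not SecPod/Saner code. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: what a network discovery sweep reported per host.
DISCOVERED = [
    {"ip": "203.0.113.10", "os": "Ubuntu 22.04", "ports": {443}},
    {"ip": "203.0.113.25", "os": "Ubuntu 18.04", "ports": {8080, 22}},    # stale staging server
    {"ip": "203.0.113.40", "os": "Windows Server 2019", "ports": {3389, 445}},
    {"ip": "198.51.100.7", "os": "Debian 12", "ports": {8443}},           # admin UI on a non-standard port
]

# Constructed sample: the documented inventory, mapping each known asset
# to the ports it is expected to expose.
INVENTORY = {
    "203.0.113.10": {443},
    "203.0.113.40": {3389},
}

# Constructed sample: hosts that have a management agent installed.
AGENT_MANAGED = {"203.0.113.10"}

# Constructed sample: the ranges the periodic scan is configured to cover.
SCAN_SCOPE = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Finding:
    ip: str
    flags: list = field(default_factory=list)


def in_scope(ip, scope):
    """True if the address falls inside any configured scan range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


def reconcile(discovered, inventory, managed, scope):
    """Return {ip: Finding} for every discovered host.

    Flags attached to a host:
      undocumented       host is absent from the asset inventory
      unmanaged          no agent, so the host is not continuously assessed
      out_of_scope       address lies outside the periodic scan ranges
      unexpected_port:N  a listening port the inventory does not expect
    """
    findings = {}
    for host in discovered:
        ip = host["ip"]
        f = Finding(ip)
        expected = inventory.get(ip)
        if expected is None:
            f.flags.append("undocumented")
            expected = set()          # nothing is expected on an unknown host
        if ip not in managed:
            f.flags.append("unmanaged")
        if not in_scope(ip, scope):
            f.flags.append("out_of_scope")
        for port in sorted(host["ports"] - expected):
            f.flags.append(f"unexpected_port:{port}")
        findings[ip] = f
    return findings


def needs_attention(findings):
    """Hosts with at least one gap, ordered by number of gaps, then address."""
    flagged = [f for f in findings.values() if f.flags]
    return sorted(flagged, key=lambda f: (-len(f.flags), f.ip))


if __name__ == "__main__":
    result = reconcile(DISCOVERED, INVENTORY, AGENT_MANAGED, SCAN_SCOPE)
    for f in needs_attention(result):
        print(f.ip, ", ".join(f.flags))
```

With the sample data, the fully documented and agent-managed host produces no flags, while the forgotten staging server and the dashboard on 198.51.100.7 surface first. Note that 198.51.100.7 would never have been assessed by a scan limited to `SCAN_SCOPE`, which is exactly the gap the periodic-scan approach leaves open.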

Security and Operational Benefits

Security teams get a continuously updated view of every device and service on the network, including assets that were never in scope for periodic scans.

Gaps between the documented asset inventory and what is actually running are identified quickly. Devices added outside the IT process, services left running after a project ends, and open ports from maintenance tasks all become visible before attackers can exploit them.

And when a compliance audit requires evidence of asset coverage and vulnerability assessment, the data is already there, continuously maintained and ready to present.

See how Saner CVEM helps you continuously discover internet-facing assets before attackers do.
