Scanning the Devices You Can't Log Into
Every network has a pile of devices nobody has credentials for. Cameras. Badge readers. Appliances. The ESXi host that came with an acquisition. The vendor-managed box in the DMZ.
Discovery tools file all of these under "failed" and move on. So the least patched, least owned, least documented things on your network are exactly the ones missing from your inventory.
Our latest scanner release fixes that. It's called credentialless discovery, and it's available now in the scanner's Settings tab.
Devices tell you who they are — if you listen
Here's the thing nobody takes advantage of enough: most devices identify themselves to anyone who connects, before any login happens. A Windows server reveals its name, domain, and OS version during the first seconds of an SMB connection. Certificates carry hostnames. A camera we scanned recently announced itself as axis-00408c1a2b3c — hostname, manufacturer, and its MAC address, all volunteered.
The scanner now reads these introductions. No passwords, no exploitation, no agent on the device — just the same information any browser or SSH client receives when it connects.
What you get out of it:
- The unmanaged corner of your network shows up in inventory. Appliances, printers, cameras, network gear, unmanaged servers — named, classified, and tracked, not just "something at 10.140.2.61".
- Audit and segmentation questions get answers. "What's actually on this VLAN?" stops requiring a walk to the server room.
- Vulnerability coverage widens. A version banner is enough to match a device against known CVEs, even with zero access.
- Shadow IT surfaces on its own. If it's reachable and it speaks any common protocol, it's on the map.
No junk records — that's the hard part
Anyone can grab banners. The reason we took our time with this feature is what happens next: if you create asset records carelessly, DHCP alone will fill your CMDB with duplicates within a month.
So the rule is simple: everything found is recorded, but only devices with a reliable identity become assets. A device that produced a real, stable identifier — something we can recognize again on the next scan — gets a CI. A device that's merely "alive with open ports" stays visible in the discovery log until it earns one. Your CMDB grows, but it stays clean.
And when you eventually do get credentials for one of these devices, the full scan enriches the same record. No duplicates, no merge cleanup.
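The identity rule above, written out as an added example (not Tripl-i's code): which identifier kinds count as stable, their confidence labels and the probe names are assumptions, and the observations are constructed, with the camera from the post seen on two DHCP leases, a host that only has open ports, and a later credentialed scan of the camera.

```python
# Identifier kinds judged stable enough to recognise a device again on the next
# scan, best first, each with an assumed confidence label. IP address and "alive
# with open ports" are deliberately absent: DHCP would turn them into duplicates.
STABLE_KEYS = {"mac": "high", "smb_hostname": "high", "cert_cn": "medium", "mdns_name": "medium"}
RANK = {"medium": 1, "high": 2, "verified": 3}

def stable_identity(fields):
    """First stable identifier present in a probe's fields, as (identity, confidence), else None."""
    for key, conf in STABLE_KEYS.items():
        if fields.get(key):
            return f"{key}:{fields[key].lower()}", conf
    return None

def reconcile(observations, assets=None):
    """Everything observed is logged; only a stable identity becomes (or enriches) an asset.
    Each observation is {"ip", "probe", "fields"}; returns (assets by identity, log)."""
    assets, log = dict(assets or {}), []
    for obs in observations:
        found = stable_identity(obs["fields"])
        log.append((obs["ip"], obs["probe"], found[0] if found else None))
        if found is None:
            continue                  # stays in the discovery log until it earns a CI
        ident, conf = found
        if obs["probe"] == "credentialed":
            conf = "verified"         # a later authenticated scan enriches the same record
        a = assets.setdefault(ident, {"identity": ident, "ips": set(), "attributes": {},
                                      "discovered_by": [], "confidence": conf})
        a["ips"].add(obs["ip"])       # same MAC on a new DHCP lease: same record, no duplicate
        a["attributes"].update(obs["fields"])
        if obs["probe"] not in a["discovered_by"]:
            a["discovered_by"].append(obs["probe"])
        a["confidence"] = max(a["confidence"], conf, key=RANK.get)
    return assets, log

# Constructed sample (probe names and field values are assumptions): the camera from
# the post on two leases, a host with only open ports, then a credentialed scan.
SAMPLE = [
    {"ip": "10.140.2.61", "probe": "mdns", "fields": {"mdns_name": "axis-00408c1a2b3c", "mac": "00:40:8C:1A:2B:3C"}},
    {"ip": "10.140.2.77", "probe": "arp", "fields": {"mac": "00:40:8c:1a:2b:3c"}},
    {"ip": "10.140.2.90", "probe": "tcp", "fields": {"open_ports": "22,443"}},
    {"ip": "10.140.2.77", "probe": "credentialed", "fields": {"mac": "00:40:8c:1a:2b:3c", "os": "sample firmware"}},
]
```

Running `reconcile(SAMPLE)` yields one asset for the camera with both IPs, three probes in its audit trail and confidence "verified", while the ports-only host appears in the log with no identity and no CI.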
Your security team stays in control
Unauthenticated scanning done carelessly gets your scanner's IP blocked — or worse, gets someone paged about it. So the defaults are deliberately boring:
- Upgrading changes nothing. All new probes ship disabled. Your scan traffic stays exactly as it was until you decide otherwise.
- You choose the depth. A "Safe" profile reads only what normal client connections expose. Everything beyond that is opt-in, per probe, with rate limits.
- Sensitive equipment is protected automatically. Devices that look like industrial/OT systems are excluded from the more talkative probes.
- Everything is logged. Which probes ran, against what, allowed by which setting — your SOC always has the answer to "why did this packet hit that host?"
Honest inventory
One more thing we cared about: a device fingerprinted from the network is not the same as a server fully inventoried with credentials, and your CMDB shouldn't pretend it is. Every credentialless asset is labeled with how it was discovered and how confident the identification is. You always know which records are rock solid and which ones deserve a follow-up.
The devices you couldn't log into were always the ones auditors and incident responders asked about first. Now they're at least on the map.
Turn it on in the scanner's Settings tab — start with the Safe profile on a subnet you know well, and compare what comes back with what your CMDB thought was there.
Tripl-i discovers your infrastructure with credentials where you have them — and now without, where you don't. Read the documentation or visit tripl-i.com.
