Credentialless Discovery
Credentialless Discovery lets Tripl-i find and identify assets without any credentials at all. By safely reading the information that devices already advertise on the network — service banners, certificates, naming responses, and host fingerprints — the platform builds a picture of what is on your network even where you have no username or password to log in.
It is designed to close the most common gap in any CMDB: the assets nobody has credentials for. Network gear, storage and security appliances, hypervisors, printers, IP phones, cameras, IoT/OT devices, and unmanaged or forgotten hosts all tend to fall outside credentialed discovery — and therefore outside your inventory. Credentialless Discovery surfaces them.
Why Use Credentialless Discovery?
- Eliminate blind spots — see the devices you can't authenticate to, not just the ones you can.
- Faster first inventory — get a meaningful asset picture immediately, before credentials are arranged for every system.
- Safe and non-intrusive — uses read-only network probes only; no login attempts, no agents, no changes to the target.
- A bridge, not a dead end — when you later add credentials, Tripl-i recognizes the same device and upgrades the existing record to a full inventory automatically (no duplicates).
- Better security coverage — surfaces expiring certificates, exposed services, and unmanaged devices that would otherwise go untracked.
What Gets Discovered
Credentialless Discovery assembles an identity from whatever a device is willing to reveal. Different devices reveal different things, so results vary by host.
| Signal | What it reveals |
|---|---|
| Windows networking (SMB) | Operating system version, computer name, and domain |
| Remote Desktop / TLS certificates | The machine's name (FQDN) and certificate details such as issuer and expiry |
| SSH | Server software version (e.g. the OpenSSH release from the banner) and a stable host-key fingerprint |
| NetBIOS / mDNS / SSDP | Hostname and, in some cases, the adapter's hardware (MAC) address |
| Web service banners | Product/appliance identification (e.g. "Avaya phone", printer model) |
| Device certificates | Manufacturer (from the certificate's organization field) and a device serial/model where present |
Tripl-i translates raw technical signals into friendly, consistent values — for example, mapping a Windows build number to a readable OS name like "Windows Server 2019" — so your inventory stays clean and comparable across devices.
A web server certificate often names a public website or application (for example, a wildcard domain), not the physical machine hosting it. Tripl-i is careful to name each asset by its machine identity (from Remote Desktop, Windows networking, or NetBIOS), and records website/application certificates separately as certificate inventory — so a host is never mislabeled after the public site it happens to serve.
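To make the table concrete, the following is an added example, not Tripl-i code and not a description of how the product is implemented, of the kind of normalisation the signals above call for: an SSH identification string parsed into product and version, an OpenSSH-style host-key fingerprint, a Windows build number mapped to a readable OS name, and a machine name chosen only from machine-identity sources while every certificate (including a wildcard web certificate) is kept as certificate inventory. The build-table excerpt, the source labels, the field names and all sample signals are constructed assumptions for illustration.

```python
"""Added example (not Tripl-i code): normalising unauthenticated network
signals into consistent identity fields. Build table, source labels, field
names and sample inputs are assumptions made for illustration."""
import base64
import hashlib
import re
import struct
from typing import List, Optional

# Assumed excerpt of a build-number table. SMB/NTLM exposes "10.0 build N";
# client and server editions can share a build, so the edition is chosen
# from whether the SMB OS string says "Server".
WINDOWS_BUILDS = {
    14393: ("Windows Server 2016", "Windows 10 1607"),
    17763: ("Windows Server 2019", "Windows 10 1809"),
    20348: ("Windows Server 2022", None),
    19045: (None, "Windows 10 22H2"),
}


def windows_os_name(build: int, server: bool) -> str:
    """Map a build number to a readable OS name; never return an empty value."""
    server_name, client_name = WINDOWS_BUILDS.get(build, (None, None))
    name = server_name if server else client_name
    return name or f"Windows 10.0 build {build}"


# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
SSH_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line: str) -> Optional[dict]:
    m = SSH_BANNER.match(line.strip())
    if not m:
        return None
    product, _, version = m.group("software").partition("_")  # "OpenSSH_9.6p1"
    return {"product": product, "version": version, "comment": m.group("comment") or ""}


def ssh_wire_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_host_key_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire-format public key, base64
    without padding. This is the stable per-host identifier SSH offers."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Sources whose name identifies the machine itself rather than a website.
MACHINE_NAME_SOURCES = ("rdp", "smb", "netbios")


def resolve_identity(signals: List[dict]) -> dict:
    """Take the machine name from machine-identity sources only; every TLS
    certificate, wildcard web certificates included, goes to the certificate
    inventory instead of naming the host."""
    identity: dict = {"name": None, "os": None, "certificates": []}
    for s in signals:
        src = s["source"]
        if src in MACHINE_NAME_SOURCES and s.get("name") and not identity["name"]:
            identity["name"] = s["name"].lower().rstrip(".")
        if src == "smb" and "build" in s:
            identity["os"] = windows_os_name(s["build"], s.get("server", False))
        if src in ("rdp", "https") and "cert_subject" in s:
            identity["certificates"].append({"subject": s["cert_subject"],
                                             "issuer": s["cert_issuer"],
                                             "not_after": s["not_after"],
                                             "source": src})
    return identity


# Constructed sample: one Windows host that also serves a public website.
SAMPLE_SIGNALS = [
    {"source": "https", "cert_subject": "*.example.com", "cert_issuer": "Example CA",
     "not_after": "2026-01-15"},
    {"source": "smb", "name": "WEB01.corp.example.com", "build": 17763, "server": True},
    {"source": "rdp", "name": "web01.corp.example.com",
     "cert_subject": "web01.corp.example.com", "cert_issuer": "web01.corp.example.com",
     "not_after": "2025-11-02"},
]

if __name__ == "__main__":
    print(resolve_identity(SAMPLE_SIGNALS))
    print(parse_ssh_banner("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5"))
```

Run with the constructed signals, the host is named from SMB/RDP as web01.corp.example.com, the wildcard web certificate is recorded but never becomes the host name, and a host that showed only the wildcard certificate gets no name at all, which is the behaviour the paragraph above describes.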
How Credentialless Assets Appear
Discovered assets show up as normal Configuration Items in your CMDB, with a few important distinctions:
- Provenance — each is marked as discovered without credentials, along with a confidence level (high, medium, or low) and the signals it was found by. This lets you tell a fingerprinted asset apart from a fully inventoried one at a glance.
- Device classification — Tripl-i classifies each asset by evidence (for example, an Avaya web banner ⇒ Phone, an SSH-only Linux host ⇒ Server, an industrial protocol ⇒ Network/OT device). A reachable host with no usable classification signal is never blindly recorded as a "Server" — avoiding the inventory pollution that naive network scanning causes.
- Manufacturer & model — filled in where they can be derived from device certificates or service banners.
- Certificates — TLS/RDP certificates seen during discovery are recorded as certificate inventory, including expiry dates, so you can track and renew them.
Safe by Design
Credentialless Discovery is built to be the least intrusive form of discovery:
- Read-only — it connects to exposed services only to read what they already advertise (banners, certificates, host keys, naming responses). It never attempts to log in and never writes to a target.
- OT/ICS aware — when an industrial control protocol is detected, intrusive probes are automatically skipped and only gentle, read-only checks are used, protecting fragile operational technology.
- Kubernetes aware — short-lived container/pod addresses are suppressed so they don't create churn or duplicate records; containerized environments should be discovered through the dedicated Kubernetes Scanning path instead.
- Bounded depth — discovery runs only at the depth your scan profile allows, and credentialless behavior is governed by the per-tenant settings described below.
From Fingerprint to Full Inventory
The real power of Credentialless Discovery is what happens after you add credentials.
- First pass (no credentials): Tripl-i creates a lightweight, low-/medium-confidence record for the device using the most stable identity it could read.
- Later (credentials added): when a credentialed scan reaches the same device, Tripl-i recognizes it — by its hardware address, its SSH host fingerprint, or its machine name — and enriches the existing record with full inventory (operating system, software, hardware, relationships).
- Result: one clean asset that simply gets richer over time. No duplicate entries, and the asset's provenance updates from "discovered without credentials" to fully inventoried.
This is why credentialless results are safe to act on early: they converge with your credentialed inventory rather than competing with it.
Identity and Duplicate Prevention
To keep your CMDB clean, Tripl-i only creates an asset when it has a stable identifier it can recognize again later:
- a hardware (MAC) address,
- an SSH host fingerprint, or
- a specific, non-generic machine name.
A host that is reachable but offers no stable identity (for example, a host whose only name is a generic one such as "localhost", or a web interface that returns a product banner but no hostname, hardware address, or SSH host key) is recorded in the Discovery Logs as "seen but not inventoried" rather than turned into an empty record. Network (IP) addresses are never used on their own as an asset's identity, because they change with DHCP and would create duplicates.
Settings
Credentialless behavior is controlled per tenant, so administrators stay in charge:
| Setting | Purpose |
|---|---|
| Allow credentialless assets | Whether fingerprint-only results may create new Configuration Items. On by default — this is the main value of the feature. Turn off for a strictly credential-only CMDB. |
| Minimum confidence | The minimum identity confidence required to create a new asset. Lower-confidence results still enrich existing assets, but won't create new ones. |
| Accept certificates / host keys | Whether discovered certificates and SSH host fingerprints are recorded. |
These settings are authoritative: they govern behavior regardless of how an individual scan is configured, so a misconfigured scan cannot fill your CMDB with records the tenant policy does not permit.
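The three sections above (From Fingerprint to Full Inventory, Identity and Duplicate Prevention, and Settings) describe one reconciliation loop. The following is an added example, not Tripl-i code and not a description of its internals, of that loop in miniature: a result is only admitted on a stable identifier (MAC, SSH host-key fingerprint, or a non-generic name, never the IP address), creation of fingerprint-only records is gated by the tenant settings, a host with no stable identity goes to a "seen but not inventoried" log, and a later credentialed scan that matches on any known identifier enriches the existing record instead of creating a second one. The field names, the confidence scoring, the generic-name list and every scan result below are constructed assumptions for illustration.

```python
"""Added example (not Tripl-i code): a minimal reconciliation loop for
credentialless and credentialed scan results. Field names, confidence
scoring, the generic-name list and all sample results are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Names that identify nothing in particular (assumed list).
GENERIC_NAMES = {"localhost", "localhost.localdomain", "ubuntu", "debian",
                 "printer", "router", "server", "unknown"}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class TenantSettings:
    allow_credentialless: bool = True   # "Allow credentialless assets"
    min_confidence: str = "medium"      # "Minimum confidence"
    accept_host_keys: bool = True       # "Accept certificates / host keys"


@dataclass
class Asset:
    name: Optional[str]
    provenance: str                     # "credentialless" or "inventoried"
    confidence: str
    signals: List[str] = field(default_factory=list)
    inventory: Dict[str, object] = field(default_factory=dict)


def identity_keys(result: dict, settings: TenantSettings) -> List[str]:
    """Stable identifiers in order of preference. The IP address is never one:
    it changes with DHCP and would split one device into many records."""
    keys = []
    if result.get("mac"):
        keys.append("mac:" + result["mac"].lower())
    if settings.accept_host_keys and result.get("ssh_fingerprint"):
        keys.append("sshfp:" + result["ssh_fingerprint"])
    name = (result.get("name") or "").lower().rstrip(".")
    if name and name not in GENERIC_NAMES:
        keys.append("name:" + name)
    return keys


def confidence_for(keys: List[str]) -> str:
    """Assumed scoring: hardware address or host key is high, a name alone medium."""
    if any(k.startswith(("mac:", "sshfp:")) for k in keys):
        return "high"
    return "medium" if keys else "low"


class Cmdb:
    def __init__(self, settings: TenantSettings):
        self.settings = settings
        self.assets: List[Asset] = []
        self.index: Dict[str, Asset] = {}           # identity key -> asset
        self.seen_not_inventoried: List[dict] = []  # what Discovery Logs would show

    def find(self, keys: List[str]) -> Optional[Asset]:
        return next((self.index[k] for k in keys if k in self.index), None)

    def _rejection_reason(self, keys: List[str], credentialed: bool) -> Optional[str]:
        if not keys:
            return "no stable identity"
        if credentialed:
            return None
        if not self.settings.allow_credentialless:
            return "credentialless assets disabled"
        if CONFIDENCE_RANK[confidence_for(keys)] < CONFIDENCE_RANK[self.settings.min_confidence]:
            return "below minimum confidence"
        return None

    def ingest(self, result: dict, credentialed: bool) -> Optional[Asset]:
        keys = identity_keys(result, self.settings)
        asset = self.find(keys)
        if asset is None:
            reason = self._rejection_reason(keys, credentialed)
            if reason:
                self.seen_not_inventoried.append({"ip": result["ip"], "reason": reason})
                return None
            asset = Asset(name=result.get("name"),
                          provenance="inventoried" if credentialed else "credentialless",
                          confidence="high" if credentialed else confidence_for(keys))
            self.assets.append(asset)
        # Learn every identifier seen so later scans can match on any of them.
        for k in keys:
            self.index.setdefault(k, asset)
        asset.signals = sorted(set(asset.signals) | set(result.get("signals", [])))
        if credentialed:  # enrich in place: upgraded, never duplicated
            asset.name = result.get("name") or asset.name
            asset.inventory.update(result.get("inventory", {}))
            asset.provenance, asset.confidence = "inventoried", "high"
        return asset


def demo() -> Cmdb:
    """Constructed sequence: one credentialless pass, then credentials are added."""
    cmdb = Cmdb(TenantSettings())
    first_pass = [
        {"ip": "10.0.5.20", "ssh_fingerprint": "SHA256:abc", "name": "build-runner-03", "signals": ["ssh"]},
        {"ip": "10.0.5.77", "mac": "00:11:22:AA:BB:CC", "signals": ["mdns"]},   # printer, MAC only
        {"ip": "10.0.5.90", "name": "localhost", "signals": ["http"]},          # alive, no identity
    ]
    for r in first_pass:
        cmdb.ingest(r, credentialed=False)
    # The Linux host now has credentials and a new DHCP address; its host key still matches.
    cmdb.ingest({"ip": "10.0.5.44", "mac": "00:11:22:DD:EE:FF", "ssh_fingerprint": "SHA256:abc",
                 "name": "build-runner-03.corp.example.com", "signals": ["ssh", "linux"],
                 "inventory": {"os": "Ubuntu 22.04", "packages": 812}}, credentialed=True)
    return cmdb


if __name__ == "__main__":
    for a in demo().assets:
        print(a)
```

In the constructed run the CMDB ends with two assets, not three: the Linux host is matched on its SSH host-key fingerprint despite a new IP address and a longer name, its record gains the hardware address and full inventory and flips to "inventoried", and the host that only called itself "localhost" stays in the log. Raising Minimum confidence to high stops a name-only result from creating a record while still letting it enrich a record that already exists, which is the distinction the Settings table draws.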
Best Practices
- Scope your scans. Point credentialless discovery at the network ranges where unmanaged assets live. Keep it away from Kubernetes pod ranges and sensitive OT segments — the scan range is your first and best control.
- Use it as a first pass. Run credentialless discovery to reveal what's out there, then add credentials for the systems that warrant deep inventory; Tripl-i will merge the two automatically.
- Review low-confidence assets. Treat low-confidence, credentialless-only records as leads to investigate — they often point to forgotten or shadow IT.
- Track the certificates it finds. Use the certificate expiry data to get ahead of outages caused by lapsed certificates.
Frequently Asked Questions
Does this need any credentials? No. Credentialless Discovery works entirely without usernames, passwords, keys, or community strings.
Is it safe to run against fragile or industrial devices? Yes, within the limits of any unauthenticated probe. Intrusive probes are skipped automatically when an industrial protocol is detected, leaving only gentle, read-only checks. Because that detection requires first contact with the device, also keep sensitive OT segments out of the scan range, as described under Best Practices.
Will it create duplicates when I add credentials later? No. A later credentialed scan recognizes the same device and enriches the existing record instead of creating a new one.
Why do some reachable hosts not appear as assets? A host is only turned into an asset when it offers a stable identity Tripl-i can recognize again. Hosts that are alive but offer no stable identity are visible in Discovery Logs as "seen but not inventoried."
How is this different from a basic port scan? A port scan tells you something is there. Credentialless Discovery goes further and tells you what it is — its name, operating system, manufacturer, device type, and certificates — and turns that into a managed asset.
Related Features
- Network Scanning — the protocols behind discovery
- Credential Management — add credentials to deepen inventory
- Discovery Logs — see every host that was reached, including those not inventoried
- SNMP Scanning — credentialed network-device discovery
- Kubernetes Scanning — the right path for containerized environments