Asset Management
Escape records every discovered Asset—external or internal—in a single ASM.
This section explains how the platform enriches each Asset, tracks its lifecycle, and lets you make bulk edits.
Attribute Enrichment & Fingerprinting¶
Some of the approaches we take to categorize and add more context to each Assets when they are identified. Not all are always assigned depending on the data we get.
| Attribute | How it’s derived | Typical uses |
|---|---|---|
Reachability (External-<Region> / Internal) | IP geolocation, Private Location ID | Filter by attack surface exposed to the Internet vs on-prem |
Environment (Production / Staging / Development) | Regex on subdomain/path (e.g. *.staging.*), Git branch tags | Distinguishes Dev Services from Prod services |
| Framework Technology | HTTP headers, TLS banner, byte-signature matching | Identify outdated stacks (e.g. PHP 5) |
| Cloud Hosting | ASN lookup, integration metadata | Track AWS vs Azure vs self-hosted Hosts |
| WAFl | Reverse-proxy headers (e.g. cf-ray), WAF fingerprints | Spot Assets missing a WAF layer |
| Authentication | Response codes + heuristic probes | Pinpoint open Admin panels |
| Code Owners | CODEOWNERS file pulled through SCM integration | Route Findings to the right team |
All attributes are searchable and filterable; you can also export them via the API.
Asset Status Lifecycle¶
| Status | Meaning | Effect on scans & alerts |
|---|---|---|
| Monitored | Asset is in scope and actively scanned. | Findings generated and routed. |
| Deprecated | Asset is not reachable anymore (decommissioned). | Findings marked as resolved, kept for audit |
| Out Of Scope | Legitimate Asset but excluded by policy (such as Third-Party Assets for instance). | Findings marked as resolved, kept for audit |
| False Positive | Discovery error or duplicate entry. | Findings marked as resolved, kept for audit |
| Third Party | Third-party service displayed in the asm but not scanned. | Findings marked as resolved, kept for audit |
Status changes apply immediately to both ASM surface tests and queued DAST runs.
After 30 days without be seeing, asset MONITORED are updated to asset DEPRECATED.
Manually Set Status¶
Manually set status prevents automatic systems from overwriting your status changes. Assets with manually set status will not have their status automatically updated by discovery scans or workflow runs.
Manually set status is automatically enabled when:
- You create an asset through the platform or API (receives
MONITOREDstatus) - You manually change an asset's status through the UI or API
- An asset is marked as
FALSE_POSITIVE
You can still manually change the status of assets with manually set status at any time.
Bulk Editing & Tagging¶
- Select multiple Assets with Shift-click or table filters.
- Click Bulk Edit to update:
- Status (Monitored, Deprecated, etc.)
- Environment (Production, Staging, ... )
- Custom Tags — free-form
key:valuepairs for additional grouping.
- Review the summary and confirm. Edits are logged in ASM Changes for traceability.
Bulk edits can also be scripted via the REST API (see /assets/bulk-edit).
Project Propagation¶
When Escape discovers a new asset under an existing one—such as a subdomain under a domain, or an endpoint under a subdomain—that new asset automatically inherits the projects of its parent. Only assets within the parent's scope are affected: for example, subdomain.example.com and https://api.example.com/ inherit projects from example.com, but an unrelated domain that was discovered via example.com does not.
You can disable project propagation in Organization Settings → General.
- Enabled (Default): Newly discovered child assets inherit the projects of their parent asset.
- Disabled: Newly discovered assets do not inherit projects automatically.
Tip
When project propagation is disabled, you can use Workflows to assign projects to newly discovered assets automatically. Configure a workflow with the Asset Found trigger and an Update Asset action.