Asset Management
Escape records every discovered Asset—external or internal—in a single ASM.
This section explains how the platform enriches each Asset, tracks its lifecycle, and lets you make bulk edits.
Attribute Enrichment & Fingerprinting¶
Some of the approaches we take to categorize and add more context to each Assets when they are identified. Not all are always assigned depending on the data we get.
| Attribute | How it’s derived | Typical uses |
|---|---|---|
Reachability (External-<Region> / Internal) | IP geolocation, Private Location ID | Filter by attack surface exposed to the Internet vs on-prem |
Environment (Production / Staging / Development) | Regex on subdomain/path (e.g. *.staging.*), Git branch tags | Distinguishes Dev Services from Prod services |
| Framework Technology | HTTP headers, TLS banner, byte-signature matching | Identify outdated stacks (e.g. PHP 5) |
| Cloud Hosting | ASN lookup, integration metadata | Track AWS vs Azure vs self-hosted Hosts |
| WAFl | Reverse-proxy headers (e.g. cf-ray), WAF fingerprints | Spot Assets missing a WAF layer |
| Authentication | Response codes + heuristic probes | Pinpoint open Admin panels |
| Code Owners | CODEOWNERS file pulled through SCM integration | Route Findings to the right team |
All attributes are searchable and filterable; you can also export them via the API.
Asset Status Lifecycle¶
| Status | Meaning | Effect on scans & alerts |
|---|---|---|
| Monitored | Asset is in scope and actively scanned. | Findings generated and routed. |
| Deprecated | Asset is not reachable anymore (decommissioned). | Findings marked as resolved, kept for audit |
| Out Of Scope | Legitimate Asset but excluded by policy (such as Third-Party Assets for instance). | Findings marked as resolved, kept for audit |
| False Positive | Discovery error or duplicate entry. | Findings marked as resolved, kept for audit |
| Third Party | Third-party service displayed in the asm but not scanned. | Findings marked as resolved, kept for audit |
Status changes apply immediately to both ASM surface tests and queued DAST runs.
After 30 days without be seeing, asset MONITORED are updated to asset DEPRECATED.
Manually Set Status¶
Manually set status prevents automatic systems from overwriting your status changes. Assets with manually set status will not have their status automatically updated by discovery scans or workflow runs.
Manually set status is automatically enabled when:
- You create an asset through the platform or API (receives
MONITOREDstatus) - You manually change an asset's status through the UI or API
- An asset is marked as
FALSE_POSITIVE
You can still manually change the status of assets with manually set status at any time.
Bulk Editing & Tagging¶
- Select multiple Assets with Shift-click or table filters.
- Click Bulk Edit to update:
- Status (Monitored, Deprecated, etc.)
- Environment (Production, Staging, ... )
- Custom Tags — free-form
key:valuepairs for additional grouping.
- Review the summary and confirm. Edits are logged in ASM Changes for traceability.
Bulk edits can also be scripted via the REST API (see /assets/bulk-edit).
Project Propagation¶
By default, when Escape's ASM discovers new assets (e.g., via subdomains or spidering), these new assets automatically inherit the project assignment of their source asset. This ensures that assets related to a specific project remain grouped together.
If you require strict segmentation—where each asset must be explicitly categorized or belong to a single project—you can disable project propagation in the Organization Settings.
- Enabled (Default): Discovered assets inherit the projects of the asset that led to their discovery.
- Disabled: Discovered assets do not inherit projects from their source.