Assets Management

Exposed hosts by an organization


1. Assets

1.1. About

An asset represents a resource exposed by an organization. Several asset types are defined:

| Type | Example(s) |
|---|---|
| ip | 1.1.1.1 |
| domain / fqdn | |
| custom | my keyword, mobile App #1 |

Currently, Patrowl supports IPv4 addresses only. IPv6 addresses are not managed yet.

Several types of scans are performed by Patrowl:

  • Passive scans are performed on all managed assets. Related scan findings are parsed and qualified to enrich the Attack Surface Management metadata.

  • Offensive penetration tests and security checks of Trending Attacks are performed on pentested assets only.

1.2. Pentested assets

When an asset is set to the “Pentested” status, offensive security tests start on the fly. The first related security issues are generally released in less than 24 working hours.

Only ip and domain asset types can be set as pentested. All supported services and resources on these assets are therefore pentested as well, including web applications, API endpoints, remote access endpoints and exposed databases (hopefully none!).

🔥 Legal Notice: Patrowl automates the detection, in near real time and according to the State of the Art, of possible Vulnerabilities on the CLIENT's assets exposed on the Internet. The list of CLIENT assets (pentested or just discovered) can be seen in the "assets" section, and only this list is authentic (for audit purposes, Patrowl keeps timestamped, detailed records of additions and deletions). The CLIENT can modify this list by clicking the "pentested" button, which, for a minimum period of 2 (TWO) months, expressly authorizes Patrowl to carry out the detection, in near real time and according to the State of the Art, of any Vulnerabilities on these assets. The CLIENT undertakes to place under Patrowl surveillance only the assets under its technical and legal responsibility.

The number of assets allowed to be pentested is limited and bound to the service contract. Please contact [email protected] to raise this limit and cover more assets.

1.3. Key features

1.3.1. List assets

Click “Assets” in the navigation menu to list all assets.

The KPI metrics at the top of the page help you focus on key changes and on the distribution of Assets. Charts can be exported as PNG by clicking the download icon in the upper-right corner.

All table columns can be sorted by clicking their header. Filters are also available and include extra criteria.

A selection of Assets, or all of them, can be exported as a CSV file. A Pentest Report can also be generated for a single Asset or for a selection.

1.3.2. Add an asset

An asset can be created from the assets list by clicking the ➕ button. A modal opens and prompts for several values (mandatory fields are suffixed with an asterisk *):

| Fields | Comments |
|---|---|
| Value* | Asset value |
| Organization* | Select an organization the Asset refers to. See more: Users Management (https://www.notion.so/Users-Management-d8b993bbfdc14642943c310a5b91949e?pvs=21) |
| Criticality* | Possible values: Low, Medium (default) or High |
| Exposure* | Possible values: Unknown, External (default), Internal or Restricted |
| Owner(s) | Asset owner(s) responsible to manage related security issues |
| Tag(s) | List of existing labels |
| Description | Quick description of the Asset |
| Pentested | Switch button to enable the pentesting mode on this Asset |

When an Asset is entered as a URL such as *http://bibi.coucou.io:8080/salut?id=3*, only the related network location part (bibi.coucou.io) might be created as an asset.
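A way to pre-normalize an inventory before creating assets, added here as an example and not Patrowl's own code: each entry is reduced to the asset it would map to (ip, domain or custom), IPv6 is rejected and duplicates are dropped. The function names, the FQDN pattern and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a domain/fqdn is dot-separated LDH labels, last label starting with a letter.
_FQDN = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                   r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?")

def normalize_asset(raw):
    """Map one inventory entry to (asset_type, value); raise ValueError if unusable."""
    entry = raw.strip()
    if not entry:
        raise ValueError("empty entry")
    try:  # a bare host gets "//" so urlsplit parses it as a network location
        host = urlsplit(entry if "://" in entry else "//" + entry).hostname
    except ValueError:
        host = None
    host = (host or "").rstrip(".")  # hostname is lowercased; port, path, query are gone
    for candidate in (entry, host):  # bare IP literal first, then the host of a URL
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.version != 4:  # the page states IPv6 addresses are not managed yet
            raise ValueError("IPv6 is not supported")
        return ("ip", str(ip))
    if _FQDN.fullmatch(host):
        return ("domain", host)
    return ("custom", entry)  # keywords, application names, anything else

def build_inventory(entries):
    """Return (unique assets in first-seen order, [(raw entry, rejection reason)])."""
    assets, rejected = {}, []
    for raw in entries:
        try:
            assets.setdefault(normalize_asset(raw), raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return list(assets), rejected

# Constructed sample entries (not taken from any real inventory).
SAMPLE = [
    "http://bibi.coucou.io:8080/salut?id=3", "HTTPS://Bibi.Coucou.IO/",
    "1.1.1.1", "http://192.0.2.10:8443/admin",
    "http://[2001:db8::1]/", "mobile App #1",
]

if __name__ == "__main__":
    print(build_inventory(SAMPLE))
```

Reviewing the rejected list before an import shows which entries would never become assets, and the deduplicated list shows how many distinct ip and domain assets count against the pentested quota.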

1.3.3. Add assets in bulk (CSV)

Assets can be imported in bulk using the provided CSV template.

A default organization must be set. Existing Assets will be updated if any change has been detected, and the others will be created on the fly.
