Every penetration test starts with the same boring conversation:
"What's in scope?" "Uh, let me find that spreadsheet…"
We've been there too. Half the friction in running a quality pentest isn't the test itself — it's reconciling what you think you own against what's actually exposed. New subdomains pop up. Old infrastructure gets decommissioned but never deleted. The ops team adds a load balancer Friday afternoon. And by Monday, your scope document is already wrong.
Today, we're shipping the cure: Asset Inventory, a living source of truth for every target your team can test with RedVeil.
One inventory, three surfaces
Asset Inventory organizes everything you can test into three buckets:
- External Network — public-facing domains, IPs, and CIDR ranges
- Internal Network — private IP ranges and CIDRs that your Sigil agents can reach
- Web Apps — specific URLs and endpoints for application-layer testing
Add assets manually with a paste-and-go bulk input (commas, newlines, mixed types — we figure it out), then point any number of projects at the inventory instead of restating scope every time you start an engagement.
Manage from the platform — or from your terminal
Asset Inventory ships with two equally first-class management surfaces from day one:
On the platform. Open Settings → Asset Inventory and you're one click away from adding, removing, and reviewing every asset across all three inventories. Bulk-paste a list of domains, drop in a CIDR range, or remove anything that's been retired.
From the pentest-agent CLI. If your team lives in the terminal — or in CI — every inventory action is a pentest-agent asset subcommand away. A few examples:
# List everything in your external inventory
pentest-agent asset list --type external_network
# Add a batch of new domains from a file
pentest-agent asset add --type external_network --targets-file ./new-domains.txt
# Remove a retired asset
pentest-agent asset remove --type webapp --target https://old-app.acme.com
# Manage org-wide exclusions
pentest-agent asset exclusion list
pentest-agent asset exclusion add --target 10.0.0.0/8
That means you can wire Asset Inventory directly into the systems that already know what you own — CI/CD pipelines, deploy hooks, etc. — without writing a single line of integration code. The CLI is the same surface our platform uses; everything you can do in the UI, you can script.
Org-wide exclusions, done right
Every security team has the list of "do not touch this" assets — the executive's home IP, the third-party SaaS you don't own, the legacy host that falls over if you breathe on it. Asset Inventory ships an org-wide exclusion list that travels with every project automatically.
Exclusions support:
- Individual IPs
- CIDR ranges
- Domains & Domain Trees
When you create or update a project, RedVeil pre-validates your scope against the exclusion list. If every target is excluded, the scan won't start until you widen scope — no more wasted runs, no more accidental tests against systems you didn't mean to touch.
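A minimal sketch of that pre-validation step, added here as an illustration and not RedVeil's own code. The matching rules (a `*.` prefix marking a domain tree, a CIDR target counted as "partial" when it only overlaps an exclusion, no DNS resolution) and all sample values are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data; the "*." domain-tree notation is this example's own.
EXCLUSIONS = ["10.0.0.0/8", "203.0.113.7", "*.vendor.example", "legacy.acme.example"]
TARGETS = ["10.20.0.0/16", "203.0.113.0/24", "https://sso.vendor.example/login",
           "notvendor.example", "app.acme.example"]

def _host(target):
    """Reduce a domain, IP, CIDR or URL to the part that is matched."""
    t = target.strip().lower()
    if "://" in t:
        t = urlsplit(t).hostname or ""
    return t.rstrip(".")

def _net(value):
    """Return an ip_network for an IP or CIDR, or None for a name."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def classify(target, exclusions):
    """Return 'excluded', 'partial' (CIDR overlapping an exclusion) or 'in_scope'."""
    host = _host(target)
    net, verdict = _net(host), "in_scope"
    for raw in exclusions:
        rule = raw.strip().lower().rstrip(".")
        rule_net = _net(rule)
        if net is not None and rule_net is not None:
            if net.version != rule_net.version:
                continue
            if net.subnet_of(rule_net):       # target lies wholly inside the exclusion
                return "excluded"
            if net.overlaps(rule_net):        # target contains an excluded address
                verdict = "partial"
        elif net is None and rule_net is None:
            tree = rule.startswith("*.")      # tree = apex plus every subdomain
            apex = rule[2:] if tree else rule
            if host == apex or (tree and host.endswith("." + apex)):
                return "excluded"
    return verdict

def prevalidate(targets, exclusions):
    """Group targets by verdict; refuse to start when every target is excluded."""
    result = {"in_scope": [], "partial": [], "excluded": []}
    for t in targets:
        result[classify(t, exclusions)].append(t)
    result["can_start"] = bool(result["in_scope"] or result["partial"])
    return result
```

Names are never resolved in this sketch, so a domain that points at an excluded IP would pass; a validator has to decide whether to resolve before comparing.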
What you can do with it today
- Bulk-add assets with paste-and-go input that auto-detects domains, IPs, CIDRs, and URLs
- Manage everything from the platform UI — One centralized asset inventory for testing
- Manage everything from the pentest-agent CLI — list, add, and remove assets and exclusions from your terminal or CI pipeline
- Maintain org-wide exclusions - Keep off limits, actually off limits
- Pre-validate project scope before any scan kicks off
- Reuse inventory across projects — define your scope once, point any number of engagements at it
Why we built it this way
A few principles guided the design:
- Scope is not a static document. Your attack surface changes daily; your inventory should too.
- Meet teams where they work. Some security folks live in dashboards; others live in shells. Both should be first-class.
- Exclusions are a safety feature, not a UX feature. A pentest platform that runs against the wrong system is worse than one that doesn't run at all.
- Provenance matters. Auditors and security teams need to know where a target came from and when it was last validated.
Pricing and availability
Asset Inventory is included in every RedVeil tier — no add-on, no separate license. Admins can manage exclusions, bulk-import assets through the platform, and run pentest-agent asset commands today.
Coming soon
We're working on automatic sync from the source systems your assets actually live in:
- Live DNS sync from Cloudflare and AWS Route 53 — connect once, let the inventory keep itself current as zones change
- Additional DNS providers — Azure DNS, Google Cloud DNS, NS1, and DNSimple
- CSP-native asset discovery — pull assets directly from AWS, Azure, and GCP accounts so we can see what's running, not just what's in DNS
- Internal asset enrichment — feed live discovery from Sigil agents back into Internal inventory automatically
- Tagging and ownership — assign owners and business-unit tags so reports tell you who to ping, not just what broke
Stop chasing scope. Start treating your inventory like the living, scriptable source of truth it always should have been.