Asset Inventory
Maintain reusable organization-level scan targets and exclusions for recurring RedVeil projects.
Asset Inventory provides reusable organization-level scan targets for recurring RedVeil projects. Instead of re-entering scope for every project, admins can maintain inventories for external network, internal network, and web application testing, then select Asset Inventory as the project scope source.
Where to find Asset Inventory
Go to Settings -> Asset Inventory.
The page includes:
- Summary cards for External, Internal, and Web App inventory.
- Inventory tabs for adding and removing reusable assets.
- A global Exclusions tab.
- Source labels showing whether an asset was added manually or synced from DNS.
Inventory types
External
External inventory is for public-facing hosts, domains, IPs, and CIDRs used by external network projects.
Internal
Internal inventory is for internal IP ranges, hosts, and network targets reachable through deployed internal agents.
Web App
Web App inventory is for specific URLs and applications used by web application projects.
Supported asset values
Inventory entries can include:
- Domains.
- URLs.
- IP addresses.
- CIDR ranges.
Enter one value per line or comma-separated values. RedVeil normalizes valid entries and skips invalid or empty entries.
Adding inventory items
- Go to Settings -> Asset Inventory.
- Choose the External, Internal, or Web App tab.
- Enter domains, URLs, IPs, or CIDRs.
- Click Add.
The inventory list shows:
- Asset display value.
- Kind, such as domain, URL, IP, or network.
- Source badges.
- Whether the item is excluded from testing.
Removing inventory items
Click the delete button next to an item to remove manual ownership.
If the item only exists because it was manually added, RedVeil removes it from inventory.
If the item also comes from a synced DNS source, RedVeil removes the manual ownership but keeps the synced item. The UI shows a message explaining that the synced source still controls the item.
Source badges
Inventory items can have one or more sources:
- Manual: Added by an admin directly in Asset Inventory.
- Cloudflare: Synced from a connected Cloudflare DNS integration.
- Route 53: Synced from a connected AWS Route 53 DNS integration.
An item can have both manual and synced sources.
Exclusions
The Exclusions tab defines global assets that should be held back from testing.
Exclusions apply before any scan starts and take priority over:
- Manual project scope.
- Asset Inventory project scope.
- DNS-imported inventory.
Use exclusions for assets that should never be tested, such as sensitive production systems, third-party infrastructure, staging environments, or restricted network ranges.
Exclusion matching
RedVeil normalizes exclusions and assigns a match mode.
Common match modes include:
- Exact: Matches a specific IP, URL, or value.
- Domain tree: Matches a domain and related subdomains.
- CIDR: Matches assets within a network range.
When an inventory item is excluded, it remains visible in the inventory list but is marked Excluded from testing and is not included in resolved scan scope.
How Asset Inventory scope works in projects
Asset Inventory scope is available for:
- External Network projects.
- Internal Network projects.
- Web Application projects.
It is not available for segmentation, cloud, mobile app, or auth matrix projects.
When creating a supported project:
- Go to the Scope step.
- Choose Asset Inventory instead of Manual Targets.
- Review the current number of in-scope inventory items.
- Continue through settings and review.
The final scope resolves when the scan starts. This is important: if inventory or exclusions change after project creation but before scan start, the latest inventory and exclusions are used.
What happens at scan start
When a project with Asset Inventory scope starts, RedVeil:
- Loads the inventory that matches the project type.
- Applies the global exclusion list.
- Updates the project's effective scope items.
- Starts the scan against the remaining included assets.
If every target is excluded, RedVeil does not start testing and records the reason. Excluded targets can be represented in the host list with an "Excluded from testing" task so the reason is visible.
Manual scope and exclusions
Exclusions also apply to manually entered project scope. If a manually scoped project includes assets that match the exclusion list, RedVeil removes those assets before testing.
If all manually entered targets are excluded, the scan is blocked with a message explaining that every target is excluded.
CLI usage
List inventory:
pentest-agent asset list --type external_networkAdd inventory items:
pentest-agent asset add \
--type external_network \
--target example.com \
--target api.example.comRemove inventory items:
pentest-agent asset remove \
--type external_network \
--target api.example.comList exclusions:
pentest-agent asset exclusion listAdd exclusions:
pentest-agent asset exclusion add \
--target staging.example.com \
--target 192.168.50.0/24Remove exclusions:
pentest-agent asset exclusion remove \
--target staging.example.comCheck DNS sync settings:
pentest-agent asset sync statusRun DNS sync immediately:
pentest-agent asset sync now --provider cloudflareSupported inventory type values:
external_networkinternal_networkwebapp
Supported DNS provider values:
cloudflareroute53
Best practices
- Keep inventory focused on assets authorized for testing.
- Use exclusions for assets that should never be tested, even if discovered from DNS.
- Prefer Asset Inventory for recurring external, internal, and web app testing.
- Review the included and excluded counts before starting large scans.
- Keep DNS imports scoped to domains and destination inventory types that match your testing program.
- Treat Asset Inventory as the source of reusable scope, and project-level scope as the exception for one-off tests.