Gatekeeper Editorial — Technical Architecture
Network Discovery Best Practices for Enterprise IT
How to build and maintain an accurate picture of every device on your network. Covers agent-based and agentless approaches, SNMP, credential scanning, and continuous discovery strategies.
Why accurate discovery matters
You cannot secure what you do not know about. Yet most organisations have a significant gap between what they think is on their network and what is actually there. Commonly cited estimates put the undercount at 20–40% of the actual asset population, and a first full discovery run in an environment that has only ever had a spreadsheet inventory rarely fails to find devices nobody had recorded.
Accurate network discovery is the foundation for:
Security: Unknown devices are, by definition, outside your patching, monitoring, and hardening processes. They are the entry points attackers look for first, and the ones you will not see them use.
Compliance: Frameworks like NIS2, BIO, ISO 27001 (the Annex A asset inventory control), and the CIS Controls (Control 1, Inventory and Control of Enterprise Assets) all require a complete and accurate asset inventory. You cannot demonstrate compliance without one.
Cost management: Unknown devices consume licenses, bandwidth, and IP addresses. Shadow IT drives up costs without visibility.
Incident response: When an incident occurs, you need to know immediately which devices are affected, who owns them, and what they are connected to.
Discovery methods compared
There are several approaches to network discovery, each with strengths and limitations:
ARP/Ping sweep: The simplest method. Sends ARP requests or ICMP echo requests to every address in a subnet and records which addresses answer, yielding IP and MAC addresses and little else. Fast, but ARP is link-local, so it only sees the broadcast domain the scanner sits in; ICMP can be routed but is routinely filtered by network and host firewalls, so remote subnets need a scanner or agent placed on them, and a host that does not answer ping is not proof that the address is free.
SNMP polling: Queries network devices (switches, routers, firewalls) for their MAC address (forwarding) tables, ARP tables, interface data, and LLDP/CDP neighbour tables. Provides rich detail about network topology and connected devices, including which switch port a given MAC was learned on. Requires SNMP credentials: use SNMPv3 with authentication and privacy (authPriv), because SNMPv1/v2c community strings cross the wire in cleartext and are effectively a shared password. Grant read-only access, and restrict it to the discovery platform's source addresses.
Credential-based scanning: Uses SSH, WMI, or WinRM credentials to log into devices and collect detailed system information (OS version, installed software, hardware specs, running services). Provides the richest data, but the scan credentials are themselves a high-value target: an account that can log into every server is exactly what an attacker who compromises the scanner, or a single scanned host, wants. Use dedicated least-privilege accounts (read-only where the platform supports it, never a domain admin for WMI), keep them in a vault, rotate them, and alert on any use of them from somewhere other than the scanner.
Agent-based: Deploys a lightweight agent on endpoints that reports system information continuously. Provides the most detailed and up-to-date information, and is the only method that still works while a laptop is off the corporate network, but requires installation on each device. Does not work for network equipment, printers, or IoT devices on which you cannot install software.
Passive monitoring: Analyses mirrored network traffic to identify devices by their communication patterns, protocols, and fingerprints. Non-intrusive, but requires a network tap or SPAN port on each segment you want covered, only sees devices that actually transmit on those segments, and identifies less as more traffic is encrypted. Best for detecting rogue devices that no other method would touch.
The optimal strategy combines multiple methods. Use SNMP for network infrastructure, credential scanning for servers and workstations, agents for detailed endpoint monitoring, and passive detection for catching unknown devices.
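To make concrete what SNMP polling adds over a sweep, here is an added example (not code from the original article or from the Gatekeeper product) that joins a switch's forwarding database (BRIDGE-MIB dot1dTpFdbPort) with a router's ARP table (IP-MIB ipNetToMediaPhysAddress) into an IP / MAC / switch-port view. The two walks are constructed sample text in the shape net-snmp's `snmpwalk -On` prints; nothing was captured from a real device, and the switch name `sw-core-1` is a placeholder. It also lists MACs the switch learned that no ARP entry explains, which is where silent or rogue devices tend to show up.

```python
"""Join a switch forwarding database with a router ARP table into an
IP / MAC / switch-port view, plus the MACs that only the switch knows.

Both walks below are constructed sample text in the shape that net-snmp's
`snmpwalk -On` prints (numeric OIDs). Nothing was captured from a real
device; the switch name is a placeholder.
"""

# dot1dTpFdbPort: OID index = the MAC as six decimal octets, value = bridge port
FDB_OID = ".1.3.6.1.2.1.17.4.3.1.2."
# ipNetToMediaPhysAddress: OID index = ifIndex + dotted IPv4, value = the MAC
ARP_OID = ".1.3.6.1.2.1.4.22.1.2."

SAMPLE_FDB_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.172.22.160.1.2.3 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.192.0.8 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.220.166.50.10.11.12 = INTEGER: 12
"""

# The MAC value is printed as Hex-STRING when no MIB is loaded, and as STRING
# with the DISPLAY-HINT applied (leading zeros dropped) when one is; both occur.
SAMPLE_ARP_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.10.0.1.55 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.1.10.0.1.90 = STRING: ac:16:a0:1:2:3
.1.3.6.1.2.1.4.22.1.2.1.10.0.1.254 = STRING: 0:50:56:c0:0:8
"""


def _mac_from_dec_octets(parts):
    """Six decimal OID sub-identifiers -> canonical aa:bb:cc:dd:ee:ff."""
    if len(parts) != 6:
        raise ValueError(f"not a MAC index: {parts!r}")
    return ":".join(f"{int(p):02x}" for p in parts)


def _mac_from_value(value):
    """'Hex-STRING: 00 11 ...' or 'STRING: 0:11:...' -> canonical form."""
    kind, _, raw = value.partition(": ")
    octets = raw.split() if kind == "Hex-STRING" else raw.strip('"').split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC value: {value!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_fdb(walk):
    """Return {mac: bridge_port} from a dot1dTpFdbPort walk."""
    table = {}
    for line in walk.splitlines():
        oid, _, value = line.partition(" = ")
        if not oid.startswith(FDB_OID):
            continue
        mac = _mac_from_dec_octets(oid[len(FDB_OID):].split("."))
        table[mac] = int(value.partition(": ")[2])
    return table


def parse_arp(walk):
    """Return {ip: mac} from an ipNetToMediaPhysAddress walk."""
    table = {}
    for line in walk.splitlines():
        oid, _, value = line.partition(" = ")
        if not oid.startswith(ARP_OID):
            continue
        index = oid[len(ARP_OID):].split(".")   # ifIndex, then four IP octets
        table[".".join(index[1:5])] = _mac_from_value(value)
    return table


def join_tables(arp, fdb, switch="sw-core-1"):
    """(ip, mac, switch, port) rows; port is None if the switch never learned the MAC."""
    by_ip = sorted(arp.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    return [(ip, mac, switch, fdb.get(mac)) for ip, mac in by_ip]


def unmatched_fdb(arp, fdb):
    """MACs the switch learned but the router has no ARP entry for: devices that
    are on the LAN yet never talked through the router. Worth a closer look."""
    known = set(arp.values())
    return sorted(mac for mac in fdb if mac not in known)


if __name__ == "__main__":
    fdb, arp = parse_fdb(SAMPLE_FDB_WALK), parse_arp(SAMPLE_ARP_WALK)
    for row in join_tables(arp, fdb):
        print(row)
    print("switch-only MACs:", unmatched_fdb(arp, fdb))
```

Two caveats when you run this against real gear: the bridge port number is not an ifIndex (map it through dot1dBasePortIfIndex before naming the interface), and on VLAN-aware switches the forwarding database is usually per VLAN, so you either walk Q-BRIDGE-MIB or, on some vendors, index the community per VLAN.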
Continuous vs. periodic discovery
Many organisations still rely on periodic scans — running a discovery sweep weekly or monthly. This creates blind spots:
Devices that join the network between scans go undetected.
Temporary devices (contractor laptops, conference room equipment) may never be captured.
Changes to existing devices (OS upgrades, service changes) are not tracked in real time.
Continuous discovery addresses these gaps by:
Monitoring switch MAC address tables in near real time, via SNMP traps where the switch can send them on MAC learning events or via frequent polling where it cannot.
Detecting new ARP entries as they appear on routers and firewalls.
Running scheduled micro-scans of individual subnets throughout the day instead of one large sweep.
Processing syslog and DHCP lease data for immediate device detection; a DHCPACK in the DHCP server log is usually the earliest signal that a device has joined, and where 802.1X is deployed, RADIUS accounting adds the user and port.
The goal is to reduce your "detection gap" — the time between a device appearing on the network and your systems knowing about it — from days to minutes.
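The DHCP path is the cheapest one to start with, so here is an added example (not from the original article or the Gatekeeper product) that turns DHCP server syslog into new-device events and computes the detection gap a weekly sweep would have left. The log lines are constructed in the shape ISC dhcpd writes (`DHCPACK on <ip> to <mac> (<hostname>) via <iface>`); the hostnames, MACs, timestamps and the known-device inventory are invented for the example.

```python
"""New-device detection from DHCP server syslog, and the detection gap a
periodic sweep would have left.

The log lines are constructed in the shape ISC dhcpd writes; hosts, MACs,
timestamps and the inventory are invented for the example.
"""
import re
from datetime import datetime, timedelta

# Classic syslog prefix, then dhcpd's acknowledgement. The client hostname in
# parentheses is optional in the real format, so it is optional here too.
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed sample log: one known workstation renewing, one unknown device
# joining, one known device with no client hostname, and a DISCOVER to ignore.
SAMPLE_SYSLOG = """\
Mar  3 08:02:11 dhcp1 dhcpd[1201]: DHCPACK on 10.0.1.55 to 00:11:22:33:44:55 (ws-0142) via eth0
Mar  3 08:05:47 dhcp1 dhcpd[1201]: DHCPDISCOVER from dc:a6:32:0a:0b:0c via eth0
Mar  3 08:05:48 dhcp1 dhcpd[1201]: DHCPACK on 10.0.1.77 to dc:a6:32:0a:0b:0c (raspberrypi) via eth0
Mar  3 09:31:02 dhcp1 dhcpd[1201]: DHCPACK on 10.0.1.90 to ac:16:a0:01:02:03 via eth0
Mar  3 09:40:13 dhcp1 dhcpd[1201]: DHCPACK on 10.0.1.55 to 00:11:22:33:44:55 (ws-0142) via eth0
"""

# Placeholder inventory: MACs the CMDB already knows about.
KNOWN_MACS = {"00:11:22:33:44:55", "ac:16:a0:01:02:03"}


def parse_dhcpack(line, year=2024):
    """Parse one syslog line; None for anything that is not a DHCPACK.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = DHCPACK_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "mac": m["mac"].lower(),
            "hostname": m["host"], "iface": m["iface"]}


def new_device_events(log, known_macs, year=2024):
    """One event per MAC the first time it is acknowledged and is not in inventory."""
    seen = set(known_macs)
    events = []
    for line in log.splitlines():
        rec = parse_dhcpack(line, year)
        if rec is None or rec["mac"] in seen:
            continue            # not an ACK, a known device, or a renewal
        seen.add(rec["mac"])
        events.append(rec)
    return events


def detection_gap(event_ts, last_sweep, interval=timedelta(days=7)):
    """How long a sweep on a fixed schedule would have left the device unknown."""
    next_sweep = last_sweep
    while next_sweep <= event_ts:
        next_sweep += interval
    return next_sweep - event_ts


if __name__ == "__main__":
    last_weekly_sweep = datetime(2024, 3, 1, 2, 0)   # placeholder schedule
    for ev in new_device_events(SAMPLE_SYSLOG, KNOWN_MACS):
        print(ev["ts"], ev["mac"], ev["hostname"], ev["ip"],
              "weekly sweep would have waited", detection_gap(ev["ts"], last_weekly_sweep))
```

The same shape applies to any event source: parse, normalise the identifier, compare against inventory, emit an event. Feed the events to the enrichment and deduplication stage rather than straight into a ticket queue, or a phone that renews every hour becomes a hundred alerts.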
Handling multi-site and remote networks
Enterprise networks span multiple physical sites, cloud environments, and remote locations. Discovery must work across all of them.
Remote agents: Deploy lightweight scanning collectors at each site. They perform local discovery and report results to the central platform over a single outbound connection, which keeps scan traffic off WAN links and avoids opening inbound firewall rules so a central scanner can reach every site.
VPN and SD-WAN considerations: Discovery traffic should be deprioritised or rate-limited so it never competes with production traffic. Coordinate scan schedules to avoid overloading WAN links. Use site-local collectors rather than centralised scanning for bandwidth efficiency.
Cloud environments: Cloud-native inventory APIs (for example AWS Config or EC2 DescribeInstances, Azure Resource Graph, GCP Cloud Asset Inventory) provide asset data more completely and more cheaply than scanning address ranges, and they see instances that have no address reachable from your scanner at all. Integrate these APIs alongside traditional discovery rather than treating cloud workloads as just another subnet.
Air-gapped networks: For networks without internet connectivity, deploy a local instance of your discovery platform. Export and import data via secure media when needed.
From discovery to CMDB
Raw discovery data is only useful when it feeds into a structured Configuration Management Database (CMDB). The transition from discovery to CMDB involves:
Deduplication: The same device appears in multiple scans with different identifiers (IP address, MAC address, hostname). Merge these into a single record, but choose the merge keys with care: an IP address is reassigned by DHCP and is a weak identifier on its own, modern phones and laptops randomise their Wi-Fi MAC per network, and generic hostnames such as "iphone" or "localhost" collide. Treat a stable, globally assigned MAC or a managed hostname as a merge key and an IP address as an attribute.
Enrichment: Augment discovered data with vendor information (MAC vendor lookup), vulnerability data (CVE matching), and lifecycle data (end-of-life dates).
Classification: Categorise devices by type (server, workstation, switch, printer, IoT). Assign owners and locations.
Relationship mapping: Map how devices connect to each other, which applications run on which servers, and which switches connect to which access points.
Automate as much of this pipeline as possible. Manual CMDB maintenance is a losing battle — the data goes stale faster than humans can update it.
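The deduplication and enrichment steps above, as an added example in Python (not code from the original article or from the Gatekeeper product): records from an ARP sweep, SNMP, WMI, an agent and DHCP are merged when they share a normalised MAC or a non-generic hostname, IP addresses are kept only as attributes, MACs with the locally-administered bit set (randomised client addresses) are flagged and never used as a key, and each merged device is enriched with a vendor from a tiny constructed OUI table (the real source is the IEEE registry). All records, hostnames and the placeholder vendor entries are constructed sample data.

```python
"""Deduplicate discovery records from several sources and enrich them.

Merge keys: a normalised, globally assigned MAC, or a hostname that is not
on the generic list. IPs are attributes only (DHCP reuses them). Records,
hostnames and the tiny OUI table are constructed sample data.
"""
import re
from collections import defaultdict

# Placeholder subset of the IEEE OUI registry, keyed by the first three octets.
OUI_VENDORS = {"00:11:22": "ExampleCorp", "dc:a6:32": "Raspberry Pi", "00:50:56": "VMware"}
GENERIC_HOSTNAMES = {"iphone", "android", "localhost", "unknown"}

SAMPLE_RECORDS = [
    {"source": "arp_sweep", "ip": "10.0.1.55", "mac": "00:11:22:33:44:55"},
    {"source": "snmp_fdb", "mac": "0011.2233.4455", "switch": "sw-core-1", "port": 3},
    {"source": "wmi", "ip": "10.0.1.55", "mac": "00-11-22-33-44-55", "hostname": "WS-0142"},
    {"source": "agent", "hostname": "ws-0142", "os": "Windows 11"},
    {"source": "dhcp", "ip": "10.0.1.77", "mac": "dc:a6:32:0a:0b:0c", "hostname": "raspberrypi"},
    {"source": "arp_sweep", "ip": "10.0.1.77", "mac": "00:50:56:c0:00:08"},   # IP reused
    {"source": "dhcp", "ip": "10.0.1.120", "mac": "da:1b:5c:7e:9f:00", "hostname": "iphone"},
]


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455, 001122334455."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """Bit 1 of the first octet set: locally administered, i.e. not a stable burned-in MAC."""
    return int(mac[:2], 16) & 0x02 != 0


def merge_keys(rec):
    """Identifiers safe to merge on. Normalises rec['mac'] in place as a side effect."""
    keys = []
    if "mac" in rec:
        rec["mac"] = normalize_mac(rec["mac"])
        if not is_locally_administered(rec["mac"]):
            keys.append(("mac", rec["mac"]))
    host = (rec.get("hostname") or "").lower()
    if host and host not in GENERIC_HOSTNAMES:
        keys.append(("host", host))
    return keys


class _DSU:
    """Union-find over record indices and identifier keys."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def deduplicate(records):
    """Merge records that are transitively linked by a shared key; sorted by MAC."""
    dsu, keyed = _DSU(), []
    for i, rec in enumerate(records):
        rec = dict(rec)
        keys = merge_keys(rec)
        keyed.append((i, rec))
        for k in keys:
            dsu.union(("rec", i), k)
    groups = defaultdict(list)
    for i, rec in keyed:
        groups[dsu.find(("rec", i))].append(rec)
    devices = []
    for members in groups.values():
        dev = {"sources": sorted({m["source"] for m in members}),
               "ips": sorted({m["ip"] for m in members if "ip" in m})}
        for m in members:                     # first source to report a field wins
            for k, v in m.items():
                if k not in ("source", "ip"):
                    dev.setdefault(k, v)
        devices.append(dev)
    return sorted(devices, key=lambda d: d.get("mac", ""))


def enrich(device, oui_table=OUI_VENDORS):
    """Add vendor and a randomised-MAC flag; a randomised MAC has no meaningful vendor."""
    mac = device.get("mac")
    if mac:
        device["randomized_mac"] = is_locally_administered(mac)
        device["vendor"] = "n/a (randomised)" if device["randomized_mac"] else oui_table.get(mac[:8], "unknown")
    return device


if __name__ == "__main__":
    for dev in deduplicate(SAMPLE_RECORDS):
        print(enrich(dev))
```

Two things the sample exercises that bite in production: the same IP (10.0.1.77) appears under two MACs and correctly stays two devices, and the phone with a randomised MAC is kept as a separate, flagged record rather than being merged into something it is not. A further step for real data is a conflict policy for fields that disagree between sources (the example simply keeps the first), so that an agent's OS version beats an old credential scan rather than the other way round.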