Security Center: Asset discovery

Last Updated: Mar 31, 2026

Asset discovery automatically maps your Alibaba Cloud assets and any associated assets exposed to the internet — including domain names, IP addresses, and certificates. It identifies exposure risks, generates attack path graphs, and gives you a complete inventory to reduce your attack surface.

Edition requirements: This feature is in public preview and is available only on Enterprise Edition and Ultimate Edition. It is free of charge during the public preview.

Key concepts

Cloud Assets are instances of cloud products enabled in your Alibaba Cloud account that asset discovery supports — for example, Elastic Compute Service (ECS), Server Load Balancer (SLB), and elastic IP addresses (EIPs).

Shadow Assets are assets not directly created by your account. The system discovers them through association analysis of public information, such as Certificate Transparency logs and DNS records.

Every asset has an ownership status that controls whether it is scanned and analyzed:

| Status | Description | Effect on scanning |
|---|---|---|
| Attributed | Confirmed to belong to the current account. | Continuously scanned for vulnerabilities and exposure. Also used as a starting point to discover associated Shadow Assets. |
| Unconfirmed | Discovered by the system, but ownership not yet confirmed. | Not included in vulnerability scanning or attack path analysis. |
| To Be Investigated | Ownership is under investigation. | Not included in vulnerability scanning or attack path analysis. |
| Ignored | Confirmed as a non-corporate asset, or excluded from scanning scope. | Excluded from all scanning and risk analysis. |
Important

Only Attributed assets are scanned. Confirming Unconfirmed assets as Attributed expands the scan baseline and enables the system to discover more associated Shadow Assets.

How it works

  1. Asset mapping — The system syncs Cloud Assets in your account (marked Attributed) and uses association analysis to discover Shadow Assets (marked Unconfirmed).

  2. Cloud product exposure analysis — Vulnerability scanning and exposure analysis run on all Attributed assets.

  3. Attack path analysis — The system integrates high-risk assets and their access relationships to generate attack path graphs and Attack Risk data.

  4. Asset inventory — Manually confirm the ownership of Unconfirmed assets. Assets confirmed as Attributed become a new scan baseline, triggering discovery of more associated Shadow Assets.

  5. Attack risk handling — Review and remediate exposed ports, vulnerabilities, and other risks surfaced by the scan.

Prerequisites

Before you begin, ensure that you have:

  • A Security Center Enterprise Edition or Ultimate Edition subscription

  • (Optional) Web Application Firewall (WAF), Cloud Firewall, or other access control policies — if deployed, add the scanner IP ranges to your allowlist first (see Step 1)

Supported cloud products: Web Application Firewall, Elastic Compute Service, public-facing Server Load Balancer, and more. For more information, see Supported cloud products.

Scan assets

Assets in the Chinese mainland and assets outside the Chinese mainland require separate scan tasks. Select the correct region in the top-left corner of the console before starting a scan.

Step 1: Add scanner IPs to your allowlist (optional)

If WAF, Cloud Firewall, or host security policies are active in your environment, add the Security Center scanner IP ranges to your allowlist to prevent scans from being blocked:

  • Outside Chinese mainland: 43.106.35.0/24

  • Chinese mainland: 47.102.22.128/25
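When a scan fails or times out, the first question is whether a firewall or WAF deny entry came from one of the two ranges above rather than from some other source. The following Python script is an added example, not Alibaba Cloud code: it checks each source address in a deny log against the two CIDRs listed above. The log line format and the addresses in the sample are constructed for illustration (a real Cloud Firewall or WAF export will look different); only the two CIDRs are taken from this page.

```python
import ipaddress
import re

# Official Security Center scanner ranges from Step 1 of this page.
SCANNER_RANGES = {
    "outside-mainland": ipaddress.ip_network("43.106.35.0/24"),
    "mainland": ipaddress.ip_network("47.102.22.128/25"),
}

# Constructed deny-log sample (made up for this example; not a real
# Cloud Firewall or WAF log format). Destinations use RFC 5737 addresses.
SAMPLE_LOG = """\
2026-03-31T02:14:07Z action=deny src=43.106.35.17 dst=203.0.113.10 dport=443
2026-03-31T02:14:09Z action=deny src=198.51.100.23 dst=203.0.113.10 dport=22
2026-03-31T02:15:01Z action=allow src=47.102.22.200 dst=203.0.113.11 dport=80
2026-03-31T02:15:44Z action=deny src=47.102.22.3 dst=203.0.113.11 dport=443
"""

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+)")


def scanner_region(ip):
    """Return the scanner region a source IP belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for region, net in SCANNER_RANGES.items():
        if addr in net:
            return region
    return None


def blocked_scanner_hits(log_text):
    """Return (src, region) for every denied connection from a scanner range.

    A non-empty result means the allowlist from Step 1 is missing or wrong:
    the scan was blocked before it reached the asset.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        region = scanner_region(m["src"])
        if m["action"] == "deny" and region is not None:
            hits.append((m["src"], region))
    return hits


if __name__ == "__main__":
    for src, region in blocked_scanner_hits(SAMPLE_LOG):
        print(f"blocked scanner traffic from {src} ({region} range)")
```

Note that 47.102.22.3 is deliberately outside 47.102.22.128/25 (that /25 covers .128 to .255), so the script does not flag it; matching on the CIDR rather than on a prefix string avoids that kind of mistake.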

Step 2: Start a scan

  1. Log on to the Security Center console. In the top-left corner, select the region where your assets are located: Chinese mainland or Outside Chinese mainland. In the left navigation pane, choose Risk Governance > Attack Management.

  2. In the Identify Assets dialog box, select a scan method:

    • Quick Scan: In the Data Statistics section, click Quick Scan in the Asset Scan area. The scan starts immediately across all supported Alibaba Cloud products.

    • Scheduled Scan: In the upper-right corner, click Scan Policy. On the Scan Policy Management tab, turn on Scheduled Scan and set the scan rules:

      • Scan Schedule Settings: Choose Every Day, Every Week (specify the day of the week), or Every Month (specify the day of the month).

        Note: To avoid affecting your services, schedule scans during off-peak hours.

      • Scan Time: The system starts the scan at a random time between 00:00 and 24:00 within the specified cycle. You cannot set an exact start time.

      • Scan Target Exclusion List: Exclude specific Attributed Domain Name or IP Information assets from the scan. If left blank, all Attributed assets are scanned.

        Note: This setting is only available after you have run at least one Quick Scan or Scheduled Scan. On the first run, the Domain Name and IP Information lists are empty.

      • Sensitive Assets: Set the scope of cloud products to scan. For a full list of supported products, see Supported cloud products.

    | Scan method | When to use |
    |---|---|
    | Quick Scan | Immediate, comprehensive asset inventory, for example emergency response to a security incident or a check after deploying a new service. |
    | Scheduled Scan | Ongoing attack surface monitoring. Run weekly or monthly to track changes continuously. |
  3. After the scan starts, Security Center runs three subtasks in sequence:

    1. Refresh Cloud Assets — Discovers and updates Cloud Assets and associated Shadow Assets in your account.

    2. Cloud Product Exposure Analysis Task — Runs vulnerability scanning and exposure analysis on Attributed assets.

    3. Attack Path Analysis — Analyzes access paths to generate Attack Risk data.

    Important

    All subtasks take about one hour to complete.

Step 3: Monitor scan progress

  1. In the upper-right corner of the Attack Management page, click Task Management.

  2. On the Task Management page, find your task. Each task type corresponds to a scan method:

    | Task type | Scan method |
    |---|---|
    | Manual Scan Task | Quick Scan |
    | System Scan Task | Scheduled Scan |
  3. In the Operation column for the main task, click Details to view the execution status of the three subtasks: Refresh Cloud Assets, Cloud Product Exposure Analysis Task, and Attack Path Analysis.

  4. In the subtask list, click Details in the Operation column to view the assets and instances associated with that subtask.

    Note

    • You cannot retry a scan for a single failed asset. Wait for the next scan cycle or manually trigger a "Quick Scan" to rescan all assets.

    • The failure of a scan on a single asset does not affect the scan results of other assets.

Step 4: Review and confirm asset ownership

After the scan, review newly discovered Shadow Assets and confirm their ownership.

  1. Go to the Identify Assets tab. On the Domain Name, IP, and Certificate subtabs, filter by Unconfirmed status.

  2. For each asset, verify ownership — for example, by consulting the business owner or checking your internal Configuration Management Database (CMDB).

  3. Click Change Status in the Operation column for the target asset. To process multiple assets at once, select them and click Change Status at the bottom of the list.

  4. In the Change Status dialog box, select a Handling Method:

    • Attributed — The asset belongs to the current account. It will be included in future scans and used to discover more Shadow Assets.

    • To Be Investigated — Ownership is unclear; keep investigating.

    • Ignored — The asset is a non-corporate asset or does not need scanning.

  5. (Optional) Enable Update to apply the status change in batches based on system association logic — for example, applying the same status to all domain names under the same certificate.
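The following Python model is an added example (not Security Center's own code) that ties together the "How it works" cycle and the ownership confirmation in Step 4: Cloud Assets start as Attributed, association analysis expands one hop from Attributed assets only and records what it finds as Unconfirmed Shadow Assets, confirming an asset makes it a new starting point, and the Update option propagates a status to all domain names under a shared certificate. The certificate ids, domain names and IP addresses are constructed (documentation-reserved names and RFC 5737 ranges); the real system reads Certificate Transparency logs and DNS instead of the two dictionaries here.

```python
# Added illustration of the ownership-status workflow described on this page.
# Not Security Center code; all certificates, domains and addresses are made up.

ATTRIBUTED = "Attributed"
UNCONFIRMED = "Unconfirmed"
TO_BE_INVESTIGATED = "To Be Investigated"
IGNORED = "Ignored"

# Public association sources as the system would see them:
# certificate id -> SAN domain names (CT-log style) and domain -> A record.
CERT_SANS = {
    "cert-aaa": {"www.example-corp.test", "api.example-corp.test"},
    "cert-bbb": {"api.example-corp.test", "legacy.example-corp.test",
                 "staging.example-corp.test"},
    "cert-ccc": {"unrelated.other.test"},
}
DNS_A = {
    "www.example-corp.test": "203.0.113.10",
    "api.example-corp.test": "203.0.113.11",
    "legacy.example-corp.test": "198.51.100.7",
    "staging.example-corp.test": "198.51.100.8",
    "unrelated.other.test": "192.0.2.99",
}


def associated(asset):
    """One hop of association analysis.

    domain      -> its A record, certificates listing it, sibling SANs
    certificate -> its SAN domain names
    IP address  -> domain names resolving to it
    """
    links = set()
    if asset in DNS_A:
        links.add(DNS_A[asset])
        for cert, sans in CERT_SANS.items():
            if asset in sans:
                links.add(cert)
                links.update(sans - {asset})
    elif asset in CERT_SANS:
        links.update(CERT_SANS[asset])
    else:
        links.update(d for d, ip in DNS_A.items() if ip == asset)
    return links


class Inventory:
    def __init__(self, cloud_assets):
        # Cloud Assets synced from the account start out Attributed.
        self.status = {a: ATTRIBUTED for a in cloud_assets}

    def scan_scope(self):
        # Only Attributed assets are scanned and used for attack path analysis.
        return {a for a, s in self.status.items() if s == ATTRIBUTED}

    def discover(self):
        """Asset mapping: expand one hop from every Attributed asset and record
        anything new as an Unconfirmed Shadow Asset. Unconfirmed, To Be
        Investigated and Ignored assets are never used as starting points."""
        found = set()
        for seed in self.scan_scope():
            for asset in associated(seed):
                if asset not in self.status:
                    self.status[asset] = UNCONFIRMED
                    found.add(asset)
        return found

    def change_status(self, asset, new_status, update=False):
        """Manual ownership confirmation (Step 4). With update=True the same
        status is applied to every known domain name under a certificate the
        asset shares, like the batch 'Update' option."""
        targets = {asset}
        if update:
            for cert, sans in CERT_SANS.items():
                if asset == cert or asset in sans:
                    targets.update(sans)
        changed = {t for t in targets if t in self.status}
        for t in changed:
            self.status[t] = new_status
        return changed


def walkthrough():
    """Seed with one Cloud Asset, discover, confirm, discover again."""
    inv = Inventory(cloud_assets=["www.example-corp.test"])
    first = inv.discover()   # cert-aaa, 203.0.113.10, api.*; legacy.* is out of reach
    inv.change_status("api.example-corp.test", ATTRIBUTED)
    second = inv.discover()  # api.* is now a seed: cert-bbb, 203.0.113.11, legacy.*, staging.*
    # Batch confirmation: staging.* shares cert-bbb, so legacy.* is confirmed too.
    batch = inv.change_status("staging.example-corp.test", ATTRIBUTED, update=True)
    return inv, first, second, batch


if __name__ == "__main__":
    inv, first, second, batch = walkthrough()
    print("first pass :", sorted(first))
    print("second pass:", sorted(second))
    print("batch      :", sorted(batch))
    print("scan scope :", sorted(inv.scan_scope()))
```

The walkthrough shows why the FAQ says an asset may go undiscovered: legacy.example-corp.test is only reachable through api.example-corp.test, so it stays invisible until api.* is confirmed as Attributed. It also shows the side of Update worth checking before you enable it: the propagated status lands on every domain name under the shared certificate, so a batch Ignored on one SAN would remove its siblings from the scan scope as well.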

Step 5: Handle attack risks

Risks discovered during the scan — such as exposed ports and vulnerabilities — are aggregated on the Attack Risk tab. For each risk, you can:

  • View the Attack Path and address risk points node by node along the path.

  • Use AI Analysis to get repair suggestions.

  • Click Add to Whitelist to exclude paths that are confirmed as risk-free.

For detailed remediation steps, see View and handle attack risks.

FAQ

Why did the scan fail or time out?

The scanner IP is likely blocked by WAF, Cloud Firewall, or a host security policy. Add all official scanner IP ranges to your allowlist (see Step 1), and make sure the asset is powered on and reachable during the scan.

Why wasn't an asset discovered?

Check the following:

  • The asset type must be a supported cloud product.

  • Asset discovery starts from Attributed assets. If the starting assets are still Unconfirmed, the system cannot use them to find associated assets.

  • If the asset is a Shadow Asset, its association with existing Attributed assets may be too weak for the system to detect automatically.