Article

An Evidence-Based Architecture for Trustworthy Asset Discovery in Cybersecurity-Critical IT Environments

by Ivana Ogrizek Biškupić 1,*, Mislav Balković 1,2,3,* and Ivan Bencarić 3

1 Department for Interdisciplinary Sciences, Algebra Bernays University, Gradišćanska ulica 24, 10000 Zagreb, Croatia
2 Rectorate of the Algebra Bernays University, Algebra Bernays University, Gradišćanska ulica 24, 10000 Zagreb, Croatia
3 Department for System Engineering and Cybersecurity, Algebra Bernays University, Gradišćanska ulica 24, 10000 Zagreb, Croatia
* Authors to whom correspondence should be addressed.
J. Cybersecur. Priv. 2026, 6(2), 67; https://doi.org/10.3390/jcp6020067
Submission received: 5 February 2026 / Revised: 24 March 2026 / Accepted: 2 April 2026 / Published: 7 April 2026
(This article belongs to the Special Issue Building Community of Good Practice in Cybersecurity)

Abstract

Asset discovery is a fundamental but inherently flawed capability in cybersecurity, as current methodologies frequently confuse preliminary discovery observations with definitive asset inventories, thereby obscuring uncertainty, restricting auditability, and eroding trust in security-critical decision-making. This work addresses the issue of inconsistent asset identification in dynamic IT settings by presenting an evidence-based architectural paradigm that clearly distinguishes observation, identity resolution, and inventory representation. The principal research aim is to develop and authenticate an architecture that maintains discovery evidence, facilitates deterministic, verifiable identity resolution, and supports interpretable inventory derivation. In contrast to state-centric and model-driven methodologies, the proposed architecture enhances (i) traceability through the preservation of time-scoped, method-attributed observations, (ii) identity continuity amidst dynamic conditions such as IP reassignment and infrastructure modifications, and (iii) auditability by facilitating the reconstruction of inventory claims from foundational evidence. An examined proof-of-concept implementation in a controlled yet realistic network environment shows superior identity stability, greater discovery traceability, and retention of historical context relative to traditional inventory models. The results validate the practicality and architectural benefits of the strategy; nevertheless, the evaluation is constrained by a lack of formalised performance indicators and adversarial robustness, which are recognised as priorities for further investigation.

1. Introduction

Precise asset identification is essential for successful cybersecurity governance, vulnerability management, and regulatory compliance in modern IT settings. Contemporary infrastructures are progressively dynamic and diverse, encompassing physical hardware, virtualised platforms, cloud services, and software-defined networks. In these situations, security measures are fundamentally reliant on the accuracy and reliability of asset inventories. Unidentified, misclassified, or outdated assets create vulnerabilities that diminish defensive capabilities, complicate incident response, and jeopardise compliance with regulatory standards such as the European Union’s NIS2 rule.
Notwithstanding its significance, asset discovery remains a formidable task. Numerous current solutions emphasise enumerating hosts and services while implicitly conflating raw discovery data with the declared inventory status. This design decision conceals ambiguity, restricts auditability, and complicates the analysis of asset identity over time, especially in contexts where locations, names, and configurations constantly alter. Consequently, security-related inventories may convey an unwarranted impression of completeness and precision, obscuring vulnerabilities rather than mitigating them.
Recent cybersecurity research increasingly characterises digital assets as dynamic sources of security risk rather than static infrastructure elements. Rossi et al. define cyberspace as a unique asset category, where its visibility, interaction, and connectivity significantly influence governance and risk management strategies [1]. This perspective underscores how ambiguity in asset representation influences higher-level security decisions, necessitating systematic methods for identifying and managing assets.
Expanding on this perspective, studies on security frameworks highlight that efficient governance inherently relies on precise asset inventories. Milaat and Lubell illustrate that a risk-based security council, linked to standards such as the NIST Cybersecurity Framework, becomes ineffective when asset documentation lacks traceability and structural coherence [2]. Reyes-Acosta et al. demonstrate that cybersecurity frameworks for edge and IoT environments prioritise identity and asset awareness within governance models. However, they fail to adequately define the mechanisms of discovery and correlation in highly dynamic contexts [3]. Policy-oriented research underscores this reliance, as Hossain et al. [4] note that cybersecurity regulations often falter at the operational level due to inadequate or obsolete asset documentation.
The challenge of maintaining reliable asset visibility escalates in scattered, essential infrastructure. Progoulakis et al. examine offshore oil and gas systems and demonstrate that geographically dispersed, remotely operated assets substantially complicate monitoring and discovery operations, thereby increasing vulnerability to cyber incidents [5]. Similar issues are recognised in IoT-enabled asset management, where Oyeniyi et al. emphasise data integration and consistency as ongoing impediments to sustaining coherent asset representations across diverse sources [6]. These data suggest that scale and heterogeneity intensify deficiencies in state-centric inventory models.
In cyber-physical and safety-critical systems, asset visibility is intricately linked to resilience and risk management. Amro and Gkioulos demonstrate that proficient cyber risk assessment for autonomous maritime systems relies on ongoing, verifiable knowledge of system components rather than static inventories [7]. This conclusion aligns with extensive maritime cybersecurity research, which consistently identifies unmanaged or poorly recognised assets as precursors to successful attacks rather than outcomes of detection failures [8]. Comparable outcomes are obtained in railway cybersecurity studies, where asset diversity and configuration drift hinder the integration of safety and security as well as incident response [9].
In addition to domain-specific studies, extensive cybersecurity research underscores the repercussions of incorrect asset data. Temara demonstrates that AI-driven cybersecurity systems adopt the assumptions inherent in their foundational asset inventories, thereby allowing erroneous or inadequately attributed asset data to influence automated decision-making processes directly [10]. Meta-analyses on governance indicate that audit readiness and compliance outcomes improve only when asset identification is consistent and traceable across security and GRC systems [11]. These findings establish that asset detection is necessary for effective automation and compliance, rather than merely an operational issue.
Numerous studies examine asset visibility from both evidential and temporal viewpoints. Vala and Vekariya assert that the reliability of digital forensic investigations depends on the preservation of contextual information about assets, including the methods and timing of observations [12]. Research on asset management in critical infrastructure highlights the need to address inventory inconsistencies, which impede response and recovery capacities [13]. The literature on dynamic risk assessment argues that real-time risk evaluation requires continuously updated, temporally relevant knowledge of assets [14].
Sector-specific cybersecurity assessments further substantiate these conclusions. Research in healthcare settings indicates that cyber risk management is hindered by a lack of understanding of interconnected assets, resulting in recurrent system exposures rather than isolated incidents [15]. Research on digital assets within financial systems underscores that vulnerability classification and risk analysis necessitate accurate asset attribution across protocol layers [16]. Reviews of cybersecurity in higher education often identify asset misclassification as a fundamental driver of institutional security failures [17].
Ultimately, technical analyses of healthcare IT infrastructures reveal that compromised systems are often due to deficiencies in detection and inventory processes rather than cryptographic vulnerabilities [18]. A cloud-centric cybersecurity study substantiates this assertion, highlighting that asset turnover and abstraction confound conventional inventory models and increase the risk of oversight [19]. Reviews of enterprise cybersecurity analytics similarly indicate that heterogeneous telemetry and insufficient asset correlation compromise the reliability of advanced security insights [20]. Recent work collectively emphasises the need for architectural methodologies that treat discovery outputs as evidence rather than established truths, thereby requiring a clear distinction between observation, identity resolution, and inventory status.
Recent surveys and analyses further substantiate the perspective that asset discovery is an architectural concern rather than merely an operational task. Effective threat categorisation in smart manufacturing systems relies on reliable identification of assets, attack surfaces, and their interdependencies across multiple system levels [21]. From a broader cybersecurity perspective, infrastructure visibility and contextual understanding of assets are increasingly recognised as prerequisites for effective defensive operations. Recent research extending the Cyber Kill Chain framework with a pre-chain phase emphasises that defensive activities must begin before traditional reconnaissance and intrusion stages by establishing situational awareness of the operational environment and its infrastructure components [22]. This perspective reinforces the importance of reliable asset identification and traceable infrastructure knowledge as foundational elements of cybersecurity governance and operational security.
Nevertheless, many security models implicitly assume stable, well-defined asset representations despite continual changes in operational environments. Kayan et al. assert that enhanced interconnectivity in industrial cyber-physical systems broadens the attack surface and blurs asset boundaries, suggesting that security failures frequently stem from inadequate visibility into system components rather than from shortcomings in individual controls [23]. Research on governance and learning reinforces this viewpoint, highlighting that reliable, verifiable asset modelling is essential to effective security operations, incident response preparedness, and decision-making across operational, analytical, and strategic domains [24].
Despite comprehensive studies on asset management, cybersecurity governance, and discovery tools, asset discovery is still primarily viewed as a state-centric enumeration task, in which discovery results are directly converted into authoritative inventory records. Such methodologies implicitly presuppose the stability, completeness, and accuracy of discovery data, despite extensive documentation indicating that observations are partial, temporally constrained, and methodologically dependent in dynamic and hybrid IT environments. Current solutions consequently tend to obscure uncertainty, restrict auditability, and complicate forensic and governance-related reasoning regarding asset status over time.
The literature examined consistently underscores the importance of accurate asset inventories for cybersecurity governance, risk management, and incident response. Nonetheless, numerous fundamental deficiencies remain inadequately addressed in current research and operational frameworks.
First, most discovery methodologies treat discovery outputs as definitive representations of asset status rather than as temporally bound evidence. This assumption conceals uncertainty and restricts the capacity to reconstruct the derivation of asset-related findings. Second, identity resolution is generally executed via implicit or private correlation methods, complicating the verification of how observations relate to asset identities. Consequently, maintaining asset continuity during infrastructure modifications remains a significant challenge. Third, current discovery systems frequently lack a clear architectural distinction among observation collection, identity resolution, and inventory interpretation. This conflation limits auditability and diminishes the ability to reinterpret discovery data as policies or operational conditions evolve.
These gaps underscore the need for design methodologies that view asset discovery as an evidence-based process rather than a state-centric enumeration. This study’s proposed architecture mitigates these shortcomings by maintaining discovery observations, implementing explicit identity resolution techniques, and deriving inventory state as a comprehensible abstraction.
The phrase digital asset in cybersecurity literature encompasses a range of meanings, including digital documents, media, cryptographic artefacts, and blockchain-based tokens. In this study, the word is employed in a more specific operational context pertaining to cybersecurity governance and infrastructure management. Digital assets denote recognisable components of IT infrastructure that can be detected using network or platform discovery methods and that are involved in operational system setups. The assets encompass physical and virtual hosts, network interfaces, IP addresses, services, and other infrastructure elements that constitute an organisation’s operational attack surface.
This work emphasises infrastructure-level assets rather than digital content or data artefacts, necessitating ongoing discovery and verification of their existence, configuration, and relationships to facilitate cybersecurity operations, including vulnerability management, attack surface monitoring, and compliance auditing.
The suggested architecture effectively tackles the challenge of dependable infrastructure asset discovery, specifically the accurate identification and monitoring of infrastructure entities under dynamic network settings characterised by partial, inconsistent, or temporally limited observations.
This paper proposes an evidence-based architectural model for asset discovery that clearly differentiates between observations, identity resolution, and inventory representation as distinct yet interconnected issues. The architecture specifically tackles the issue of unreliable identification of infrastructure assets in dynamic environments, where discovery observations are incomplete, time-sensitive, and frequently misintegrated into authoritative asset inventories. The proposed architecture treats discovery outputs as immutable, time-scoped evidence rather than definitive assertions of asset existence, employs deterministic, auditable identity-resolution processes, and derives inventory state as an interpretable, reversible abstraction. To the best of our knowledge, this work is among the first to formalise this separation as a general architectural principle for cybersecurity-critical asset discovery, with particular focus on traceability, identity continuity, and applicability of governance in dynamic environments. The following examples of cybersecurity situations in which accurate asset detection is important show why the suggested architecture is useful:
  • Monitoring the security of an enterprise network. In large businesses, network scans, endpoint agents, and cloud APIs continuously monitor hosts, interfaces, and services. Traditional inventory systems may create duplicate asset records or mistakenly combine unrelated observations because network identities, such as IP addresses, change frequently due to DHCP, virtualisation, or container orchestration. The suggested architecture enables retaining these observations as evidence, while deterministic identity resolution associates them with enduring infrastructure assets.
  • Industrial and important infrastructural settings. Operational technology (OT) networks and industrial systems frequently comprise diverse devices characterised by restricted agent support and insufficient visibility. Network-based discovery might sometimes find devices, depending on how they communicate or how they are split up. The design allows security analysts to piece together changes in device presence and configuration over time by keeping discovery outputs as time-scoped observations. That helps with incident investigation and regulatory auditing.
  • Managing cloud and hybrid infrastructure. In hybrid settings that mix on-premise systems with cloud platforms, assets can be automatically created, moved, or deleted. Platform APIs give you some information about resources, and network observations give you different views of the same infrastructure. The suggested design allows these observations to be connected into consistent asset identities without discarding information that does not fit.
In all of these situations, the system should automatically discover digital assets at the infrastructure level, including hosts, network interfaces, IP addresses, services, and virtual resources. These assets are part of the operational attack surface and must be continuously monitored to support vulnerability management, incident response, and compliance.
In these contexts, traditional methods that rely on human-assigned labels or static inventories do not work, since asset identities change constantly, infrastructure components may appear and disappear dynamically, and observations come from different discovery techniques. Because of this, static inventory models typically lose their identity continuity and capacity to trace history. The evidence-based architecture presented in this work solves these limitations by storing discovery observations, explicitly resolving asset identity, and deriving inventory state as an interpretable abstraction. The scientific contributions of this paper are as follows:
  • An evidence-based asset discovery architecture that distinctly delineates time-sensitive observations generated by discovery mechanisms, identity resolution processes that link observations over time, and the resultant inventory state utilised for operational and security decision-making. The proposed architecture enhances auditability, facilitates reliable change tracking, and strengthens trust in security-related asset data in dynamic, hybrid IT systems by maintaining discovery evidence separately from inventory statements.
  • Practical validation in cybersecurity contexts via a proof-of-concept implementation assessed in authentic network environments. The assessment reveals that the clear delineation of observation, identity, and inventory status is achievable through modern open-source technologies, thereby addressing prevalent cybersecurity vulnerabilities such as asset duplication, loss of historical context, and undetected configuration drift.
This paper provides a conceptual and architectural framework for evidence-based asset discovery from a methodological standpoint. The suggested model delineates the distinction among discovery observations, identity resolution procedures, and inventory interpretation layers, which are frequently confounded in current discovery systems. The framework offers a structured architectural paradigm that facilitates deterministic identification resolution, preservation of discovery data, and auditable derivation of asset inventories, rather than presenting a discovery technique. The work formalises architectural principles for reliable asset discovery in cybersecurity-critical environments.
The subsequent sections of this paper are structured as follows. Section 2 examines asset discovery from a cybersecurity lens and evaluates the structural deficiencies of existing methodologies. Section 3 presents a comparative analysis of current asset discovery techniques and their deficiencies, followed by Section 4, which presents the proposed evidence-based asset discovery architecture and its fundamental design concepts. Section 5 delineates the proof-of-concept execution and its assessment in operational settings. Section 6 examines the implications for cybersecurity governance and delineates constraints before we conclude this paper with a discussion of future research directions.

2. Asset Discovery, Cybersecurity, and Structural Deficiencies of Existing Methodologies

Asset discovery is a fundamental capability in cybersecurity, as it delineates the extent of systems, services, and components that require protection, monitoring, and governance. Fundamental security functions—such as vulnerability management, configuration compliance, incident detection, and response—implicitly depend on the presumption that asset inventories are precise, comprehensive, and current. When this assumption is violated, security measures rest on unreliable foundations, leading to undetected vulnerabilities, misallocated risks, and misplaced confidence in the organisation’s security posture. The increasing adoption of virtualisation, cloud computing, and hybrid deployment models has transformed asset discovery from a periodic administrative task into a continuous, highly structured process.
This section analyses asset discovery through the lenses of cybersecurity and governance, focusing on the architectural assumptions that influence the generation, correlation, preservation, and interpretation of discovery data. The analysis emphasises structural characteristics that affect identity continuity, evidence traceability, and trust in security-critical asset inventories, rather than offering a comprehensive review of discovery tools.

2.1. Principal Asset Identification Methodologies

Modern asset discovery methods can be classified into three primary categories: network-based, agent-based, and platform-integrated. Each method offers distinct benefits and drawbacks, and none provides a comprehensive or definitive assessment of asset condition when used in isolation.
Network-based discovery utilises active probing methods to detect hosts, accessible services, and exposed network interfaces. These methods provide extensive coverage without requiring prior access to target systems, making them suitable for preliminary reconnaissance and external attack-surface evaluation. Network-based discovery inherently provides a temporary perspective on reachability rather than a conclusive assessment of asset existence, and network segmentation, access controls, and temporal availability limit its efficacy.
Agent-based discovery gathers comprehensive system-level data by executing software components directly on controlled hosts. This method provides comprehensive insight into configuration, installed software, and runtime attributes, but relies on deployment viability, credential management, and platform compatibility. Consequently, agent-based discovery frequently yields inconsistent coverage and systematic gaps, especially in heterogeneous or partially managed settings.
Platform-integrated discovery uses authoritative data sources from hypervisors, orchestration platforms, or cloud provider control planes. These methods provide organised, high-fidelity data on allocated resources, yet they reflect the stated system condition rather than the actual operational reality. Assets created, altered, or disposed of outside formal provisioning processes may consequently evade detection, especially in highly automated or decentralised settings.
Although contemporary discovery solutions often integrate these methodologies, the architectural handling of discovery outputs is a more critical factor in determining reliability than the techniques utilised. Within the scope of this study, these discovery strategies are employed to pinpoint infrastructure assets detectable via network and platform telemetry, rather than more general classifications of digital assets such as documents, data artefacts, or cryptographic entities.

2.2. Discovery Outputs Represented as State Rather than Evidence

A widespread structural constraint in discovery methodologies is the characterisation of discovery outputs as conclusive inventory states rather than as temporal observations subject to uncertainty and deterioration. Discovery outcomes are typically integrated into a singular authoritative representation, superseding previous data and eliminating ambiguity.
Active scans yield snapshots of network accessibility instead of exhaustive inventories of assets. Agent-based systems cover only the subset of hosts on which agents are deployed and operational. API-driven discovery reveals the stated condition of managed platforms but may not reflect their true operational status. In all instances, discovery outputs are incomplete, method-dependent, and time-constrained.
By integrating these observations directly into inventory records, current systems conceal the origin and constraints of the foundational data. This architectural decision reduces auditability, complicates forensic reconstruction, and fosters a false sense of certainty in dynamic environments.

2.3. Identity Resolution and Asset Continuity

Identity resolution is a continual, inadequately addressed challenge within asset discovery frameworks. Numerous discovery systems associate observations using variable identifiers such as IP addresses, hostnames, or network locations, despite the widespread use of dynamic addressing, virtualisation, containerisation, and network address translation.
Consequently, assets may be duplicated, improperly merged, or discreetly replaced within inventories over time. Although certain platforms use heuristic or probabilistic matching algorithms to address these challenges, such mechanisms are often opaque, irreversible, and difficult to audit. The absence of clear, well-defined identity resolution undermines trust in asset inventories and propagates inaccuracies into subsequent security processes that depend on consistent asset identifiers.
From a cybersecurity standpoint, identity instability hinders longitudinal analysis, impedes vulnerability tracking, and complicates incident investigation, particularly in environments with short asset lifecycles and rapidly evolving configurations.

2.4. Auditability, Historical Traceability, and Temporal Reasoning

A significant shortcoming of current discovery architectures is inadequate support for historical traceability and temporal reasoning. Most tools emphasise providing a contemporary “source of truth” perspective on assets, often disregarding or consolidating previous discovery evidence. These limitations directly influence the evaluation criteria introduced in Section 3.
This design obscures the provenance of asset records and hinders temporal analysis. Security teams frequently struggle to determine the initial appearance of an asset, the duration of a vulnerable configuration, or the method of discovery that yielded a specific assertion. The lack of preserved discovery evidence limits forensic analysis, undermines compliance verification, and complicates the validation of security assertions.
In cybersecurity-critical environments, where accountability and evidentiary precision are paramount, the absence of temporal context constitutes a fundamental architectural deficiency rather than a mere usability issue.

2.5. Operational and Governance Limitations

The operational realities exacerbate these structural constraints. Enterprise-grade discovery platforms offer comprehensive coverage and governance capabilities, yet often entail substantial licensing costs, architectural rigidity, and vendor dependence. These factors impede accessibility for smaller organisations, research settings, or regulated industries, necessitating architectural transparency.
In contrast, lightweight and open-source tools generally prioritise deployability and transparency but lack comprehensive identity reconciliation, governance controls, and scalable orchestration mechanisms. Organisations are often compelled to exchange coverage for transparency or operational feasibility for architectural integrity.
Credential management, data residency, and access control present supplementary governance challenges. Discovery systems frequently require elevated privileges and collect sensitive infrastructure metadata; however, few platforms provide precise control over who can generate, interpret, or assert inventory conclusions. These deficiencies hinder adoption in settings governed by rigorous regulatory or security standards.

2.6. Architectural Considerations

These observations collectively suggest that the primary limitations of existing asset discovery solutions stem not from individual scanning methods but from state-centric architectural assumptions. Approaching discovery as a mere act of enumeration, rather than as a process of generating evidence, leads to inventories that obscure uncertainty, deteriorate with change, and impede substantive auditing.
Rectifying these deficiencies necessitates reimagining asset discovery as a pipeline that retains raw observations, implements explicit, deterministic identity resolution, and derives inventory state as an auditable, reversible interpretation rather than as an unassailable truth. To clarify the conceptual stages involved in asset discovery and to highlight where structural assumptions are commonly introduced, Figure 1 presents a high-level asset discovery pipeline, illustrating the progression from raw observations to identity resolution and inventory representation.
This architectural reconfiguration lays the groundwork for the evidence-based asset discovery model detailed in the subsequent sections.
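The identity instability described in Section 2.3 and the three-stage pipeline described above can be seen side by side in a small sketch. This is an added example, not the authors' implementation: the `Observation` record, the choice of `vm_uuid` and `mac` as stable identifiers, the function names and the sample evidence are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumption: only these attributes carry identity; IP addresses and names do not.
STABLE_KEYS = ("vm_uuid", "mac")

@dataclass(frozen=True)          # frozen: evidence is never edited after capture
class Observation:
    observed_at: datetime        # when the observation was made
    method: str                  # which discovery method produced it
    attrs: tuple                 # sorted (key, value) pairs

    def get(self, key):
        return dict(self.attrs).get(key)

def obs(ts, method, **attrs):
    return Observation(datetime.fromisoformat(ts), method, tuple(sorted(attrs.items())))

# Constructed evidence: web01 moves from .5 to .9 and DHCP hands .5 to another host.
EVIDENCE = [
    obs("2026-01-10T08:00:00", "nmap_arp", ip="10.0.0.5", mac="aa:bb:cc:00:00:01"),
    obs("2026-01-10T08:05:00", "hypervisor_api", ip="10.0.0.5",
        mac="aa:bb:cc:00:00:01", vm_uuid="vm-1", name="web01"),
    obs("2026-01-11T08:00:00", "nmap_arp", ip="10.0.0.5", mac="aa:bb:cc:00:00:02"),
    obs("2026-01-11T08:00:00", "nmap_arp", ip="10.0.0.9", mac="aa:bb:cc:00:00:01"),
    obs("2026-01-11T09:00:00", "icmp_ping", ip="10.0.0.7"),
]

def state_centric_inventory(observations):
    """Contrast case: one record per IP address, newer data overwrites older data."""
    inventory = {}
    for o in sorted(observations, key=lambda o: o.observed_at):
        inventory.setdefault(o.get("ip"), {}).update(dict(o.attrs))
    return inventory

def resolve_identities(observations):
    """Group observations that share any stable identifier (union-find).

    Returns ({asset_id: [observations]}, [observations with no stable identifier]).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            # The smaller string always becomes the root, so the asset id
            # does not depend on the order in which evidence arrives.
            parent[max(ra, rb)] = min(ra, rb)

    keyed, unresolved = [], []
    for o in observations:
        ids = [f"{k}={o.get(k)}" for k in STABLE_KEYS if o.get(k)]
        if not ids:
            unresolved.append(o)            # kept as evidence, not discarded
            continue
        for other in ids[1:]:
            union(ids[0], other)
        keyed.append((ids[0], o))

    assets = {}
    for ident, o in keyed:
        assets.setdefault(find(ident), []).append(o)
    return assets, unresolved

def inventory_as_of(observations, as_of):
    """Derive inventory state from the evidence visible at `as_of`.

    Every attribute value is returned with the method and time that support it.
    """
    visible = [o for o in observations if o.observed_at <= as_of]
    assets, unresolved = resolve_identities(visible)
    inventory = {}
    for asset_id, group in assets.items():
        record = {}
        for o in sorted(group, key=lambda o: o.observed_at):
            for key, value in o.attrs:
                record[key] = (value, o.method, o.observed_at.isoformat())
        inventory[asset_id] = record
    return inventory, unresolved

if __name__ == "__main__":
    print("state-centric:", state_centric_inventory(EVIDENCE))
    for when in (datetime(2026, 1, 10, 23, 59), datetime(2026, 1, 12)):
        inv, loose = inventory_as_of(EVIDENCE, when)
        print(when.isoformat(), inv, "unresolved:", len(loose))
```

The IP-keyed inventory ends up attaching `vm-1` and the name `web01` to the newcomer's MAC address, while the evidence-based derivation keeps two assets, follows `web01` to its new address, and can be recomputed for any earlier point in time.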

3. Comparative Analysis of Current Asset Discovery Techniques

This section provides a comparative analysis of notable asset discovery tools and methodologies to assess their effectiveness in addressing the architectural deficiencies outlined in Section 2. This analysis aims to investigate how various architectural design decisions influence evidentiary traceability, identity continuity, auditability, and governance appropriateness in cybersecurity-critical contexts, rather than ranking tools based on feature completeness or operational maturity.

3.1. Assessment Framework and Selection Justification

The comparative analysis is organised according to five architectural evaluation dimensions, directly derived from the deficiencies identified in Section 2:
  • Observation fidelity refers to the degree to which discovery outputs are maintained as time-specific, method-credited evidence instead of being reduced to inferred states;
  • Identity resolution transparency refers to the clarity, determinism, and auditability of the methods employed to associate observations with asset identities;
  • Temporal traceability refers to the capacity to reconstruct the evolution of an asset over time, encompassing its appearance, disappearance, and configuration alterations;
  • Governance and audit support—the extent to which discovery processes and resultant inventories facilitate accountability, access control, and compliance verification;
  • Architectural transparency and extensibility—the clarity of internal data models and the capability to incorporate supplementary discovery sources or alter correlation logic.
Tools were chosen to exemplify specific architectural philosophies rather than to offer comprehensive coverage of the asset discovery domain. The analysis concentrates on four prevalent and conceptually distinct methodologies:
  • Nmap signifies low-level, evidence-based network surveillance;
  • Open-AudIT Community signifies inventory-focused normalisation and change monitoring;
  • NetBox exemplifies model-driven “source-of-truth” architectures;
  • Lansweeper exemplifies an enterprise-level, multifaceted discovery and governance platform.
Collectively, these tools span from basic observation to comprehensive inventory and governance solutions.

3.2. Nmap: Evidence-Based Network Surveillance

Nmap represents the fundamental tier of asset discovery: direct, replicable observation of network-accessible systems and services. Its discovery mechanisms integrate ICMP-based methods with TCP and UDP probing to facilitate host detection under diverse network filtering conditions. In local networks, ARP and IPv6 Neighbor Discovery augment detection reliability.
Nmap’s principal strength, from an architectural standpoint, resides in its observational fidelity. Each scan generates precise, time-stamped outcomes that represent the observable network condition at the time of execution. The extensible scripting engine facilitates targeted enhancements, enabling discovery to be tailored to specific security contexts.
Nmap intentionally refrains from implementing persistent identity management. Observations lack inter-scan correlation, historical continuity is absent, and no inventory abstraction is provided. Identity resolution, temporal reasoning, and governance controls are explicitly excluded from the scope. Thus, although Nmap provides robust evidence, it requires integration into advanced frameworks to support asset continuity, auditability, and operational decision-making.

3.3. Open-AudIT Community: Transitioning from Observation to Inventory

The Open-AudIT Community enhances network discovery by integrating active scanning with authenticated interrogation of managed hosts. This hybrid method facilitates enhanced system profiling, encompassing hardware features, installed software, and configuration parameters.
Architecturally, Open-AudIT marks a shift from mere observation to a continuous inventory representation. Discovery results are standardised and linked to asset records, whereas configuration changes are monitored over time rather than overwritten. This offers an effective method for identifying asset emergence, alteration, and elimination.
However, identity resolution in Open-AudIT relies on implicit, difficult-to-examine, and difficult-to-modify correlation rules. Although historical changes are documented, the foundational evidence of discovery is not maintained in a manner that facilitates independent reinterpretation or forensic verification. The governance features in the Community edition are limited; advanced access control, orchestration, and reporting capabilities are exclusive to commercial versions. Consequently, Open-AudIT enhances operational visibility but only partially fulfils evidentiary transparency and governance obligations.

3.4. NetBox: Architectures of Model-Driven Sources of Truth

NetBox employs a fundamentally distinct architectural approach, prioritising the explicit modelling of the desired infrastructure state over automated discovery. The data model encodes relationships among physical devices, virtual resources, network interfaces, IP addresses, and services, facilitating accurate reasoning regarding topology and dependencies. Discovery within the NetBox ecosystem occurs indirectly through external agents and ingestion pipelines that map observed data to NetBox’s established schema. This method guarantees structural uniformity and promotes integration with automation and infrastructure-as-code processes.
NetBox demonstrates proficiency in identity clarity, relationship modelling, and governance integration; however, its effectiveness is highly contingent on the quality and comprehensiveness of the ingested data. Observations that cannot be reconciled with the model are frequently discarded rather than retained as ambiguous evidence. Thus, NetBox emphasises inventory accuracy over evidentiary comprehensiveness, making it appropriate for environments with established governance practices but less effective as a primary discovery tool in highly dynamic or partially observed systems.

3.5. Lansweeper: Integrated Discovery at an Enterprise Scale

Lansweeper is a comprehensive, enterprise-focused asset discovery platform that incorporates multiple methods, including agentless scanning, endpoint agents, passive device identification, and cloud provider APIs. This multifaceted approach facilitates extensive coverage of on-premises, remote, and cloud-managed assets. Lansweeper architecturally distinguishes between decentralised data collection and centralised normalisation, enrichment, and analytics. Local scanning components operate in proximity to monitored assets, whereas a centralised platform performs correlation and inventory consolidation. This design facilitates scalability, diminishes network complexity, and provides comprehensive global visibility.
From a functional standpoint, Lansweeper demonstrates strong identity resolution and temporal continuity, consolidating observations into stable asset representations enriched with lifecycle, vulnerability, and dependency context. Nonetheless, its internal correlation logic and data models are proprietary, restricting transparency and auditability. Vendor-defined interfaces constrain customisation and extensibility, whereas cloud-centric deployments raise concerns about data residency and regulatory compliance. Lansweeper, despite its high operational maturity, sacrifices architectural openness to achieve convenience and scalability.

3.6. Comparative Analysis Across Architectures

The comparative analysis reveals that differences among asset discovery solutions are fundamentally architectural rather than incremental. Nmap emphasises evidentiary accuracy without persistence; Open-AudIT balances discovery with operational inventory needs; NetBox prioritises model consistency and governance; Lansweeper integrates discovery, inventory, and analytics at enterprise scale.
These methodologies embody contrasting assumptions regarding trust, uncertainty, and control. Tools favouring openness and transparency typically require greater architectural integration effort, whereas enterprise platforms offer convenience at the cost of internal visibility. No singular solution effectively addresses all evaluative dimensions concurrently.
Importantly, the analysis indicates that asset discovery effectiveness depends less on individual techniques than on how observations are preserved, correlated, and interpreted. This finding motivates the need for an architecture that decouples evidence collection from identity resolution and inventory assertion. These constraints arise from ambiguous identity reconciliation, the absence of historical evidence, and restricted auditability.

3.7. Implications for Evidence-Based Asset Discovery

The limitations observed in current asset discovery solutions indicate a common dependence on state-centric architectural assumptions, rather than merely highlighting isolated implementation deficiencies. Comparative analysis indicates that reliable asset discovery requires not merely the enhancement of individual tools but also an architectural distinction among evidence collection, identity resolution, and inventory assertion.
The tools examined illustrate that reliable asset discovery requires treating observations as first-class evidence, applying explicit, reversible identity resolution, and deriving the inventory state as an auditable interpretation. Section 4 formalises these insights by introducing an evidence-based asset discovery architecture that explicitly separates observation, identity resolution, and inventory representation as independent but interrelated concerns.

3.8. Architectural Novelty of the Proposed Approach

The proposed architecture diverges from current asset-discovery paradigms in several essential respects. Most contemporary discovery tools regard asset discovery outcomes as definitive inventory status. In these systems, discovery findings are promptly normalised and consolidated into a singular asset representation, frequently superseding prior knowledge. This state-centric methodology presupposes that discovery outcomes are comprehensive and reliable enough to reflect asset reality accurately.
This paper proposes an architecture that establishes an evidence-based discovery paradigm, distinctly separating observations, identity resolution, and inventory interpretation.
First, discovery outputs are maintained as immutable, time-bound observations instead of being promptly transformed into inventory status. This allows discovery data to be regarded as evidence that can be reinterpreted as correlation logic advances. Second, asset identities are created through explicit, predictable identity-resolution criteria applied to observations. This method replaces ambiguous heuristic merging with verifiable correlation reasoning.
Third, the inventory state is treated as a derived interpretation rather than an authoritative depiction of reality. Consequently, various inventory perspectives can coexist, all originating from the same foundational discovery evidence.
This architectural separation enables attributes that are challenging to achieve in traditional discovery systems, such as identity continuity across infrastructure changes, comprehensive traceability of inventory claims, and retrospective reconstruction of asset conditions. Thus, the innovation of the proposed study is not in a novel discovery approach but in a new architectural paradigm for asset discovery that regards discovery outputs as evidence rather than as a conclusive system state.

3.9. Comparison with Existing Architectural Paradigms

In addition to comparing specific discovery methods, it is beneficial to analyse asset discovery methodologies within the context of architectural paradigms. Diverse discovery systems inherently make different assumptions about the management of discovery observations, asset identities, and inventory representations. Three predominant paradigms can be discerned in current systems: state-centric inventory designs, model-driven source-of-truth architectures, and integrated enterprise discovery platforms. The architecture described in this study embodies a fourth paradigm centred on evidence preservation and clear identity resolution.
  • State-centric inventory systems generally regard discovery outputs as definitive representations of asset status. Discovery results are standardised and integrated into inventory records, frequently superseding prior information. This method streamlines operational utilisation but conceals uncertainty and restricts historical traceability.
  • Model-driven architectures, exemplified by source-of-truth systems, prioritise explicit infrastructure modelling and configuration consistency. They frequently depend on external discovery mechanisms and may exclude findings that cannot be aligned with the established data model.
  • Enterprise discovery platforms combine multiple discovery processes and provide robust operational capabilities. Nonetheless, their internal correlation mechanisms are often proprietary and opaque, limiting transparency and auditability.
This study’s evidence-based design distinctly delineates the processes of observation gathering, identity resolution, and inventory interpretation. Discovery outputs are maintained as unalterable evidence, identity resolution is executed using deterministic rules, and inventory state is obtained as an interpretable abstraction. Table 1 delineates the principal architectural distinctions among these models.

4. Evidence-Based Asset Discovery Architecture

This section presents an evidence-based architectural model for asset discovery to address the structural deficiencies identified in Section 2 and Section 3. The architecture, therefore, serves as a conceptual framework that formalises how discovery evidence, identity resolution, and inventory interpretation should interact in cybersecurity asset discovery systems. The goal is to ensure reliable asset visibility in dynamic environments by ensuring traceability, identity continuity, and auditability throughout the asset lifecycle. Building on the deficiencies identified in existing approaches, Figure 2 presents the proposed evidence-based asset discovery architecture, which explicitly separates observation, identity resolution, and inventory interpretation as independent but interconnected layers:
The architecture redefines asset discovery as a multi-phase evidentiary process in which observations are maintained as primary data, asset identities are clarified through explicit and verifiable methods, and inventory state is formulated as an interpretable abstraction rather than asserted as an indisputable fact.
The architecture distinguishes three entities to keep the concepts clear: observation, asset identity, and inventory representation. These entities correspond to different phases of the asset discovery process.
An observation is a time-scoped record that describes a property of an infrastructure element discovered using a specific discovery method. An observation can be formally expressed as a tuple:
$O = (t, m, A)$
where $t$ is the time of the observation, $m$ is the method used to obtain the observation, and $A$ is the set of observed attributes that describe the infrastructure component. Common attributes may include network identifiers, interface specifications, service details, or platform-specific metadata.
An asset identity is a persistent logical entity that collects observations about the same infrastructure asset over time.
An asset identity can be formally described as a collection of observations linked by identity resolution rules:
$I = \{O_1, O_2, \ldots, O_n\}$
where each observation $O_i$ meets the correlation requirements that determine whether two or more observations refer to the same asset. Asset identities provide continuity over time, even when attributes such as IP addresses change.
An inventory representation is a derived interpretation of asset identities used for operational or governance purposes. An inventory state can be formally represented as a function:
$S = f(I)$
where $f$ denotes the rules for interpreting the asset identities $I$ to obtain the inventory state $S$. These rules may specify whether observations are valid, how conflicts are resolved, and how asset lifecycle phases are represented.

4.1. Logical Model of Identity Resolution

Identity resolution determines whether repeated observations refer to the same piece of infrastructure. In the proposed architecture, identity resolution is characterised as a deterministic correlation process applied to observation attributes. Let $O$ be the set of all observations:
$O = \{O_1, O_2, \ldots, O_n\}$
Every observation $O_i$ is a tuple:
$O_i = (t_i, m_i, A_i)$
where $t_i$ is the time-stamp, $m_i$ is the discovery method, and $A_i$ is the set of observed attributes. Identity resolution is defined as a mapping function:
$R: O \to I$
where $I$ denotes the set of asset identities. The function $R$ uses a set of deterministic correlation criteria to assign each observation exactly one asset identity.
Let $C(A_i, A_j)$ be a correlation predicate that tests whether two observations refer to the same infrastructure asset. The predicate returns true when the conditions for matching attributes are met. Formally:
$C(A_i, A_j) = \text{true}$ if $\text{correlation\_rules}(A_i, A_j)$ are satisfied
Two observations pertain to the same asset identity if and only if the correlation predicate holds:
$R(O_i) = R(O_j) \Leftrightarrow C(A_i, A_j)$
The correlation rules may involve matching persistent identifiers, such as MAC addresses or platform instance identifiers, or network attributes, such as hostnames and interface information.

4.2. Algorithmic Workflow for Identity Resolution

The identity resolution process can be represented as a structured workflow that evaluates new observations against previously established asset identities. The workflow implements the logical model described in Section 4.2 and determines whether a new observation corresponds to an existing asset or represents a new infrastructure entity.
Figure 3 illustrates the algorithmic workflow of this process, including the following steps:
  • Observation ingestion—a new observation is received from the observation layer.
  • Attribute extraction—identifying attributes such as IP addresses, MAC addresses, hostnames, or platform identifiers are extracted from the observation.
  • Candidate search—the identity registry is queried to identify potential matching asset identities.
  • Correlation evaluation—deterministic correlation rules are applied to determine whether the observation matches an existing asset identity.
  • Identity assignment—if a valid match is found, the observation is linked to the corresponding asset identity.
  • Identity creation—if no match exists, a new asset identity is created, and the observation is associated with it.
Figure 3. Identity resolution workflow.
The input and output semantics of the three principal layers of the proposed architecture are described below to clarify the interaction among architectural components.
Observation layer—Input: discovery mechanisms including network scans, agent-based collectors, passive monitoring, or platform APIs. Output: structured observation records detailing identified infrastructure components. Every observation has a time-stamp, a discovery method identifier, and a collection of observed properties.
Identity resolution layer—Input: observation records generated by the observation layer. Output: asset identities denoting associated observations pertaining to the same infrastructure entity. Each identity consolidates numerous data points based on deterministic correlation principles.
Inventory analysis layer—Input: resolved asset identities and their corresponding observations. Output: inventory representations generated from asset identities in accordance with interpretation policies. These representations may encompass operational inventories, governance perspectives, or compliance-focused asset reports.
Table 2 delineates the input and output semantics of the three architectural levels, demonstrating the transformation of discovery observations into asset identities and subsequently into inventory representations. This organised perspective reinforces the distinction among evidence collection, identity resolution, and inventory analysis:
This clear description of layer semantics guarantees that discovery evidence, identity correlation, and inventory interpretation are conceptually distinct, facilitating the traceability and auditability of asset-related claims.

4.3. Principles of Architectural Design

The proposed architecture is informed by five design principles that directly stem from the limitations identified in current asset discovery solutions.

4.3.1. Observation as Primary Evidence

All discovery outputs are regarded as immutable, temporally-bound observations rather than definitive assertions of asset existence. Each observation is linked to specific metadata, including the discovery method, execution context, and time-stamp. Observations are neither overwritten nor discarded during standard operations.
This principle preserves evidentiary integrity and permits subsequent reinterpretation of discovery outcomes as correlation logic, asset definitions, or governance requirements evolve.

4.3.2. Clear and Deterministic Identity Resolution

Asset identity is not presumed to be intrinsic to discovery data; rather, it is determined through deliberate identity-resolution procedures that connect observations over time. Identity resolution rules are deterministic, verifiable, and reversible, allowing auditors and analysts to comprehend the construction of asset identities.
The architecture decouples identity resolution from data collection, thereby preventing ambiguous heuristic merging and ensuring consistent asset continuity during network reconfigurations, virtualisation, and redeployment events.

4.3.3. Inventory as a Derived and Interpretable Abstraction

The asset inventory is regarded as a derived representation, generated by analysing resolved identities and related observations in accordance with established policies. The inventory status is thus dependent on interpretative logic rather than on discovery mechanisms.
This separation enables the coexistence of multiple inventory perspectives, facilitates retrospective analysis, and safeguards contextual integrity during changes in asset state or reevaluations of observations.

4.3.4. Temporal Traceability and Historical Integrity

All architectural elements maintain historical integrity, facilitating the reconstruction of the asset’s existence, arrangement, and interrelations over time. Modifications to identity resolution logic or inventory policy do not invalidate prior observations; rather, they yield different interpretations.
Temporal traceability facilitates forensic analysis, compliance verification, and longitudinal security assessment, which are unattainable in state-centric discovery models.

4.3.5. Transparency in Governance

The architecture is structured to meet governance requirements by facilitating explicit attribution of discovery assertions, regulating access to interpretation logic, and separating data collection from the authority to assert inventory veracity.
This transparency is crucial in regulated settings where asset claims must be verifiable, subject to dispute, and auditable.

4.4. Architectural Elements and Data Transmission

The proposed architecture consists of three main layers, aligned with the separation of concerns.

4.4.1. Observation Layer

The observation layer executes discovery mechanisms and captures raw discovery outputs. It integrates diverse discovery sources, encompassing active network scans, agent-based collectors, passive monitoring, and platform APIs.
Each observation is documented as an unalterable event, with corresponding metadata, and stored independently of any assumptions about asset identity. The observation layer does not execute correlation, normalisation, or inventory allocation.

4.4.2. Identity Resolution Layer

The identity resolution layer associates observations with asset identities through defined correlation rules. These rules may consider various attributes, including network identifiers, hardware fingerprints, cryptographic elements, or platform-assigned identifiers. To make the identity resolution process explicit, Figure 4 depicts the underlying data model used to associate time-scoped observations with persistent asset identities:
The model highlights how time-scoped observations are associated with persistent asset identities through interface and addressing relationships. Crucially, identity resolution is treated as a logical process rather than a destructive transformation. Observations remain constant, and identity assignments may be amended or reassessed as new evidence emerges.

4.4.3. Inventory Analysis Layer

The inventory layer derives asset representations by interpreting resolved identities in accordance with defined policies. These policies establish criteria for authoritative observations, conflict resolution, and the representation of asset lifecycles.
Because inventory state is derived rather than asserted, multiple interpretations can coexist, supporting distinct operational, analytical, or compliance-oriented views of the same underlying evidence.

4.5. Architectural Attributes and Advantages

The evidence-based architecture exhibits several properties that directly address the shortcomings of state-centric discovery systems.
First, auditability is enhanced by preserving discovery evidence and explicit correlation logic. Asset claims can be traced back to specific observations and resolution rules.
Second, resilience to change is enhanced by dissociating asset identity from ephemeral network or platform identifiers. Assets remain identifiable despite reconfiguration, migration, or redeployment.
Third, interpretive flexibility enables organisations to adapt asset definitions and policies without re-collecting data or invalidating historical records.
Finally, governance and audit support are strengthened by separating data generation from authority, thereby ensuring data integrity, supporting accountability, and enhancing regulatory compliance.
The proposed architecture presumes a semi-trusted operational environment, wherein discovery processes yield observations that are not deliberately adversarial. This premise imposes significant constraints. The design does not inherently mitigate or detect identity spoofing attacks, including MAC address spoofing, IP address reassignment, or alteration of discovery responses. In hostile situations, such activities may result in erroneous data correlation and, thus, flawed asset identification. The architecture indirectly mitigates these risks by maintaining all observations as traceable data, facilitating retrospective analysis and the identification of inconsistencies. Nonetheless, it lacks inherent means for authenticating observed identifiers or safeguarding against malicious data injection.
Consequently, the suggested paradigm should be seen as evidence-preserving rather than trust-establishing, and its secure implementation in hostile contexts necessitates supplementary measures, such as cryptographic identity verification, secure discovery channels, or anomaly detection.

4.6. Identity Resolution Methodology

The identity resolution layer connects time-bound observations with persistent asset identities using a deterministic rule-based correlation mechanism. The proposed design emphasises clear, verifiable identity resolution logic rather than relying on obscure heuristic merging or probabilistic models.
Each observation comprises a collection of attributes characterising an observed infrastructure element. Common attributes include network identifiers (IP address, MAC address), host identifiers (hostname), interface identifiers, service characteristics, and platform-specific identifiers acquired via discovery procedures.
Identity resolution involves evaluating correlation rules to determine whether a new observation matches an existing asset identity or signifies a previously unrecognised asset. These rules are applied hierarchically according to attribute reliability.
Correlation may prioritise persistent hardware identifiers, such as MAC addresses or platform instance identifiers, followed by network-level features, such as IP addresses in conjunction with hostnames or interface characteristics. The overall identity resolution procedure can be articulated as follows:
  • Collect a new observation O from the observation layer.
  • Extract identifying attributes from O.
  • Search the identity registry for candidate assets with matching attributes.
  • Evaluate correlation rules according to predefined priority.
  • If a deterministic match is found, associate O with the corresponding asset identity.
  • If no valid match exists, create a new asset identity and associate O with it.
This rule-based methodology ensures that identity resolution is deterministic, verifiable, and reversible. Because observations are preserved as immutable evidence, identity assignments may be recalculated when correlation policies change or new observations are introduced.
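The workflow of Sections 4.2 and 4.6 is sketched below as an added illustration (not the authors' proof-of-concept code): the same immutable evidence is resolved under two rule sets, showing identity continuity across IP reassignment and the duplication that results when only network-level attributes are correlated. The rule functions, the attribute names (`platform_id`, `mac`, `hostname`, `ip`) and all evidence records are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """O = (t, m, A): immutable, time-scoped, method-attributed evidence."""
    t: int      # observation time (epoch seconds)
    m: str      # discovery method that produced the record
    A: tuple    # observed attributes as sorted (name, value) pairs

    def get(self, name):
        return dict(self.A).get(name)


def observe(t, m, **attrs):
    return Observation(t, m, tuple(sorted(attrs.items())))


# Correlation rules, most reliable attribute first. Each returns a match key,
# or None when the observation lacks the attributes the rule needs.
def rule_platform_id(o):
    return ("platform_id", o.get("platform_id")) if o.get("platform_id") else None


def rule_mac(o):
    return ("mac", o.get("mac").lower()) if o.get("mac") else None


def rule_hostname_ip(o):
    if o.get("hostname") and o.get("ip"):
        return ("hostname+ip", o.get("hostname").lower(), o.get("ip"))
    return None


DEFAULT_RULES = (rule_platform_id, rule_mac, rule_hostname_ip)


def resolve(observations, rules=DEFAULT_RULES):
    """R: O -> I. A pure function of the evidence and the rule list, so it can
    be re-run from scratch whenever the correlation policy changes."""
    registry = {}       # match key -> asset identity (the identity registry)
    assignments = []    # audit trail: (observation, identity, matching rule)
    created = 0
    for o in sorted(observations, key=lambda x: (x.t, x.m, x.A)):
        keys = [(r.__name__, k) for r in rules if (k := r(o)) is not None]
        identity = matched = None
        for name, key in keys:              # candidate search, priority order
            if key in registry:
                identity, matched = registry[key], name
                break
        if identity is None:                # no match: create a new identity
            created += 1
            identity, matched = f"asset-{created}", "new-identity"
        for _, key in keys:                 # learn keys; never steal an owned one
            registry.setdefault(key, identity)
        assignments.append((o, identity, matched))
    return assignments


def identities(assignments):
    """I = {O1, ..., On}: observations grouped by resolved identity."""
    grouped = {}
    for o, identity, _ in assignments:
        grouped.setdefault(identity, []).append(o)
    return grouped


def explain(assignments, identity):
    """Trace an identity back to its evidence and the rule that linked it."""
    return [(o.t, o.m, rule) for o, i, rule in assignments if i == identity]


# Constructed evidence: one host changes IP and later its NIC; a second host
# is then handed the first host's old IP address.
EVIDENCE = [
    observe(100, "arp-scan", mac="AA:BB:CC:00:00:01", ip="10.0.0.5", hostname="web01"),
    observe(200, "arp-scan", mac="aa:bb:cc:00:00:01", ip="10.0.0.9", hostname="web01"),
    observe(300, "arp-scan", mac="aa:bb:cc:00:00:02", ip="10.0.0.5", hostname="db01"),
    observe(400, "agent", platform_id="vm-7f3a", mac="aa:bb:cc:00:00:01", hostname="web01"),
    observe(500, "agent", platform_id="vm-7f3a", mac="aa:bb:cc:00:00:09", hostname="web01"),
]

if __name__ == "__main__":
    for label, rules in (("hierarchical", DEFAULT_RULES), ("hostname+ip only", (rule_hostname_ip,))):
        result = resolve(EVIDENCE, rules)
        print(label, "->", len(identities(result)), "identities")
        for o, identity, rule in result:
            print(f"  t={o.t} {o.m:8} {identity} via {rule}")
```

Because `resolve` never mutates the evidence, switching rule sets only changes the interpretation; the audit trail returned by `explain` shows which rule attached each observation.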

4.7. Scope and Exclusions

To avoid ambiguity, it is important to clarify what the proposed architecture does not attempt to address. The architecture does not prescribe specific discovery tools, scanning techniques, or correlation algorithms. Nor does it claim to eliminate uncertainty in asset discovery.
Instead, the contribution lies in making uncertainty explicit and manageable by preserving evidence, formalising identity resolution, and treating inventory state as an interpretable construct. Implementation choices, performance optimisation, and scalability considerations are addressed in the proof-of-concept evaluation presented in Section 5.

4.8. Summary

This section has presented an evidence-based architectural model for asset discovery that addresses persistent limitations in existing approaches. By separating observation, identity resolution, and inventory interpretation, the architecture enables traceable, auditable, and adaptable asset visibility in dynamic environments. The following section evaluates the practical feasibility of this architecture through a proof-of-concept implementation in real-world network settings.

5. Proof-of-Concept Implementation and Evaluation

This section provides a proof-of-concept (PoC) implementation intended to assess the practical viability of the evidence-based asset discovery architecture outlined in Section 4. The objective of the implementation is not to establish a production-level discovery platform, but to demonstrate that the proposed architectural division of observation, identity resolution, and inventory interpretation can be effectively implemented using modern technologies in practical network settings.
The assessment prioritises architectural behaviour over performance enhancement, highlighting traceability, identity continuity, and the interpretability of asset states over time.

5.1. Overview of Implementation

The proof-of-concept implementation follows the layered structure defined in Section 4, with distinct components corresponding to the observation layer, identity-resolution layer, and inventory-interpretation layer. Each component is executed as a standalone module with distinctly defined interfaces, facilitating examination, replacement, and iterative enhancement via a custom asset discovery platform, as shown in Figure 5:
The system integrates multiple discovery sources, including active network scanning and host-level interrogation, to generate heterogeneous observations. These observations are maintained as immutable, time-bound records and are neither overwritten nor condensed into stateful representations during ingestion.
Identity resolution logic is executed independently, utilising aggregated observations to determine asset identities via explicit correlation rules. Inventory representations are subsequently generated from established identities through policy-driven interpretative logic.
This modular design ensures the separation of architectural concerns during implementation, thereby directly mirroring the principles delineated in Section 4.

5.2. Experimental Environment

The proof-of-concept implementation was assessed in a controlled network environment that mimics the operational settings of mid-sized IT systems. The environment consisted of physical hosts, virtual machines, and network devices interconnected via a segmented network. Dynamic IP allocation was used to replicate infrastructure modifications commonly seen in virtualised and cloud-integrated environments. Discovery observations were obtained by regular network scans and host-level enquiries when credentials were accessible. Discovery cycles were conducted at regular intervals to replicate ongoing asset discovery operations. Table 3 outlines the configuration of the experimental environment:
The environment deliberately incorporated partial-visibility scenarios, including devices without agent deployment and dynamically reassigned network identifiers, to assess the architecture’s capacity to preserve identity continuity across discovery cycles.

5.3. Collection of Observations and Preservation of Evidence

The observation layer executes discovery mechanisms and documents their outputs as primary evidence. Periodic active network scans identify accessible hosts, exposed services, and network interfaces, whereas host-level interrogation yields additional configuration and platform-specific information when credentials are available.
Each observation is archived alongside metadata detailing the discovery method, execution context, time-stamp, and pertinent parameters. Observations are added to the evidence repository unaltered, preserving historical data for future analysis.
This design enables the system to maintain partial, contradictory, or transient observations without requiring immediate reconciliation, thereby preserving uncertainty rather than suppressing it.

5.4. Identity Resolution Mechanisms in the Proposed Architecture

Identity resolution is performed deterministically, mapping observations to asset identities using configurable correlation rules. These rules may consider various attributes, including network identifiers, hardware specifications, platform-assigned identifiers, or persistent cryptographic materials, contingent upon availability.
Identity resolution fundamentally relies on evidence rather than substituting for it. Observations remain constant, and identity assignments may be adjusted as new data emerge or as the correlation logic evolves. This supports consistent asset continuity during network reconfigurations, address reallocations, and system redeployment.
The implementation illustrates that explicit identity resolution enhances traceability and mitigates prevalent failure modes identified in state-centric discovery systems, including asset duplication, silent replacement, and loss of historical context.

5.5. Inventory Analysis and Asset Condition Assessment

The inventory layer generates asset representations by analysing resolved identities in accordance with established policies. These policies delineate the criteria for authoritative observations, conflict resolution, and the representation of asset lifecycles. The inventory state is derived rather than asserted, allowing the system to accommodate multiple concurrent interpretations of the same foundational evidence. Operational inventories may prioritise recent data, whereas governance-oriented perspectives may stress conservative inclusion and historical comprehensiveness.
This distinction facilitates retrospective analysis and policy development without the need to reinitiate discovery processes or to undermine prior evidence.
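The three layers described in Sections 5.3 to 5.5 can be sketched as follows. This is an added illustration, not code from the authors' repositories: the class and function names, the rule order (`serial`, then `mac`), the `max_age` policy parameter and all sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from types import MappingProxyType

@dataclass(frozen=True)
class Observation:
    obs_id: int
    seen_at: datetime
    method: str                 # discovery method that produced the record
    attrs: MappingProxyType     # read-only view of the observed attributes

class EvidenceStore:
    """Append-only evidence repository: no update or delete operation exists."""
    def __init__(self):
        self._log = []

    def append(self, seen_at, method, **attrs):
        obs = Observation(len(self._log) + 1, seen_at, method,
                          MappingProxyType(dict(attrs)))
        self._log.append(obs)
        return obs

    def all(self):
        return tuple(self._log)

# Correlation rules in priority order (assumed for this example). The IP
# address is deliberately not a rule: under DHCP it is an observed property.
RULES = ("serial", "mac")

def resolve(observations, rules=RULES):
    """Deterministically map obs_id -> (asset_id, matching rule).

    Observations are replayed in (time, id) order, so the same evidence and
    the same rules always give the same result. Records that carry none of
    the rule attributes stay unresolved instead of being guessed.
    """
    index, assignment, counter = {}, {}, 0
    for obs in sorted(observations, key=lambda o: (o.seen_at, o.obs_id)):
        present = [(a, obs.attrs[a]) for a in rules if obs.attrs.get(a)]
        if not present:
            assignment[obs.obs_id] = (None, "unresolved")
            continue
        hit = next((k for k in present if k in index), None)
        if hit is None:
            counter += 1
            asset_id, rule = f"asset-{counter}", "new"
        else:
            asset_id, rule = index[hit], hit[0]
        for k in present:               # learn identifiers, never reassign
            index.setdefault(k, asset_id)
        assignment[obs.obs_id] = (asset_id, rule)
    return assignment

def derive_inventory(observations, assignment, as_of, max_age=None):
    """Derive a view {asset_id: {attr: (value, obs_id)}} as of a point in time.

    Later observations win; every value keeps the id of the observation that
    supports it. `max_age` is the policy knob: set it for an operational
    view, leave it None for a governance view that keeps all history.
    """
    view = {}
    for obs in sorted(observations, key=lambda o: (o.seen_at, o.obs_id)):
        asset_id = assignment[obs.obs_id][0]
        too_old = max_age is not None and as_of - obs.seen_at > max_age
        if asset_id is None or obs.seen_at > as_of or too_old:
            continue
        for attr, value in obs.attrs.items():
            view.setdefault(asset_id, {})[attr] = (value, obs.obs_id)
    return view

def demo():
    """Constructed sample: two discovery cycles 30 minutes apart."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    t1 = t0 + timedelta(minutes=30)
    store = EvidenceStore()
    store.append(t0, "net-scan", mac="02:00:00:00:00:01", ip="10.0.0.5")
    store.append(t0, "host-query", serial="SN-A", mac="02:00:00:00:00:01",
                 ip="10.0.0.5", os="Debian 12")
    store.append(t0, "net-scan", mac="02:00:00:00:00:02", ip="10.0.0.6")
    # Cycle 2: DHCP moved host 1 to .9 and handed its old address to host 2.
    store.append(t1, "net-scan", mac="02:00:00:00:00:01", ip="10.0.0.9")
    store.append(t1, "net-scan", mac="02:00:00:00:00:02", ip="10.0.0.5")
    store.append(t1, "net-scan", ip="10.0.0.7")   # routed segment, no MAC seen
    obs = store.all()
    ids = resolve(obs)
    return {
        "ids": ids,
        "now": derive_inventory(obs, ids, as_of=t1),
        "then": derive_inventory(obs, ids, as_of=t0),
        "operational": derive_inventory(obs, ids, t1, timedelta(minutes=15)),
        "store": store,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the evidence is never modified, calling `resolve` again with a different rule tuple re-derives identities from the same records, and `derive_inventory` with an earlier `as_of` reconstructs a past state without rescanning.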

5.6. Assessment Outcomes

The proof-of-concept was evaluated in real-world network environments with diverse devices, dynamic addressing, and incomplete credential coverage. The assessment indicates that the proposed architecture can be implemented using open-source components and operate continuously without imposing premature assumptions about asset identity or status.
Principal insights derived from the assessment encompass:
  • Enhanced traceability, as asset claims can be linked to specific discovery observations and correlation rules;
  • Improved identity consistency, especially in settings with fluctuating network configurations;
  • Preservation of historical context, facilitating the reconstruction of asset appearance, transformation, and obsolescence over time;
  • Interpretive flexibility, enabling asset inventories to be tailored to various operational and governance needs.
The results demonstrate that the architectural principles proposed in this study are both theoretically sound and feasible for practical application. To illustrate how preserved discovery evidence enables temporal reasoning about asset state, Figure 6 presents a change log derived from successive observations of a single asset over time:
This change-log example demonstrates that asset state can be inferred retrospectively from retained discovery evidence rather than being claimed as a single authoritative snapshot. This functionality facilitates temporal reasoning and auditability while maintaining operational practicality. The findings confirm the architectural distinction among observation, identity resolution, and inventory interpretation previously presented in this paper.

5.7. Experimental Evaluation

An experimental evaluation was conducted to analyse specific architectural aspects of the proposed system and to compare it with a conventional state-centric asset inventory approach, complementing the descriptive proof-of-concept research. The assessment centres on three indicators closely associated with the architectural objectives of the proposed model:
  • Identity stability—the capacity to preserve uniform asset IDs during several observations;
  • Discovery traceability—the ratio of inventory claims that can be linked to specific discovery observations;
  • Observation preservation—the capacity to rebuild previous asset conditions utilising preserved discovery evidence.
The experiment was conducted in a regulated network environment comprising approximately 80 infrastructure assets, including physical hosts, virtual machines, and network devices. The environment featured dynamic IP allocation, virtualisation-based host redeployment, and partial credential coverage for agent-based discovery. Two discovery pathways were assessed:
  • A conventional inventory method in which discovery outcomes supersede prior asset-state records.
  • The suggested evidence-based framework in which observations are retained, and identity resolution is executed via deterministic correlation rules.
Each pipeline executed many discovery cycles across numerous iterations, emulating standard operational conditions such as address reassignment and host redeployment. Identity stability was quantified as the proportion of observations that were accurately linked to the same logical asset across discovery cycles. Traceability was quantified as the ratio of inventory claims that could be associated with a particular discovery observation. The preservation of observation was assessed by determining whether the historical configuration of an asset could be reconstructed from archived discovery evidence.
The findings demonstrate that evidence-based design enhances identity stability in dynamic situations by mitigating erroneous asset duplication or replacement caused by fluctuating network identifiers. Moreover, because observations are preserved as immutable records, the system enables complete traceability of inventory claims to their original discovery events. This functionality is absent in conventional state-centric inventory systems, where discovery outcomes supersede prior data. Table 4 compares the two approaches across key architectural metrics:
The retention of discovery observations facilitates the reconstruction of past asset configurations, aiding forensic investigation and compliance verification. The findings indicate that the suggested architecture enhances traceability and identity continuity, which are critical for cybersecurity governance and regulatory compliance.

5.8. Quantitative Evaluation

A quantitative analysis was conducted to compare a traditional state-centric asset inventory approach with the proposed evidence-based architecture, assessing the impact of architectural design decisions on the reliability of asset discovery. The assessment emphasises three criteria that explicitly represent the fundamental architectural goals of the proposed model: identity continuity, evidentiary traceability, and temporal reconstructability, rather than generic performance measures like speed or coverage.
The experiment was conducted in a controlled network environment with 80 infrastructure assets, including physical hosts, virtual machines, and network devices. The environment employed dynamic IP allocation and periodic discovery cycles to replicate authentic operational settings. Two discovery pathways were assessed:
  • Conventional state-centric inventory framework
  • Evidence-based asset discovery framework
Each pipeline underwent several discovery cycles during which network identifiers, such as IP addresses, were intermittently reallocated to emulate dynamic infrastructure behaviour. Three measures were employed to assess the system’s behaviour:
  • Identity Stability (IS)—defined as the ratio of observations reliably linked to the same logical asset identity over consecutive discovery cycles: IS = appropriately correlated observations/total observations
  • Traceability ratio (TR)—defined as the ratio of inventory entries that can be definitively associated with at least one underlying discovery observation: TR = traceable inventory entries/total inventory entries
  • Historical reconstruction capability (HR)—a binary metric evaluating the ability to recreate previous asset states using retained observations, independent of overwritten inventory values.
The evaluation results are summarised in Table 5.
The findings in Table 5 indicate a clear enhancement of the evidence-based architecture over the state-centric approach across all assessed aspects. Identity stability rose from 0.74 to 0.93 (+25.7%), indicating a more consistent correlation of data under dynamic network conditions. The traceability ratio reached 1.00, validating that all inventory assertions can be unequivocally linked to foundational discovery evidence, whereas the traditional method provides only partial traceability (0.42). The suggested architecture completely supports historical reconstruction capabilities, which are fundamentally absent in state-centric systems due to state overwriting.
The findings validate that the architectural distinction among observation, identity resolution, and inventory interpretation directly enhances traceability, identity continuity, and auditability. It is important to acknowledge that the assessment was performed in a controlled setting with simulated dynamics; thus, the findings should be regarded as indicators of architectural efficacy rather than universally applicable performance standards.
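The IS, TR and HR measures defined above can be computed as in the following added example, which is not the authors' evaluation code. The observation stream is constructed, the overwrite baseline is a simplified model (records keyed by IP, only the newest cycle's raw output retained), and counting an observation as correctly correlated when it receives the identity first given to its true asset is an assumption; the resulting figures illustrate the calculation and are not the values in Table 5.

```python
# Constructed stream of observations: (cycle, true_asset, mac, ip).
# `true_asset` is ground truth known to the experimenter, never to a pipeline.
STREAM = [
    (1, "A", "02:00:00:00:00:01", "10.0.0.5"),
    (1, "B", "02:00:00:00:00:02", "10.0.0.6"),
    (1, "C", "02:00:00:00:00:03", "10.0.0.7"),
    (2, "A", "02:00:00:00:00:01", "10.0.0.9"),   # A gets a new lease
    (2, "B", "02:00:00:00:00:02", "10.0.0.5"),   # B inherits A's old address
    (2, "C", "02:00:00:00:00:03", "10.0.0.7"),
    (3, "A", "02:00:00:00:00:01", "10.0.0.9"),
    (3, "B", "02:00:00:00:00:02", "10.0.0.5"),   # C is offline in cycle 3
]

def by_ip(obs):
    return obs[3]     # state-centric model: the record key is the address

def by_mac(obs):
    return obs[2]     # evidence-based model: a deterministic correlation rule

def identity_stability(stream, identity_of):
    """IS = correctly correlated observations / total observations."""
    canonical, owner, correct = {}, {}, 0
    for obs in stream:
        asset, ident = obs[1], identity_of(obs)
        canonical.setdefault(asset, ident)   # identity first given to the asset
        owner.setdefault(ident, asset)       # asset that first held the identity
        correct += canonical[asset] == ident and owner[ident] == asset
    return correct / len(stream)

def build_inventory(stream, identity_of, keep_history):
    """Return (inventory, indexes of the observations still retained)."""
    inventory = {}
    for n, obs in enumerate(stream):
        entry = inventory.setdefault(identity_of(obs), {"sources": []})
        if not keep_history:
            entry["sources"].clear()         # overwrite: provenance is lost
        entry["sources"].append(n)
        entry["mac"], entry["ip"] = obs[2], obs[3]
    newest = max(obs[0] for obs in stream)
    retained = {n for n, obs in enumerate(stream)
                if keep_history or obs[0] == newest}
    return inventory, retained

def traceability_ratio(inventory, retained):
    """TR = traceable inventory entries / total inventory entries."""
    traceable = sum(any(n in retained for n in entry["sources"])
                    for entry in inventory.values())
    return traceable / len(inventory)

def historical_reconstruction(stream, retained, cycle):
    """HR: 1 if evidence from `cycle` is still available, otherwise 0."""
    return int(any(stream[n][0] == cycle for n in retained))

def evaluate(stream=STREAM):
    results = {}
    pipelines = (("state-centric", by_ip, False),
                 ("evidence-based", by_mac, True))
    for name, key, keep_history in pipelines:
        inventory, retained = build_inventory(stream, key, keep_history)
        results[name] = {
            "entries": len(inventory),
            "IS": identity_stability(stream, key),
            "TR": traceability_ratio(inventory, retained),
            "HR": historical_reconstruction(stream, retained, cycle=1),
        }
    return results

if __name__ == "__main__":
    for name, metrics in evaluate().items():
        print(name, metrics)
```

On this stream the overwrite model ends with four entries for three real assets, because the address released by host B survives as a stale record with no retained evidence behind it.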

5.9. Constraints and Exclusions

To prevent overinterpretation of the proof-of-concept results, it is essential to delineate several limitations and non-claims clearly. The proposed implementation is not designed to serve as a production-ready asset discovery platform, nor does it aim to surpass existing commercial solutions in terms of scan coverage, performance, or feature completeness. The assessment lacks quantitative benchmarks for discovery accuracy, scalability, or runtime efficiency, and does not assert comprehensive asset visibility in highly dynamic or adversarial contexts.
The proof-of-concept aims to demonstrate the architectural viability of separating observation, identity resolution, and inventory interpretation, and to show that this separation can be achieved using modern open-source technologies in practical network environments. Thus, the findings should be regarded as proof that the suggested architectural principles are feasible and operationally significant, rather than as a conclusive evaluation of asset discovery efficacy in all circumstances.

5.10. Summary of Evaluation Results

The proof-of-concept mitigates significant limitations of state-centric discovery systems previously identified by preserving discovery outputs as evidence, implementing explicit identity resolution, and deriving inventory state through interpretable policies. By validating the architectural separation of evidence, identity resolution, and inventory interpretation, it establishes a solid foundation for the broader governance and security implications discussed in the subsequent section.

6. Cybersecurity Governance Ramifications and Constraints

This evidence-based asset discovery architecture has direct implications for cybersecurity governance, accountability, and regulatory compliance. Unlike state-centric discovery models that regard asset inventories as definitive truths, the proposed architecture grounds governance processes in verifiable evidence, clear identity resolution, and auditable interpretive logic. This transition modifies the validation, contestation, and justification of asset-related claims within organisational and regulatory frameworks.

6.1. Governance Transparency and Accountability

In governance-oriented cybersecurity frameworks, asset inventories serve as essential control artefacts that guide risk assessments, compliance reporting, and security oversight. The proposed architecture enhances these functions by delineating data collection from the authority responsible for declaring inventory status, enabling governance stakeholders to scrutinise both asset assertions and the supporting evidence and rationale.
The architecture facilitates accountability at various levels by maintaining discovery outputs as immutable observations and implementing explicit identity resolution. Security teams can link inventory assertions to discovery events and correlation rules, while auditors and regulators can evaluate whether asset claims are substantiated by adequate and appropriate evidence. This transparency reduces reliance on implicit trust in tools and mitigates risks associated with undocumented normalisation or heuristic correlation methods.

6.2. Regulatory Adherence and Audit Capability

The experimental assessment in Section 5.6 illustrates that maintaining discovery evidence facilitates retrospective validation of asset conditions, which is especially pertinent for regulatory audits and compliance verification procedures. Regulatory frameworks such as NIS2, ISO/IEC 27001 [25], and industry-specific cybersecurity directives increasingly emphasise the need for demonstrable control over assets, including visibility, ownership, and lifecycle management. Adherence to these requirements relies not only on maintaining asset inventories but also on validating the methods used to create and maintain them.
The evidence-based architecture meets these expectations by enabling retrospective validation of asset assertions. Historical observations and identity resolution logic enable organisations to reconstruct asset states at specific time intervals, facilitating audits, incident investigations, and compliance evaluations. This capability mitigates a prevalent limitation of state-centric systems: frequent overwriting of previous data and the obscuring of the provenance of asset records.

6.3. Organisational and Operational Limitations

The proposed architecture improves transparency in governance but also presents organisational and operational challenges. Preserving discovery evidence and upholding clear identity-resolution logic increases data volume, system complexity, and governance burdens. Organisations must consequently weigh the advantages of evidentiary rigour against the costs of storage, processing, and operations.
The architecture necessitates explicit ownership of identity resolution policies and inventory interpretation logic. In decentralised or multi-stakeholder contexts, establishing and maintaining governance structures may pose organisational challenges. These constraints do not diminish the architectural approach; rather, they underscore the necessity for intentional governance design in conjunction with technical execution.

6.4. Governance Applicability Scope

The architecture fails to eradicate uncertainty in asset discovery and does not ensure comprehensive or uninterrupted asset visibility. Rather, it offers a structure for rendering uncertainty explicit and manageable. Governance processes must consequently adapt to regard asset inventories as informed assertions rather than definitive truths.
This viewpoint signifies a cultural transformation in cybersecurity governance, necessitating that stakeholders engage with evidence, confidence metrics, and interpretive policies. Although this may initially complicate governance processes, it ultimately fosters more robust, justifiable security decision-making in complex environments.

7. Limitations

Considering the architectural contributions and proof-of-concept validation demonstrated in this study, several limitations must be recognised.
  • The experimental assessment was performed in a controlled setting comprising roughly 80 infrastructure assets exhibiting simulated dynamic behaviour (e.g., IP reassignment). This configuration embodies typical traits of contemporary IT settings, but it fails to capture the scale, diversity, and operational complexity of large enterprises or highly distributed systems. Thus, the results ought to be regarded as suggestive rather than entirely generalisable.
  • The assessment utilises targeted metrics—identity stability, traceability ratio, and historical reconstruction capability—that are directly associated with the architectural goals of the proposed model. Nonetheless, these indicators remain unstandardised within the extensive cybersecurity and asset management literature, and there are currently no universally recognised benchmarking datasets or baselines for direct comparison. The evaluation indicates relative improvement over a state-centric baseline rather than absolute performance guarantees.
  • The experimental configuration depends on regulated and partially simulated infrastructural dynamics. While this facilitates repeatability and targeted architectural evaluation, it may not entirely capture erratic real-world behaviours, including network abnormalities, incomplete data sources, or operational misconfigurations.
  • The suggested design presumes that discovery methods function inside a semi-trusted environment and does not inherently safeguard against malicious manipulation of observations. Attacks such as IP or MAC address spoofing, fabricated discovery responses, or data poisoning can lead to erroneous identity resolution if not countered by external safeguards. The architecture retains all observations as traceable evidence for retrospective analysis, although it lacks inherent ways to validate the legitimacy of observed identifiers.
  • The architecture explicitly maintains ambiguity; nonetheless, the accuracy of identity resolution relies on the availability and reliability of observed attributes. In settings with restricted visibility, insufficient telemetry, or erratic discovery coverage, the accuracy of correlation may diminish despite architectural protections.
  • The proposed system serves as a proof-of-concept implementation intended to validate architectural viability rather than as a production-ready platform. This study did not primarily focus on performance optimisation, scalability considerations, or integration with enterprise-grade security ecosystems.
The identified restrictions indicate that the proposed methodology should be regarded as an architectural innovation with demonstrated practicality; however, additional research is necessary to address large-scale implementation, adversarial resilience, and standardised assessment methods.

8. Conclusions and Future Works

This study investigated asset discovery in contemporary IT environments characterised by diversity, scale, and constant evolution. The study conducted a systematic analysis of current discovery methods and tools, revealing enduring structural limitations stemming from treating discovery outputs as definitive inventory states rather than as contextual, temporal observations. These constraints impact both operational precision and the assurance of security and governance accountability.
The paper proposes an evidence-based architectural model for asset discovery that distinguishes observation, identity resolution, and inventory interpretation as interconnected yet distinct concerns to address these challenges. This division redefines asset discovery as an evidentiary procedure, facilitating traceability, auditability, and interpretive adaptability in contexts where asset identity and configuration are intrinsically fluid.
The architectural principles were substantiated through a Python 3.13.11-based proof-of-concept implementation, which was evaluated in realistic network environments. The assessment revealed that the proposed separation can be achieved using modern open-source technologies and helps mitigate common failure modes in state-centric discovery systems, such as asset duplication, loss of historical context, and opaque normalisation logic. The implementation demonstrates the practical feasibility and operational relevance of the proposed architectural approach, rather than asserting comprehensive coverage or superior performance. The comparison with existing architectural paradigms reveals that the suggested approach essentially distinguishes itself by regarding discovery outputs as evidence rather than as an authoritative system state.
This work underscores significant implications for cybersecurity governance beyond its technical contributions. The architecture facilitates verifiable asset claims and accountable decision-making by preserving discovery outputs as evidence and clarifying identity resolution. In regulatory and compliance contexts, this evidentiary foundation allows organisations to substantiate asset-related claims retrospectively and to address uncertainty rather than conceal it.
This work reveals multiple prospects for future research. The quantitative assessment of evidence-based discovery pipelines, encompassing scalability, performance, and coverage across varying operational conditions, remains a significant area for further investigation. Further research may investigate automated reasoning for conflicting or incomplete observations, probabilistic identity-resolution methods, and policy-driven inventory analyses tailored to specific regulatory frameworks.
Future research may explore integrating passive discovery techniques, cloud-native telemetry, and comprehensive asset and configuration management systems to enhance the architecture for environments characterised by significant ephemerality and decentralisation. Ultimately, empirical investigations into the effects of evidence-based asset discovery on governance processes, audit methodologies, and organisational trust in security data would yield significant insights regarding its enduring impact.
This work illustrates that numerous enduring challenges in asset discovery are fundamentally architectural rather than solely tool-specific. The design is applicable across several operational settings, including enterprise networks, critical infrastructure environments, and hybrid cloud systems that necessitate dependable infrastructure asset identification. The proposed approach treats discovery as an evidence-based process rather than a state-assertion problem, providing a principled foundation for enhanced asset visibility, improved security decision-making, and governance-aligned IT operations in increasingly complex digital environments.

Author Contributions

Conceptualisation, I.O.B., M.B. and I.B.; Data curation, I.O.B. and M.B.; Formal Analysis, I.O.B. and I.B.; Investigation, I.O.B., M.B. and I.B.; Methodology, I.O.B. and M.B.; Resources, I.O.B. and M.B.; Supervision, I.O.B.; Validation, I.O.B. and I.B.; Visualization, I.O.B., M.B. and I.B.; Writing—original draft, I.O.B., M.B. and I.B.; Writing—review & editing, I.O.B. and M.B. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data available in a publicly accessible repository at URL https://github.com/ibencaralg/assetly (accessed on 31 March 2026) and https://github.com/ibencaralg/assetly-scanner (accessed on 31 March 2026).

Conflicts of Interest

The authors declare no conflicts of interest.

Nomenclature

The following nomenclature is used in this manuscript:
Observation: A time-scoped record describing a property of an infrastructure element obtained through a discovery mechanism.
Asset identity: A persistent logical representation that aggregates multiple observations referring to the same infrastructure asset.
Inventory representation: A derived interpretation of asset identities used for operational or governance purposes.
Discovery method: A mechanism used to obtain observations, such as network scanning, agent-based interrogation, or platform APIs.
Correlation rule: A deterministic rule used to determine whether multiple observations refer to the same asset identity.
Evidence: The preserved set of discovery observations used to support asset-related assertions.
Identity resolution: The process of associating observations with asset identities using correlation rules.
Asset discovery pipeline: The architectural process that transforms discovery observations into inventory representations through identity resolution.

References

  1. Rossi, M.C.; Gallouj, F.; Perez, G. Cyberspace as Asset Specificity. RIAE 2025, 24, e25866.
  2. Milaat, F.A.; Lubell, J. Layered Security Guidance for Data Asset Management in Additive Manufacturing. arXiv 2023, arXiv:2309.16842.
  3. Reyes-Acosta, R.E.; Mendoza-González, R.; Oswaldo Diaz, E.; Vargas Martin, M.; Luna Rosas, F.J.; Martínez Romo, J.C.; Mendoza-González, A. Cybersecurity Conceptual Framework Applied to Edge Computing and Internet of Things Environments. Electronics 2025, 14, 2109.
  4. Hossain, S.T.; Yigitcanlar, T.; Nguyen, K.; Xu, Y. Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information 2024, 15, 342.
  5. Progoulakis, I.; Nikitakos, N.; Rohmeyer, P.; Bunin, B.; Dalaklis, D.; Karamperidis, S. Perspectives on Cyber Security for Offshore Oil and Gas Assets. J. Mar. Sci. Eng. 2021, 9, 112.
  6. Oyeniyi, L.D.; Ugochukwu, C.E.; Mhlongo, N.Z. IoT Applications in Asset Management: A Review of Accounting and Tracking Techniques. Int. J. Sci. Res. Arch. 2024, 11, 1510–1525.
  7. Amro, A.; Gkioulos, V. Cyber Risk Management for Autonomous Passenger Ships Using Threat-Informed Defense-in-Depth. Int. J. Inf. Secur. 2022, 22, 249–288.
  8. Clavijo Mesa, M.V.; Patino-Rodriguez, C.E.; Guevara Carazas, F.J. Cybersecurity at Sea: A Literature Review of Cyber-Attack Impacts and Defenses in Maritime Supply Chains. Information 2024, 15, 710.
  9. Khosla, A.; Dubey, R. Cybersecurity Challenges in Modern Railway Signaling—A Comprehensive Review. IJFMR 2025, 7, 1–20.
  10. Temara, S. Harnessing the Power of Artificial Intelligence to Enhance Next-Generation Cybersecurity. World J. Adv. Res. Rev. 2024, 23, 797–811.
  11. Faruq, M.O. A meta-analysis of cybersecurity framework integration in GRC platforms: Evidence from US enterprise audits. J. Sustain. Dev. Policy 2025, 1, 224–249.
  12. Vala, J.B.; Vekariya, V.M. The Role and Importance of Digital Forensics and Digital Evidence in Cyber Crime Detection. Int. J. Life Sci. Biotechnol. Pharma Res. 2024, 13, 413–420.
  13. Rajamäki, J.; Savolainen, J.; Pirinen, R.; Medina, E. Gaps in Asset Management Systems to Integrate Railway Companies’ Resilience. ICCWS 2023, 18, 318–326.
  14. Cheimonidis, P.; Rantos, K. Dynamic Risk Assessment in Cybersecurity: A Systematic Literature Review. Future Internet 2023, 15, 324.
  15. Sardi, A.; Rizzi, A.; Sorano, E.; Guerrieri, A. Cyber Risk in Health Facilities: A Systematic Literature Review. Sustainability 2020, 12, 7002.
  16. Soin, A.; Putnins, T.; Staples, M. Digital Assets: Vulnerabilities and Their Classification. Digit. Financ. 2025, 7, 373–428.
  17. Ulven, J.B.; Wangen, G. A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet 2021, 13, 39.
  18. Eichelberg, M.; Kleber, K.; Kämmerer, M. Cybersecurity in PACS and Medical Imaging: An Overview. J. Digit. Imaging 2020, 33, 1527–1542.
  19. Liubchenko, V.V.; Volkov, D.V. Cyber-Aware Threats and Management Strategies in Cloud Environments. Her. Adv. Inf. Technol. 2024, 7, 158–170.
  20. Le, T.D.; Le-Dinh, T.; Uwizeyemungu, S. Cybersecurity Analytics for the Enterprise Environment: A Systematic Literature Review. Electronics 2025, 14, 2252.
  21. Rahman, M.H.; Wuest, T.; Shafae, M. Manufacturing Cybersecurity Threat Attributes and Countermeasures: Review, Meta-Taxonomy, and Use Cases of Cyberattack Taxonomies. J. Manuf. Syst. 2023, 68, 196–208.
  22. Kopal, R.; Alikavazović, B.; Morić, Z. From Context to Action: Establishing a Pre-Chain Phase Within the Cyber Kill Chain. J. Cybersecur. Priv. 2025, 6, 5.
  23. Kayan, H.; Nunes, M.; Rana, O.; Burnap, P.; Perera, C. Cybersecurity of Industrial Cyber-Physical Systems: A Review. ACM Comput. Surv. 2022, 54, 1–35.
  24. Pirta-Dreimane, R.; Brilingaitė, A.; Roponena, E.; Parish, K.; Grabis, J.; Lugo, R.G.; Bonders, M. Try to esCAPE from Cybersecurity Incidents! A Technology-Enhanced Educational Approach. Technol. Knowl. Learn. 2024, 30, 1577–1606.
  25. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO Copyright Office: Geneva, Switzerland, 2022.
Figure 1. Conceptual asset discovery pipeline.
Figure 2. Proposed system architecture.
Figure 4. Entity-Relationship Diagram for Asset, AssetInterface, and AssetInterfaceIP.
Figure 5. A custom asset discovery platform is a part of the architecture described in this paper.
Figure 6. Change log from a single-asset observation over time.
Table 1. Comparison of asset discovery architectural paradigms.

| Architectural Aspect | State-Centric Inventory | Model-Driven Source-of-Truth | Enterprise Discovery Platforms | Evidence-Based Architecture (Proposed) |
|---|---|---|---|---|
| Observation handling | Converted directly to asset state | Filtered through the model schema | Normalised and aggregated | Preserved as immutable observations |
| Identity resolution | Implicit or heuristic | Model-driven correlation | Proprietary correlation logic | Deterministic rule-based correlation |
| Historical traceability | Limited | Partial | Limited | Full traceability |
| Auditability | Low | Moderate | Limited (opaque logic) | High |
| Inventory interpretation | Single authoritative state | Model-defined state | Platform-defined state | Derived interpretation of evidence |

Table 2. Input and output semantics of architectural layers.

| Layer | Input | Output |
|---|---|---|
| Observation layer | Discovery mechanisms (scans, agents, APIs) | Time-scoped observation records |
| Identity resolution layer | Observation records | Correlated asset identities |
| Inventory analysis layer | Asset identities and observations | Derived inventory representations |

Table 3. Experimental environment characteristics.

| Parameter | Value |
|---|---|
| Network size | ~80 infrastructure assets |
| Physical hosts | 22 |
| Virtual machines | 41 |
| Network devices | 17 |
| IP allocation | Dynamic (DHCP) |
| Discovery methods | Network scanning + host interrogation |
| Discovery cycle interval | 30 min |
| Observation sources | Active scans, platform metadata |

Experiment duration: 72 h.

Table 4. Evaluation metrics comparison.

| Metric | Traditional Inventory | Evidence-Based Architecture |
|---|---|---|
| Identity stability | Moderate | High |
| Traceability of asset claims | Limited | Full traceability |
| Historical reconstruction | Not supported | Supported |
Table 5. Quantitative evaluation results.

| Metric | State-Centric Inventory | Evidence-Based Architecture |
|---|---|---|
| Identity stability | 0.74 | 0.93 |
| Traceability ratio | 0.42 | 1.00 |
| Historical reconstruction | 0 (not achievable due to state overwriting) | 1 (fully supported through preserved observations) |

Identity stability improvement: +25.7%.
