Tomas Kracmar
763da003d3
Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes: - Core philosophy and manifest (5 pillars) - 12 modular engagement packages - AI sovereignty and operations frameworks - Zero-budget vulnerability discovery and hardening playbooks - M365 E3 hardening and antifragile project plans - Osquery sovereign discovery platform blueprint - Perimeter scanning capability guide - AI-assisted TVM blueprint for AI-powered adversaries - Vertical specializations: banking, telco, power/utilities - CIS Controls v8 and NIST CSF 2.0 mappings - Risk registers and assessment templates - C-suite conversation guide and business case templates
26 KiB
Zero-Budget Vulnerability Discovery
"Most organizations do not know what vulnerabilities they have because they have never looked. Not because Tenable is too expensive. Because nobody wrote a PowerShell script and ran it."
This playbook provides practical, script-based methods for discovering vulnerabilities across Windows servers, Linux servers, containers, and network devices without purchasing commercial vulnerability scanners like Tenable, Qualys, or Rapid7. It is designed for the first sweep—the baseline discovery that proves value before any procurement discussion.
The approach is agentless and authentication-based where possible: we use existing administrative access (SSH, WinRM, RDP, Azure/AWS APIs) to collect inventory and correlate it with vulnerability data. No agents. No new licenses. Just scripts, open-source tools, and expertise.
The Philosophy: Discovery Before Procurement
Before recommending Tenable, Qualys, or any commercial scanner, we prove that:
- The client does not know their inventory
- There are critical vulnerabilities that can be found with free tools
- The commercial scanner will be worth the money—once we know what gaps it needs to fill
The rule: If a script run from a laptop finds 50 critical missing patches in 2 hours, the business case for a commercial scanner becomes trivial. The scanner is no longer a gamble. It is an operationalization of proven need.
Method 1: Windows Server Enumeration (PowerShell)
Most Windows environments have at least partial administrative access. A PowerShell script run with domain admin or local admin credentials can enumerate the entire estate in hours.
The Basic Script: What to Collect
# Save as Get-ServerVulnBaseline.ps1
# Run from a management workstation with domain admin or appropriate privileges
$Computers = Get-ADComputer -Filter {OperatingSystem -like "*Server*"} | Select-Object -ExpandProperty Name
$Results = @()
foreach ($Computer in $Computers) {
try {
$Session = New-CimSession -ComputerName $Computer -OperationTimeoutSec 30
# OS Version and Build
$OS = Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem
# Installed Hotfixes
$Hotfixes = Get-CimInstance -CimSession $Session -ClassName Win32_QuickFixEngineering |
Select-Object -ExpandProperty HotFixID
# Installed Software (Add/Remove Programs)
$Software = Get-CimInstance -CimSession $Session -ClassName Win32_Product |
Select-Object Name, Version, Vendor
# Windows Features / Roles
$Features = Get-WindowsFeature -ComputerName $Computer | Where-Object {$_.Installed} |
Select-Object -ExpandProperty Name
# Antivirus Status (Windows Defender or third-party)
$AV = Get-CimInstance -CimSession $Session -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
# Firewall Status
$Firewall = Get-NetFirewallProfile -CimSession $Session | Select-Object Name, Enabled
# Local Administrators
$Admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
$Results += [PSCustomObject]@{
ComputerName = $Computer
OSVersion = $OS.Caption
OSBuild = $OS.BuildNumber
LastBoot = $OS.LastBootUpTime
Hotfixes = ($Hotfixes -join ";")
SoftwareCount = $Software.Count
KeySoftware = ($Software | Where-Object {$_.Name -match "SQL|IIS|Exchange|SharePoint|Remote Desktop|Citrix"} | ForEach-Object {"$($_.Name)=$($_.Version)"} -join ";")
Features = ($Features -join ";")
AVProduct = if ($AV) { $AV.displayName } else { "None detected" }
FirewallEnabled = ($Firewall | Where-Object {$_.Enabled -eq $true}).Count
LocalAdmins = ($Admins | Measure-Object).Count
Reachable = $true
}
Remove-CimSession -CimSession $Session
}
catch {
$Results += [PSCustomObject]@{
ComputerName = $Computer
OSVersion = "Unreachable"
Reachable = $false
Error = $_.Exception.Message
}
}
}
$Results | Export-Csv -Path "ServerBaseline.csv" -NoTypeInformation
What this produces in 30 minutes:
- A CSV of every Windows Server with OS build, patches, software, roles, AV status, firewall status
- Immediate red flags: servers with no AV, no firewall, ancient OS builds, excessive local admins
- A hotfix list you can correlate against Microsoft Security Response Center bulletins
The OS Build Risk Filter
Once you have the CSV, filter for end-of-life or near-end-of-life OS builds:
| OS / Build | Status | Risk |
|---|---|---|
| Windows Server 2008 R2 / 2012 R2 | End of life | Critical |
| Windows Server 2016 (Build 14393) | Extended support | High |
| Windows Server 2019 (Build 17763) | Active, but check patch level | Medium |
| Windows Server 2022 (Build 20348) | Current | Low |
The conversation:
"We ran a script for 30 minutes and found 12 servers running operating systems that no longer receive security patches. Three of them are internet-facing. We do not need a €50,000 scanner to tell us that is a kill chain. We need it to track the remediation. But first, we fix these 12."
Method 2: Linux Server Enumeration (Bash / SSH)
For Linux estates, SSH-based enumeration is fast and requires no agents.
The Basic Script
#!/bin/bash
# Save as linux-vuln-baseline.sh
# Run from a jump host with SSH key access to target servers
SERVERS=$(cat server-list.txt)
OUTPUT_DIR="./linux-baseline-$(date +%Y%m%d)"
mkdir -p $OUTPUT_DIR
for SERVER in $SERVERS; do
echo "Scanning $SERVER..."
ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no $SERVER "
echo '=== OS ==='
cat /etc/os-release
echo '=== KERNEL ==='
uname -r
echo '=== PACKAGES ==='
if command -v rpm >/dev/null; then rpm -qa --last; fi
if command -v dpkg >/dev/null; then dpkg -l; fi
if command -v apt >/dev/null; then apt list --installed 2>/dev/null; fi
echo '=== SERVICES ==='
systemctl list-units --type=service --state=running
echo '=== LISTENING PORTS ==='
ss -tlnp
echo '=== USERS WITH SHELL ==='
grep -E 'bash|sh|zsh' /etc/passwd
echo '=== SUDOERS ==='
cat /etc/sudoers 2>/dev/null | grep -v '^#' | grep -v '^$'
echo '=== SSH CONFIG ==='
grep -E 'PermitRootLogin|PasswordAuthentication|Port' /etc/ssh/sshd_config
" > "$OUTPUT_DIR/$SERVER.txt" 2>&1
done
echo "Results in $OUTPUT_DIR"
What this produces:
- Per-server files with OS, kernel, all installed packages, running services, listening ports, user accounts, SSH hardening
- Immediate red flags: password authentication enabled, root login permitted, ancient kernels, unnecessary services exposed
The Package-to-CVE Correlation
For the first sweep, you do not need a commercial correlator. Use open-source tools:
Option A: Grype (recommended)
# Install grype (single binary, no dependencies)
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# On each server, generate SBOM and scan
syft packages dir:/ -o json > /tmp/sbom.json
grype sbom:/tmp/sbom.json -o table > /tmp/vulns.txt
Option B: Vulners (for Linux package managers)
# For Ubuntu/Debian with apt
apt-get install -y apt-vulns-severity
apt-get --just-print upgrade | apt-vulns-severity
# For RHEL/CentOS with yum
yum install -y yum-plugin-security
yum --security check-update
What this produces:
- A list of installed packages with known CVEs
- Severity ratings
- Whether fixes are available in the distribution repositories
Method 3: Container and Application SBOM
Modern environments run containers. Containers bundle vulnerabilities. SBOM + CVE correlation is the fastest way to find them.
SBOM Generation
# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Generate SBOM from running containers
docker ps --format "{{.Names}}" | while read container; do
syft $container -o spdx-json > "sboms/${container}.json"
done
# Generate SBOM from container images in registry
# (Requires registry access; adapt for ACR, ECR, GCR, Harbor, etc.)
CVE Scanning the SBOMs
# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Scan all SBOMs
for sbom in sboms/*.json; do
grype sbom:$sbom -o json > "vulns/$(basename $sbom .json)-vulns.json"
done
# Aggregate critical findings
jq -r '.matches[] | select(.vulnerability.severity == "Critical") | [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.severity] | @tsv' vulns/*.json | sort | uniq -c | sort -rn > critical-vulns.txt
What this produces in 1 hour:
- A complete inventory of every container's software components
- Every known CVE in those components
- Critical vulnerabilities ranked by frequency (if 15 containers have the same vulnerable log4j version, that is your top fix)
The conversation:
"We generated software bills of materials for your 40 running containers and found 340 known vulnerabilities. 12 are critical. Five of those critical vulnerabilities are in your customer-facing API container. We have the updated base image ready. No scanner purchase required."
Method 4: Network-Based Unauthenticated Scanning
When you cannot authenticate to every system, network scanning fills gaps.
OpenVAS / Greenbone (Free)
Greenbone Community Edition is a full vulnerability scanner that requires only network access:
# Deploy via Docker (fastest way to test)
docker run -d -p 443:443 --name openvas greenbone/community-edition:latest
# Log in, create a target list, run scan
# Produces: full vulnerability report with CVSS, CVE references, and remediation guidance
Limitations: Community edition is not licensed for commercial use in some jurisdictions. For client engagements, use Greenbone Cloud Service (pay-per-scan) or deploy OpenVAS from source.
Nmap Vulnerability Scripts
# Fast service discovery
nmap -sV -sC -O --top-ports 1000 -oA network-sweep $TARGET_NETWORK
# Vulnerability detection with NSE scripts
nmap --script vuln -p 21,22,23,25,53,80,110,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 $TARGET_IP
# SMB vulnerability check (ETERNALBLUE, etc.)
nmap --script smb-vuln* -p 445 $TARGET_IP
# SSL/TLS weakness check
nmap --script ssl-enum-ciphers,ssl-heartbleed,ssl-poodle -p 443 $TARGET_IP
What this produces:
- Unauthenticated vulnerability findings
- Service versions that can be correlated with CVEs
- Network topology and unexpected exposed services
ProjectDiscovery Stack (Modern, Fast, Free)
# Install
GO111MODULE=on go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
GO111MODULE=on go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
GO111MODULE=on go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
GO111MODULE=on go install -v github.com/owasp-amass/amass/v4/...@master
# Reconnaissance pipeline
# 1. Find live hosts
naabu -list targets.txt -o live-hosts.txt
# 2. Identify web services
httpx -list live-hosts.txt -o web-services.txt
# 3. Run vulnerability templates (10,000+ community templates)
nuclei -list web-services.txt -severity critical,high -o findings.txt
# 4. DNS enumeration
amass enum -d example.com -o dns-findings.txt
What Nuclei produces:
- Specific CVE detections (CVE-2024-XXXX)
- Misconfiguration findings (exposed .git, default credentials, open redirects)
- Technology fingerprinting
- All findings mapped to specific CVEs with remediation links
Method 5: Osquery Cross-Platform Discovery (The Sovereign Method)
"Tenable is a rented microscope. osquery is a laboratory."
For clients who want owned visibility rather than rented scanner reports, osquery is the most powerful zero-budget discovery method available. It is an open-source agent that exposes the operating system as a SQL database—Windows, Linux, and macOS.
Why osquery Belongs Here
| Script-Based Discovery | osquery-Based Discovery |
|---|---|
| Point-in-time (run once, get a snapshot) | Continuous or scheduled (run every hour, every day) |
| Per-platform scripts (PowerShell for Windows, bash for Linux) | Single SQL query language across all platforms |
| Static output (CSV, text files) | Structured, queryable data you can ask follow-up questions of |
| Requires admin access every time | Agent enrolls once; queries run remotely via FleetDM |
| Hard to scale past 100 systems | Scales to 10,000+ endpoints with FleetDM control plane |
| Cannot detect runtime state (running processes, open ports in real time) | Real-time process, network, and configuration visibility |
The 2-Hour osquery Proof of Concept
# Install osquery on a management workstation
# Windows: choco install osquery
# macOS: brew install osquery
# Ubuntu: apt install osquery
# Run interactive discovery queries against the local system
# (For remote systems, copy the binary or use FleetDM enrollment)
# 1. Windows software inventory with vulnerability flagging
osqueryi "SELECT si.computer_name, p.name, p.version,
CASE WHEN p.name LIKE '%Adobe%' AND CAST(REPLACE(p.version, '.', '') AS INTEGER) < 2023000 THEN 'POTENTIALLY VULNERABLE' ELSE 'REVIEW' END AS status
FROM programs p CROSS JOIN system_info si;"
# 2. Linux listening ports with process attribution
osqueryi "SELECT si.hostname, lp.port, lp.protocol, p.name, p.path
FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid
CROSS JOIN system_info si WHERE lp.address NOT IN ('127.0.0.1', '::1');"
# 3. SSH hardening check (Linux)
osqueryi "SELECT si.hostname, c.key, c.value,
CASE WHEN c.key = 'PermitRootLogin' AND c.value = 'yes' THEN 'CRITICAL' ELSE 'OK' END AS risk
FROM ssh_configs c CROSS JOIN system_info si
WHERE c.key IN ('PermitRootLogin', 'PasswordAuthentication', 'Port');"
# 4. End-of-life OS detection (all platforms)
osqueryi "SELECT si.hostname, os.name, os.version, os.build,
CASE
WHEN os.platform = 'windows' AND os.version LIKE '6.1%' THEN 'Windows 7/2008 R2 - EOL'
WHEN os.platform = 'windows' AND os.version LIKE '6.2%' THEN 'Windows 8/2012 - EOL'
WHEN os.platform = 'centos' AND os.version LIKE '7%' THEN 'CentOS 7 - EOL June 2024'
WHEN os.platform = 'ubuntu' AND os.version LIKE '18.04%' THEN 'Ubuntu 18.04 - EOL April 2023'
ELSE 'Check manually'
END AS eol_status
FROM os_version os CROSS JOIN system_info si;"
What this produces in 2 hours:
- Software inventory across all enrolled endpoints with version-based vulnerability flagging
- Real-time network exposure map (every listening port, every process)
- Configuration drift detection (firewall status, SSH hardening, encryption state)
- End-of-life operating system inventory
Scaling to the Estate: FleetDM (Free Tier)
FleetDM is the open-source management platform for osquery. Free for up to 1,000 hosts:
# Deploy FleetDM in Docker (15 minutes)
git clone https://github.com/fleetdm/fleet.git
cd fleet/tools/osquery
docker-compose up -d
# Enroll endpoints with a single command per host
# FleetDM provides live query capability: ask a question, get answers in seconds
For the complete osquery blueprint—including query packs for Windows, Linux, and macOS vulnerability discovery, compliance policies, CVE correlation pipeline, and the consultant's 5-day delivery model—see Osquery: The Sovereign Discovery Platform.
When to Use osquery vs. Scripts
| Scenario | Use Scripts | Use osquery |
|---|---|---|
| One-time sweep of 20-50 servers | ✅ Fast, no installation | Overkill |
| Continuous monitoring of 200+ endpoints | ❌ Unsustainable | ✅ Designed for this |
| Client needs compliance dashboards | ❌ Ad-hoc reports | ✅ Built-in policy engine |
| Cross-platform environment (Windows + Linux + macOS) | ❌ Separate scripts | ✅ Single query language |
| Client wants to own the data and queries | ❌ Vendor-dependent | ✅ Full sovereignty |
Method 6: Cloud-Native Discovery (No Agents)
For Azure / AWS / GCP environments, the cloud provider already has the data. You just need to query it.
Azure
# Azure VM inventory with OS info
Get-AzVM | Select-Object Name, ResourceGroupName, Location,
@{Name="OS";Expression={$_.StorageProfile.OsDisk.OsType}},
@{Name="ImagePublisher";Expression={$_.StorageProfile.ImageReference.Publisher}},
@{Name="ImageOffer";Expression={$_.StorageProfile.ImageReference.Offer}},
@{Name="ImageSKU";Expression={$_.StorageProfile.ImageReference.Sku}},
@{Name="ImageVersion";Expression={$_.StorageProfile.ImageReference.Version}}
# Azure Update Manager: which VMs are missing critical updates?
# (Requires Azure Update Manager enabled; basic is free)
Get-AzSoftwareUpdateConfiguration | Where-Object {$_.ScheduleConfiguration.Frequency -eq "Hourly"}
# Azure Defender for Cloud secure score (free tier)
Get-AzSecuritySecureScore
AWS
# EC2 instance inventory
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,ImageId,PlatformDetails,InstanceType,LaunchTime,State.Name]' --output table
# Inspector findings (if Inspector v1/v2 is enabled; v2 is free for basic scanning)
aws inspector2 list-findings --severity CRITICAL
# Systems Manager Patch Compliance (if SSM agent is installed)
aws ssm describe-instance-patch-states --filters Key=Compliance,Values=NON_COMPLIANT
GCP
# VM inventory
gcloud compute instances list --format="table(name,zone,status,machineType,disks[0].licenses[0])"
# OS Config vulnerability reports (if OS Config is enabled)
gcloud compute os-config vuln-reports list
The conversation:
"You already own Azure Update Manager and AWS Inspector Basic. They are free. You are not using them. Before we discuss Tenable, let us turn on the vulnerability discovery tools you already pay for as part of your cloud subscription."
Method 7: The SBOM-to-CVE Pipeline (Your Brainstorm, Implemented)
You mentioned SBOM collection and CVE validation. Here is a lightweight, zero-cost pipeline:
Architecture
[Target System] → [Syft SBOM Generator] → [Grype CVE Scanner] → [Local AI Prioritizer] → [Executive Brief]
Step-by-Step
#!/bin/bash
# zero-budget-tvm-pipeline.sh
# Run this from a management host with SSH/WinRM access to the estate
mkdir -p sboms vulns reports
# 1. COLLECT: Generate SBOMs from accessible systems
# Windows (via PowerShell remoting)
pwsh -c "
\$Servers = Get-ADComputer -Filter {OperatingSystem -like '*Server*'}
foreach (\$s in \$Servers) {
# Use Syft Windows binary if available, or fallback to registry enumeration
Invoke-Command -ComputerName \$s.Name -ScriptBlock {
Get-ItemProperty 'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*' |
Select-Object DisplayName, DisplayVersion, Publisher | Export-Csv C:\\tmp\\software.csv
} -ErrorAction SilentlyContinue
}
"
# Linux (via SSH)
for server in $(cat linux-servers.txt); do
ssh $server "
if command -v syft >/dev/null; then
syft dir:/ -o spdx-json
else
# Fallback: package manager output
if command -v rpm >/dev/null; then rpm -qa; fi
if command -v dpkg >/dev/null; then dpkg -l; fi
fi
" > "sboms/${server}.json" 2>/dev/null &
done
wait
# 2. SCAN: Correlate with CVE database
for sbom in sboms/*.json; do
if command -v grype >/dev/null; then
grype sbom:$sbom -o json > "vulns/$(basename $sbom .json)-vulns.json"
fi
done
# 3. PRIORITIZE: Extract critical/high, aggregate
jq -s '
[.[] | .matches[]? | select(.vulnerability.severity == "Critical" or .vulnerability.severity == "High") |
{cve: .vulnerability.id, severity: .vulnerability.severity, package: .artifact.name, version: .artifact.version}]
| group_by(.cve)
| map({cve: .[0].cve, severity: .[0].severity, package: .[0].package, affected_systems: length})
| sort_by(.affected_systems)
| reverse
' vulns/*.json > reports/aggregated-vulns.json
# 4. REPORT: Generate human-readable summary
cat > reports/executive-summary.md << 'EOF'
# Vulnerability Discovery Report
## Generated: $(date)
### Top Findings
EOF
jq -r '.[:20] | .[] | "- **\(.cve)** (\(.severity)): \(.package) — \(.affected_systems) systems affected"' reports/aggregated-vulns.json >> reports/executive-summary.md
echo "Report complete: reports/executive-summary.md"
What this produces in 2-4 hours:
- SBOMs for all accessible systems
- CVE correlation for every software component
- Aggregation: "CVE-2024-XXXX affects 23 of your servers"
- Executive summary: top 20 findings in Markdown
The First Sweep Protocol
When you walk into a client with no vulnerability management program, run this sequence:
Day 1: Discovery
| Hour | Activity | Tools |
|---|---|---|
| 0-1 | Identify scan targets from AD, Azure, AWS, or network range | Active Directory, cloud consoles |
| 1-3 | Run Windows PowerShell enumeration script | PowerShell, CIM sessions |
| 3-5 | Run Linux SSH enumeration script | Bash, SSH |
| 5-6 | Run network scan (Nmap + Nuclei) on external perimeter | Nmap, Nuclei |
| 6-8 | Generate container SBOMs and scan with Grype | Syft, Grype, Docker |
Day 2: Correlation
| Hour | Activity | Tools |
|---|---|---|
| 0-2 | Correlate OS builds with Microsoft end-of-life list | Manual / spreadsheet |
| 2-4 | Correlate Linux packages with CVE database | Grype, vulners |
| 4-6 | Aggregate findings: top 20 vulnerabilities by frequency and severity | jq, Excel |
| 6-8 | Validate top 5 findings manually (exploitability check) | Nuclei, manual research |
Day 3: Presentation
| Hour | Activity | Output |
|---|---|---|
| 0-2 | Create one-page executive summary | Markdown / PowerPoint |
| 2-4 | Present to steering committee: "Here is what we found in 48 hours with scripts" | Meeting |
| 4-6 | Discuss: what is the remediation path? What tools do we need to sustain this? | Roadmap |
The conversation at Day 3:
"In 48 hours, using only scripts and free tools, we found 340 known vulnerabilities across your estate. 23 are critical. Five of those are on internet-facing systems. Three are on end-of-life operating systems that cannot be patched. We can fix the patchable ones in two weeks. The unpatachable ones require architecture decisions. Here is the evidence. Now we can have an honest conversation about whether Tenable is worth the investment—or whether we build this capability with open-source tooling first."
When to Recommend Commercial Scanners
After the first sweep, you will know whether the client needs a commercial scanner:
| Scenario | Recommendation |
|---|---|
| First sweep found <100 vulns, mostly patchable | Do not buy Tenable yet. Use scripts + cloud-native scanning + Intune/WSUS/SCCM for 6 months. Reassess. |
| First sweep found 100-500 vulns, client wants continuous visibility | Deploy osquery + FleetDM first. Provides owned, continuous monitoring for a fraction of scanner cost. Reassess in 6 months. |
| First sweep found 500+ vulns, heterogeneous estate | Consider Tenable or Qualys for continuous scanning and compliance reporting. Scripts cannot sustain at this scale. osquery can supplement for real-time data. |
| Client needs compliance evidence (PCI, ISO 27001, SOC 2) | Commercial scanner required. Auditors want vendor-validated scan reports, not scripts. |
| Client has OT/IOT/embedded devices | Specialized scanner required. Traditional tools do not speak Modbus, BACnet, or proprietary protocols. |
| Client wants continuous attack surface monitoring | Consider Tenable.asm, Cortex Xpanse, or Mandiant ASM. Script-based discovery is point-in-time. |
Honest Limitations
| What Script-Based Discovery Does Well | What It Cannot Do |
|---|---|
| Finds missing patches and known CVEs | Cannot find zero-days or configuration logic flaws |
| Maps software inventory accurately | Cannot assess business impact without human context |
| Identifies end-of-life systems | Cannot provide the compliance audit trail auditors demand |
| Generates SBOMs for containers | Cannot scan air-gapped or offline systems without physical access |
| Costs zero in licensing | Requires administrative access (SSH/WinRM/domain admin) |
| Produces evidence fast | Requires technical expertise to interpret and act on findings |
Note: osquery addresses several script-based limitations: it enables continuous monitoring, scales to thousands of endpoints via FleetDM, and provides real-time process/network visibility. The trade-off is agent deployment and query maintenance. See Osquery: The Sovereign Discovery Platform.
Integration With AI-Assisted TVM
The output of zero-budget discovery feeds directly into the AI-assisted TVM prioritization engine:
[zero-budget discovery] → Raw vulnerability data + SBOMs + OS inventories
↓
[AI Prioritization] → Exploitability prediction + asset criticality + threat intel correlation
↓
[Remediation Pipeline] → AI-generated scripts → human validation → deployment → validation
↓
[Continuous Monitoring] → Re-scan → drift detection → quarterly purple team exercise
The retained value: Even if the client later buys Tenable, the SBOM pipeline and container scanning remain valuable. Tenable does not generate SBOMs as cleanly as Syft. Tenable does not scan containers as natively as Grype. The open-source stack complements the commercial scanner, it does not replace it.
For the sovereign discovery platform built on osquery, see Osquery: The Sovereign Discovery Platform. For the AI-assisted TVM prioritization layer, see AI-Assisted TVM Blueprint. For the perimeter scanning strategy, see Perimeter Scanning Capability. For the business case including tool costs, see Business Case Template.