AI-Driven Asset Discovery and Intelligent Inventory Management

Quick Summary 

We delivered a centralised asset inventory solution that forms the foundation of a comprehensive cybersecurity compliance platform. The solution enabled the organisation to manage assets across physical, information, human, technological, and intangible categories, with structured ownership, status tracking, and AI-assisted network discovery built in from the outset. 

• Centralised cybersecurity governance and improved operational visibility achieved through a unified asset registry, structured criticality scoring, and real-time AI-assisted network discovery. 
• Stronger compliance readiness and better decision-making enabled through a defensible 1-to-5 impact scoring model and automated asset detection, giving security teams an accurate, audit-ready foundation to act from. 
   

Industry

Cybersecurity/SaaS
  

Geography

UK
 

Core Technologies Used

Frontend & Backend 

• React 
• Python 

LLM Model

-OpenAI models GPT-4 class / GPT 4o, GPT-5 class [for reasoning]

embedding model

-OpenAI - Text Embedding 3 Small [for RAG & semantic search ]

NLP Preprocessing

-spaCy - en_core_web_lg  [for Entity extraction]

Agentic Framework

-LangGraph

Client Profile 

The client is a cybersecurity product company building a compliance platform for SMEs and enterprises operating across regulated environments. The platform is designed to consolidate the core pillars of a security programme, covering asset management, risk assessment, policy compliance, staff awareness, and incident response, into a single governed product experience. Cubet was engaged as the product engineering partner responsible for designing, building, and delivering the platform from the ground up, beginning with the Asset Inventory Module as its structural foundation. 

Challenges 

1. Incomplete and unreliable registers: Most organisations maintained asset records in spreadsheets or shared documents that fell out of date within weeks of being created, leaving security teams working from data they could not trust. 
2. Shadow IT and ungoverned endpoints: Devices joined networks without ever being formally registered. Without automated discovery, these blind spots persisted indefinitely and were invisible to risk assessments. 
3. No consistent criticality framework: Asset importance was assessed informally or not at all, making it impossible to prioritise security controls or justify resource allocation decisions to leadership or auditors. 
4. Compliance evidence gaps: Frameworks such as ISO 27001 require organisations to demonstrate a current, attributed, and criticality-scored asset inventory. Manual records rarely met that standard without significant remediation effort ahead of audits. 
5. Ownership ambiguity: Assets without clearly assigned owners created accountability gaps that complicated incident response, access reviews, and vendor management processes. 
6. No path to automation: Existing tools were either too complex for organisations earlier in their security maturity or too limited to support the scale and structure that compliance programmes demand. 

Solution 

We designed and built the Asset Inventory Module as the data foundation on which the entire compliance platform operates. The module combines a rigorously structured asset registry with an AI-driven discovery layer, giving organisations the ability to establish a complete and current inventory without relying on manual effort alone. 

The solution addresses both the immediate compliance requirement and the longer-term operational need: a register that stays accurate as environments change, and that produces records auditors can rely on without additional reconstruction. 

1. Multi-category asset classification covering physical, information, human, technology, supplier, and intangible asset types within a single unified registry 
2. Structured required fields covering unique ID, name, type, description, owner, location, status, and impact score, embedded in the asset creation workflow from the outset 
3. Full lifecycle status tracking from active deployment through maintenance, retirement, and disposal 
4. Owner assignment mapped to user profiles for clear, auditable accountability at the asset and asset-group level 
5. Structured 1-to-5 criticality scoring anchored to four evaluation criteria: operational importance, data sensitivity, regulatory relevance, and potential impact if the asset were compromised 
6. AI-assisted network scanning via NMAP integration, surfacing discovered devices as categorised and provisionally scored asset candidates for human review and confirmation 
7. Secure API integration layer managing communication between scanning tools and the asset registry, with automated registration linking discovered assets directly into the risk scoring framework 
8. Real-time discovery dashboard providing scan progress visibility and actionable review prompts for discovered assets 

Technical Highlights 

1. AI classification model: Analyses device metadata including IP address, open services, and device type signals from network scans to suggest appropriate asset categories and provisional criticality ratings without requiring manual input for each discovered endpoint. 
2. NMAP integration: Network scanning is initiated directly from within the module interface and returns discovered devices in real time, reducing the time required to establish an initial asset baseline from weeks to hours. 
3. Human-in-the-loop design: AI-generated suggestions are presented as review prompts, not automated decisions. Organisational context that cannot be inferred from a network scan, covering business function, data classification, and team ownership, is preserved as a human judgment. 
4. Defensible criticality methodology: The 1-to-5 impact scoring model uses a consistent multi-criteria framework across all asset types, enabling comparable prioritisation and providing auditors with the evidence trail they need to understand rating decisions. 
5. Compliance-aligned data structure: Required fields and ownership attribution are built into the asset creation workflow rather than added retrospectively, ensuring that records meet audit requirements from the point of creation. 
6. Platform integration: Asset criticality scores feed directly into risk scoring and control assignment elsewhere in the platform, meaning the quality of inventory data has compounding value across the entire compliance programme. 
7. Scalable architecture: The module is designed to accommodate asset environments ranging from small single-site organisations to multi-entity enterprises with distributed infrastructure across cloud and on-premise environments. 

Impact 

1. Baseline established from day one: AI-assisted discovery means organisations can produce a near-complete initial asset inventory in hours rather than weeks, removing the blank-page problem that historically delayed security programme launches. 
2. Ungoverned assets surfaced automatically: Network scanning identifies devices and endpoints that were never formally registered, eliminating the blind spots that manual processes consistently miss and that persist undetected for months in unmanaged environments. 
3. Audit-ready records without rework: Because required fields, ownership attribution, and criticality ratings are embedded in the creation workflow, organisations facing ISO 27001 assessments or Cyber Essentials certifications can produce evidence directly from the system. 
4. Consistent, defensible prioritisation: The structured criticality scoring model gives security teams a shared methodology for deciding where to focus controls and resource, and a documented basis for those decisions that stands up to auditor scrutiny. 
5. Clearer security ownership: Owner assignment at the asset and asset-group level resolves the accountability ambiguity that complicates incident response, access reviews, and vendor management in organisations without formal attribution processes. 
6. Downstream platform accuracy: Because asset criticality feeds into risk scoring and compliance workflows across the platform, an accurate inventory produces more reliable outputs at every subsequent stage of the security programme. 
7. Reduced dependency on individual knowledge: Structured, system-held asset records reduce reliance on the institutional memory of individual team members, making the security programme more resilient to staff transitions.