runZero 101 training

This training introduces the core components of the runZero platform. It provides the foundational concepts that help you understand how runZero gathers and structures asset data, how to explore the environment, and how to begin identifying risks and trends.

Each section includes an accompanying walkthrough and links to deeper documentation. runZero 201 covers advanced workflows, automation, and deployment planning.

Platform overview

Before using inventories, findings, reporting views, or dashboards, it’s important to understand the core concepts that shape how runZero organizes and processes data. This section provides short, conceptual introductions to:

• How runZero structures data using Organizations and Sites
• How runZero collects and updates data using Tasks
• How runZero builds unified asset records using Sources and merging behavior

These concepts provide the mental model for everything else in the console.

Organizations and Sites

runZero uses two levels of structure to organize data and control visibility.

Organizations

Organizations define data segmentation and RBAC boundaries. Each Organization maintains its own:

• Assets
• Findings
• Dashboards
• Queries
• Integrations
• Tasks

Use Organizations when you need clear separation between environments (e.g., subsidiaries, departments, or multi-tenant structures).

Sites

Sites represent network structure. A Site corresponds to one or more IP ranges and is used for:

• Assigning assets to a network location
• Generating scan scopes
• Structuring reporting
• Improving segmentation in queries and dashboards

Sites do not define access control. They provide context for how assets are grouped and discovered.

Learn more:

• Organizations
• Sites

Tasks

Tasks are how data enters runZero. Every collection action in the platform is performed by a Task.

Types of Tasks

• Scan tasks (active discovery)
• Integration tasks (data pulled from external systems)
• Monitor tasks (passive discovery)

Each Task includes:

• Status (success, partial, failure)
• Start and end timestamps
• Asset and service counts
• Link to the associated Explorer (if applicable)

Task results drive inventory freshness, dashboard updates, findings, and search counts. If data appears out of date, the Task history is the first place to check.

Learn more:

• Managing tasks
• Discovering assets

Sources and merging

runZero unifies asset data from multiple origins—scans, integrations, and passive monitoring. Each asset may contain attributes from multiple sources, and runZero automatically merges them into a single asset record.

Key concepts

• Source indicators show where an attribute came from
• Conflicting values are resolved using a deterministic merge strategy
• Merging reduces duplicates and consolidates metadata
• source:<source-name> filters allow quick pivoting by origin system
• Asset details show a breakdown of attributes by source

This merging process enables runZero to act as a single source of truth across your IT, OT, cloud, and security stack.

Learn more:

• Understanding assets
• Fingerprinting and merging

Inventory views

This section introduces the primary inventory views in runZero and explains how to navigate and interpret them. These views provide the foundation for exploring your environment.

Asset Inventory

The Asset Inventory shows every asset known to runZero across all sources.

Common tasks include:

• Filtering by IP, hostname, OS, software, or exposure
• Identifying device types across IT, OT, IoT, and cloud
• Reviewing asset context such as criticality, ownership, tags, and findings
• Exporting subsets of data for analysis or reporting

Learn more:

• Using the inventory

Asset detail

The Asset detail page provides a complete, merged view of all metadata for an asset

Key values found on the details page include:

• Attributes from each source
• Services
• Vulnerabilities and findings
• Certificates
• Ownership and criticality
• Historical changes

This is the primary investigative view when troubleshooting or reviewing an asset.

Learn more:

• Understanding assets
• Managing ownership
• Asset risk and criticality

Service Inventory

The Service Inventory provides visibility into every network service discovered through scanning or imported through integrations.

It helps identify:

• Exposed services
• Protocol-level misconfigurations
• Public-facing services
• Administrative or remote access interfaces

Learn more:

• Service search examples

Vulnerability & Software Inventories

These views consolidate vulnerability and software metadata across all sources.

Vulnerability Inventory

Shows vulnerabilities identified through:

• Native findings
• Enriched vulnerability data from integrations
• KEV correlation (CISA KEV and VulnCheck)

Software Inventory

Shows discovered software packages and versions, enabling:

• License tracking
• Version drift analysis
• Identifying outdated or insecure software

Learn more:

• Understanding findings
• Vulnerability search examples

Findings

Findings identify exposures, misconfigurations, vulnerabilities, and security control gaps. This section introduces how Findings work and how to explore them.

Findings overview

Findings combine multiple signals—including scan data, integration data, KEV enrichment, and novel runZero detections—to provide a high-level view of environmental risk.

Common categories include:

• Vulnerabilities
• Administrative access exposures
• Network misconfigurations
• Missing security controls (e.g., EDR, MDM, VM)
• runZero novel findings (e.g., Widely Shared Private Keys)

Learn more:

• Understanding findings

Findings detail

The Findings Detail view shows:

• Description and severity
• Evidence from affected assets
• Remediation guidance
• Links to pivot into Asset Inventory, Service Inventory, or Vulnerabilities

Vulnerability detail

The Vulnerability Detail page merges CVE data from all sources and includes:

• CVSS scores and vectors
• CISA KEV and VulnCheck KEV metadata
• Affected assets and services
• Consolidated descriptions and references

Reporting

Reporting views help visualize your network layout, segment boundaries, subnet coverage, and topology.

Switch Topology & Unmapped MACs reports

Switch Topology shows:

• Switches and physical connections
• Link relationships
• Interface details

Unmapped MACs highlight assets communicating on the network but not mapped to switch ports.

Learn more:

• Switch topology report

Subnet Utilization & RFC1918 Coverage reports

These reports help validate scanning completeness and asset density across subnets:

• Percentage of IP space scanned
• Allocated vs. active subnets
• Hinted assets discovered through passive observations

Learn more:

• Coverage reports

Network Bridges & Asset Route Pathing reports

These views help understand blast radius and segmentation:

• Network Bridges: Visualize internal and external network connections
• Route Pathing: Understand traversal paths between assets

Learn more:

• Understanding network segmentation
• Asset route pathing report

Custom Asset & Service Attribute reports

These reports allow analysis of:

• Common OS families
• Hardware vendor distribution
• Service protocols
• Certificate attributes
• Custom attributes from integrations

Search, Goals, and Custom Dashboards

Search powers nearly every workflow in runZero. Goals and dashboards allow you to track trends over time and visualize key results.

Query Library

The Query Library stores saved searches for:

• Rapid Response
• Gaps in controls
• Common exposure profiles
• Custom organization searches

Saved searches power:

• Dashboards
• Goals
• Alerts
• Automation via rules

Learn more:

• Querying your data
• Search syntax

Baseline Goals

Goals measure progress toward internal or external requirements. Examples include:

• Reducing assets missing EDR
• Lowering the count of public-facing services
• Tracking vulnerability remediation progress

Learn more:

• Goal tracking

Custom Dashboards

Dashboards consolidate searches and metrics. You can:

• Build dashboards per team or use case
• Add widgets from stock or custom searches
• Share dashboards across Organizations
• Recalculate on demand

Learn more:

• Dashboard documentation

Custom Dashboard Widgets

Widgets allow visualization through:

• Counts
• Trend lines
• Goal overviews

Widgets can be created from any saved search.

Next Steps

Once you’ve completed this 101 training, continue with:

• runZero 201 Training
  Builds on the foundations covered here with deeper dives into deployment planning, Explorer strategies, advanced search techniques, automation, and workflow optimization. Ideal for admins or operators responsible for maintaining runZero at scale.

• Use Case Library
  A collection of short, outcome-focused guides showing how to solve specific problems using runZero. Each use case includes example searches, Arcades, and recommended workflows to apply the platform to real scenarios.

• Playbooks
  Step-by-step procedures for executing repeatable security and IT tasks, such as achieving full RFC1918 coverage, identifying gaps in endpoint protection, or preparing for compliance audits. Designed to turn best practices into actionable workflows.

This training provides the foundation needed to operate runZero effectively, investigate assets, interpret findings, and begin measuring and improving your security posture.