---
title: runZero 101 training
---

This training introduces the core components of the runZero platform. It provides the foundational concepts that help you understand how runZero gathers and structures asset data, how to explore the environment, and how to begin identifying risks and trends. 

Each section includes an accompanying walkthrough and links to deeper documentation. [runZero 201](training-201.md) covers advanced workflows, automation, and deployment planning.

## Platform overview {#platform-overview}

<iframe src="https://demo.arcade.software/C1sifY0IIUZl4QzKVGK0?embed" loading="lazy" allowfullscreen title="Platform Overview"></iframe>

Before using inventories, findings, reporting views, or dashboards, it’s important to understand the core concepts that shape how runZero organizes and processes data. This section provides short, conceptual introductions to:

- How runZero structures data using **Organizations** and **Sites**
- How runZero collects and updates data using **Tasks**
- How runZero builds unified asset records using **Sources** and merging behavior

These concepts provide the mental model for everything else in the console.

### Organizations and Sites {#platform-orgs-sites}

runZero uses two levels of structure to organize data and control visibility.

#### Organizations {#platform-organizations}  
Organizations define data segmentation and RBAC boundaries. Each Organization maintains its own:
- Assets  
- Findings  
- Dashboards  
- Queries  
- Integrations  
- Tasks  

Use Organizations when you need clear separation between environments (e.g., subsidiaries, departments, or multi-tenant structures).

#### Sites {#platform-sites}  
Sites represent network structure. A Site corresponds to one or more IP ranges and is used for:
- Assigning assets to a network location  
- Generating scan scopes  
- Structuring reporting  
- Improving segmentation in queries and dashboards  

Sites do **not** define access control. They provide context for how assets are grouped and discovered.

**Learn more:**  
- [Organizations](organizations.md)  
- [Sites](sites.md)

### Tasks {#platform-tasks}

Tasks are how data enters runZero. Every collection action in the platform is performed by a Task.

#### Types of Tasks {#platform-task-types}
- **Scan tasks** (active discovery)  
- **Integration tasks** (data pulled from external systems)  
- **Monitor tasks** (passive discovery)  

Each Task includes:
- Status (success, partial, failure)  
- Start and end timestamps  
- Asset and service counts  
- Link to the associated Explorer (if applicable)

Task results drive inventory freshness, dashboard updates, findings, and search counts. If data appears out of date, the Task history is the first place to check.

**Learn more:**  
- [Managing tasks](managing-tasks.md)  
- [Discovering assets](discovering-assets.md)

### Sources and merging {#platform-sources-merging}

runZero unifies asset data from multiple origins—scans, integrations, and passive monitoring. Each asset may contain attributes from multiple **sources**, and runZero automatically merges them into a single asset record.

#### Key concepts {#platform-sources-key-concepts}
- Source indicators show where an attribute came from  
- Conflicting values are resolved using a deterministic merge strategy  
- Merging reduces duplicates and consolidates metadata  
- `source:<source-name>` filters allow quick pivoting by origin system  
- Asset details show a breakdown of attributes by source  

This merging process enables runZero to act as a single source of truth across your IT, OT, cloud, and security stack.

**Learn more:**  
- [Understanding assets](understanding-assets.md)  
- [Fingerprinting and merging](fingerprinting.md)

## Inventory views {#inventory-views}

This section introduces the primary inventory views in runZero and explains how to navigate and interpret them. These views provide the foundation for exploring your environment.

<iframe src="https://demo.arcade.software/oGxXX22DBXO1cYjH1SGQ?embed" loading="lazy" allowfullscreen title="Inventory Views"></iframe>

### Asset Inventory {#inventory-asset}

The Asset Inventory shows every asset known to runZero across all sources. 

Common tasks include:
- Filtering by IP, hostname, OS, software, or exposure  
- Identifying device types across IT, OT, IoT, and cloud  
- Reviewing asset context such as criticality, ownership, tags, and findings  
- Exporting subsets of data for analysis or reporting  

**Learn more:**  
- [Using the inventory](using-the-inventory.md)

### Asset detail {#inventory-asset-detail}

The Asset detail page provides a complete, merged view of all metadata for an asset

Key values found on the details page include:
- Attributes from each source  
- Services  
- Vulnerabilities and findings  
- Certificates  
- Ownership and criticality  
- Historical changes  

This is the primary investigative view when troubleshooting or reviewing an asset.

**Learn more:**  
- [Understanding assets](understanding-assets.md)  
- [Managing ownership](managing-ownership.md)  
- [Asset risk and criticality](asset-risk-and-criticality.md)

### Service Inventory {#inventory-service}

The Service Inventory provides visibility into every network service discovered through scanning or imported through integrations. 

It helps identify:
- Exposed services  
- Protocol-level misconfigurations  
- Public-facing services  
- Administrative or remote access interfaces  

**Learn more:**  
- [Service search examples](search-query-services.md)

### Vulnerability & Software Inventories {#inventory-vuln-sw}

These views consolidate vulnerability and software metadata across all sources.

#### Vulnerability Inventory {#inventory-vuln}
Shows vulnerabilities identified through:
- Native findings  
- Enriched vulnerability data from integrations  
- KEV correlation (CISA KEV and VulnCheck)  

#### Software Inventory {#inventory-software}
Shows discovered software packages and versions, enabling:
- License tracking  
- Version drift analysis  
- Identifying outdated or insecure software  

**Learn more:**  
- [Understanding findings](understanding-findings.md)  
- [Vulnerability search examples](search-query-vulnerabilities.md)

## Findings {#findings-overview}

Findings identify exposures, misconfigurations, vulnerabilities, and security control gaps. This section introduces how Findings work and how to explore them.

<iframe src="https://demo.arcade.software/1Et6KEO5pLoQhR8LiTZ9?embed" loading="lazy" allowfullscreen title="101 Training - "></iframe>

### Findings overview {#findings-main}

Findings combine multiple signals—including scan data, integration data, KEV enrichment, and novel runZero detections—to provide a high-level view of environmental risk.

Common categories include:
- Vulnerabilities  
- Administrative access exposures  
- Network misconfigurations  
- Missing security controls (e.g., EDR, MDM, VM)  
- runZero novel findings (e.g., Widely Shared Private Keys)

**Learn more:**  
- [Understanding findings](understanding-findings.md)

### Findings detail {#findings-detail}

The Findings Detail view shows:
- Description and severity  
- Evidence from affected assets  
- Remediation guidance  
- Links to pivot into Asset Inventory, Service Inventory, or Vulnerabilities  

### Vulnerability detail {#findings-vuln-detail}

The Vulnerability Detail page merges CVE data from all sources and includes:
- CVSS scores and vectors  
- CISA KEV and VulnCheck KEV metadata  
- Affected assets and services  
- Consolidated descriptions and references  

## Reporting {#reporting-overview}

Reporting views help visualize your network layout, segment boundaries, subnet coverage, and topology.

<iframe src="https://demo.arcade.software/yJJPkihKdVeTo5lBgcTF?embed" loading="lazy" allowfullscreen title="101 Training - "></iframe>

### Switch Topology & Unmapped MACs reports {#reporting-topology}

Switch Topology shows:
- Switches and physical connections  
- Link relationships  
- Interface details  

Unmapped MACs highlight assets communicating on the network but not mapped to switch ports.

**Learn more:**  
- [Switch topology report](switch-topology-report.md)

### Subnet Utilization & RFC1918 Coverage reports {#reporting-rfc1918}

These reports help validate scanning completeness and asset density across subnets:
- Percentage of IP space scanned  
- Allocated vs. active subnets  
- Hinted assets discovered through passive observations  

**Learn more:**  
- [Coverage reports](coverage-reports.md)

### Network Bridges & Asset Route Pathing reports {#reporting-bridges}

These views help understand blast radius and segmentation:

- **Network Bridges:** Visualize internal and external network connections  
- **Route Pathing:** Understand traversal paths between assets  

**Learn more:**  
- [Understanding network segmentation](understanding-network-segmentation.md)  
- [Asset route pathing report](asset-route-pathing-report.md)

### Custom Asset & Service Attribute reports {#reporting-custom}

These reports allow analysis of:
- Common OS families  
- Hardware vendor distribution  
- Service protocols  
- Certificate attributes  
- Custom attributes from integrations  



## Search, Goals, and Custom Dashboards {#search-goals-dashboards}

Search powers nearly every workflow in runZero. Goals and dashboards allow you to track trends over time and visualize key results.

<iframe src="https://demo.arcade.software/9TraXYI3RA6EkbqNi3D3?embed" loading="lazy" allowfullscreen title="101 Training - "></iframe>

### Query Library {#search-query-library}

The Query Library stores saved searches for:
- Rapid Response  
- Gaps in controls  
- Common exposure profiles  
- Custom organization searches  

Saved searches power:
- Dashboards  
- Goals  
- Alerts  
- Automation via rules  

**Learn more:**  
- [Querying your data](querying-your-data.md)  
- [Search syntax](search-query-syntax.md)

### Baseline Goals {#search-goals}

Goals measure progress toward internal or external requirements. Examples include:
- Reducing assets missing EDR  
- Lowering the count of public-facing services  
- Tracking vulnerability remediation progress  

**Learn more:**  
- [Goal tracking](goal-tracking.md)

### Custom Dashboards {#dashboards}

Dashboards consolidate searches and metrics. You can:
- Build dashboards per team or use case  
- Add widgets from stock or custom searches  
- Share dashboards across Organizations  
- Recalculate on demand  

**Learn more:**  
- [Dashboard documentation](dashboard.md)

### Custom Dashboard Widgets {#dashboard-widgets}

Widgets allow visualization through:
- Counts  
- Trend lines  
- Goal overviews

Widgets can be created from any saved search.

## Next Steps {#training-next-steps}

Once you’ve completed this 101 training, continue with:

- **[runZero 201 Training](training-201.md)**  
  Builds on the foundations covered here with deeper dives into deployment planning, Explorer strategies, advanced search techniques, automation, and workflow optimization. Ideal for admins or operators responsible for maintaining runZero at scale.

- **[Use Case Library](use-case-library.md)**  
  A collection of short, outcome-focused guides showing how to solve specific problems using runZero. Each use case includes example searches, Arcades, and recommended workflows to apply the platform to real scenarios.

- **[Playbooks](playbooks/playbooks.md)**  
  Step-by-step procedures for executing repeatable security and IT tasks, such as achieving full RFC1918 coverage, identifying gaps in endpoint protection, or preparing for compliance audits. Designed to turn best practices into actionable workflows.

This training provides the foundation needed to operate runZero effectively, investigate assets, interpret findings, and begin measuring and improving your security posture.