---
title: Use case library
---

## Appendix

- [Total attack surface visibility](#use-case-library-visibility)
  - [Active discovery on all internal assets](#use-case-library-active-discovery)
  - [Active discovery on all externally facing assets](#use-case-library-active-external)
  - [Passive discovery and enrichment in key network segments](#use-case-library-passive-discovery)
  - [Integrate with all cloud providers and other relevant data sources](#use-case-library-cloud-integration)
- [Full-spectrum exposure detection](#use-case-library-full-spectrum)
  - [Rapid Response findings and asset-level pivoting](#use-case-library-rapid-response-pivot)
  - [Network misconfiguration findings and control coverage gaps](#use-case-library-network-gaps)
  - [Vulnerability enrichment and inside-out findings](#use-case-library-enriched-findings)
- [Risk prioritization and insights](#use-case-library-risk-insights)
  - [Custom dashboards](#use-case-library-custom-dashboards)
  - [Rules and alerts](#use-case-library-rules-alerts)
  - [Setting asset criticality and ownership](#use-case-library-asset-context)
- [Compliance, Reporting, and KPIs](#use-case-library-compliance)
  - [Comply with asset inventory and discovery requirements of relevant frameworks](#use-case-library-asset-inventory)
  - [Comply with secure configuration requirements of relevant frameworks](#use-case-library-secure-config)
  - [Comply with malware protection requirements of relevant frameworks](#use-case-library-malware-protection)
  - [Comply with vulnerability management requirements of relevant frameworks](#use-case-library-vuln-management)
  
## Total attack surface visibility {#use-case-library-visibility}

Achieving complete visibility is essential for understanding and managing your organization's attack surface. This encompasses internal and external assets, cloud and security tooling integrations, and passive discovery methods to ensure comprehensive oversight and proactive threat mitigation.

<iframe src="https://demo.arcade.software/czGWFyefBp0ITyrNh00S?embed" loading="lazy" allowfullscreen title="Total attack surface visibility"></iframe>

### Active discovery on all internal assets {#use-case-library-active-discovery}

This use case focuses on identifying all internal assets within defined network boundaries. It ensures organizations can actively monitor their managed networks to maintain up-to-date inventory.

<iframe src="https://demo.arcade.software/BwiVHAbuMhMEaFS3wcZB?embed" loading="lazy" allowfullscreen title="Active discovery on all internal assets"></iframe>

#### Steps:
1. Define networks of interest/managed networks/known subnets.
2. Configure Organization(s) and Site(s).
3. Install Explorer(s).
4. Configure scan(s).
5. Review the inventory to verify that connectivity and fingerprinting look good.

### Active discovery on all externally facing assets {#use-case-library-active-external}

Gain visibility into external assets, such as domains and IP ranges, that represent your public-facing footprint. This approach ensures you can proactively address vulnerabilities in your external attack surface.

By monitoring external-facing assets, organizations can identify vulnerabilities and misconfigurations before they are exploited. Continuous scanning and updates keep your external inventory current and secure.

<iframe src="https://demo.arcade.software/Hr5bkmju8l05bXpJVzUK?embed" loading="lazy" allowfullscreen title="Active discovery on all externally facing assets"></iframe>

#### Steps:
1. Define external ranges, domains, and subdomains.
2. Set external ranges, domains, subdomains, and ASN4 numbers within scan scope.
3. Run a scan using runZero hosted zones.
4. Review inventory to verify findings.

### Passive discovery and enrichment in key network segments {#use-case-library-passive-discovery}

Identify assets and gain insights without active scanning by leveraging network TAPs or SPAN ports. This ensures continuous monitoring with minimal disruption to network operations.

Passive discovery complements active methods by observing traffic patterns and enriching data without interrupting critical operations. This approach is ideal for sensitive network segments.

<iframe src="https://demo.arcade.software/FY5yr0WhhBMHEm8JpUGP?embed" loading="lazy" allowfullscreen title="Passive discovery and enrichment in key network segments"></iframe>

#### Steps:
1. Set up a network TAP or a SPAN port, or leverage an existing network TAP or SPAN port.
2. Place an Explorer on the network TAP or on a host sitting on the SPAN port.
3. Configure the Explorer to listen on the relevant interfaces and set the scan scope; after that it is set and forget.

### Integrate with all cloud providers and other relevant data sources {#use-case-library-cloud-integration}

Seamlessly connect with cloud providers and other data sources to ensure complete visibility across hybrid environments. Simplify asset management by unifying data under one platform.

Cloud integration enables real-time visibility into assets spread across various platforms. It reduces manual effort and enhances data consistency by leveraging automated updates from connected sources.

<iframe src="https://demo.arcade.software/cKpli6rfzzpEKUkTYhUB?embed" loading="lazy" allowfullscreen title="Integrate with all cloud providers and other relevant data sources"></iframe>

#### Steps:
1. Configure integrations with EDR, MDM, directory services, cloud solutions, and vulnerability management platforms.
2. Ensure on-prem solutions have an Explorer so the integration can run successfully; cloud solutions do not require an Explorer.

## Full-spectrum exposure detection {#use-case-library-full-spectrum}

Gain comprehensive visibility across your environment by correlating Rapid Response insights, asset-level context, control coverage gaps, and enriched vulnerability data. This layered approach enables faster detection, better prioritization, and more targeted response efforts.

<iframe src="https://demo.arcade.software/7AWCZMXiYH2PHV55TJK8?embed" loading="lazy" allowfullscreen title="Full-spectrum exposure detection"></iframe>

### Rapid Response findings and asset-level pivoting {#use-case-library-rapid-response-pivot}

Quickly investigate Rapid Response findings by moving from high-level dashboards to individual assets. This seamless workflow brings together threat intelligence, exposure history, and asset impact for fast and actionable insights.

<iframe src="https://demo.arcade.software/JX33RvIV67QjgSrr8uFk?embed" loading="lazy" allowfullscreen title="Rapid Response findings and asset-level pivoting"></iframe>

#### Steps:
1. Review the [Risk Dashboard](https://console.runzero.com/dashboards/6151aaec-d99b-45f4-8279-8333f1dfaff1). 
2. Review the [Rapid Response](https://www.runzero.com/blog/rapid-response/) blog to see past examples.
3. Open [Rapid Response queries](https://console.runzero.com/queries?search=category%3A%22Rapid%20Response%22) to examine historical trends.

### Network misconfiguration findings and control coverage gaps {#use-case-library-network-gaps}

Identify network misconfigurations and highlight security control gaps—like missing EDR or VM coverage—by using targeted queries and contextual inventory views. This helps prioritize risk reduction efforts based on actual gaps in defense.

<iframe src="https://demo.arcade.software/ydEQUoHryTnMQwmxeEbE?embed" loading="lazy" allowfullscreen title="Network misconfiguration findings and control coverage gaps"></iframe>

#### Steps:
1. Review [sample network misconfiguration](https://console.runzero.com/findings?search=name%3Aauth) findings.
2. View [all assets with an associated finding](https://console.runzero.com/inventory?search=finding%3At).
3. View [assets missing EDR coverage](https://console.runzero.com/inventory?search=finding%3At%20not%20%28source%3Acrowdstrike%20or%20source%3Asentinelone%20or%20source%3Ams365defender%29%20%28type%3Aserver%20or%20type%3Adesktop%20or%20type%3Alaptop%29).

### Vulnerability enrichment and inside-out findings {#use-case-library-enriched-findings}

Enhance your vulnerability management process with enriched context such as KEV status, exposure points, and related asset attributes. Combine these filters with reports like network bridges to identify exploitable attack paths.

<iframe src="https://demo.arcade.software/ysVrSHgyyYaXVgNm0n6L?embed" loading="lazy" allowfullscreen title="Vulnerability enrichment and inside-out findings"></iframe>

#### Steps:
1. Review [KEV (Known Exploited Vulnerabilities)](https://console.runzero.com/findings?search=name%3Aknown) findings.
2. View [assets with a finding and a vulnerability on the KEV list](https://console.runzero.com/inventory?search=finding%3At%20kev%3At%20has_public_v4%3At).
3. View [network bridges report](https://console.runzero.com/reports/analysis/bridges?mask=24&filter=finding:t) filtered to only assets with an associated finding.

## Risk prioritization and insights {#use-case-library-risk-insights}

Prioritize what matters most by aligning dashboards, alerts, and asset context to risk. Use customizable workflows and real-time metrics to drive better decision-making and reduce noise.

### Custom dashboards for dynamic visibility {#use-case-library-custom-dashboards}

Build dashboards tailored to your environment and objectives. Combine stock widgets, saved queries, and custom metrics to track what matters and highlight key trends.

<iframe src="https://demo.arcade.software/qFM29cKcpxQ7EvoGql7s?embed" loading="lazy" allowfullscreen title="Custom dashboards for dynamic visibility"></iframe>

#### Steps:
1. Go to [the runZero home page](https://console.runzero.com/) to create a new dashboard.
2. Click Widgets to add your selection.

### Rules and alerts for automated monitoring {#use-case-library-rules-alerts}

Turn searches into alerts by creating rules that notify your team of meaningful changes. Use templates and channels to streamline alert creation and delivery.

<iframe src="https://demo.arcade.software/9KdZtQ8f8YC7i0EmKyPo?embed" loading="lazy" allowfullscreen title="Rules and alerts for automated monitoring"></iframe>

#### Steps:
1. Create a [channel](https://console.runzero.com/alerts/channels/create) or destination for your notifications.
2. Create a [template](https://console.runzero.com/alerts/templates/create) for your payload.
   - See sample [alert templates](docs/creating-alert-templates.md).
3. Go to [create rule](https://console.runzero.com/alerts/rules). 
4. Finalize logic, review, and save. 

### Asset criticality, ownership, and search filters {#use-case-library-asset-context}

Improve search relevance and response precision by tagging assets with criticality and ownership metadata. These values also drive automated rule actions.

<iframe src="https://demo.arcade.software/FzO9JVNhu6r4WHAA1ZZE?embed" loading="lazy" allowfullscreen title="Asset criticality, ownership, and search filters"></iframe>

#### Steps:
1. Search for specific assets in the inventory view.
2. Update asset criticality or ownership directly from the inventory.
3. Use a rule with the _Modify assets_ action to update the desired values.


## Compliance, Reporting, and KPIs {#use-case-library-compliance}

Adhering to compliance standards requires accurate asset tracking, secure configurations, and effective vulnerability management. runZero simplifies these processes to help organizations meet regulatory demands.

<iframe src="https://demo.arcade.software/vISBYqPvDL3lQSiJm8hW?embed" loading="lazy" allowfullscreen title="Compliance, Reporting, and KPIs"></iframe>

### Comply with asset inventory and discovery requirements of relevant frameworks {#use-case-library-asset-inventory}

Maintain compliance with industry standards by ensuring accurate and comprehensive asset discovery. Demonstrate adherence through detailed inventory and reporting.

Comprehensive inventory management helps organizations satisfy regulatory audits. Combining active, passive, and integration-based discovery methods ensures no assets are overlooked.

<iframe src="https://demo.arcade.software/UU0StIbiDN4sYEHHCLmx?embed" loading="lazy" allowfullscreen title="Comply with asset inventory and discovery requirements of relevant frameworks"></iframe>

#### Steps:
1. Review documentation mapping runZero to compliance frameworks.
2. Review active, passive, and integration options.
3. Use the task history to see when scans or integrations ran.
4. Display inventory for real-time compliance visibility.

### Comply with secure configuration requirements of relevant frameworks {#use-case-library-secure-config}

Meet secure configuration standards by identifying and addressing insecure protocols or configurations. Ensure alignment with regulatory requirements.

Secure configurations are critical for mitigating risks associated with legacy protocols and insecure settings. Automation tools enhance efficiency in identifying and remediating issues.

<iframe src="https://demo.arcade.software/kAQW0zPT2Qwc502ZWypM?embed" loading="lazy" allowfullscreen title="Comply with secure configuration requirements of relevant frameworks"></iframe>

#### Steps:
1. Review documentation mapping runZero to compliance frameworks.
2. Use search to find insecure protocols like FTP, TFTP, Telnet, and HTTP.
3. Save searches for tracking and add to the dashboard for reporting.

### Comply with malware protection requirements of relevant frameworks {#use-case-library-malware-protection}

Integrate with Endpoint Detection and Response (EDR) solutions to ensure compliance with malware protection standards. Identify and address gaps in protection.

Effective malware protection depends on real-time monitoring and quick response. Comprehensive integration options streamline the detection and resolution of gaps.

<iframe src="https://demo.arcade.software/jxnDeBkhBkqJcITVMFSs?embed" loading="lazy" allowfullscreen title="Comply with malware protection requirements of relevant frameworks"></iframe>

#### Steps:
1. Review documentation mapping runZero to compliance frameworks.
2. Review EDR integrations and options for custom integration.
3. Search for gaps in EDR and alert on newly found gaps.

### Comply with vulnerability management requirements of relevant frameworks {#use-case-library-vuln-management}

Leverage integrations and inventory tools to meet vulnerability management requirements. Track and address vulnerabilities effectively.

Meeting vulnerability management requirements involves continuous monitoring, prioritization, and remediation. Automated tools provide actionable insights to streamline this process.

<iframe src="https://demo.arcade.software/QWQm0uRdyjSRX6XucHkc?embed" loading="lazy" allowfullscreen title="Comply with vulnerability management requirements of relevant frameworks"></iframe>

#### Steps:
1. Review documentation mapping runZero to compliance frameworks.
2. Search for gaps in vulnerability scanning.
3. Use vulnerability inventory with KEV/EPSS enrichments for enhanced insights.