Merge, Track, and Automate Your Asset Inventory with Nucleus

All the major vulnerability scanning vendors have strengths, but asset tracking isn’t one of them. Some workarounds exist. However, if you are using one of the most popular vulnerability scanning tools, it’s likely you will struggle with asset tracking.
Why Asset Merging is Important
Asset merging is critical to your vulnerability management program’s success because it eliminates the double counting of vulnerabilities. If you’re overstating your vulnerability count, you’re also overstating your risk. And nothing is worse for cross-team collaboration than the perception that one of the parties is overstating the problem they need to solve.
Nucleus helps you combine and remove duplicates from your assets and their vulnerabilities. This way, you can see the true number of vulnerabilities and their risks over time.
Our scanning partners find vulnerabilities in your network. However, if the counts are too high, the trends on their dashboards and reports will be incorrect. This creates a belief that the data is wrong. Nothing stops a VM program faster than this belief.
You can fix this by showing only the authenticated scan results on your dashboard or reports. You should also delete assets that have not been seen for a set period of time. However, not all vulnerability scanners can do this.
By removing double counts, you can address the issue and reduce confusion. This way, your remediation teams can work better. They will see that their efforts are measured fairly and accurately. Auditors like this because the rules are clear and easy to see. They are not hidden away.
Why Merging Assets is Hard
Computers move around a lot on the network. Laptops have both wired and wireless network interfaces, so that’s at least two IP addresses. Servers often have multiple network cards, for various reasons, and each network card has its own IP address. Network devices often have a multitude of IP addresses as well.
For just these two reasons alone, you can get a lot of asset duplication on your network.
Making matters worse, many organizations run both agent and network scans. They may even do both an authenticated and unauthenticated network scan – to get every possible perspective. Auditors sometimes insist on this. The scanners’ asset tracking depends on authentication.
The scanner writes a UUID to each system the first time it finds one. It then reads the UUID again on each scan after that. This gets around the multiple IP address problem. But if the scanner doesn’t authenticate, it doesn’t see the UUID.
And if you rebuild a system, you lose the scanner-assigned UUID, which creates another duplicate asset. Or worse yet, another set of duplicate assets.
Your infrastructure team can avoid this by saving and restoring the registry key or file. This file holds the UUID for your scanner.
However, the team must remember to do this. If they rebuild systems every month instead of patching, it’s easy to forget some systems. They only need to make this mistake once.
The perception problem is huge. The question becomes how many times each vulnerability is counted, and how many of those duplicates get closed. No matter who made the mistake that led to the miscount, the VM team must figure it out.
If you only run authenticated scans and set your scanners to use tracking UUIDs, you can mostly fix this issue. But if you have a contractual or regulatory requirement for both authenticated and unauthenticated scans, it’s virtually impossible to eliminate the duplication in your scanner.
Even if you don’t intentionally perform unauthenticated scans, sometimes your network-based authentication fails. In that case, you get unauthenticated results even when you don’t want them. That results in unwanted duplicate assets.
In large enterprises, a 95% authentication success rate is rather good. But that means five percent of your assets could be duplicates.
The result is that even when things go well, you might end up arguing about math. This can distract from fixing vulnerabilities.
This is where Nucleus can help.
Multiple Options for Merging Assets
Nucleus was by no means the first company to try to solve this problem. But there is no one-size-fits-all solution.
Nucleus will always use the scanner-assigned asset UUID as its first matching criterion. This works extremely well. But when there’s no UUID available to use, Nucleus can substitute other options.
For an easy button, set your Nucleus project to track by hostname. This works well in many environments.
If that doesn’t completely solve your problem, our asset removal rules can help, both with remaining duplicates and with decommissioned assets. You can set up rules to deactivate assets or remove them completely. We recommend deactivating because it keeps the history if the asset returns. In either case, vulnerabilities from a removed or deactivated asset do not count toward your total or risk score.
If you still have some stray assets after setting those rules, you can clean them up by hand. This is a feature most vulnerability management tools lack. To merge assets manually, just check the assets you want to merge and pick the merge assets option from the Actions menu.
In large companies, DNS servers may not always be in sync. This can lead to different asset names during scans.
This is especially true for unauthenticated scans. In these cases, the scanner depends on DNS instead of asking the host for its name. This is an unusual condition. It may not be possible to create asset processing rules for it, which will require a manual approach.
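The matching order described in this section (scanner UUID first, hostname when no UUID is available) can be sketched as follows. This is an added example, not Nucleus code: the record layout, the function names, and the choice to keep a record with neither UUID nor hostname as its own asset are assumptions, and the scan records are constructed.

```python
from collections import defaultdict

# Constructed scan records: (source, scanner_uuid, hostname, ip, findings).
# One laptop is seen by an agent, an authenticated and an unauthenticated scan.
SCAN_RECORDS = [
    ("agent",      "u-1001", "LAPTOP-07",  "10.0.1.15", {"VULN-A", "VULN-B"}),
    ("net-auth",   "u-1001", "laptop-07",  "10.0.9.44", {"VULN-A", "VULN-B", "VULN-C"}),
    ("net-unauth", None,     "laptop-07.", "10.0.9.44", {"VULN-C"}),
    ("net-auth",   "u-2002", "srv-db-01",  "10.0.2.8",  {"VULN-A"}),
    ("net-unauth", None,     "",           "10.0.3.3",  {"VULN-D"}),
]

def normalize(hostname):
    """Case-fold and drop a trailing DNS dot so name variants compare equal."""
    return (hostname or "").strip().rstrip(".").lower()

def merge_assets(records):
    """Group scan records into assets: UUID first, hostname as fallback."""
    assets = defaultdict(lambda: {"ips": set(), "sources": set(), "vulns": set()})
    host_to_key = {}
    # Process UUID-bearing records first so hostnames learned from them
    # can absorb later records that carry no UUID (stable sort keeps order).
    for source, uuid, hostname, ip, vulns in sorted(records, key=lambda r: r[1] is None):
        host = normalize(hostname)
        if uuid:
            key = "uuid:" + uuid
            if host:
                host_to_key.setdefault(host, key)
        elif host:
            # No UUID (unauthenticated result): fall back to the hostname.
            key = host_to_key.setdefault(host, "host:" + host)
        else:
            # Assumption: nothing to match on, keep separate for manual merge.
            key = "ip:" + ip
        asset = assets[key]
        asset["ips"].add(ip)
        asset["sources"].add(source)
        asset["vulns"].update(vulns)
    return dict(assets)

def vuln_counts(records):
    """Return (count per scan record, count per merged asset)."""
    naive = sum(len(r[4]) for r in records)
    merged = sum(len(a["vulns"]) for a in merge_assets(records).values())
    return naive, merged

if __name__ == "__main__":
    print(vuln_counts(SCAN_RECORDS))
```

The record that has neither a UUID nor a hostname stays a separate asset, which is the kind of stray that is left for manual merging.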
Close the Gaps in Your Asset Inventory
Asset tracking problems might start with your scanners, but they don’t have to end there. Nucleus sits on top of your existing tools, bringing order to the chaos by intelligently merging, de-duplicating, and managing your assets—whether they’re authenticated, unauthenticated, or somewhere in between.
Whether you’re dealing with inconsistent DNS records, UUID conflicts, or missing context across scan types, Nucleus helps you create a single, reliable view of every asset and its associated vulnerabilities. This unified perspective enables faster, clearer remediation decisions and gives security teams, auditors, and stakeholders confidence in the data they’re working with.
Getting your asset inventory right isn’t easy. With Nucleus, it’s finally manageable.