
Agentless Discovery

Discover cloud and on-premises infrastructure without deploying agents.

Overview

Agentless Discovery provides comprehensive visibility into your infrastructure using native cloud APIs and standard protocols. No agents to install, manage, or update: just configure credentials and start discovering.

Supported Providers

Amazon Web Services (AWS)

Discover EC2 instances, VPCs, security groups, IAM, S3, RDS, Lambda, and more using IAM role assumption.

Setup:

  1. Create an IAM role with read-only permissions
  2. Configure a trust policy allowing Infracast to assume the role
  3. Add an External ID for security
  4. Enter the Role ARN in Infracast

Multi-Region: Automatically scans all enabled regions concurrently.
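The trust policy from steps 2 and 3, with the External ID carried as an `sts:ExternalId` condition, is what ties the role to one scanner and one shared secret. The following is an added example, not Infracast code: it builds such a trust policy and checks an existing one for the two things that matter (a principal limited to the scanner account, and the External ID condition present). The account ID `111122223333`, the External ID value and the finding strings are constructed placeholders; the real scanner account and External ID come from the Infracast setup wizard.

```python
"""Build and check the IAM trust policy for the read-only role that Infracast
assumes (AWS setup steps 1-3). Added example, not Infracast code: the account
ID and External ID are constructed placeholders, and the policy shape is
standard AWS IAM JSON, not an Infracast-specific format.
"""
import json
import secrets

# Constructed placeholders; the real scanner account ID and External ID come
# from the Infracast setup wizard, not from this example.
SCANNER_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"


def new_external_id() -> str:
    """Generate a random External ID. URL-safe base64 emits only [A-Za-z0-9_-],
    which is a subset of the characters AWS accepts in sts:ExternalId."""
    return secrets.token_urlsafe(32)


def build_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy allowing only the scanner account to assume the role, and
    only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM allows scalars or lists for Principal, Action and Statement."""
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict, scanner_account_id: str) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole.

    An empty list means each such statement is limited to the scanner account
    and carries an sts:ExternalId condition. That condition is what blocks the
    confused deputy: knowing the role ARN alone is not enough to have the
    scanner assume the role on someone else's behalf.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws_principals:
            findings.append("sts:AssumeRole is allowed from any AWS principal")
        if not any(scanner_account_id in p for p in aws_principals):
            findings.append(f"no principal references scanner account {scanner_account_id}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not equals.get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition (confused deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, SCANNER_ACCOUNT_ID))
```

Run `check_trust_policy` against the trust policy of the role before entering its ARN in Infracast; a non-empty result means the role is either assumable by anyone or missing the External ID that the "Security Model" section below relies on.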

Microsoft Azure

Discover virtual machines, virtual networks, NSGs, storage accounts, Entra ID, and more using service principal authentication.

Setup:

  1. Create a Service Principal in Entra ID
  2. Grant Reader role on target subscriptions
  3. Enter Tenant ID, Client ID, and Client Secret in Infracast

Google Cloud Platform (GCP)

Discover Compute instances, VPC networks, firewall rules, IAM, Cloud Storage, and more.

Setup:

  1. Create a Service Account with Viewer role
  2. Configure Workload Identity Federation (recommended) or export a key file
  3. Enter Project ID and credentials in Infracast

Microsoft 365

Discover Entra ID users, groups, apps, Conditional Access policies, Exchange mailboxes, SharePoint sites, and Teams.

Setup:

  1. Create an App Registration in Entra ID
  2. Add required Microsoft Graph API permissions
  3. Grant admin consent
  4. Enter Tenant ID, Client ID, and Client Secret in Infracast

Compliance: Includes 23 CIS Microsoft 365 Benchmark rules for automated security assessment.

On-Premises

Discover Linux/Unix hosts via SSH and Windows hosts via WinRM.

Resources discovered:

  • Operating system and version
  • Installed packages
  • Running services
  • Open ports
  • Network interfaces
  • Storage configuration

Authentication options:

  • SSH: Password, key-based, or key with passphrase
  • WinRM: Basic, domain, or certificate-based

Target specification:

  • Single IP address
  • Comma-separated IP list
  • CIDR range (up to /24)
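The three target forms above (single IP, comma-separated list, CIDR no larger than /24) are simple to parse, but the /24 ceiling is worth enforcing before any SSH or WinRM connection is opened, so that a typo such as `/8` is rejected rather than turned into millions of connection attempts. The parser below is an added example, not Infracast code; it assumes IPv4 targets, and its error messages are its own.

```python
"""Parse the on-premises target specification: a single IP, a comma-separated
list of IPs, or a CIDR range no larger than /24.

Added example, not Infracast code. The three accepted forms and the /24 limit
come from the documentation; IPv4-only handling and the error text are this
example's own assumptions.
"""
import ipaddress
from typing import List

MIN_PREFIX_LEN = 24  # a /24 (256 addresses) is the largest range the page allows


def expand_targets(spec: str) -> List[str]:
    """Return the ordered, de-duplicated host addresses a target spec expands to.

    Raises ValueError for malformed input or for a range larger than /24, so
    the mistake surfaces before the scanner tries to connect to anything.
    """
    targets: List[str] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty target entry")
        if "/" in item:
            network = ipaddress.ip_network(item, strict=False)
            if network.version != 4:
                raise ValueError(f"{item}: only IPv4 ranges are supported")
            if network.prefixlen < MIN_PREFIX_LEN:
                raise ValueError(f"{item}: ranges larger than /{MIN_PREFIX_LEN} are not allowed")
            if network.prefixlen >= 31:
                # /31 and /32 have no distinct network/broadcast address; scan every address
                hosts = list(network)
            else:
                hosts = list(network.hosts())  # excludes network and broadcast addresses
            targets.extend(str(h) for h in hosts)
        else:
            address = ipaddress.ip_address(item)
            if address.version != 4:
                raise ValueError(f"{item}: only IPv4 targets are supported")
            targets.append(str(address))
    seen = set()
    unique: List[str] = []
    for t in targets:
        if t not in seen:
            seen.add(t)
            unique.append(t)
    return unique


if __name__ == "__main__":
    for spec in ("10.0.0.5", "10.0.0.5, 10.0.0.6", "192.168.1.0/24", "10.0.0.0/16"):
        try:
            hosts = expand_targets(spec)
            print(f"{spec!r}: {len(hosts)} host(s), first {hosts[0]}, last {hosts[-1]}")
        except ValueError as exc:
            print(f"{spec!r}: rejected ({exc})")
```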

Using Agentless Discovery

Start a Scan

  1. Navigate to Operations → Agentless Discovery
  2. Select your provider (AWS, Azure, GCP, M365, On-Prem)
  3. Follow the setup wizard to configure credentials
  4. Click Test Connection to validate
  5. Click Start Scan

View Results

  • Discovered resources appear in the Asset Graph
  • Relationships are automatically mapped
  • Compliance rules run against discovered resources

Schedule Scans

Configure recurring scans to maintain up-to-date visibility:

  • Daily, weekly, or custom schedules
  • Automatic drift detection
  • Alert on new resources or changes
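Drift detection on scheduled scans comes down to comparing two point-in-time snapshots and reporting what appeared, disappeared or changed. The following is an added example, not Infracast code: it diffs two constructed snapshots (the resource shape and the sample resources are invented for this example and do not reflect Infracast's data model) and turns the result into one alert line per event.

```python
"""Diff two point-in-time discovery snapshots to flag new, removed and changed
resources, which is the check behind scheduled-scan drift detection.

Added example, not Infracast code. The snapshot shape (a list of resources
with an id, a type and an attrs dict) and the sample data are constructed for
this example.
"""
from typing import Dict, List, Tuple

Resource = Dict[str, object]

# Constructed sample snapshots: the previous scheduled scan and the latest one.
PREVIOUS: List[Resource] = [
    {"id": "sg-0a1b", "type": "aws:security-group", "attrs": {"ingress": ["10.0.0.0/8:22"]}},
    {"id": "i-1234", "type": "aws:ec2", "attrs": {"state": "running", "public_ip": None}},
    {"id": "bucket-logs", "type": "aws:s3", "attrs": {"public": False}},
]
LATEST: List[Resource] = [
    # the security group now also admits SSH from anywhere
    {"id": "sg-0a1b", "type": "aws:security-group", "attrs": {"ingress": ["10.0.0.0/8:22", "0.0.0.0/0:22"]}},
    {"id": "i-1234", "type": "aws:ec2", "attrs": {"state": "running", "public_ip": None}},
    # a new instance with a public address appeared; the log bucket is gone
    {"id": "i-9999", "type": "aws:ec2", "attrs": {"state": "running", "public_ip": "203.0.113.10"}},
]

Change = Tuple[str, str, object, object]  # (resource id, attribute, old value, new value)


def _index(snapshot: List[Resource]) -> Dict[str, Resource]:
    return {str(r["id"]): r for r in snapshot}


def diff_snapshots(previous: List[Resource], latest: List[Resource]) -> Dict[str, list]:
    """Return added and removed resource ids plus per-attribute changes,
    all in sorted order so the output is stable between runs."""
    before, after = _index(previous), _index(latest)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed: List[Change] = []
    for rid in sorted(set(before) & set(after)):
        old_attrs, new_attrs = before[rid]["attrs"], after[rid]["attrs"]
        for key in sorted(set(old_attrs) | set(new_attrs)):
            if old_attrs.get(key) != new_attrs.get(key):
                changed.append((rid, key, old_attrs.get(key), new_attrs.get(key)))
    return {"added": added, "removed": removed, "changed": changed}


def format_alerts(drift: Dict[str, list]) -> List[str]:
    """Render a diff as one alert line per event, suitable for a notification hook."""
    lines = [f"NEW resource {rid}" for rid in drift["added"]]
    lines += [f"REMOVED resource {rid}" for rid in drift["removed"]]
    lines += [f"CHANGED {rid}.{key}: {old!r} -> {new!r}" for rid, key, old, new in drift["changed"]]
    return lines


if __name__ == "__main__":
    for line in format_alerts(diff_snapshots(PREVIOUS, LATEST)):
        print(line)
```

Changed attributes are reported at attribute granularity rather than as "resource changed", because the interesting events (a security group opened to `0.0.0.0/0`, an instance acquiring a public IP) are single-attribute changes that a coarser diff would bury.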

Security Model

Agentless Discovery is designed with security in mind:

  • Read-only access: All providers use read-only permissions
  • No stored credentials: Credentials are used once to obtain session tokens
  • External ID (AWS): Prevents confused deputy attacks
  • Connection testing: Validate credentials before running full scans

Agent vs Agentless

Aspect        Agentless               Agent-Based
Setup time    Minutes                 Hours
Depth         API-visible resources   Deep (processes, files, connections)
Coverage      All API-discoverable    Hosts with agents installed
Runtime data  Point-in-time snapshot  Real-time monitoring
Maintenance   None                    Agent updates required

Recommendation: Start with Agentless for quick visibility. Add agents to critical systems for deeper runtime insights.

On-Prem Relay

For on-premises infrastructure that isn't directly accessible from Vulcan SaaS, deploy a Relay Connector:

  • No VPN required: Relay connects outbound to Vulcan
  • No inbound firewall rules: Only port 443 outbound
  • Credentials stay secure: Stored in Vulcan, sent per-task over TLS

```bash
docker run -d --name vulcan-relay \
  -e RELAY_TOKEN="your-token" \
  -e RELAY_ID="your-relay-id" \
  ghcr.io/azgardtek/vulcan-relay:latest
```

See On-Prem Relay Connector for complete setup instructions.

Troubleshooting

AWS: Access Denied

  • Verify the IAM role trust policy includes the correct External ID
  • Ensure the role has SecurityAudit or equivalent read permissions

Azure: Authentication Failed

  • Verify the Service Principal has Reader role on the subscription
  • Check that the Client Secret hasn't expired

On-Prem: Connection Timeout

  • Verify network connectivity to target hosts
  • Check firewall rules allow SSH (22) or WinRM (5985/5986)
  • Verify credentials are correct