Assets
View and manage your discovered and imported infrastructure assets.
The Assets page gives you a central view of all infrastructure assets that CodeWall has discovered or that you've imported.
Asset types
| Type | Description |
|---|---|
| Domain | A registered domain name (e.g., example.com) |
| IP | An IP address (e.g., 203.0.113.1) |
| URL | A specific URL or web page |
| Endpoint | An API endpoint |
| Host | A server or virtual machine |
| Service | A running service on a host |
Asset sources
Assets come from various sources:
| Source | How |
|---|---|
| Recon | Discovered during a Surface Discovery or pentest recon phase |
| Scanner | Identified by CodeWall's automated scanning |
| Manual | Added manually by a team member |
| ServiceNow | Imported via the ServiceNow CMDB integration |
| CrowdStrike | Imported via the CrowdStrike Falcon integration |
| Microsoft Graph | Imported via the Microsoft Graph integration |
| AWS | Imported via the AWS integration (EC2 instances, S3 buckets, Lambda functions, RDS databases, CloudFront distributions, and more) |
| GCP | Imported via the GCP integration (Compute Engine instances, Cloud Storage buckets, Cloud Functions, Cloud SQL, and more) |
| Azure | Imported via the Azure integration (VMs, Storage accounts, App Services, SQL databases, and more) |
| Axonius | Imported via the Axonius integration |
Confidence scores
Every asset has a confidence score between 0.0 and 1.0 indicating how likely it is to belong to your organisation and be in scope for testing.
How scores are calculated
Scores are determined by the asset's source and adjusted by additional signals:
| Source | Base Score |
|---|---|
| Manual | 1.0 (you added it yourself) |
| Integration (ServiceNow, CrowdStrike, Axonius, cloud providers) | 0.9 (authoritative external system) |
| Finding | 0.85 |
| Scanner | 0.8 |
| Recon (varies by method) | 0.25 – 0.7 |
For recon-discovered assets, the following bonuses are applied:
| Signal | Bonus |
|---|---|
| Multi-run corroboration | +0.1 per additional run that discovered the same asset (max +0.2) |
| DNS/HTTP verification | +0.1 if the asset responds to DNS or HTTP requests |
| Seed domain relationship | Floors the score at 0.9 if the asset is on a seed/target domain |
Adjusting confidence manually
You can override the auto-computed confidence for any asset from its detail view. This is useful when you know an asset is legitimate but it was discovered through a low-confidence method.
Filtering by confidence
Use the confidence filter on the assets list to show only assets above a minimum confidence threshold — useful for focusing on high-confidence assets during test scoping.
Managing assets
Viewing assets
- Browse all assets with pagination
- Filter by type, project, source, and minimum confidence
- Search by value, type, project, or source
- Sort by type, value, project, source, number of runs, or first seen date
Adding assets manually
- Click Add Asset
- Enter the value (e.g., a domain or IP)
- Select the type
- Assign to a project
- Click Add
Asset details
Click any asset to open its detail drawer showing:
- Full asset information and confidence score
- Notes (editable text annotations)
- HTTP status code and response details
- Detected service versions and technologies
- Screenshot/preview (where applicable)
- History of test runs involving this asset
- Related findings
Cloud provider imports
Connect your AWS, GCP, or Azure accounts to automatically pull infrastructure assets into CodeWall. Each integration discovers and imports relevant resources:
- AWS — EC2 instances, S3 buckets, Lambda functions, RDS databases, CloudFront distributions, Elastic Load Balancers, and API Gateway endpoints
- GCP — Compute Engine instances, Cloud Storage buckets, Cloud Functions, Cloud SQL instances, App Engine services, and Cloud Run services
- Azure — Virtual Machines, Storage accounts, App Services, SQL databases, Function Apps, and Azure Front Door endpoints
Imported cloud assets are automatically assigned a confidence score of 0.9 and tagged with their provider and region. See Asset Integrations for setup instructions.
Using assets in tests
When creating a new pentest, you can select targets from your asset inventory rather than entering them manually. This is especially useful when combined with asset integrations.