Pencheff

Infrastructure and assets

Continuous ASM

Asset discovery, exposed services, retest cadence, and drift monitoring.

Scope: Program Workflows

Use the same platform for sprint gates, release assurance, audit prep, AI product validation, executive risk, and continuous attack-surface monitoring.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does Continuous ASM test?

  • Asset discovery, exposed services, retest cadence, and drift monitoring.
  • This page is part of Solutions under Program Workflows.
  • It links back into the broader security program without a fragmented tooling experience.
  • Terraform, Kubernetes YAML, Helm, Dockerfiles, CloudFormation, Trivy config, Checkov, tfsec, Kubesec, and Hadolint-style checks.
  • Container image vulnerability and misconfiguration scanning with registry and admission-control workflows.
  • Attack surface management for subdomains, exposed hosts, cloud edges, certificates, services, and drift.
  • Network VA for host CVEs, service misconfiguration, TLS, headers, and authenticated host checks.
  • Active Directory, internal network, Android/iOS static analysis, exported component checks, and mobile secret sweeps.

Execution

How does Pencheff run this?

  • Register assets directly or discover them through ASM, repository manifests, or infrastructure files.
  • Run IaC and container checks before deployment, then pair results with runtime surface discovery.
  • Use network and internal checks to identify exposed services, certificate issues, AD paths, or host CVEs.
  • Normalize infra findings with source, asset, environment, severity, remediation, and compliance mappings.
  • Gate releases, schedule recurring checks, or produce audit bundles for platform and cloud teams.

Evidence

What evidence does this produce?

  • Affected resource, manifest path, image reference, package, host, service, port, certificate, or mobile artifact.
  • Rule id, scanner provenance, misconfiguration description, exploitability notes, and remediation.
  • Cloud, Kubernetes, container, or network context needed by platform owners.
  • Compliance mapping for configuration management, technical vulnerability, and supplier controls.

Controls

How is this kept safe to run?

  • Registry and admission policies can prevent risky images or manifests from progressing.
  • ASM and network checks are scoped to authorized assets and known workspace boundaries.
  • Infrastructure findings can be tied back to repos and deployment pipelines for ownership.
  • Mobile and internal findings remain in the same evidence and reporting workflow as web findings.
