Discovery

Scheduled Discovery is our internal team’s proactive system for automatically hunting for threats related to your organization across the web. Think of it as an “automated search party” that we manage on your behalf. You don’t use this tool yourself, but you see the results: a steady stream of verified, relevant threats delivered directly to your dashboard.\n

• The Process from Web to Your Dashboard:\n

  1. The Starting Point: Your Assets: The hunt begins with your organization’s digital assets, such as your domains, brand names, and IP addresses. These act as the keywords for our search.\nFind more details in @Asset Management
  2. The Hunt: Automated Scanning: Our team schedules specialized scripts to run at regular intervals (e.g., daily or weekly). These scripts automatically scan the web, searching for potential risks connected to your assets.
  3. The Human Touch: Verification & Classification: Every potential threat found by the automated scans is manually reviewed by our security analysts. They first confirm the threat is real and relevant to you, filtering out all false positives. They then categorize the verified threat (e.g., ‘Phishing Website,’ ‘Data Leak,’ ‘Malicious Mobile App’).
  4. The Result: Actionable Intelligence: Once verified and classified, the detection is sent to your dashboard. You receive a clean, contextualized alert that you can trust, saving you the time and effort of investigating raw findings.

\

Process

1. What It Does

Discovery runs automatically at set times. Each time it runs, it looks at a starting list of items (called assets), performs steps on them (called flows), and records anything it finds (called detections). Sometimes those findings create new things to look at next. It keeps doing this in layers until it reaches a limit.

2. Core Pieces (Short List)

Word	Plain Meaning
Schedule	When it should run (repeat plan)
Run	One execution of the process
Worker	The part that does the work
Flow	One defined step the system performs
Pipeline	The ordered list of flows
Asset	A starting item
Target	An item being processed right now
Detection	A result produced by a flow
Depth	Layer number (first pass, second pass, etc.)
Checkpoint	Saved progress so it can resume
Audit Log	History record of what happened

3. Basic Step-by-Step

1. Run starts when the schedule time arrives.

2. Loads starting assets and which flows to apply.

3. Turns assets into targets to process.

4. Runs each flow over the targets in order.

5. Stores detections (findings) as they appear.

6. May create new targets for the next depth (next layer).

7. Repeats until depth limit or a stop condition.

8. Marks final status (done, paused, failed, timeout, etc.).

   \

4.Entire Process in one line.

Start → Load → Build targets → Run flows → Record detections → Generate next targets → Increase depth → Repeat or stop → Finalize.

5. Saved Progress (Checkpoints)

During the run it saves:

• Current depth
• Which target it is on
• Which flow it is in
• What has been found so far

If interrupted, it can continue later without redoing finished work. Currently these saved snapshots are internal only (not shown live in the user interface).

6. Status Words

Schedule (overall plan)

• ACTIVE = Will keep starting runs.
• INACTIVE = Temporarily off.
• ONGOING = A run is happening now.
• ENDED = Stopped permanently.
• PAUSED = Manually paused.
• FAILED / TIMEOUT_FAILED / TIMEOUT_TERMINATED / STUCK = Stopped because of a problem or time limit.

A Single Run (job)

SCHEDULED = Waiting to start. RUNNING = In progress. COMPLETED = Finished normally. FAILED = Ended with an error. TIMEOUT = Took too long and was stopped.

A Flow (task) inside a run

• PENDING = Not started.
• INPROGRESS = Working now.
• SUCCESS = Finished okay.
• ERROR = Failed.
• PAUSED = Manually paused.

7. Why It Might Stop

Reason	What Happens
Manual pause	Stops and can be resumed
Flow error	Stops or marks failure
Time limit reached	Force stop
System issue	Later resume from checkpoint

8. Resume

On resume it reads the last checkpoint and continues from there. Already completed parts are not repeated.

9. Extra Progress Signals

Flows can send small internal updates (percent, counts, notes). These help internal tracking. They are not currently displayed live in the interface.

10. What You Can See Right Now

You can see new detections as they are produced. You cannot currently see: live percent, which target is running, depth progress, or internal checkpoints.

11. End Results

Success = All planned layers done. Paused = Stopped on purpose and can continue. Failed / Timeout = Stopped early; may restart using last checkpoint.

12. Strengths and Gaps

Area	Current State
Can resume	Yes, via checkpoints
See live progress	Not yet
See detections	Yes, as they appear
Control depth	Yes
Recover from stop	Yes
Full transparency	Partial (some internal data hidden)

13. Short Word List

Discovery, Run, Worker, Flow, Pipeline, Asset, Target, Detection, Depth, Checkpoint, Audit Log.

14. If It Seems Stuck

Internally it watches for long inactivity. If limits are exceeded it may mark STUCK or TIMEOUT. To investigate now you must look at logs (UI does not show live internal steps yet).

16. Planned Future Improvements (Not Live Yet)

• Live depth and target counters
• Real-time percent progress
• Visible checkpoint timeline
• Per-flow timing display
• Clear resume reason display

18. Real-Life Applications and Examples

These short examples show when and why you might change settings or take action.

1. Improve data quality by increasing depth

• Situation: Results at the current depth feel incomplete or lack context.
• Action: Increase depth by 1 or 2. This lets Discovery follow additional leads and produce more related findings.
• Result: More detections and richer context for each original item.

2. Save time and resources by lowering depth

• Situation: Runs take too long or produce many irrelevant items.
• Action: Lower the depth to limit how far Discovery expands.
• Result: Faster runs and fewer findings to review.

3. Narrow results by changing flows

• Situation: You see many unrelated detections.
• Action: Turn off flows that produce noisy results, or enable only flows that match your needs.
• Result: Cleaner, more relevant findings.

4. Handle interruptions safely

• Situation: A run stops unexpectedly (system issue, manual stop).
• Action: Ensure checkpoints and resume are enabled. Restart the run from the last checkpoint.
• Result: You continue from the same place without redoing completed work.

5. Investigate a single item more deeply

• Situation: One important asset needs extra investigation.
• Action: Run a one-off job for that asset with a higher depth and specific flows.
• Result: Focused, deeper data for the item of interest.

6. Tune for performance during busy times

• Situation: System or network heavy during business hours.
• Action: Schedule runs during off-peak hours and reduce depth temporarily.
• Result: Lower impact on regular operations.

7. Iterative approach to discovery

• Situation: New to a dataset and unsure what depth or flows are best.
• Action: Start with depth 0 or 1 and a small set of flows. Review results, then incrementally increase depth or add flows.
• Result: Controlled exploration and quicker learning about what yields useful findings.

8. Reduce noise after a broad run

• Situation: A broad run produced many detections, some irrelevant.
• Action: Narrow flows and run targeted lower-depth jobs on specific subsets of assets.
• Result: Cleaner results and less review work.

9. Quick checks versus deep scans

• Situation: You need a fast health check or a deep analysis.
• Action: Use low depth and few flows for fast checks; use higher depth and more flows for deep scans.
• Result: Flexible balance between speed and detail.