Establish a live inventory baseline
Export known-good assets from your configuration management database, endpoint agent consoles, and directory services. The gap between “managed inventory” and “what actually responds on the wire” is where unknown devices hide.
Use ARP-aware discovery on internal segments
Address Resolution Protocol tables map IP addresses to MAC addresses for hosts that have recently exchanged traffic on the same layer-2 segment, so they show what is actually talking rather than what is registered. Continuous ARP-based discovery suits internal LANs because passive observation of ARP requests and replies catches devices that never authenticate to a domain controller or VPN. One caveat: ARP is not routed, so a sensor only sees its own broadcast domain; cover each VLAN with its own probe or a SPAN/mirror feed, or hosts on other segments will never appear.
Correlate IP, MAC, and hostname evidence
A single field is rarely enough. Correlate DHCP leases, DNS reverse (PTR) records, and switch CAM (MAC address) tables when available, and keep in mind that DHCP names are client-supplied and PTR records go stale, so neither is proof on its own. A stable MAC address that appears with inconsistent hostnames, or at several IPs at once, often indicates cloned images, VMs, or spoofing attempts worth investigating.
Enrich with directory and firewall context
Cross-reference Active Directory computer objects and firewall user or device inventory to label corporate-owned assets automatically. Devices without a directory match but with consumer OUI prefixes (the first three octets of the MAC, which identify the manufacturer) may be personal hardware or shadow IoT. Treat the OUI as a hint rather than a verdict: phones and laptops with MAC randomization enabled present locally administered addresses that match no vendor at all, and a missing directory match is a lead to follow up, not a classification.
Operationalize alerts for MSP and SMB IT
Tune alerts for first-seen devices, classification changes, and “unknown for more than N hours” states. Feed notifications into email, Slack, or Microsoft Teams so responders act while forensic context still exists: ARP entries age out in minutes and DHCP leases get reassigned, so an unknown device investigated a day later may have no trace left on the wire. GalScan’s workflow is outlined on the product page and homepage.
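The five steps above describe one pipeline: parse live ARP evidence, join it with DHCP, reverse DNS and directory data, classify each device, and alert on first-seen, reclassified and long-unknown hosts. The following is an added example of that pipeline in Python; it is not GalScan's code and uses only constructed sample data (the ARP lines, lease table, directory list, a hand-written OUI map in place of a real OUI registry lookup, and a previous-run baseline are all invented for the demonstration). It also checks the locally administered bit of the MAC so that randomized addresses are flagged instead of being mis-attributed to a vendor.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ---- Constructed sample inputs (not captured from a real network) ----------
ARP_TABLE = """\
? (10.0.1.10) at 00:50:56:aa:bb:01 [ether] on eth0
? (10.0.1.23) at 3c:22:fb:12:34:56 [ether] on eth0
? (10.0.1.30) at 00:50:56:aa:bb:02 [ether] on eth0
? (10.0.1.31) at 00:50:56:aa:bb:02 [ether] on eth0
? (10.0.1.40) at 8c:85:90:ab:cd:ef [ether] on eth0
? (10.0.1.55) at da:1f:03:9a:bb:cc [ether] on eth0
"""
DHCP_LEASES = {"10.0.1.23": "ops-laptop-07", "10.0.1.30": "lab-img-01",
               "10.0.1.31": "lab-img-02", "10.0.1.40": "Living-Room-TV"}
REVERSE_DNS = {"10.0.1.10": "vc01.corp.example", "10.0.1.23": "ops-laptop-07.corp.example"}
AD_COMPUTERS = {"VC01", "OPS-LAPTOP-07"}           # sAMAccountName-style short names
OUI_VENDORS = {"00:50:56": "VMware", "3c:22:fb": "Apple", "8c:85:90": "Apple"}  # hypothetical map
CONSUMER_OUIS = {"3c:22:fb", "8c:85:90"}           # OUIs you treat as consumer hardware
NOW = datetime(2024, 5, 1, 12, 0)
# Previous run: mac -> (first_seen, classification). Constructed for the example.
BASELINE = {
    "00:50:56:aa:bb:01": (NOW - timedelta(days=30), "corporate"),
    "3c:22:fb:12:34:56": (NOW - timedelta(days=10), "unknown"),
    "00:50:56:aa:bb:02": (NOW - timedelta(days=3), "unknown"),
    "8c:85:90:ab:cd:ef": (NOW - timedelta(hours=2), "personal-or-iot"),
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


@dataclass
class Device:
    ip: str
    mac: str
    hostname: Optional[str]
    vendor: Optional[str]
    classification: str
    flags: list


def parse_arp(text):
    """Return {ip: mac} from `arp -a` style lines. ARP is per layer-2 segment:
    hosts behind a router never show up here, whatever their state."""
    out = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            out[m["ip"]] = m["mac"].lower()
    return out


def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered address (e.g. a
    randomized Wi-Fi MAC), so an OUI vendor lookup would be meaningless."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def classify(ip, mac, dhcp, rdns, ad_computers, oui_vendors, consumer_ouis, shared_macs):
    """Directory match wins over OUI; consumer OUI without a match is flagged; rest is unknown."""
    hostname = dhcp.get(ip) or rdns.get(ip)
    short = hostname.split(".")[0].upper() if hostname else None
    oui, flags, vendor = mac[:8], [], None
    if is_locally_administered(mac):
        flags.append("locally-administered-mac")
    else:
        vendor = oui_vendors.get(oui)
    if mac in shared_macs:
        flags.append("mac-shared-across-ips")   # cloned image, VM template or spoofing
    if short and short in ad_computers:
        cls = "corporate"
    elif vendor and oui in consumer_ouis:
        cls = "personal-or-iot"
    else:
        cls = "unknown"
    return Device(ip, mac, hostname, vendor, cls, flags)


def build_inventory(arp_text, dhcp, rdns, ad_computers, oui_vendors, consumer_ouis):
    ip_to_mac = parse_arp(arp_text)
    macs = list(ip_to_mac.values())
    shared = {m for m in macs if macs.count(m) > 1}
    return [classify(ip, mac, dhcp, rdns, ad_computers, oui_vendors, consumer_ouis, shared)
            for ip, mac in ip_to_mac.items()]


def generate_alerts(devices, baseline, now, max_unknown_hours=24):
    """Emit (kind, mac, detail) for first-seen, reclassified and long-unknown devices."""
    alerts = []
    for d in devices:
        prev = baseline.get(d.mac)
        if prev is None:
            alerts.append(("first-seen", d.mac, d.ip))
            continue
        first_seen, prev_cls = prev
        if prev_cls != d.classification:
            alerts.append(("classification-change", d.mac, f"{prev_cls}->{d.classification}"))
        if d.classification == "unknown" and now - first_seen > timedelta(hours=max_unknown_hours):
            alerts.append(("unknown-too-long", d.mac, d.ip))
    return alerts


if __name__ == "__main__":
    inventory = build_inventory(ARP_TABLE, DHCP_LEASES, REVERSE_DNS, AD_COMPUTERS, OUI_VENDORS, CONSUMER_OUIS)
    for dev in inventory:
        print(dev)
    for alert in generate_alerts(inventory, BASELINE, NOW):
        print("ALERT", alert)   # here you would post to email/Slack/Teams
```

Running the sample classifies ops-laptop-07 as corporate despite its Apple OUI because the directory match takes precedence, flags the two lab images that share one VMware MAC, marks the randomized-MAC host as unknown with no vendor, and raises four alerts: one reclassification, two stale-unknown notices for the shared MAC, and one first-seen. In production, replace the dictionaries with exports from your DHCP server, DNS, AD and OUI registry, and persist the baseline between runs so first-seen is measured against history rather than the previous scan only.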