Inventory: A Persistent Record of Every Host You Audit

April 28, 2026 · InfraScout Team

Inventory is now live. Every agent connected to your InfraScout server keeps a persistent record of what it is and what it's running — system facts, installed software, services, and certificates — refreshed on a schedule and on demand. The dashboard reads from it. Claude reads from it. Your assessment playbooks no longer have to spawn a PowerShell session every time they want to know what version of OpenSSL is on a host.

This is the biggest change to InfraScout since launch, and it landed in phases over the last few weeks. Here's what's in it and what it changes for you.

What Inventory collects

Inventory runs lightweight collectors on each agent and sends a snapshot back to the server. Today it covers four categories:

  • System — hostname, OS and version, architecture, domain, CPU and RAM totals, boot time, and uptime.
  • Software — installed packages and applications, with publisher, version, and install date where the platform exposes them.
  • Services — service name, display name, status, startup type, and the account each service runs as.
  • Certificates — certificates from the host's trust stores, with subject and issuer, validity window, signature algorithm, key size, and a SHA-256 thumbprint.

Every collection is compared against the previous one so you get an accurate change feed: what was added, what was removed, what changed and when. Asking "which hosts had Java 8 last week but don't anymore?" is a single question now, not a forensics exercise.

Bot Ask Claude what's on your fleet

The biggest day-one change is for the people who run assessments through Claude. Instead of crafting a script and waiting for it to fan out across hundreds of hosts, you ask a question and get an answer:

  • "Which hosts are running OpenSSL versions older than 3.0?"
  • "Show me services configured to auto-start that aren't running right now."
  • "What changed on web-prod-04 in the last week?"
  • "Give me the OS and architecture breakdown across the fleet."

Claude picks the right inventory tool, scopes the query, and returns a clean answer with timestamps so you know how fresh the data is. Filters use a small, predictable grammar — there's no raw regex, no surprises, and no half-formed query that takes an hour to time out.

The practical effect: assessments that used to start with "let me run a script on each box and stitch the output together" now start with a single question. A vulnerability hunt for a specific package across hundreds of hosts is a conversation, not a project.

Live state still belongs to PowerShell

Inventory is built for fleet-wide and historical questions. When an assessment needs the live state of one host right now — a registry value, a running process, a config file — the existing PowerShell tool is still the right call. The two complement each other.

Cross-platform, with native Windows collectors

Inventory runs on Windows, Linux, and macOS agents. Linux walks the system trust paths and parses certificates directly. macOS reads the system keychain. Windows uses native Windows APIs for system information, services, and certificates — no PowerShell child processes for the hot paths anymore.

Two practical wins from going native on Windows:

  • Boot time and uptime are now correct, including across time zones. The previous PowerShell path silently mangled the format Windows reports for last-boot time, leaving every Windows agent stuck reporting zero. Native APIs return the value untouched and the parser honors the offset.
  • Certificate collection is faster and quieter. The Windows certificate collector skips the PowerShell round-trip entirely, saving roughly 300–800 ms per collection on a typical host and avoiding the CPU spike that domain-joined hosts used to show during the old script's enumeration. It also walks the third-party root store, so certificates from DigiCert, GlobalSign, Sectigo, and others now show up in the inventory.

The signature algorithm parser also got a fix that benefits every platform: certificates with unusual or legacy algorithm OIDs no longer surface as the literal string 0 in audit output.

Scheduled collection, with a "Collect Now" button

Inventory collects on a schedule defined by an inventory policy. Each agent group has a policy attached, and a default policy ships with every tenant covering all hosts. Schedules are debounced across reboots — an agent that just collected and then restarts won't immediately collect again, but an agent that's been offline through several scheduled windows will catch up on reconnect.

For assessment authors and operators who don't want to wait, the dashboard now has explicit triggers:

  • Per-agent — a Collect Inventory Now button on the agent management view.
  • Per-group — a Collect Inventory Now button on each agent group card, fanning out to every connected agent in the group.

When you click either trigger, the next snapshot is on its way within seconds. This is the same pattern as the existing Update Now button, so it should feel familiar.

Bootstrap behavior

On first install, an agent collects right away. On subsequent reconnects, the server pushes the active policy and the agent decides whether a new collection is due. If the policy hasn't changed and the last collection is still fresh, the agent waits for the next scheduled tick. If the policy changed, collection runs immediately.

LineChart Why this matters for assessments

Three concrete shifts come out of having a persistent inventory available to the AI:

Faster assessments. Most playbook steps that used to begin with "collect this from every host" now begin with "query the inventory." Reviews that used to take a long evening of script-running and stitching now run in minutes.

No repeated data collection. When two playbooks both want to know what's installed on a host, they no longer each spawn a collector. They both read the same record. Multiply that across a fleet and the savings add up.

Accurate before-and-after diffs. Because every snapshot is reconciled and the change feed is queryable, you can ask the model "what changed between these two assessments?" and get an answer grounded in real data — not a side-by-side of two log captures.

The dashboard exposes the same record, so when the AI cites a fact during an assessment, an operator can verify it in the UI without needing to re-run anything.

What you don't have to do

You don't have to enable inventory. The Default policy is on for all hosts in every tenant, including existing tenants on upgrade. You don't have to migrate anything. Existing playbooks keep working exactly as before — inventory is additive.

If you want to scope or tune collection, the admin UI now has an Inventory Policies section. You can create a policy, choose categories and an interval, and assign it to one or more agent groups.

Try it

The fastest way to see Inventory in action is to ask Claude something fleet-wide that used to be hard. A few prompts to get started:

  • "Across the fleet, which hosts have certificates expiring in the next 30 days?"
  • "Show me hosts running OpenSSL versions older than 3.0."
  • "Summarize what's installed on web-prod-04 and what's changed in the last week."
  • "Which services are configured to auto-start but currently aren't running?"

Open Claude Desktop, point it at your InfraScout MCP server, and ask. If you see a result you don't expect, click Collect Inventory Now on the agent or group in the dashboard, wait a few seconds, and ask again.

Tell us what's next

Inventory is the foundation, not the destination. We have ideas for what comes after — broader collection, deeper queries, indexed sort fields, time-bounded historical aggregations — but the priorities should come from the assessments you're actually running.

If a question you'd like to ask Claude isn't answerable yet, tell us. Reach us at info@infrascout.cloud.