The unmanaged server no ticket ever touched, until it's the breach's entry point

An IT operations manager reads the CMDB the way a creditor reads a clean statement: nothing flagged, so nothing owed. No ticket ever came in about a missing asset, no alert fired. The conclusion writes itself, and it's wrong. The absence of a ticket is not evidence the asset is accounted for. It's evidence nobody knew to ask.

The trap is treating the CMDB as a census when it's a registration log. It records what someone bothered to enter. Anything that arrived through a side door (a contractor's test box, a VM cloned for a migration and never decommissioned, a vendor appliance racked during a project) was never registered, so it generates no tickets, no patch jobs, no end-of-life reminders. It runs in production and exists nowhere you're looking.

Discovery vs the CMDB: why your inventory is always a subset of reality

Your CMDB is a human-curated list. Discovery is a network-curated one. Run an active scan against your address space, compare it to the CMDB, and the two never match. The delta is the whole point. CIS Control 1 puts hardware inventory first for this reason: even the entry-level safeguards (IG1) require both an actively maintained inventory and an authorized-versus-unauthorized reconciliation, because you cannot manage what you have not enumerated against ground truth.

The records that show up in a discovery sweep but not the CMDB are not noise to suppress. Each is a host with an IP, an open port, and a running service no process in your shop owns. That's not a data-quality problem. That's an asset you operate without knowing it.

Unowned, unpatched, unbudgeted: the lifecycle a ghost asset skips

A managed asset passes through gates: an owner, a patch group, a backup policy, a refresh budget, a decommission date. A ghost asset skips all of them, and the skips compound:

None of these generate a ticket, because a ticket needs a record to attach to. The asset is invisible exactly where invisibility costs the most: in the one inventory your security program trusts.

End-of-life kit still in production: the audit finding and the CVE

Two things find these boxes before you do. An auditor sampling your estate against the CMDB, who flags the host that answers on the network but appears in no record. And an attacker, who doesn't need your CMDB and scans the same address space discovery would have. The 2023 MOVEit Transfer compromise is the cautionary version: part of the damage traced to organizations that could not confidently say how many instances of the vulnerable software they ran, so they could not patch every one in time. You cannot remediate a CVE on a box you don't know exists, and end-of-life software stops receiving patches at all, which turns an unowned asset into a permanent, unpatchable foothold.

Reconciling discovery against the CMDB on a schedule, not after a breach

The fix is unglamorous and it works: run discovery on a cadence, diff it against the CMDB, and treat every unexplained host as a ticket someone has to close. New record, no owner: assign one or decommission it. Known host gone dark: confirm it's retired, not just unplugged from monitoring. The reconciliation has to be a recurring job with a queue and an audit trail, not a heroic spreadsheet that ages out the week after the audit closes.

That cadence needs a place to live. In OpsDesk, each customer workspace holds the asset register, the recurring reconciliation tasks, and the ownership trail in one place, so the gap between what you run and what you manage shows up as a tracked item with an owner and a clock, not as a line in next quarter's incident report. See how the lifecycle view turns that delta into work you can close.