IDENTIFY (ID)
Asset inventory, risk assessment, vulnerability management. The column where every other control gets its scope.
IDENTIFY is the NIST CSF 2.0 function that establishes what you have and what could go wrong with it. Asset inventory (ID.AM), risk assessment (ID.RA), and improvement activities (ID.IM) live here. Every other function depends on IDENTIFY being correct — a detection rule for a server you do not know about cannot fire, and a protection policy for a system outside your inventory does not apply.
What IDENTIFY covers in practice
IDENTIFY is less glamorous than DETECT or RESPOND and more load-bearing than either. The two big buckets are asset management (knowing what exists) and risk assessment (knowing what could happen). In NIST CSF 2.0 these are split into categories ID.AM (Asset Management) and ID.RA (Risk Assessment), with a smaller ID.IM (Improvement) category that tracks feedback loops.
Asset management covers hardware inventory, software inventory, data inventory, external system mapping, and the processes that keep those inventories fresh. Risk assessment covers vulnerability management, threat-informed risk analysis, impact analysis, and the prioritization logic that decides which findings get fixed first. A program with strong IDENTIFY has boring answers to 'how many servers do we have' and 'which of our systems are most likely to be the breach vector.' Both answers come out in seconds, not weeks.
Tools that live in IDENTIFY
Asset inventory: CAASM platforms (Axonius, JupiterOne, Lansweeper, Sevco Security, Runecast), CMDBs (ServiceNow, Atlassian JSM), SaaS management platforms (Zylo, Productiv, Torii), cloud-asset inventory (AWS Config, Azure Resource Graph, GCP Cloud Asset Inventory, Wiz, Orca). For SMB/mid-market the pragmatic default is one CAASM plus a SaaS discovery tool; a formal CMDB is overkill below ~500 employees.
Vulnerability management: Tenable Nessus/Tenable.io, Qualys VMDR, Rapid7 InsightVM, Greenbone (open source), Orca/Wiz for cloud-native, Snyk for code. Modern practice is shifting away from scheduled scans toward continuous discovery + continuous scanning + continuous prioritization. The tool choice matters less than whether findings reach the right owners with the right context.
Risk assessment tooling overlaps with GOVERN: RiskLens, Axio, Safe Security for quantification; the risk module of whichever GRC the team uses for qualitative work. Some programs also deploy attack-path analysis (XM Cyber, Randori, Picus) in IDENTIFY — valid placement because it informs where risk concentrates, not because it detects anything.
The hidden cost of a weak IDENTIFY
Every other cell in the matrix inherits IDENTIFY's accuracy. If asset inventory is 80% complete, detection coverage is by definition capped at 80% — the 20% of systems the SOC does not know about cannot have detections written for them. Protection is capped the same way. Response is worse: during an incident, an unmapped asset consumes analyst time before the team can work the actual investigation.
The failure pattern is consistent across organization size: inventory tools deployed, inventory dashboards published, nobody accountable for accuracy. A CMDB with 15,000 records and no one who owns reconciliation is not asset management, it is data entry. The most valuable single intervention in a tool-rationalization exercise is usually assigning a named owner to asset inventory accuracy with a monthly accuracy metric.
Crossover with ANTICIPATE
IDENTIFY and ANTICIPATE work from opposite ends toward the same goal. ASM (AN.ASM) scans from the outside in and tells you what the internet thinks you own. CAASM reads from your internal sources and tells you what your records say you own. When the two disagree — and they always do — the delta is the interesting signal. Mature programs operationalize this as a recurring reconciliation, treating ASM findings as authoritative for 'exists' and internal records as authoritative for 'who owns it.'
In the CDM 2.0 matrix this shows up as complementary columns: ASM tools in ANTICIPATE × Supply Chain / Cloud, CMDB/CAASM in IDENTIFY × every row. The common failure is to have only one side — either only internal records (so you miss shadow assets) or only external discovery (so the findings have no internal owner to route to).
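The reconciliation described above, as an added example that is not part of the original page or any vendor's product: a short script that merges constructed internal records (CMDB, EDR) with constructed external ASM findings, applies the rule that ASM is authoritative for 'exists' and internal records for 'who owns it', and reports shadow assets, unowned assets, and the share of hosts corroborated by at least two sources. Host names, source labels and owner names are hypothetical.

```python
"""Reconcile internal inventory (CMDB/CAASM) against external ASM findings."""
from collections import defaultdict

# Constructed sample records (hypothetical hosts, not from any real environment).
# Internal sources carry an owner field; the ASM source only knows a host exists.
INTERNAL = [
    {"host": "web-01.example.test", "source": "cmdb", "owner": "web-team"},
    {"host": "web-01.example.test", "source": "edr", "owner": ""},
    {"host": "db-02.example.test", "source": "cmdb", "owner": "data-team"},
    {"host": "legacy-09.example.test", "source": "cmdb", "owner": ""},
]
EXTERNAL = [
    {"host": "web-01.example.test", "source": "asm"},
    {"host": "staging-07.example.test", "source": "asm"},
]


def reconcile(internal, external, min_sources=2):
    """Merge all sources per host and return the deltas worth routing.

    Rule: ASM is authoritative for 'exists'; internal records are
    authoritative for 'who owns it', so ASM never sets an owner.
    """
    assets = defaultdict(lambda: {"sources": set(), "owner": ""})
    for rec in internal + external:
        entry = assets[rec["host"]]
        entry["sources"].add(rec["source"])
        if rec["source"] != "asm" and rec.get("owner") and not entry["owner"]:
            entry["owner"] = rec["owner"]

    # Shadow: the internet sees it, no internal record exists -> no owner to route to.
    shadow = sorted(h for h, a in assets.items() if a["sources"] == {"asm"})
    # Unowned: internally recorded, but nobody is accountable for it.
    unowned = sorted(h for h, a in assets.items()
                     if a["sources"] - {"asm"} and not a["owner"])
    # Coverage metric: share of hosts corroborated by at least min_sources sources.
    corroborated = sum(1 for a in assets.values() if len(a["sources"]) >= min_sources)
    coverage_pct = round(100 * corroborated / len(assets), 1) if assets else 0.0
    return {"shadow": shadow, "unowned": unowned, "coverage_pct": coverage_pct,
            "assets": {h: {"sources": sorted(a["sources"]), "owner": a["owner"]}
                       for h, a in sorted(assets.items())}}


if __name__ == "__main__":
    result = reconcile(INTERNAL, EXTERNAL)
    print("shadow assets (route to discovery review):", result["shadow"])
    print("unowned assets (assign an owner):", result["unowned"])
    print(f"hosts corroborated by >=2 sources: {result['coverage_pct']}% (target 95%)")
```

Feeding real exports in the same shape (one record per host per source) makes the three outputs the monthly reconciliation queue: shadow assets need an owner found, unowned assets need one assigned, and the coverage figure tracks whether the gap is shrinking.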
Frequently asked
Is a CMDB the same as a CAASM?
No. A CMDB is a system of record — humans enter data, the CMDB stores it. A CAASM is a system of consolidation — it pulls from dozens of authoritative sources (EDR, cloud, IDP, vuln scanner, HRIS) and reconciles them into a unified view. CMDBs tell you what you meant to own; CAASMs tell you what you actually own.
How complete does asset inventory need to be?
No inventory is 100% complete; the question is whether the gap is shrinking. A useful target: 95% of production workloads reconciled across at least two sources, with a monthly review that closes new deltas. Below that threshold, detection and response coverage will be capped by inventory gaps regardless of tool investment.
Where does vulnerability management fit — IDENTIFY or PROTECT?
IDENTIFY covers discovery and prioritization of vulnerabilities. PROTECT covers the patching, mitigation, and configuration hardening that closes them. In practice the two functions share tooling (a single scanner informs both) but the work and the metrics are different: 'what did we find' vs. 'what did we fix.' Treat them as separate cells even if one product spans both.
Does IDENTIFY include SaaS applications?
Yes. In CDM 2.0, SaaS sits on the Applications row. A modern IDENTIFY program must cover SaaS discovery (sanctioned and shadow), not just endpoint and on-prem server inventory. SaaS management tools (Zylo, Productiv) and SSO-based discovery via IdP logs are the standard approaches.