There is a printer in your office quietly running Apache Tomcat. There is a lab box someone stood up in 2019 for a project that shipped, got renamed, got forgotten, and is now answering on port 8080. There is an IoT controller with a hardcoded vendor certificate that nobody has thought about since the day it was installed. None of them are in your CMDB. None of them are in your patch tool. When the next critical CVE drops against embedded Tomcat, or against that exact firmware family, you will not know you are exposed until someone else tells you.
This is the gap runZero is built for. You cannot patch what you do not know you have, and most environments have more than their inventory admits.
What it is
runZero is an agentless network discovery and asset inventory platform. You point a scanner at your network ranges, it walks the subnets, fingerprints what answers, and gives you a queryable inventory. No agent rollout, no MDM fight, no endpoints quietly missing because they never got the install. If something is on the wire and responds, runZero sees it.
The fingerprinting is where it earns its keep. Most commercial scanners can identify the obvious stuff: Windows servers, switches with familiar SNMP signatures, printers from the big three vendors. runZero identifies the long tail, the OT controller, the off-brand camera, the embedded Linux device with a stripped HTTP banner. That coverage is the same on the free tier as on the paid one, because it is the same engine and the same fingerprint database.
The Community Edition is free, with no expiration and no card required at signup. The limit is 100 recent assets, where “recent” means seen in the last 30 days. Assets that go quiet drop off the count automatically, so the cap is a working ceiling on what you are actively tracking, not a lifetime quota.
For a one-person shop, a home lab, a small office, or a single critical subnet you want to keep honest, 100 assets is enough to matter. For anything bigger, you will hit the cap fast, and that is when the upsell conversation starts. Paid tier pricing is not on the homepage; it starts at real money, sized for environments where 100 assets was never going to be the answer.
How it pairs with patch decisions
The first question after “is this CVE exploited” is “do we have it.” runZero is the cheapest credible way to answer that without paying enterprise CMDB pricing. When a CVE lands on a specific vendor and firmware version, you query the inventory, you get a yes or a no, and you stop guessing. Half of the CVEs that show up in any given week land on something that was not on the original asset list. An inventory that finds the long tail is the difference between a five-minute triage and a Friday night.
It also pairs cleanly with a vulnerability scanner like Nuclei. runZero tells you what is there. Nuclei tells you whether what is there is actually vulnerable. Two free tools, one workflow, and the gap between “we read about it” and “we verified it” closes to about an hour.
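The "do we have it" triage described above, as an added example that is not runZero's or Nuclei's own code. The CSV column names, the sample rows, and the advisory (including its placeholder ID and version range) are constructed for illustration; assets whose fingerprint lacks a full version land in an "unverified" bucket, which is the list you would hand to an active check.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not runZero's export schema.
INVENTORY_CSV = """address,vendor,product,version
10.0.4.17,Apache,Tomcat,9.0.30
10.0.4.52,Apache,Tomcat,9.0.98
10.0.9.8,Apache,Tomcat,
10.0.9.21,Microsoft,IIS,10.0
10.0.12.3,apache,tomcat,8.5.x
"""

# Constructed advisory: affected from `introduced` up to, not including, `fixed`.
ADVISORY = {"id": "CVE-PLACEHOLDER", "vendor": "apache", "product": "tomcat",
            "introduced": "9.0.0", "fixed": "9.0.40"}


def parse_version(text):
    """Return a tuple of ints, or None if the fingerprint has no usable version."""
    parts = text.strip().split(".")
    if not text.strip() or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, advisory):
    """Sort matching assets into affected / unverified / not_affected buckets."""
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    result = {"affected": [], "unverified": [], "not_affected": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if (row["vendor"].strip().lower() != advisory["vendor"]
                or row["product"].strip().lower() != advisory["product"]):
            continue  # different software: out of scope for this advisory
        version = parse_version(row["version"])
        if version is None:
            # Version stripped or partial: inventory alone cannot say yes or no.
            result["unverified"].append(row["address"])
        elif lo <= version < hi:
            result["affected"].append(row["address"])
        else:
            result["not_affected"].append(row["address"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY_CSV, ADVISORY).items():
        print(f"{ADVISORY['id']} {bucket}: {', '.join(hosts) or '-'}")
```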
The honest limits
The 100-asset cap is real, not a soft suggestion. If you have 400 assets and a budget of zero, runZero will tell you about the 100 it saw most recently and stop. That is still useful, but it is not “free asset inventory for any environment.”
The default console is cloud-hosted. A self-hosted runner is supported, but the management plane lives at runZero. For shops where that is a hard no, plan accordingly.
Segmented environments need scanner placement, not just a download. A scanner on one VLAN sees one VLAN. If your network is sliced into ten segments and you put the scanner on the management VLAN only, you will get a confident inventory of the management VLAN and a blind spot everywhere else. This is true of every network discovery tool ever shipped, but it is worth saying out loud because the marketing copy never does.
Get it
https://www.runzero.com/platform/community-edition/
The version of asset inventory that matters is the one that finds the box you forgot about. Most tools will tell you what you already know. The useful ones tell you what your CMDB is wrong about.