Administration Guide

About Credentials

Credentials are the secrets that an Audit Service uses to authenticate against the systems it audits — Windows hosts, Linux and macOS machines, hypervisors, SNMP devices, and the AWS / Azure / Google cloud APIs. Without credentials a scan can still discover that a host exists, but a follow-up audit cannot collect detailed inventory.

Scope and storage

Credentials are stored per Audit Service as a credential pool. They are bound to the service that uses them, not to a Site or to individual segments — every segment that the service audits draws from the same pool.

Credentials are encrypted at rest in the AlloyScan database and never leave the customer network. The Admin Center surfaces credentials in a grid that shows only Title, Type, and a Has password indicator (a lock icon when a secret is stored). Stored secrets cannot be revealed back through the UI; rotation means replacing the credential, not viewing it.

Why credentials are typed

Each credential is created with one of seven explicit types — Windows, Linux and macOS, Hypervisor, SNMP, AWS, Azure, Google. The type determines:

  • Which fields the form asks for (for example, SNMP has Community for v1/v2c and User + Security Level + Auth protocol + Priv protocol for v3, while AWS has Access key ID + Secret access key).
  • How the Audit Service interprets the secret when it negotiates with the target system.
  • Which audit method can use it (a Windows credential cannot be used to audit a Linux endpoint, and vice versa).

If a target system uses more than one authentication path — for example, a Windows server you also reach over SSH for a script — you create one credential of each type.

Relationship to scans and audits

A scan does not use credentials; it discovers hosts on the network using ICMP, TCP probes, and SNMP banner queries that need at most a Community string.

An audit uses credentials to log in to the target and pull inventory. When an audit fails with an authentication error, the cause is almost always a stale or wrong credential in the pool, or a credential of the wrong type for the target.

Important: Rotating a credential at the source system (changing a Windows password, regenerating an AWS key) without updating the corresponding entry in AlloyScan will silently break audits on the next run. Treat credential pool maintenance as part of your secret-rotation runbook.
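
A reconciliation check for the rotation runbook described above, as an added example that is not part of AlloyScan or its documentation. The ledger, rotation log, titles, and dates are constructed. This page does not describe an export of the pool, so the ledger is assumed to be a record the operations team keeps alongside it.

```python
from datetime import date

# The seven credential types named on this page.
TYPES = {"Windows", "Linux and macOS", "Hypervisor", "SNMP", "AWS", "Azure", "Google"}

# Constructed sample ledger (hypothetical, team-maintained; not an AlloyScan
# export): when each entry in the Audit Service pool was last replaced.
POOL = [
    {"title": "dc-admin", "type": "Windows", "updated": date(2024, 3, 1)},
    {"title": "aws-inventory", "type": "AWS", "updated": date(2024, 1, 10)},
    {"title": "core-switches", "type": "SNMP", "updated": date(2024, 2, 5)},
]
# Constructed rotation log: when the secret changed at the source system.
ROTATIONS = [
    {"title": "dc-admin", "rotated": date(2024, 2, 20)},
    {"title": "aws-inventory", "rotated": date(2024, 4, 2)},
]
# Constructed list of platform types this Audit Service is expected to audit.
TARGET_TYPES = ["Windows", "Linux and macOS", "AWS", "SNMP"]


def stale_entries(pool, rotations):
    """Titles whose source secret was rotated after the pool entry was last replaced."""
    latest = {}
    for r in rotations:
        prev = latest.get(r["title"])
        latest[r["title"]] = r["rotated"] if prev is None else max(prev, r["rotated"])
    return sorted(e["title"] for e in pool
                  if e["title"] in latest and latest[e["title"]] > e["updated"])


def uncovered_types(pool, target_types):
    """Target platform types with no credential of the matching type in the pool."""
    bad = [t for t in list(target_types) + [e["type"] for e in pool] if t not in TYPES]
    if bad:
        raise ValueError(f"unknown credential type(s): {sorted(set(bad))}")
    have = {e["type"] for e in pool}
    return sorted(set(target_types) - have)


if __name__ == "__main__":
    for title in stale_entries(POOL, ROTATIONS):
        print(f"STALE: {title} was rotated at the source after its pool entry was set")
    for t in uncovered_types(POOL, TARGET_TYPES):
        print(f"MISSING TYPE: no {t} credential in the pool")
```

Entries reported as stale are the ones to replace in the pool and then confirm with an ad-hoc audit against a small target set.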

Limitations

  • The form does not currently expose a per-credential Test or Validate button. The first signal that a credential is wrong is an audit failure; verify by triggering an ad-hoc audit against a small target set after rotation.
  • Whether a Segment can bind a specific credential beyond what is available in the Audit Service pool is not documented at this build level. Details may vary by deployment.