The SAMURAI Blog
Architecture · 2026-04-22 · 10 min read

Correlating 13,000 endpoints without a CMDB

Beyrak A.
Founder & Security/System Engineer

The CMDB problem

Most organizations maintain a CMDB — a spreadsheet, a ServiceNow instance, or a custom database — that is supposed to contain every device and endpoint on the network. In practice, these are perpetually stale. A new VM spins up, a contractor plugs in a laptop, a printer gets moved to a different VLAN, and the CMDB does not know about any of it until someone manually updates it. By then, three more changes have happened.

SAMURAI replaces the CMDB with a live, automatically correlated endpoint table built from the actual data on your devices. No manual entry. No reconciliation scripts. The network tells you what is on it, not the other way around.

The aggregation pipeline

Endpoint aggregation runs with 10 concurrent workers, each pulling data from a different source and merging results into a single table. The order of sources is deliberate and load-bearing — later sources can enrich earlier records but not overwrite higher-priority data. A lower-priority source may fill in fields that no earlier source supplied, but it never replaces a value that a higher-priority source has already set.

Source priority (in order)

1. MAC tables — the foundation. Every switch port has a MAC address learned on it. This is the most reliable link between a physical port and a device.

2. ARP/IP — maps MAC addresses to IP addresses. Combined with MAC tables, this gives you “device X with MAC Y has IP Z on port Gi1/0/3.”

3. DHCP snooping — provides the same MAC-to-IP mapping but from the DHCP server’s perspective. Useful when ARP entries have aged out.

4. CDP/LLDP neighbors — tells you what is connected to each port. A Cisco phone advertising itself via CDP enriches the endpoint with device name, model, and capabilities.

5. 802.1X sessions — adds authentication state, username, and authorization policy to the endpoint record.

6. OUI vendor lookup — the first three octets of the MAC address identify the manufacturer. SAMURAI ships with a 39,000-entry IEEE OUI database, embedded offline. No external API calls.

7. Gateway interfaces — router interfaces acting as gateways are tagged with Vendor: "Gateway". Loopback, Tunnel, LISP, and NVE interfaces are skipped — they are infrastructure, not endpoints.

8. Router ARP + neighbors — extends the ARP view beyond switches into the routing layer.

9. Palo Alto routing + IPSec — firewalls see endpoints that switches do not, especially across VPN tunnels.

10. APIC fvCEp hosts — in ACI fabrics, the APIC tracks every endpoint learned on the fabric. This is the final enrichment layer, adding fabric-specific data like EPG membership and encapsulation.
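The "enrich but never overwrite" rule above can be made concrete with per-field ownership by priority. The following is an added illustration, not SAMURAI's own code: the stage names, the record fields (lease_expires, interface, auth_state and so on), the three-entry OUI table standing in for the embedded IEEE database, and the sample switch, ARP, DHCP-snooping, CDP, 802.1X and router-interface records are all constructed for the example. Stages are applied one after another in the post's priority order, and the sample deliberately includes a stale DHCP-snooping binding so you can see it add lease data without displacing the ARP-learned address.

```python
"""Priority-ordered endpoint merge: later stages enrich, never overwrite.

Added example illustrating the rule described in the post, not SAMURAI's code.
Stage names, field names, the mini OUI table and all sample data are constructed.
"""
from typing import Iterable

# Stages in the post's priority order; a lower index wins any field conflict.
STAGES = ["mac_table", "arp", "dhcp_snooping", "cdp_lldp", "dot1x",
          "oui", "gateway_if", "router_arp", "firewall", "apic"]
PRIORITY = {name: i for i, name in enumerate(STAGES)}

# Router interface types the post calls infrastructure, not endpoints.
INFRA_IF_PREFIXES = ("loopback", "tunnel", "lisp", "nve")

# Constructed stand-in for the offline OUI database: first three octets -> vendor.
OUI_DB = {"00:1A:2B": "Cisco Systems", "3C:22:FB": "Apple"}


def normalize_mac(mac: str) -> str:
    """Canonicalise Cisco dotted, dashed or colon MAC forms to AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class EndpointTable:
    """Correlated endpoint table keyed by MAC, with per-field priority ownership."""

    def __init__(self) -> None:
        self.rows: dict = {}
        self._owner: dict = {}  # (mac, field) -> priority of the stage that set it

    def ingest(self, stage: str, rec: dict) -> None:
        """Merge one record: blank fields are filled, but a field already set by an
        equal- or higher-priority stage is never overwritten."""
        prio = PRIORITY[stage]
        mac = normalize_mac(rec["mac"])
        row = self.rows.setdefault(mac, {"mac": mac, "sources": []})
        if stage not in row["sources"]:
            row["sources"].append(stage)
        for key, value in rec.items():
            if key == "mac" or value in (None, ""):
                continue
            current = self._owner.get((mac, key))
            if current is None or prio < current:
                row[key] = value
                self._owner[(mac, key)] = prio

    def enrich_oui(self) -> None:
        """Stage 6: vendor from the MAC prefix, for rows learned by earlier stages."""
        for mac in list(self.rows):
            vendor = OUI_DB.get(mac[:8])
            if vendor:
                self.ingest("oui", {"mac": mac, "vendor": vendor})

    def ingest_gateways(self, interfaces: Iterable) -> None:
        """Stage 7: gateway interfaces become endpoints tagged Vendor 'Gateway';
        Loopback/Tunnel/LISP/NVE interfaces are skipped as infrastructure."""
        for intf in interfaces:
            if intf["name"].lower().startswith(INFRA_IF_PREFIXES):
                continue
            self.ingest("gateway_if", {"mac": intf["mac"], "ip": intf["ip"],
                                       "interface": intf["name"], "vendor": "Gateway"})


def build_sample_table() -> EndpointTable:
    """Run the stages in priority order over constructed sample data."""
    t = EndpointTable()
    t.ingest("mac_table", {"mac": "001a.2b3c.4d5e", "switch": "sw-acc-01", "port": "Gi1/0/3", "vlan": 240})
    t.ingest("arp", {"mac": "00:1A:2B:3C:4D:5E", "ip": "10.240.1.50"})
    # Stale DHCP-snooping binding: adds the lease field, must not replace the ARP IP.
    t.ingest("dhcp_snooping", {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.240.1.99",
                               "lease_expires": "2026-04-23T08:00"})
    t.ingest("cdp_lldp", {"mac": "001a.2b3c.4d5e", "name": "SEP001A2B3C4D5E", "model": "CP-8841"})
    t.ingest("dot1x", {"mac": "001a.2b3c.4d5e", "username": "phone-8841@example.test",
                       "auth_state": "Authorized"})
    t.enrich_oui()
    t.ingest_gateways([
        {"name": "Vlan240", "mac": "02:00:00:00:02:40", "ip": "10.240.0.1"},
        {"name": "Loopback0", "mac": "02:00:00:00:00:00", "ip": "10.255.255.1"},
    ])
    return t


if __name__ == "__main__":
    for row in build_sample_table().rows.values():
        print(row)
```

Because ownership is tracked per field rather than per record, the same MAC can be assembled from six different sources with no source ever clobbering a better one; the sources list on each row records where the evidence came from, which is what you want when a correlated entry is later disputed.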

Field-scoped search with CIDR awareness

Once endpoints are correlated, the search engine supports field-scoped queries with CIDR awareness. Searching ip:10.240.0.0/16 returns every endpoint in that subnet. Searching vendor:cisco filters by OUI-resolved manufacturer. The search parser supports AND/OR/NOT operators, quoted phrases, and negation (-ip:10.240). All of this runs against the correlated table — one query, 13,000+ endpoints, sub-second response.
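A small parser for the query syntax just described, as an added example; it is not SAMURAI's search engine. The endpoint records are constructed, and the following are my assumptions rather than documented behaviour: AND binds tighter than OR, adjacent terms are implicitly ANDed, an ip: value without a prefix length matches on whole dotted octets (so -ip:10.240 excludes 10.240.1.50 but not 10.24.0.9), other fields match as case-insensitive substrings, and a bare term is matched against every field.

```python
"""Field-scoped endpoint search with CIDR awareness (added example, not SAMURAI's parser)."""
import ipaddress
import re
from typing import Callable, Optional

Pred = Callable[[dict], bool]

# One token per match: optional leading '-', optional 'field:' scope, then a quoted
# phrase or a run of non-space characters (so 10.240.0.0/16 stays one token).
TOKEN = re.compile(r'(?P<neg>-?)(?P<field>[A-Za-z_]\w*:)?(?P<value>"[^"]*"|[^\s"]+)')

# Constructed sample of a correlated endpoint table.
ENDPOINTS = [
    {"mac": "00:1A:2B:3C:4D:5E", "ip": "10.240.1.50", "vendor": "Cisco Systems", "name": "SEP001A2B3C4D5E", "port": "Gi1/0/3"},
    {"mac": "3C:22:FB:10:20:30", "ip": "10.240.7.12", "vendor": "Apple", "name": "Conference Room iPad", "port": "Gi1/0/7"},
    {"mac": "02:00:00:00:02:40", "ip": "10.240.0.1", "vendor": "Gateway", "name": "Vlan240", "port": ""},
    {"mac": "02:00:00:00:09:09", "ip": "10.24.0.9", "vendor": "Cisco Systems", "name": "SEP020000000909", "port": "Gi2/0/1"},
    {"mac": "02:00:00:00:05:05", "ip": "", "vendor": "Unknown", "name": "", "port": "Gi1/0/22"},
]


def ip_match(value: str, ip: str) -> bool:
    """CIDR membership when value carries a prefix length; otherwise match whole
    dotted octets, so 10.240 matches 10.240.1.50 but not 10.24.0.9 (assumption)."""
    if not ip:
        return False
    if "/" in value:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
    return ip == value or ip.startswith(value + ".")


def term(field: Optional[str], value: str, negated: bool) -> Pred:
    """Predicate for one token; a leading '-' (negated) inverts the match."""
    needle = value.lower()

    def pred(rec: dict) -> bool:
        if field == "ip":
            hit = ip_match(value, str(rec.get("ip", "")))
        elif field is not None:
            hit = needle in str(rec.get(field, "")).lower()
        else:  # bare term: match against any field
            hit = any(needle in str(v).lower() for v in rec.values())
        return hit != negated

    return pred


def parse(query: str) -> Pred:
    """Recursive descent: OR binds loosest, then AND (implicit between terms), then NOT."""
    toks = [m.groupdict() for m in TOKEN.finditer(query)]
    pos = 0

    def at_op(name: str) -> bool:  # is the next token the bare operator `name`?
        t = toks[pos] if pos < len(toks) else None
        return t is not None and not t["neg"] and t["field"] is None and t["value"] == name

    def parse_or() -> Pred:
        nonlocal pos
        left = parse_and()
        while at_op("OR"):
            pos += 1
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, parse_and())
        return left

    def parse_and() -> Pred:
        nonlocal pos
        left = parse_not()
        while pos < len(toks) and not at_op("OR"):
            if at_op("AND"):
                pos += 1
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, parse_not())
        return left

    def parse_not() -> Pred:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("operator without operand in query")
        if at_op("NOT"):
            pos += 1
            inner = parse_not()
            return lambda rec: not inner(rec)
        t = toks[pos]
        pos += 1
        field = t["field"][:-1].lower() if t["field"] else None
        return term(field, t["value"].strip('"'), bool(t["neg"]))

    return parse_or() if toks else (lambda rec: True)


def search(query: str, endpoints: list) -> list:
    """Return the endpoints matching a field-scoped query."""
    pred = parse(query)
    return [e for e in endpoints if pred(e)]


if __name__ == "__main__":
    for q in ("ip:10.240.0.0/16", "vendor:cisco -ip:10.240", 'name:"Conference Room" OR vendor:Gateway'):
        print(q, "->", [e["ip"] for e in search(q, ENDPOINTS)])
```

Compiling the query to a predicate once and then scanning the table is enough for a few thousand rows; at the 13,000-endpoint scale the post mentions, the same predicates can be evaluated against per-field indexes instead of a linear scan without changing the parser.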

Your network deserves discipline

See SAMURAI run against your real environment. Most demos are scheduled within 24 hours.
