Two Ways to Find What Exists
Active discovery finds identities and access by directly querying systems: connecting to a directory, calling an API, or running a scan that asks a system to report what accounts and permissions it holds. It tends to be fast and thorough for the systems it can reach, but it depends on having credentials and network access to every system in scope, and on those systems tolerating being queried.
Passive discovery finds identities and access by observing activity and existing data, logs, traffic, configuration exports, without directly querying the target system. It’s slower to build a complete picture and depends on the quality of what’s already being logged, but it doesn’t require direct, credentialed access to a system that may be sensitive, fragile, or off-limits to scan.
Some environments genuinely can’t tolerate active scanning: legacy infrastructure that’s fragile enough that a scan risks disruption, safety-critical or isolated systems where intrusive connections raise operational concerns, or third-party systems where the organization simply doesn’t have standing to run a scan. In those cases, passive methods, or a hybrid approach, are the only realistic path to any visibility at all.