# Introduction to DISCOVER

GuardWare DISCOVER is a cross-platform system designed to identify, classify, and manage sensitive data across enterprise environments. It operates across endpoints, file servers, email systems, and cloud services, helping organisations detect and reduce exposure of regulated and sensitive information such as PCI, PII, PHI, and custom-defined data types.

At its core, DISCOVER is built around a centralised model of control and distributed execution. This allows it to scale across diverse infrastructures while maintaining a single point of visibility and administration.

## System Architecture

The system is composed of three primary components that work together to perform discovery operations: the Management Console, the Scanning Agent, and the Targets being scanned.

{% columns fullWidth="false" %}
{% column width="33.33333333333333%" %}
{% hint style="info" icon="1" %}
**Management Console**\
\
The central web application. Stores configuration and results. Schedules scan jobs. Displays scan status, reports, investigations, and remediation options.
{% endhint %}
{% endcolumn %}

{% column width="33.33333333333333%" %}
{% hint style="info" icon="2" %}
**Scanning Agent**\
\
A Windows service that executes tasks received from the Management Console. Scans the target and returns results and status to the Management Console.
{% endhint %}
{% endcolumn %}

{% column %}
{% hint style="info" icon="3" %}
**Targets**\
\
The systems being scanned. Can include endpoints, SMB file shares, Exchange Online, and SharePoint Online.
{% endhint %}
{% endcolumn %}
{% endcolumns %}

## Scanning Agent Deployment Models

Because enterprise environments vary significantly in structure, DISCOVER supports two distinct deployment models for the Scanning Agent: local deployment and host-based (Scanning Server) deployment.

### Local Deployment

In a **local deployment**, the Agent is installed directly on the target device. This means the device is responsible for scanning its own local data. Once the scan is complete, the results are sent back to the Management Console.

<figure><img src="/files/dMYy0U35w2Yh1ek2rpG5" alt=""><figcaption></figcaption></figure>

### Scanning Server Deployment

The **Scanning Server deployment** introduces a centralised scanning model. In this setup, the Scanning Agent is installed on a dedicated server or virtual machine. This host is then responsible for scanning multiple systems across the network remotely (agentless scanning). By removing the need for endpoint-level installation, this approach simplifies deployment in larger or more distributed environments.

<figure><img src="/files/AyV0yZ3npC83MtEQiyk7" alt="" width="543"><figcaption></figcaption></figure>

{% hint style="info" %}
A Scanning Server can also scan its own local files. When it does, that scan is local. Its primary role in this deployment is to scan targets remotely.
{% endhint %}

## Deployment and Setup Flow

Deploying GuardWare DISCOVER for scanning involves setting up the Management Console and then choosing how the Scanning Agent will be installed.

{% stepper %}
{% step %}

### Install the Management Console

The first step is installing the **Management Console** on a dedicated Windows system. This system becomes the central control point for all scanning activity, including configuration, scheduling, and reporting.
{% endstep %}

{% step %}

### Deploy the Scanning Agent

After the Management Console is operational, the next step is deploying the **Scanning Agent**. Depending on the chosen architecture, this may involve installing the service directly on endpoints for local scanning or deploying it on a dedicated host for remote (agentless) scanning.

In both cases, the Scanning Agent acts as the execution layer that carries out scan tasks assigned by the Management Console.\
[**Scanning Agent Deployment Guide →**](/setup-and-deploy/install-agent/install-discover-agent.md)
{% endstep %}

{% step %}

### Configure and Run Scans

Configuration includes adding scan targets, configuring Microsoft 365 credentials where necessary, and assigning data ownership where applicable. These settings define what will be scanned and under what context.

Scan jobs can then be created and executed from the Management Console. Results are returned and displayed within the interface, allowing you to review findings, investigate files for sensitive data, and initiate remediation actions.\
[**DISCOVER Quick Start Guide →**](/discover/getting-started/discover-quick-start-guide.md)
{% endstep %}
{% endstepper %}

## Console Access and Operation

Familiarising yourself with the Management Console is essential, as all administrative and operational tasks are performed there. Functions are organised neatly, and related tools are grouped in the navigation menu for easy access.

![](/files/bf70f8b080885d4bbb5f412471b81d740eebfedb)

Access to the console requires Super Admin credentials. After authentication, users must complete a second layer of verification using a time-based authenticator application. This ensures that access to sensitive scan data and system controls is properly secured.

Once logged in, the console provides a centralised view of all scan activity, including status, results, and historical reporting. From here, administrators can manage the full lifecycle of data discovery operations.

## Terminology

Within DISCOVER, several key terms define system behaviour and structure:

<table><thead><tr><th width="204">Term</th><th>Definition</th></tr></thead><tbody>
<tr><td>Agentless scan</td><td>A scan executed by the Scanning Server against a remote target over WinRM, SSH, or SMB. The scan target does not run any DISCOVER component.</td></tr>
<tr><td>Data classification</td><td>The process by which DISCOVER groups identified files or content into sensitive data categories.</td></tr>
<tr><td>Data owner</td><td>The individual accountable for a data type who receives notifications when DISCOVER detects that type of sensitive data.</td></tr>
<tr><td>Data types</td><td>Categories of sensitive information, predefined (e.g., PCI-DSS, PII, PHI) or user-defined, that DISCOVER scans for.</td></tr>
<tr><td>Device owner</td><td>The user or administrator responsible for a device that is being scanned or where sensitive data resides.</td></tr>
<tr><td>Management Console</td><td>The central web platform for DISCOVER. Manages scan scheduling, configuration, reporting, and remediation. Runs on the Management Console host.</td></tr>
<tr><td>DISCOVER Scanning Agent</td><td>The Windows service that executes scan jobs assigned by the Management Console. Can be installed on each device for local scanning, or on a dedicated host or VM for agentless scanning.</td></tr>
<tr><td>File servers</td><td>File shares accessible over SMB, scanned by DISCOVER to detect sensitive data.</td></tr>
<tr><td>GuardWare DISCOVER</td><td>A GuardWare solution for discovering, classifying, and remediating sensitive data across endpoints, file servers, email systems, and cloud services.</td></tr>
<tr><td>GuardWare PROTECT</td><td>A GuardWare solution that applies encryption and persistent protection to files. Optionally integrated with DISCOVER to encrypt sensitive data found during scanning.</td></tr>
<tr><td>Internet Information Services (IIS)</td><td>Microsoft's web server platform, used to host the Management Console and its associated services.</td></tr>
<tr><td>Investigation</td><td>The process of reviewing files flagged during a scan to determine their sensitivity and decide on appropriate action.</td></tr>
<tr><td>Local scan</td><td>A scan executed by the Scanning Server on the same device it is installed on.</td></tr>
<tr><td>Management Console host</td><td>The Windows machine on which the DISCOVER Management Console is installed and runs. Can be distinct from the Scanning Server host.</td></tr>
<tr><td>Microsoft Azure</td><td>Microsoft's cloud platform. DISCOVER uses it to scan Azure-based services such as Exchange Online and SharePoint Online.</td></tr>
<tr><td>Microsoft Entra ID</td><td>Microsoft's cloud-based identity and access management service (previously Azure AD). Used to authenticate DISCOVER's access to Microsoft 365 services.</td></tr>
<tr><td>Microsoft Exchange</td><td>Microsoft's email and calendaring platform, available on-premises or as Exchange Online.</td></tr>
<tr><td>Microsoft Graph API</td><td>A unified RESTful API used by DISCOVER to access and scan Microsoft 365 data sources, including Exchange Online and SharePoint Online, using OAuth 2.0.</td></tr>
<tr><td>Microsoft Intune</td><td>Microsoft's endpoint and mobile device management service. Can be used to deploy the remote access configuration scripts to target devices.</td></tr>
<tr><td>Microsoft SharePoint</td><td>Microsoft's collaboration and content management platform. SharePoint Online can be scanned by DISCOVER via the Microsoft Graph API.</td></tr>
<tr><td>OAuth 2.0 authentication</td><td>The authorisation framework used by DISCOVER to securely access Microsoft 365 cloud services via the Microsoft Graph API.</td></tr>
<tr><td>Organisation</td><td>An entity within the DISCOVER Management Console representing a company or customer environment.</td></tr>
<tr><td>PCI-DSS data</td><td>Payment Card Industry-regulated data, such as credit card numbers. A predefined sensitive data type in DISCOVER.</td></tr>
<tr><td>Remediation</td><td>The structured process of resolving sensitive data findings, such as deleting, moving, or encrypting files, facilitated by DISCOVER.</td></tr>
<tr><td>Scan</td><td>The process by which DISCOVER inspects files, emails, or services against defined policies to identify and classify sensitive data.</td></tr>
<tr><td>Scanning Server Deployment</td><td>A deployment model in which a dedicated Windows host or VM scans other devices and services remotely. The primary deployment model for agentless scanning.</td></tr>
<tr><td>Scanning Agent host</td><td>The Windows machine on which the Scanning Agent is installed. In local scanning, this is the endpoint itself. In agentless scanning, this is the dedicated host or VM.</td></tr>
<tr><td>Sensitive data</td><td>Confidential or regulated information, such as PCI, PII, or intellectual property, that DISCOVER scans for and helps protect.</td></tr>
<tr><td>SSH</td><td>Secure Shell protocol used by DISCOVER to connect to non-Windows target devices during agentless scanning.</td></tr>
<tr><td>Target</td><td>Any endpoint, server, or service designated in DISCOVER as a location to be scanned. In agentless scanning, targets do not run any DISCOVER component.</td></tr>
<tr><td>Virtual machine (VM)</td><td>A virtualised Windows environment that can host the Scanning Server for agentless scanning.</td></tr>
<tr><td>WinRM</td><td>Windows Remote Management protocol, used by DISCOVER to connect to Windows target devices during agentless scanning.</td></tr>
</tbody></table>

