You Cannot Secure What You Do Not Know You Have. Garrison Discovers Everything.
Garrison Connected Estate
Full infrastructure inventory populated by continuous discovery. Resource tracking, drift protection, deploy packs, and CM-8 compliance. Every resource enumerated. Every configuration captured. Every change recorded.
The Connected Estate
If it exists in your environment, Garrison knows about it.
Garrison is the source of truth for what infrastructure exists across your organization. Sentinel discovers resources continuously. Garrison records, categorizes, and tracks them. Every AWS account, every EC2 instance, every S3 bucket, every security group. Organized by system and environment. Mapped to compliance controls. Always current. Never a stale spreadsheet.
Garrison does not wait for manual inventory. Sentinel populates it. When you connect an AWS account, Sentinel triggers a full enumeration: EC2 instances, RDS databases, S3 buckets, Lambda functions, IAM roles, security groups, VPCs, subnets, load balancers, CloudFront distributions, and every other resource the AWS APIs expose. Configuration is captured at the attribute level. Tags are recorded. Relationships between resources are traced: which security group attaches to which instance, which IAM role grants access to which bucket, which VPC contains which subnet.
The initial scan is comprehensive. Every subsequent scan is incremental. Sentinel compares the current state against the last known state and records only the delta. New resources appear in Garrison immediately. Removed resources are marked terminated with a timestamp. Modified resources carry a change history. The discovery engine runs on a configurable schedule (default: every 6 hours for full reconciliation, with event-driven updates for real-time changes via AWS Config). You never wonder whether your inventory is current. It is current because Sentinel never stops watching.
Every resource in Garrison carries a structured record: resource type, ARN, region, first discovery timestamp, last seen timestamp, current status (active, stopped, terminated), configuration summary, applied tags, and compliance control mapping. The inventory is not a flat list. It is a relational model. Resources belong to environments. Environments belong to systems. Systems belong to your organization. Filter by any dimension. Search by any attribute. Export at any scope.
The "What's Changed" view shows the delta between any two points in time. Select a date range and Garrison surfaces every resource that was created, modified, or removed. Configuration diffs are rendered inline: what the security group rules were before, what they are now. This is not a log file. It is a structured, queryable change history with full attribution. Who changed it. When. What the previous state was. What the current state is. Whether the change was made through IaC or manually. Whether it triggered a compliance impact.
Systems are logical boundaries that map to authorization boundaries in your compliance program. A system might be "Customer Portal" or "Data Analytics Platform" or "Corporate IT." Each system contains one or more environments: production, staging, development, disaster recovery. Environments are the operational stages where resources live. Resources are grouped by environment. The hierarchy is explicit: Organization > System > Environment > Resource.
Different environments carry different compliance requirements. Your production environment requires full CMMC Level 2 coverage. Your development environment might require a subset. Garrison tracks these distinctions. Rampart uses them to scope assessments accurately. The posture delta view compares environments side by side: production has 97 controls implemented, staging has 84, development has 61. You see immediately where environments diverge and whether that divergence is intentional or a gap. Teams own systems. Environments within those systems inherit team ownership. Resource-level permissions follow the same hierarchy. No ambiguity about who is responsible for what.
Deploy packs are hardened Terraform modules sourced from Armory and deployed directly into your infrastructure repository. Select a pack. Garrison creates a pull request against your connected repo with the full Terraform source. STIG parameters are hardcoded into the module defaults. Provider versions are locked. Variable definitions include compliance annotations that map each parameter to the controls it satisfies. Evidence output configurations are included: the module emits structured outputs that Sentinel collects as compliance evidence automatically.
Every deploy pack is versioned. When Armory publishes an update (new STIG revision, updated CIS Benchmark parameters, security patch), Garrison notifies you. The notification includes a changelog: what changed, which controls are affected, whether the update is breaking. You review the diff, merge the PR, and your infrastructure updates through your existing CI/CD pipeline. No manual configuration. No drift between what the pack defines and what runs in production. The pack is the source of truth. Your pipeline enforces it. Sentinel verifies the deployed state matches the declared state.
AWS Config Rules evaluate resource compliance on every API call. When a resource changes, Config evaluates it against your declared rules and reports the result to Sentinel. Sentinel forwards the evaluation to Garrison. Terraform-managed resources are flagged when modified outside of IaC. The platform compares the current live state against the last known Terraform state file. Any delta is a drift event. Drift events create findings in Rampart with full context: what changed, when, the previous configuration, the current configuration, and which compliance controls are potentially affected.
Manual resources (those not managed by Terraform) create findings of a different class: unmanaged infrastructure. These findings surface in the action queue with a recommendation to bring the resource under IaC management or document the exception. Auto-remediation is configurable per resource type. For security groups, you might enable automatic rollback to the last known good configuration. For IAM policies, you might prefer detect-and-escalate. The default posture is conservative: detect the drift, create the finding, notify the responsible team, and wait for human decision. No silent auto-remediation unless you explicitly enable it.
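As an added illustration of the reconciliation the preceding paragraphs describe (not Garrison's own code), this compares a live discovery snapshot against the last known Terraform-managed state and emits the three event classes the page names: drift on a managed resource with the security-group rule diff rendered inline, a terminated resource stamped with a timestamp, and an unmanaged resource. All ARNs, rules and states below are constructed sample data.

```python
"""Reconcile a live resource snapshot against declared Terraform state.
Constructed example; the ARNs and configurations are not real."""
from datetime import datetime, timezone

# Constructed Terraform-managed state: ARN -> declared configuration.
TF_STATE = {
    "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0aaa": {
        "type": "security_group",
        "rules": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")},
    },
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0bbb": {"type": "instance", "state": "running"},
}

# Constructed live snapshot: SSH rule widened to the internet (manual change),
# the instance is gone, and a bucket nobody declared in IaC has appeared.
LIVE = {
    "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0aaa": {
        "type": "security_group",
        "rules": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")},
    },
    "arn:aws:s3:::unmanaged-exports-bucket": {"type": "s3_bucket"},
}

def reconcile(declared, live, now=None):
    """Return structured events: each carries the arn, a kind and a detail dict."""
    now = now or datetime.now(timezone.utc).isoformat()
    events = []
    for arn, cfg in live.items():
        if arn not in declared:
            # Present in the estate but not under IaC management.
            events.append({"arn": arn, "kind": "unmanaged", "at": now, "detail": cfg})
        elif cfg != declared[arn]:
            # Managed resource modified outside of Terraform: record before/after.
            before, after = declared[arn], cfg
            detail = {"before": before, "after": after}
            if before.get("type") == "security_group":
                detail["added_rules"] = sorted(after["rules"] - before["rules"])
                detail["removed_rules"] = sorted(before["rules"] - after["rules"])
            events.append({"arn": arn, "kind": "drift", "at": now, "detail": detail})
    # Declared but no longer discovered: mark terminated with a timestamp.
    for arn in declared.keys() - live.keys():
        events.append({"arn": arn, "kind": "terminated", "at": now, "detail": declared[arn]})
    return events

if __name__ == "__main__":
    for event in reconcile(TF_STATE, LIVE):
        print(event["kind"], event["arn"], event["detail"].get("added_rules", ""))
```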
NIST 800-53 CM-8 requires organizations to maintain an accurate, current, and complete inventory of information system components. Garrison is the source of truth for CM-8. Every resource discovered by Sentinel is recorded with the attributes CM-8 requires: component name, type, manufacturer/provider, model/version, serial number or unique identifier, physical location or network address, and responsible individual. These attributes are populated automatically from discovery data. No manual spreadsheet entry. No quarterly reconciliation exercises.
CM-8(1) requires updates during installation, removal, and configuration changes. Garrison satisfies this through event-driven discovery: when Sentinel detects a resource creation, modification, or termination, the inventory updates within minutes. CM-8(3) requires automated detection of unauthorized or undocumented components. Garrison flags any resource that appears in your environment but does not belong to an approved deploy pack or an explicitly registered manual resource. Unauthorized components generate findings automatically. Evidence for all three CM-8 enhancements is generated continuously, timestamped, and linked to the control record in Rampart. Your assessor gets a live inventory with provenance, not a PDF from six months ago.
Outposts are saved scan targets in Vanguard that exist outside of a formal system assignment. They are useful for evaluation: scan a repository before deciding whether to onboard it, assess a third-party dependency before integrating it, run SAST against a proof-of-concept before it enters your estate. Outposts have scan history, findings, and severity trends. But they are not connected to your compliance program. They live in Vanguard, not Garrison.
Graduation promotes an Outpost into Garrison. You select the target system and environment. The Outpost becomes a formal resource in your connected estate. Sentinel begins continuous monitoring. ScanFindings from Vanguard become ComplianceFindings in Rampart, mapped to the controls they affect. The full scan history transfers intact. No data loss. No re-scanning required. The resource now participates in posture scoring, drift detection, evidence collection, and CM-8 inventory. One click. The transition from "we are evaluating this" to "this is part of our estate" is immediate and auditable. The graduation event itself is recorded as evidence of a controlled onboarding process.
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.