Armis Asset Management Lacks Architectural Fleet-Health Substrate

by Nick Clark | Published April 25, 2026

Armis is the leading IoT, OT, IoMT, and unmanaged-asset visibility platform, with customers across hospitals, manufacturing, federal agencies, and critical infrastructure. The Centrix platform passively discovers devices on enterprise networks, fingerprints them against a crowdsourced device-knowledge graph of more than five billion devices, scores their risk, and integrates with NAC, SIEM, and ITSM to drive containment workflows. Armis solves the visibility-and-risk-scoring problem for a fleet of devices the enterprise did not procure as IT assets. It does not supply the architectural fleet-health property that distinguishes a device whose firmware integrity is cryptographically attested from one merely fingerprinted as healthy by passive traffic analysis. Health-monitoring as an AQ primitive supplies that property: tamper-evident seal monitoring, SBOM attestation, PUF-rooted challenge-response, zero-trust device management, and cryptographically propagated revocation, recorded into a lineage chain that survives device, vendor, and platform turnover.


Vendor and Product Reality

Armis Security, founded in 2015 and acquired by Insight Partners in 2020, ships the Centrix platform across the Asset Management & Security, Vulnerability Management, OT/IoT Security, and Medical Device Security modules. The platform connects via more than 250 integrations to existing infrastructure (Cisco ISE, Aruba ClearPass, Palo Alto, CrowdStrike, ServiceNow, Splunk, Tenable, Rapid7) and consumes telemetry from those sources rather than installing endpoint agents. Discovery is passive: span ports, network taps, NetFlow, wireless controllers, switch CAM tables, and integration-pulled inventories feed the device graph, which is then matched against the Armis Asset Intelligence knowledge base to identify make, model, firmware version, and risk profile. Customers include large hospital systems (HCA, Intermountain), federal agencies, automotive manufacturing, and US critical-infrastructure operators.

The risk model is behavior- and signature-driven. Armis assigns a risk score based on device type, observed behavior, known CVEs against the inferred firmware (a version the fingerprint implies or the device reports, not one the device has proved), peer-comparison anomaly, and policy compliance. When risk crosses a threshold, the platform triggers a NAC quarantine, opens a ServiceNow ticket, or feeds a SIEM detection. The product's strength is breadth (it sees the unmanaged device the EDR does not), and its operational value is in compressing mean-time-to-discover for devices that fall outside the IT inventory.

What the platform does not provide, and is architecturally not positioned to provide without a substrate change, is cryptographic attestation that a device is what it claims to be and is running what it claims to be running. Armis fingerprints; it does not attest. A medical infusion pump that matches a known model's traffic pattern is identified as that model regardless of whether its firmware has been replaced, its configuration tampered with, or its supply chain compromised before deployment. The fingerprint is a strong heuristic. It is not a credentialed observation in the architectural sense: nothing in it is signed by the device under a key that only the device holds.

The Architectural Gap

The gap is observation-class. Armis emits health observations — risk scores, anomaly flags, vulnerability matches — that are not credentialed at source by the device itself. A device on the network is observed externally; the observations cannot be cryptographically tied to a hardware root-of-trust on the device, a tamper-evident seal on its firmware, or a verified bill of materials for what is running. This is acceptable in an environment where the threat model is "unknown device on the network." It is not acceptable in an environment where the threat model includes supply-chain compromise (firmware altered before delivery), insider tampering (technician swaps a chip), counterfeit replacement (maintenance vendor substitutes a non-OEM module), and high-confidence revocation (a CVE disclosed today must propagate to disable matching devices in minutes, not weeks).

Healthcare, OT, and federal critical infrastructure are converging on these threat models under FDA premarket cybersecurity guidance, IEC 62443, NIS2, EO 14028 SBOM, and the CMMC framework. Each requires properties Armis does not structurally have: attested device identity rooted in hardware; SBOM attestation that the running firmware matches the disclosed bill of materials; tamper-evident seal monitoring that detects physical and logical compromise; PUF-based challenge-response such that a counterfeit device cannot impersonate the genuine; zero-trust device management in which every operation requires a fresh credential rather than a perimeter; and revocation that propagates cryptographically across the fleet.

The structural property Armis lacks is health observation as credentialed device-self-attestation feeding a governance chain. It cannot be added by integrating one more passive feed; it requires a substrate that originates at the device.

What the AQ Primitive Provides

The health-monitoring primitive specifies that every fleet-health observation be a credentialed self-attestation rooted in hardware, weighted into the governance chain, and recursively closed through revocation propagation. First, every device participates with a hardware root-of-trust (a TPM, a secure element, or a PUF, a physical unclonable function) that signs attestation messages under a credential issued by the device manufacturer or a delegated authority. Tamper-evident seal state, including secure-boot measurements, runtime integrity beacons, and physical-tamper indicators, is published as a signed observation rather than inferred from network behavior. Each such observation is bound to a verifier-supplied nonce, so that a captured attestation cannot be replayed later to vouch for a device that has since been modified.

Second, every device publishes an SBOM attestation: the bill of materials of the firmware actually running, signed by the device, traceable to a manufacturer-signed reference SBOM, so that a divergence between running and reference is detectable and structurally provable rather than heuristically inferred. Third, identity is verified through PUF challenge-response: the device answers a fresh challenge with a response, or a signature under a key derived from the PUF, that only the genuine silicon can produce; the challenge-response pairs are enrolled at manufacture and each is spent once, which defeats counterfeit and clone devices that pass passive fingerprinting. Fourth, device management is zero-trust: every operation (configuration push, firmware update, credential rotation, command) requires a fresh signed authorization evaluated against the device's current attested state, with no implicit trust derived from network position or prior session.

Fifth, revocation propagates cryptographically across the fleet. When a CVE is disclosed, when a tamper event is observed, when a credential is compromised, the revocation is signed by the issuing authority and distributed through the lineage substrate so that affected devices, dependent services, and orchestration controllers update within minutes. Every attestation, weighting, decision, and revocation is recorded in lineage with cross-authority signatures, and every downstream effect re-enters the chain as a fresh observation. This is health-monitoring as a governance substrate, not as a risk dashboard.

Composition Pathway

Armis's existing platform composes naturally with the primitive rather than competing with it. The Centrix discovery and integration mesh becomes the distribution and weighting layer for credentialed attestations; the Asset Intelligence knowledge base becomes the reference catalog against which SBOM attestations are validated; the integrations to NAC, SIEM, and ITSM become the enforcement and revocation propagation surface. What is added is the credentialed observation source — devices that publish attestations, SBOMs, PUF responses, and tamper-evident state under their manufacturer credentials.

For brownfield devices that cannot self-attest, the primitive supports a delegated attestation pathway: a paired edge node performs a PUF-equivalent challenge using observed device characteristics, signs an attestation under its own credential class with explicit weakness disclosure, and the governance chain weights that attestation accordingly (advisory rather than dispositive). The weakness is structural: the edge node can vouch only for what it observed on the wire, not for what the device's silicon measured at boot, so it cannot distinguish a unit whose firmware was altered before delivery from a genuine one. This preserves Armis's coverage of unmanaged legacy assets while creating a structural pathway by which next-generation devices contribute stronger evidence. Revocation, similarly, propagates through Armis's existing integration fabric: a signed revocation reaches NAC for quarantine, SIEM for detection, ITSM for ticketing, and the governance lineage for audit, all under the same credential.

The composition leaves Armis's commercial position unchanged in its current customer base while extending it into the regulatory cycle that is converging on attestation-grade health observation across healthcare, critical infrastructure, and federal IT.

Commercial Implication

Armis's customers — hospital systems under FDA premarket cybersecurity, federal agencies under EO 14028 and CMMC, OT operators under IEC 62443 and NIS2 — are facing regulatory cycles that require attestation, SBOM, and revocation properties the current platform does not structurally provide. The same is true for Claroty, Nozomi, Forescout, Phosphorus, Ordr, and the hyperscaler IoT-security stacks. A licensing posture toward Armis is a substrate license to the architectural property the next regulatory cycle will require irrespective of which discovery vendor wins which segment.

The freedom-to-operate disclosure is direct: an Armis or peer deployment that adds tamper-evident seal monitoring, SBOM attestation, PUF challenge-response, zero-trust device management, and revocation propagation under the AQ chain falls within the health-monitoring primitive's claim scope. The licensing model is per-device-monitored or per-fleet, priced as a fraction of the per-device subscription Armis already commands. The commercial implication is that the architectural property required to certify next-cycle compliance is already disclosed, dated, and available to license rather than to litigate.
