How to Audit EOL Hardware
Find it before an auditor or an attacker does.
An EOL audit answers one question: which devices on my network are running past their vendor's support date? The process is straightforward — pull inventory, match against lifecycle data, flag what's expired or expiring. The hard part is doing it across mixed-vendor environments where every manufacturer uses different terminology, different bulletin formats, and different support timelines.
Step 1: Extract your inventory
Pull model numbers from your devices. On Cisco, run "show inventory" and "show version". On Juniper, run "show chassis hardware". On Palo Alto, run "show system info". If you have an NMS or CMDB, export the hardware model field.
What you need is the product ID or SKU — the vendor's part number for the hardware. Not the hostname, not the serial number, not the firmware version. The lifecycle data is keyed to the product SKU.
Step 2: Match against lifecycle data
Each vendor publishes end-of-life bulletins listing affected SKUs and their milestone dates. Checking them manually works for a handful of devices. For anything larger, you need a lookup tool.
This site's bulk lookup accepts a list of product IDs (or raw CLI output) and matches them against the database using fuzzy matching. Paste in your "show inventory" output and it will identify the SKUs, pull their lifecycle status, and flag anything that's expired or expiring.
Step 3: Prioritize
Not all EOL hardware carries the same risk. Prioritize by:
- Internet-facing devices first. Edge routers, firewalls, VPN concentrators. These are the attack surface.
- Devices with active KEV entries. If CISA has flagged a CVE against the platform as actively exploited, it's not hypothetical risk.
- Compliance-scoped devices. Anything in a PCI CDE, a HIPAA environment, or a CISA BOD 26-02 inventory.
- Devices past security-support but not yet past last-date-of-support. The vendor will still RMA the hardware, but won't patch it. This is the deceptive window — "supported" in name but exposed in practice.
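Steps 1 through 3 as a small script, added here as an illustration and not this site's lookup tool: it pulls PIDs from Cisco-style "show inventory" text, matches them exactly (no fuzzy matching) against a lifecycle table, and ranks the results. The SKUs, serials, dates and scoring weights are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample of Cisco-style "show inventory" output; PIDs and serials are made up.
SHOW_INVENTORY = """\
NAME: "Chassis", DESCR: "Example edge router chassis"
PID: EX-RTR-4300/K9    , VID: V05, SN: FAKE0000001
NAME: "NIM subslot 0/1", DESCR: "Example WAN module"
PID: EX-NIM-2T         , VID: V01, SN: FAKE0000002
NAME: "Power Supply 0", DESCR: "Example AC power supply"
PID: EX-PWR-AC         , VID: V02, SN: FAKE0000003
"""
# Constructed lifecycle table keyed by SKU: (end of security support, last date of support).
LIFECYCLE = {
    "EX-RTR-4300/K9": (date(2024, 6, 30), date(2027, 6, 30)),
    "EX-NIM-2T": (date(2021, 1, 31), date(2023, 1, 31)),
    "EX-PWR-AC": (date(2030, 1, 31), date(2032, 1, 31)),
}
# [ \t]* (not \s*) so an empty PID field cannot swallow the next line.
PID_RE = re.compile(r"^PID:[ \t]*([^\s,]+)", re.MULTILINE)

def extract_pids(cli_output):
    """Step 1: return the product IDs (SKUs), ignoring hostnames, serials and empty PIDs."""
    return PID_RE.findall(cli_output)

def status(sku, today, warn_days=365):
    """Step 2: classify one SKU against the lifecycle table as of 'today'."""
    if sku not in LIFECYCLE:
        return "unknown"      # no bulletin matched: check the vendor by hand
    eos_security, last_support = LIFECYCLE[sku]
    if today > last_support:
        return "expired"
    if today > eos_security:
        return "unpatched"    # the deceptive window: still RMA-able, no longer patched
    if (eos_security - today).days <= warn_days:
        return "expiring"
    return "supported"

def audit(cli_output, today, internet_facing=False, kev=False, in_scope=False):
    """Step 3: return (score, sku, status) rows for one device, highest priority first."""
    base = {"expired": 3, "unpatched": 3, "expiring": 1, "unknown": 1, "supported": 0}
    rows = []
    for sku in extract_pids(cli_output):
        st = status(sku, today)
        score = base[st]
        if score:  # only flagged hardware picks up exposure weight (weights are assumptions)
            score += 4 * internet_facing + 2 * kev + 1 * in_scope
        rows.append((score, sku, st))
    return sorted(rows, key=lambda r: -r[0])
```

Calling audit(SHOW_INVENTORY, date(2025, 1, 1), internet_facing=True) ranks the router chassis and the WAN module above the still-supported power supply.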
Step 4: Build the replacement plan
See the replacement planning guide for how to sequence a refresh. The short version: start with what's expiring soonest and what's most exposed, group by vendor for volume pricing, and budget 12–18 months lead time for procurement and deployment.