“Asset” in Cyvex is anything scans can run against: an external domain, a cloud account (AWS, Azure, GCP), a code repository, an internal host range, or a SaaS tenant. The fastest way to demonstrate value on day one is to connect whatever your org is most exposed on.

What to connect first, by org type

B2B SaaS: your primary production domain + your main cloud account (usually AWS). This gives you external attack surface + posture in one shot.
Managed services / consultancy: a GitHub org and a representative client's external surface.
E-commerce: public domains + payment-processing sub-domains. Consider an authenticated scan of the admin console once you're comfortable.
Manufacturing / operations-heavy: internal host range (requires a scanner appliance) + email domain for phishing-adjacent checks.

Minimum permissions

For cloud accounts, Cyvex uses read-only IAM roles. Don't grant write permissions — a read-only role is enough to evaluate configuration and generate findings. See the AWS integration guide for the exact policy.