First, know thy network


If you are responsible for the security of a network of hosts, your first goal should be to understand the content and structure of your network. In a small network it may be easy to physically visit all of the hosts in your network. Larger networks may be so physically dispersed that it is infeasible to make frequent "house calls" and fully map your network.

Network scanning tools like nmap can allow you to use your own network facilities to inventory the hosts that are attached to it. nmap has a number of capabilities for not just detecting the presence of hosts on a network, but also scanning individual hosts for the presence of TCP/IP services and even, in some cases, detecting the OS of a host by looking for characteristic quirks in its network behavior. Consequently, careful use of nmap can detect the presence of hosts on your network, the services they run that might be potential security problems, and even give you a rough idea of the operating system mix in use.
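As an added example (not part of the original page), the following Python sketch turns the XML report nmap writes with its `-oX` option (and `-O` for OS detection) into an inventory and compares it with a list of what you expect to find. The sample XML, the addresses and the `EXPECTED` asset list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output, trimmed to the elements used here.
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="111"><state state="closed"/><service name="rpcbind"/></port>
    </ports>
    <os><osmatch name="Linux 2.4.X" accuracy="93"/></os>
  </host>
  <host><status state="up"/><address addr="192.0.2.77" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical asset list: address -> services each host is supposed to offer.
EXPECTED = {"192.0.2.10": {"22/tcp"}, "192.0.2.20": {"25/tcp"}}

def parse_inventory(xml_text):
    """Return {addr: {"os": best OS guess or None, "open": {"port/proto": service}}} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or addr is None or status.get("state") != "up":
            continue
        # nmap may list several OS guesses; keep the one it is most confident in.
        best = max(host.iter("osmatch"), key=lambda m: int(m.get("accuracy", "0")), default=None)
        open_ports = {}
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                key = f'{port.get("portid")}/{port.get("protocol")}'
                open_ports[key] = svc.get("name") if svc is not None else "unknown"
        inventory[addr.get("addr")] = {"os": best.get("name") if best is not None else None, "open": open_ports}
    return inventory

def compare(inventory, expected):
    """Return (hosts seen but not listed, hosts listed but not seen, unexpected open services per host)."""
    unknown = sorted(set(inventory) - set(expected))
    missing = sorted(set(expected) - set(inventory))
    unexpected = {}
    for addr in set(inventory) & set(expected):
        extra = sorted(set(inventory[addr]["open"]) - expected[addr])
        if extra:
            unexpected[addr] = extra
    return unknown, missing, unexpected

if __name__ == "__main__":
    print(compare(parse_inventory(SAMPLE_XML), EXPECTED))
```

Hosts in the first list are ones nobody told you about, and services in the third are ones to either document or turn off.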

Of course, your attackers are probably using nmap too, for exactly the same reasons. This is partly why unannounced network scanning from unknown sources is so likely to draw suspicion; a scanning target often has no way to distinguish a "friendly" scan from a hostile scan -- and in any case the hostile scans are far more frequent (the UO network gets scanned many, many times each day). The most effective attackers have automated the process to the point where they can designate a target network, have it inventoried for hosts containing potentially-vulnerable services, and have exploits for those services attempted automatically.



Steve VanDevender
Last modified: Wed Jul 28 21:56:04 PDT 2004