Cloud security as attack-path analysis — not a CSPM scan repackaged.
Manual cloud-security assessment of AWS, Azure, and GCP estates. IAM-driven attack-path analysis, cross-account misconfiguration, identity-federation abuse, custom infrastructure-as-code review. We are not selling you a Cloud Security Posture Management dashboard.
Misconfigurations are not the interesting attacks.
Cloud security posture management tools find S3 buckets that are public, security groups that allow 0.0.0.0/0, and IAM roles that have admin privileges. Useful — and largely solvable with policy-as-code.
The interesting attacks against modern cloud estates are not single-misconfiguration findings. They are attack paths: a chain of three or four legitimate-looking permissions, across two or three accounts, that adds up to an undetected privilege escalation. CSPM tools do not see those, because each individual step is allowed.
We model the customer's IAM graph manually, against the customer's real workloads, and find paths an attacker would walk that the customer's tooling does not register as findings.
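An added illustration of the argument above (example code, not the consultancy's own tooling): a constructed two-account IAM graph in which no single grant held by the starting user is a posture finding, yet a breadth-first search over the grants reveals a three-hop path across the account boundary to administrator. Account labels, principal names and the permission on each edge are constructed assumptions, not real identifiers.

```python
from collections import deque

ADMIN = "prod:AdministratorAccess"  # sink node: effective admin in the prod account

# Constructed example graph; "dev"/"prod" are placeholder account labels.
# Each edge is one individually legitimate permission or trust grant.
EDGES = [
    ("dev:user/ci-deployer", "iam:PassRole + lambda:CreateFunction", "dev:role/build-role"),
    ("dev:role/build-role", "sts:AssumeRole via prod trust policy", "prod:role/deploy-role"),
    ("prod:role/deploy-role", "iam:AttachRolePolicy on self", ADMIN),
    ("prod:user/break-glass", "attached AdministratorAccess", ADMIN),
    ("dev:role/build-role", "iam:PassRole + ec2:RunInstances", "dev:role/ec2-app"),
]


def build_graph(edges):
    graph = {}
    for src, how, dst in edges:
        graph.setdefault(src, []).append((how, dst))
    return graph


def single_hop_findings(graph, target=ADMIN):
    """What a per-principal posture check sees: who reaches admin in one hop."""
    return sorted(src for src, hops in graph.items() if any(dst == target for _, dst in hops))


def attack_paths(graph, start, target=ADMIN, max_hops=4):
    """BFS over principals; returns every simple path of <= max_hops edges to target."""
    found = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            found.append(path)
            continue
        if len(path) >= max_hops:
            continue
        visited = {start} | {dst for _, _, dst in path}
        for how, dst in graph.get(node, []):
            if dst not in visited:
                queue.append((dst, path + [(node, how, dst)]))
    return found


def account_crossings(path):
    """Number of hops in a path that leave one account for another."""
    return sum(1 for src, _, dst in path if src.split(":")[0] != dst.split(":")[0])


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("single-hop findings:", single_hop_findings(g))
    for path in attack_paths(g, "dev:user/ci-deployer"):
        print(f"{len(path)} hops, {account_crossings(path)} account boundary crossing(s):")
        for src, how, dst in path:
            print(f"  {src} --[{how}]--> {dst}")
```

The single-hop view never names dev:user/ci-deployer, which is exactly the gap a per-finding scanner leaves and a graph search closes.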
The shape of the work.
Manual review of IAM roles, policies, trust relationships, and permission boundaries. Multi-step privilege escalation, cross-account abuse, identity-federation walks.
Pivot analysis across organizational boundaries, tenant-isolation review, shared-resource abuse, payer-account exposure, control-tower drift.
SSO and SCIM-pipeline abuse, OIDC and SAML protocol-level attacks, AssumeRoleWithWebIdentity misuse, GitHub-Actions OIDC misconfiguration.
KMS / Key Vault / Cloud KMS audit, secret-store boundary review, access-pattern analysis, IMDS abuse, container-runtime credential leakage.
Terraform, CloudFormation, ARM, Pulumi review. Custom analyzers for the customer's modules and patterns where commercial IaC scanners do not have context.
EKS / AKS / GKE node-isolation review, RBAC analysis, admission-controller bypass, service-mesh policy review, supply-chain integrity.
Lambda / Functions trust-boundary review, EventBridge and Pub/Sub policy review, S3-event chain abuse, workflow-orchestration misuse.
Database access-pattern review, data-lake permission analysis, encryption-at-rest evaluation, customer-managed-key model audit.
CloudTrail / Audit Logs / Activity Logs coverage analysis, log-pipeline integrity, detection-rule design review, blue-team validation.
The shape we don't ship.
- No reselling CSPM
Wiz, Orca, Prisma Cloud, Lacework — useful tools, owned by the customer, not by us. We do not bill for re-formatting their dashboards.
- No CIS-benchmark deliverable
The CIS benchmarks are a useful baseline. Customers run them. We do not bill expert hours to read them back.
- Local LLMs as tooling support
Cloud-attack-path analysis depends on graph reasoning over the customer's specific IAM topology. Current models hallucinate paths and miss context — manual remains the right default. We do use local LLMs we run in-house to summarise large policy documents, accelerate IaC analyzer development, and pattern-match across our customer-anonymised corpus. Customer IAM material never goes to a commercial SaaS model.
Scoped to the estate, not to a calendar.
Single-account / single-cloud assessment. One AWS account or Azure subscription, full IAM and resource review, attack-path analysis.
Multi-account / multi-cloud. AWS Organizations, Azure tenancy hierarchies, GCP folder structures. Cross-account pivot analysis.
IaC-pipeline review. Standalone or paired. Terraform / CloudFormation modules, custom-policy analyzers, drift detection, deployment-pipeline integrity.
Continuing engagement. Quarterly review as the cloud estate evolves — new service, new region, new account, new attack surface.
Duration depends on the estate's size and the depth of coverage. We scope against the actual footprint.