Cloud Security Posture Management

Cloud Security Posture Management
from Code to Live Cloud, Unified.

AquilaX CSPM extends security from your code repository into live cloud deployments — continuously auditing AWS, Azure, GCP and Kubernetes against CIS, NIST, PCI DSS, ISO 27001 and more, detecting configuration drift, mapping IAM privilege escalation paths, and streaming runtime threats in real time.

4 cloud providers · 9+ compliance frameworks · <15 min to first scan after connect · real-time runtime threat detection · 5 min per cloud connection setup
Foundation

What is Cloud Security
Posture Management?

CSPM closes the gap that pre-deployment scanning leaves open. Once code ships to a cloud account, live configurations drift from IaC intent, identities accumulate excess permissions, and runtime threats emerge that no static scanner can detect. CSPM monitors all of it — continuously, automatically, and across every cloud you run.


Multi-Cloud Visibility

Unified inventory and compliance view across AWS, Azure, GCP, and Kubernetes. One dashboard correlates what four separate security consoles show in isolation and closes the gaps between them.


Configuration Drift Detection

Field-level comparison between your IaC definitions and live cloud state. Changes made directly in the console, bypassing GitOps, are caught at the next inventory refresh and flagged against the module that declared the resource.


IAM Risk Analysis

Maps privilege escalation paths, unused permissions, and over-permissioned roles that accumulated incrementally. Identifies the exact chain from compromised credential to sensitive data.

Runtime Threat Detection

eBPF kernel events via Falco catch active threats like reverse shells, cryptomining, and container escapes in real time — threats that never appear in static configuration audits.


Continuous Compliance

Automated audit against CIS Benchmarks, NIST 800-53, PCI DSS 4.0, ISO 27001, SOC 2, HIPAA, DORA, NIS2, and GDPR. Export audit-ready evidence for any control on demand.


AI-Driven Auto-Remediation

Policy-driven, opt-in remediation across AWS, Azure, and GCP. Every action is fully audited with context and exportable to your SIEM. Securitron AI suggests fixes before you enable automation.

Architecture

Code-to-Cloud
Security Correlation

AquilaX CSPM links live cloud findings back to their IaC source, so you see exactly which Terraform module or CloudFormation template created a misconfigured resource, alongside its identity permissions and any runtime events.

Architecture diagram (text rendering):
  IaC source (Terraform, CloudFormation): drift baseline and lineage
  AWS (EC2, S3, IAM, RDS, Lambda): Prowler + Cloudsplaining
  Azure (VMs, Entra, AKS, Storage): Prowler + Steampipe
  GCP (GCE, GKE, IAM, BigQuery): Prowler + Steampipe
  Kubernetes (Pods, RBAC, Network, Secrets): Kubescape + Falco
  Runtime events: Falco eBPF kernel events, cloud audit log streams
  All feeds are ingested continuously into the CSPM AI core (Securitron) and fan out to the dashboard, PR comments, SIEM webhooks, Slack/Teams and PDF reports.
Technical Architecture

Purpose-Built Security Engines,
Unified by Securitron AI.

AquilaX CSPM normalises findings from six specialised security engines into a single resource graph — deduplicating cross-source overlap and applying Securitron's false-positive elimination before any finding reaches your dashboard.

Prowler

Cloud configuration auditing across AWS, Azure, and GCP. Maps resources against CIS Benchmarks, NIST 800-53, PCI DSS, ISO 27001, SOC 2, HIPAA, DORA, and NIS2 with pass/fail per control.

Tags: AWS · Azure · GCP · CIS Benchmarks · Config Audit

Steampipe

SQL-over-cloud-APIs for full asset inventory and drift queries. Compares live resource configuration against IaC baselines with field-level precision, so manual console changes surface at the next inventory refresh rather than at the next full audit.

Tags: Asset Inventory · Drift Detection · SQL Queries · Multi-cloud
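The field-level comparison described here, and under Configuration Drift Detection earlier on this page, in runnable form. This is an added example, not AquilaX or Steampipe code: DECLARED mimics the attributes an aws_s3_bucket-style resource carries in IaC state and LIVE mimics what a describe call returns after a console edit. Both documents are constructed, the attribute names are assumed rather than copied from any provider schema, and the severity table is an illustrative choice.

```python
"""Field-level drift between what IaC declared and what is live in the cloud.

Added example, not AquilaX or Steampipe code. DECLARED and LIVE are constructed;
attribute names are assumed, not taken from any provider schema.
"""
from dataclasses import dataclass
from typing import Any, Iterator

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Which fields matter most when they drift (prefix match on the dotted path); illustrative.
SEVERITY_RULES = [
    ("acl", "critical"),
    ("server_side_encryption_configuration", "critical"),
    ("versioning", "high"),
    ("logging", "medium"),
    ("tags", "low"),
]

@dataclass(frozen=True)
class Drift:
    path: str       # dotted path of the drifted field
    declared: Any   # value in IaC (None = not declared)
    live: Any       # value in the cloud (None = not present)

    @property
    def kind(self) -> str:
        if self.declared is None:
            return "added"       # set in the console, absent from IaC
        if self.live is None:
            return "removed"     # declared in IaC, gone from the cloud
        return "changed"

def diff_fields(declared: Any, live: Any, path: str = "") -> Iterator[Drift]:
    """Walk both structures together and yield one Drift per leaf that differs.
    Dicts are compared by key, lists positionally, anything else by equality."""
    if isinstance(declared, dict) and isinstance(live, dict):
        for key in sorted(set(declared) | set(live)):
            sub = f"{path}.{key}" if path else key
            yield from diff_fields(declared.get(key), live.get(key), sub)
    elif isinstance(declared, list) and isinstance(live, list):
        for i in range(max(len(declared), len(live))):
            d = declared[i] if i < len(declared) else None
            v = live[i] if i < len(live) else None
            yield from diff_fields(d, v, f"{path}[{i}]")
    elif declared != live:
        yield Drift(path, declared, live)

def severity(drift: Drift) -> str:
    for prefix, sev in SEVERITY_RULES:
        if drift.path == prefix or drift.path.startswith((prefix + ".", prefix + "[")):
            return sev
    return "high"   # unknown field drifting on a production resource: high until triaged

def drift_report(declared: dict, live: dict, iac_source: str) -> list:
    """Drifts ordered by severity then path, each carrying the IaC lineage so the
    finding can be opened against the module that created the resource."""
    rows = [{"path": d.path, "kind": d.kind, "declared": d.declared, "live": d.live,
             "severity": severity(d), "iac_source": iac_source}
            for d in diff_fields(declared, live)]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r["severity"]], r["path"]))

DECLARED = {  # constructed IaC intent
    "bucket": "prod-customer-data",
    "acl": "private",
    "server_side_encryption_configuration": {
        "rule": {"sse_algorithm": "aws:kms", "kms_key_id": "alias/prod-data"}},
    "logging": {"target_bucket": "prod-access-logs", "target_prefix": "s3/"},
    "versioning": {"enabled": True},
    "tags": {"owner": "data-platform"},
}
LIVE = {  # constructed live state after someone edited the bucket in the console
    "bucket": "prod-customer-data",
    "acl": "public-read",
    "versioning": {"enabled": True},
    "tags": {"owner": "data-platform", "temp": "debug"},
}

if __name__ == "__main__":
    for row in drift_report(DECLARED, LIVE, "modules/storage/main.tf:L42"):
        print(f"{row['severity']:8} {row['kind']:8} {row['path']}: "
              f"{row['declared']!r} -> {row['live']!r}")
```

Run stand-alone it prints four drifts: the ACL changed to public-read, the encryption block and access logging removed, and a stray tag added. The severity map is the part to tune per organisation; the diff itself is generic and works on any nested JSON-shaped pair.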

Cloudsplaining

Deep AWS IAM policy analysis. Identifies resource exposure, privilege escalation paths, data exfiltration risks, and credential exposure from over-permissioned IAM policies and unused roles.

Tags: AWS IAM · Privilege Escalation · Unused Permissions · Policy Analysis

Falco Runtime Detection

eBPF kernel-level runtime threat detection. Catches active threats — reverse shells, cryptomining, container escapes, suspicious process spawning — that no static scanner can see. Streams events in real time.

Tags: eBPF · Runtime Threats · Container Security · Real-time

Kubescape

Kubernetes posture assessment against NSA/CISA hardening standards with full MITRE ATT&CK mapping. Covers RBAC misconfigurations, insecure network policies, exposed secrets, and pod security violations.

Tags: Kubernetes · NSA/CISA · MITRE ATT&CK · RBAC

Cloud Custodian

Policy-driven enforcement and auto-remediation across all three cloud providers. Defines actions (alert, tag, quarantine, delete) triggered by findings — with full audit trail exported to SIEM.

Tags: Policy Enforcement · Auto-Remediation · Audit Trail · Multi-cloud
Unified Resource Graph: All findings from every engine merge into a single graph linking IaC definitions, live resources, identities, and runtime events. Duplicates from multiple sources consolidate into one finding with multiple source tags — no alert noise from the same issue being detected twice.
Dashboard

Four Views. Every Cloud
Risk, Always Current.

The CSPM dashboard surfaces the right information at the right layer — from executive compliance scores down to individual runtime syscall events — all within the same AquilaX platform you already use for AppSec.

Compliance Posture by Framework

Compliance scores per cloud account broken down by framework — CIS, ISO 27001, SOC 2, NIST, PCI DSS, DORA, NIS2. Each score shows pass/fail counts and affected resources so auditors have evidence, not summaries.

  • Per-account compliance score across all connected cloud providers
  • Pass/fail breakdown per control with affected resource list
  • Trend lines showing posture improvement over time
  • Export audit-ready PDF evidence for any framework on demand
  • Multi-account aggregated view for organisation-wide reporting
AWS Production, compliance overview (illustrative dashboard card):
  CIS AWS Foundations v3.0: 81%, 23 fails
  SOC 2 Type II: 94%, 4 fails
  PCI DSS 4.0: 67%, 41 fails
  NIST 800-53: 78%, 31 fails
  ISO 27001:2022: 92%, 6 fails
  HIPAA Security Rule: 85%, 18 fails

Full Cloud Asset Inventory

Searchable inventory of every live cloud resource — EC2, S3, RDS, Lambda, VM, storage account, GCE, GKE node — each enriched with its findings, IaC lineage, identity permissions, and recent runtime events.

  • Resource graph refreshed every hour across all providers (runtime events arrive separately, in real time)
  • IaC lineage tracing — see which Terraform module created each resource
  • Identity permissions map for every resource showing attached roles/policies
  • Historical state showing what changed, when, and by whom
  • Custom Steampipe queries for advanced inventory analysis
Resource: s3://prod-customer-data (illustrative inventory card)
  IaC source: modules/storage/main.tf:L42
  Public ACL enabled (drift) · Critical
  IAM: 3 over-permissioned roles · High
  Encryption at rest disabled · Critical
  Access logging disabled · Medium
  AI fix available · auto-PR ready

Attack Path Graph

Visual graph of exploitable chains — from initial compromise through privilege escalation to sensitive data access. Each path is ranked by impact score so your team prioritises the chains that matter, not individual findings in isolation.

  • Graph visualisation of multi-step attack chains across cloud resources
  • Ranking by combined impact score (blast radius × exploitability)
  • Links each node back to its IaC source and pre-deployment findings
  • Suggests single-fix chokepoints that break multiple attack paths at once
  • Exportable as evidence for risk acceptance or compliance reviews
Critical attack path, impact score 9.4 (illustrative):
  Entry: compromised dev IAM user
  Escalation: assume role lambda-execution-role
  Exfiltration: s3:GetObject on prod-customer-data
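The chain shown above, and the privilege escalation mapping attributed to Cloudsplaining under the engines section, as an added example. This is not AquilaX or Cloudsplaining code: the account id, user, roles, policies and the blast-radius weighting are all constructed, and the assume-role rule is a simplified model that ignores explicit Deny statements, conditions, SCPs and permission boundaries. The rule it does model is the one that matters for path finding: within one account, a trust policy that names the caller's ARN is sufficient on its own, while a trust policy that names only the account root additionally needs sts:AssumeRole on that role in the caller's identity policy.

```python
"""Assume-role privilege escalation paths over a small IAM model.

Added example, not AquilaX or Cloudsplaining code. Everything below is
constructed; a real analysis reads principals and policies from the account.
Modelled sts:AssumeRole edge (Deny, conditions, SCPs, boundaries ignored):
  - trust policy names the caller's ARN directly: edge exists;
  - trust policy names only the account root: edge exists only if the
    caller's identity policy also allows sts:AssumeRole on the role.
"""
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                          # constructed
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
CROWN_JEWEL = "arn:aws:s3:::prod-customer-data/customers.csv"     # constructed target
# Capabilities that define blast radius; equal weights, an illustrative choice.
SENSITIVE = [("s3:GetObject", CROWN_JEWEL), ("iam:CreateAccessKey", "*"),
             ("kms:Decrypt", "*"), ("secretsmanager:GetSecretValue", "*")]

@dataclass
class Principal:
    arn: str
    allow: list                                   # identity policy: (action, resource) patterns
    trusts: list = field(default_factory=list)    # role trust policy: principal ARNs

def allows(p: Principal, action: str, resource: str) -> bool:
    """IAM-style wildcard match of one (action, resource) pair against the Allow statements."""
    return any(fnmatchcase(action, a) and fnmatchcase(resource, r) for a, r in p.allow)

def can_assume(caller: Principal, role: Principal) -> bool:
    if caller is role or not role.trusts:
        return False
    if caller.arn in role.trusts:
        return True                               # named directly: no identity grant needed
    return ROOT in role.trusts and allows(caller, "sts:AssumeRole", role.arn)

def escalation_paths(principals, entry, action, resource, max_hops=4):
    """Depth-first enumeration of simple assume-role chains from `entry`, each ending at
    the first principal on the chain that can perform `action` on `resource`."""
    found, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        here = principals[path[-1]]
        if allows(here, action, resource):
            found.append(path)
            continue
        if len(path) - 1 >= max_hops:
            continue
        for cand in principals.values():
            if cand.arn not in path and can_assume(here, cand):
                stack.append(path + [cand.arn])
    return found

def score(principals, path) -> float:
    """Impact = blast radius of the terminal principal (share of SENSITIVE it holds)
    x exploitability (1 / hops), scaled to 0-10."""
    terminal = principals[path[-1]]
    blast = sum(allows(terminal, a, r) for a, r in SENSITIVE) / len(SENSITIVE)
    return round(10 * blast / max(len(path) - 1, 1), 2)

def rank_paths(principals, entry, action, resource):
    paths = escalation_paths(principals, entry, action, resource)
    return sorted(((score(principals, p), p) for p in paths),
                  key=lambda sp: (-sp[0], len(sp[1]), sp[1]))

def chokepoint(paths):
    """The assume-role edge shared by the most paths: tightening that role's trust policy
    or removing the caller's sts:AssumeRole grant breaks every path through it."""
    edges = Counter(e for p in paths for e in zip(p, p[1:]))
    return edges.most_common(1)[0] if edges else None

def demo_account():
    user = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"
    def role(name):
        return f"arn:aws:iam::{ACCOUNT}:role/{name}"
    principals = [
        Principal(user, [("s3:ListBucket", "*"), ("sts:AssumeRole", role("ci-deploy-role"))]),
        Principal(role("ci-deploy-role"),
                  [("sts:AssumeRole", role("*")), ("cloudformation:*", "*")], [ROOT]),
        Principal(role("lambda-execution-role"),
                  [("s3:GetObject", "arn:aws:s3:::prod-customer-data/*"), ("logs:*", "*")], [user, ROOT]),
        Principal(role("admin-role"), [("*", "*")], [ROOT]),             # alice has no AssumeRole grant on it
        Principal(role("audit-role"), [("s3:ListBucket", "*")], [user]),  # reachable dead end
    ]
    return {p.arn: p for p in principals}

if __name__ == "__main__":
    acct = demo_account()
    ranked = rank_paths(acct, f"arn:aws:iam::{ACCOUNT}:user/dev-alice", "s3:GetObject", CROWN_JEWEL)
    for s, p in ranked:
        print(s, " -> ".join(a.rsplit("/", 1)[1] for a in p))
    print("chokepoint:", chokepoint([p for _, p in ranked]))
```

Three paths come out. The one-hop path via lambda-execution-role is the page's example; the two-hop path via ci-deploy-role to admin-role scores highest because the terminal role holds every sensitive capability, and the chokepoint is the dev user's sts:AssumeRole grant on ci-deploy-role, which removes two of the three paths with one change. The audit-role is reachable but never appears, because reachability alone is not a finding.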

Live Runtime Event Stream

Real-time Falco eBPF event stream filterable by severity, namespace, cloud account, and event type. Every runtime alert links directly to its resource node, pre-deployment findings, and IAM context — so you investigate in seconds, not minutes.

  • Sub-second event stream from Falco DaemonSet across all clusters
  • Filter by severity, namespace, cloud account, or custom rule tags
  • Every event cross-linked to resource graph, IaC source, and IAM context
  • Cloud audit log integration for control-plane events alongside kernel events
  • SIEM export via webhook on every event or on severity threshold breach
Runtime events, last 5 minutes (illustrative):
  Reverse shell spawned, pod/api-server-7k9p · Critical
  Unexpected outbound connection to a /16 range · High
  New binary executed in container · Medium
  Sensitive file read: /etc/shadow · High
  Container privilege escalation attempt · Critical
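The stream handling described in this section (severity threshold, namespace filter, SIEM export on threshold breach, linking each event to its resource) as an added example; it is not AquilaX or Falco code. The sample lines are constructed in the shape of Falco's JSON output (json_output=true); the rule names only loosely follow the upstream ruleset, and every hostname, namespace and pod name is made up.

```python
"""Triage a Falco JSON event stream: priority threshold, namespace filter, routing.

Added example, not AquilaX or Falco code. SAMPLE_LINES are constructed in the
shape of Falco's JSON output; rule names only loosely follow the upstream ruleset.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Falco's priority scale, most severe first, spelled as the "priority" field spells it.
PRIORITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug")
RANK = {p: i for i, p in enumerate(PRIORITIES)}

SAMPLE_LINES = [  # constructed, one JSON object per line as Falco emits them
    '{"time":"2024-05-01T10:00:01Z","priority":"Critical","rule":"Drop and execute new binary in container",'
    '"tags":["container","mitre_execution"],"output":"New binary executed (proc=/tmp/x)",'
    '"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"api-server-7k9p","container.id":"3f2a9c"}}',
    '{"time":"2024-05-01T10:00:04Z","priority":"Warning","rule":"Read sensitive file untrusted",'
    '"tags":["filesystem","mitre_credential_access"],"output":"Sensitive file opened for reading (file=/etc/shadow)",'
    '"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"api-server-7k9p","container.id":"3f2a9c"}}',
    '{"time":"2024-05-01T10:00:09Z","priority":"Notice","rule":"Terminal shell in container",'
    '"tags":["container","shell","mitre_execution"],"output":"A shell was spawned in a container",'
    '"output_fields":{"k8s.ns.name":"staging","k8s.pod.name":"worker-1","container.id":"77b0e1"}}',
    '{"time":"2024-05-01T10:00:12Z","priority":"Debug","rule":"Debug trace","tags":[],"output":"noise",'
    '"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"batch-2","container.id":"c0ffee"}}',
    'this line is not JSON and must not crash the pipeline',
    '{"time":"2024-05-01T10:00:20Z","priority":"Critical","rule":"Detect outbound connections to common miner pool ports",'
    '"tags":["network","mitre_execution"],"output":"Outbound connection to miner pool port",'
    '"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"batch-2","container.id":"c0ffee"}}',
    '{"time":"2024-05-01T10:00:31Z","priority":"Warning","rule":"Launch Suspicious Network Tool on Host",'
    '"tags":["network","mitre_discovery"],"hostname":"node-a","output":"Network tool launched on host (proc=nmap)",'
    '"output_fields":{"proc.name":"nmap"}}',
]

@dataclass(frozen=True)
class Event:
    time: str
    priority: str
    rule: str
    tags: tuple
    resource: str   # key the alert is linked to in the resource graph
    output: str

def parse_event(line: str):
    """Return an Event, or None for lines that are not well-formed Falco JSON."""
    try:
        raw = json.loads(line)
        f = raw.get("output_fields") or {}
        ns, pod, cid = f.get("k8s.ns.name"), f.get("k8s.pod.name"), f.get("container.id")
        if ns and pod:
            resource = f"pod/{ns}/{pod}"                             # workload-level alert
        elif cid:
            resource = f"container/{cid}"                            # container without k8s metadata
        else:
            resource = f"host/{raw.get('hostname', 'unknown')}"      # node-level alert
        return Event(raw["time"], raw["priority"], raw["rule"],
                     tuple(raw.get("tags", ())), resource, raw["output"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def at_least(priority: str, threshold: str) -> bool:
    """True when `priority` is as severe as `threshold` or more (lower rank = more severe)."""
    return RANK[priority] <= RANK[threshold]

def triage(lines, *, min_priority="Notice", namespace=None, tags=(), siem_threshold="Warning"):
    """Parse the stream, drop malformed lines and anything below min_priority, optionally
    keep one namespace and/or required rule tags, then decide destinations. Returns
    (event, destinations) in stream order; "siem" is added only at or above siem_threshold,
    so the SIEM receives the threshold-breaching events rather than the whole feed."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not at_least(ev.priority, min_priority):
            continue
        if namespace and not ev.resource.startswith(f"pod/{namespace}/"):
            continue   # host-level events carry no namespace and are excluded by this filter
        if not set(tags) <= set(ev.tags):
            continue
        dests = ["dashboard"]
        if at_least(ev.priority, siem_threshold):
            dests.append("siem")
        out.append((ev, dests))
    return out

def hot_resources(triaged, min_events=2):
    """Resources with repeated alerts in the window, most active first: the first pivot
    when investigating, since one pod tripping several distinct rules is rarely benign."""
    counts = Counter(ev.resource for ev, _ in triaged)
    return [r for r, n in counts.most_common() if n >= min_events]

if __name__ == "__main__":
    for ev, dests in triage(SAMPLE_LINES, namespace="prod", siem_threshold="Error"):
        print(f"{ev.priority:9} {ev.resource:28} {ev.rule} -> {','.join(dests)}")
```

With the namespace filter set to prod and the SIEM threshold at Error, three events survive: the two Critical ones go to both the dashboard and the SIEM, the Warning stays on the dashboard, and the api-server pod is flagged as the resource with repeated alerts. Note that Falco's scale runs Emergency down to Debug, so threshold comparisons must use the rank table rather than string comparison.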
Compliance Coverage

Every Major Framework.
Audit-Ready Evidence on Demand.

CSPM maps every cloud resource configuration against nine major compliance frameworks simultaneously. When your auditor asks for evidence, you export — you don't scramble. Same framework engine used for code findings means unified compliance reports across your entire stack.

CIS Benchmarks
NIST 800-53
PCI DSS 4.0
ISO 27001:2022
HIPAA Security Rule
SOC 2 Type II
DORA
NIS2
GDPR
📄 Export Formats
PDF audit report · CSV findings · SARIF · JSON · Per-control evidence packages
🔄 Scan Frequency
24-hour full compliance audit · 1-hour inventory refresh · Real-time runtime events · All configurable
📊 Unified Reporting
Same compliance framework as code findings — one report covers IaC, runtime, and live cloud state simultaneously
Coverage Matrix

What CSPM Scans
Across Every Cloud.

CSPM coverage spans configuration auditing, asset inventory, drift detection, identity analysis, and runtime monitoring — across every major cloud provider and Kubernetes.

Amazon Web Services

AWS Coverage

  • EC2, S3, RDS, Lambda, EKS
  • IAM roles, policies, users
  • VPC, security groups, NACLs
  • CloudTrail, GuardDuty, Config
  • Privilege escalation paths
Microsoft Azure

Azure Coverage

  • VMs, AKS, Storage, SQL
  • Entra ID (formerly Azure AD)
  • NSGs, firewalls, VNet
  • Key Vault, Defender for Cloud
  • IAM (beta) · RBAC analysis
Google Cloud Platform

GCP Coverage

  • GCE, GKE, Cloud Run, BigQuery
  • IAM service accounts (beta)
  • VPC firewall rules, subnets
  • Cloud Audit Logs, SCC
  • Workload Identity Federation
Kubernetes

K8s Coverage

  • RBAC misconfigurations
  • Network policies, pod security
  • Exposed Secrets in manifests
  • NSA/CISA + MITRE ATT&CK
  • Runtime via Falco DaemonSet
IaC Drift

Drift Detection

  • Field-level IaC vs live diff
  • Terraform & CloudFormation
  • Tracks console-bypassed changes
  • Links finding to source module
  • Continuous via Steampipe SQL
Runtime

Runtime Threats

  • Reverse shells & backdoors
  • Cryptomining detection
  • Container escape attempts
  • Privilege escalation at runtime
  • Suspicious file access patterns
Not in scope: Data classification / DSPM, agent-based workload scanning (non-container), SaaS posture management (e.g. Salesforce, Okta), network traffic analysis. These are separate product modules on the AquilaX roadmap.
Auto-Remediation

Finding to Fix,
Without a Human in the Loop.

CSPM auto-remediation is disabled by default. When you opt in, administrators select eligible finding types and choose an action policy. Every remediation action is logged with full context — resource, account, time, triggering finding, applied action — and exported to your SIEM.

1

Finding Detected

Prowler, Steampipe, Falco, or Kubescape surfaces a misconfiguration, drift, or runtime threat in your cloud account.

2

Securitron Triage

AI filters false positives, deduplicates cross-engine overlaps, enriches with business context, and ranks the finding against your risk threshold.

3

Policy Match

Cloud Custodian matches the finding against your configured action policy — alert-only, auto-tag, delayed remediate, or immediate remediate.

4

Action + Audit

Action executes using the scoped remediation role. Full context logged to dashboard and SIEM. Notification sent to Slack/Teams/email.

Alert Only
Notify, no action. Always available on all findings.
Auto-Tag
Tag resource for tracking. Zero risk, full visibility.
Delayed Fix
Apply remediation after configurable delay with approval window.
Immediate Fix
Instant remediation for critical findings. Admin approval required to enable.
Setup

Connected in Minutes.
First Scan in Under 15.

Each cloud connection takes approximately 5 minutes to configure. AquilaX provides CloudFormation stacks, Terraform modules, and Helm charts so you never manage scanning tools separately — everything is bundled and versioned inside the platform.


AWS

  • Deploy cross-account IAM role via CloudFormation one-click
  • Grants SecurityAudit + ViewOnlyAccess policies only
  • Narrower remediation role granted separately if you opt in
  • CloudTrail and AWS Config data ingested through the same read-only role; nothing is written to the account
~5 min · CloudFormation stack
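Before deploying any vendor's cross-account stack it is worth checking that the role really is the read-only grant described above. The following is an added example, not AquilaX's CloudFormation stack: it walks an AWS::IAM::Role resource in CloudFormation-style JSON and flags a trust policy not pinned to the scanner's account, a missing sts:ExternalId condition (the standard confused-deputy guard for third-party access), managed policies beyond SecurityAudit and ViewOnlyAccess, and inline policies. The scanner account id 123456789012 and the ExternalId value are placeholders.

```python
"""Pre-deployment check on a CSPM cross-account role definition.

Added example, not AquilaX's CloudFormation stack. Scanner account id and
ExternalId below are placeholders; GOOD_ROLE and BAD_ROLE are constructed.
"""
READ_ONLY_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}

def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_scanner_role(role: dict, scanner_account: str) -> list:
    """Return human-readable findings; an empty list means the role matches the
    read-only contract. Only Allow statements granting sts:AssumeRole are trust edges."""
    props = role["Properties"]
    findings = []
    for stmt in props["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not aws:
            findings.append("trust statement grants AssumeRole to a non-account principal")
        for p in aws:
            if p == "*" or not p.startswith(f"arn:aws:iam::{scanner_account}:"):
                findings.append(f"trust policy allows {p}; expected only account {scanner_account}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("trust policy lacks an sts:ExternalId condition")
    for arn in sorted(set(props.get("ManagedPolicyArns", [])) - READ_ONLY_POLICIES):
        findings.append(f"unexpected managed policy {arn}")
    if props.get("Policies"):
        findings.append("inline policies present; the scanner role should carry only the two read-only managed policies")
    return findings

SCANNER_ACCOUNT = "123456789012"   # placeholder for the CSPM vendor's account

GOOD_ROLE = {  # constructed: the read-only cross-account role as the page describes it
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "CspmSecurityAudit",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT}:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": "replace-with-tenant-external-id"}},
        }]},
        "ManagedPolicyArns": sorted(READ_ONLY_POLICIES),
    },
}

BAD_ROLE = {  # constructed: the same role with four common mistakes
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": "CspmSecurityAudit",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": {"AWS": "*"},
        }]},
        "ManagedPolicyArns": sorted(READ_ONLY_POLICIES) + ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "Policies": [{"PolicyName": "extra", "PolicyDocument": {"Statement": []}}],
    },
}

if __name__ == "__main__":
    for name, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(name, audit_scanner_role(role, SCANNER_ACCOUNT) or "ok")
```

The same check, run against the separate remediation role you approve when opting in to auto-remediation, will of course report extra policies; the point there is to read exactly which write permissions that narrower role adds.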

Azure

  • Service principal with Reader + Security Reader roles
  • Terraform module provided for automated provisioning
  • Multi-subscription support with single registration
  • Defender for Cloud integration optional
~5 min · Terraform module

GCP

  • Service account with securityReviewer + viewer roles
  • Workload Identity Federation supported
  • Multi-project via organisation-level binding
  • Cloud Audit Logs streaming enabled automatically
~5 min · gcloud CLI / Terraform

Kubernetes

  • Read-only ClusterRole for Kubescape posture assessment
  • Falco DaemonSet for runtime detection via Helm chart
  • Works on EKS, AKS, GKE, and self-managed clusters
  • Helm values provided for air-gapped environments
~5 min · Helm chart
Why CSPM Matters

Native Cloud Console vs.
AI-Driven CSPM.

Cloud provider security centres give you a starting point — not a complete picture. CSPM adds cross-cloud correlation, IaC drift detection, AI-prioritised findings, and the code-to-cloud link that native tools fundamentally cannot provide.

Capability: native cloud security centres vs AquilaX CSPM

Cloud coverage
  Native: single provider, no cross-cloud view
  AquilaX CSPM: AWS + Azure + GCP + K8s in one dashboard
IaC drift detection
  Native: no awareness of IaC source or intent
  AquilaX CSPM: field-level diff between live state and Terraform
False positive rate
  Native: thousands of raw findings, manual triage needed
  AquilaX CSPM: 10–50 findings per account after Securitron AI
Code-to-cloud linkage
  Native: none, cloud findings are disconnected from code
  AquilaX CSPM: every finding traces back to its IaC module and code commit
IAM analysis
  Native: access advisor style reports, no escalation paths
  AquilaX CSPM: full privilege escalation graphs via Cloudsplaining
Runtime detection
  Native: provider-specific agents only (for example GuardDuty Runtime Monitoring, Defender for Containers), no cross-cloud view
  AquilaX CSPM: Falco eBPF kernel events plus cloud audit logs, across clouds
Compliance reporting
  Native: per-provider standards only, no cross-cloud audit export
  AquilaX CSPM: 9 frameworks, unified PDF plus per-control evidence
Attack path analysis
  Native: individual findings, no chain visualisation
  AquilaX CSPM: ranked attack graphs with impact scoring
AppSec integration
  Native: separate tool from code scanners
  AquilaX CSPM: same platform as SAST, SCA, IaC and container scanning
Auto-remediation
  Native: provider-specific, not portable across clouds
  AquilaX CSPM: multi-cloud, fully audited via Cloud Custodian
Measured Results

What CSPM Delivers
From Day One.

Cloud security programmes stall when teams face thousands of raw findings with no prioritisation. CSPM with Securitron AI changes the economics of cloud security — fewer findings, faster resolution, continuous compliance.

4
Clouds in One View
AWS, Azure, GCP, and Kubernetes — one unified dashboard
~95%
Finding Reduction
Securitron AI cuts thousands of raw alerts to 10–50 per account
<15m
First Scan Delivery
From cloud account connection to first findings on screen
9+
Compliance Frameworks
CIS, NIST, PCI DSS, ISO, HIPAA, SOC 2, DORA, NIS2, GDPR
Real-time
Runtime Threat Detection
eBPF events surface in milliseconds — not at next scan cycle
5m
Per-Cloud Setup
CloudFormation, Terraform, or Helm — no manual tool installation
FAQ

Common Questions About
AquilaX CSPM.

How is CSPM different from AquilaX IaC scanning?
IaC scanning analyses your Terraform, CloudFormation, Pulumi, and ARM templates before deployment — it catches misconfigurations in code. CSPM monitors your live cloud accounts after deployment. Together they form a full pre-and-post-deployment loop: IaC catches issues before they ship, CSPM catches drift, accumulation, and runtime threats after they do. Both findings appear in the same AquilaX dashboard with unified compliance mapping.
Does CSPM replace my cloud provider's security centre (AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center)?
AquilaX CSPM complements rather than replaces native security centres; you can forward events from those services into AquilaX for unified correlation. The key differentiation is code-to-cloud linkage (IaC source tracing), a cross-cloud unified view, Securitron AI false positive elimination, and AppSec integration. If you need a single pane of glass across all four environments together with your code security findings, CSPM provides that; native tools each only see their own cloud.
How does Securitron AI reduce findings from thousands to 10–50?
Securitron applies cross-finding context. A flagged internet-facing load balancer is deprioritised if upstream services contain no sensitive data and no privileged access. An S3 bucket flagged for public access is elevated if it sits in an attack path chain leading to production data. The model also learns from your accepted-risk markings over time — so resources you've deliberately exempted stop generating noise. The result is a signal-only feed rather than a raw scanner dump.
What permissions does AquilaX need in my cloud account?
AWS: a cross-account IAM role with SecurityAudit and ViewOnlyAccess managed policies — read-only, no write permissions unless you opt in to auto-remediation, which uses a separate narrower role you approve explicitly. Azure: a service principal with Reader and Security Reader roles. GCP: a service account with securityReviewer and viewer roles. Kubernetes: a read-only ClusterRole plus a Falco DaemonSet for runtime events. None of these grant write access by default.
Can I use CSPM on my existing Kubernetes clusters — EKS, AKS, GKE, self-managed?
Yes. The Kubescape component deploys with a Helm chart using a read-only ClusterRole and works on any CNCF-conformant Kubernetes distribution. Falco runtime detection is an optional add-on within the same Helm chart, recommended for production clusters; note that the Falco DaemonSet needs privileged access to each node to load its kernel driver or eBPF probe, so review it as you would any other privileged workload. Air-gapped deployment is supported via a private image registry; Helm values for custom image repositories are documented in the install guide.
Is CSPM included in the free or premium plan?
CSPM is available on the Ultimate plan exclusively and is separately licensed per connected cloud account or Kubernetes cluster. Volume discounts apply at 5, 25, and 100+ accounts/clusters with blended rates for multi-cloud environments. Annual commitment with monthly or quarterly billing options. Contact the AquilaX team for a detailed pricing quote based on your cloud footprint.
Can I write custom compliance rules or queries?
Yes. Custom Steampipe queries are fully supported: you write SQL over any table the Steampipe cloud plugins expose. Custom Cloud Custodian policies are also supported for remediation. Custom runtime detection rules are on the product roadmap. All engine versions are managed and updated by AquilaX with no action required on your side.
Get Started

Your Cloud Security Posture,
Continuously Measured.

Connect your first cloud account in 5 minutes. First scan in under 15. No agents on VMs or other non-container workloads: each cloud needs only a read-only role, and Kubernetes runtime detection adds a Falco DaemonSet to your nodes via Helm.

CSPM available on Ultimate plan · View Pricing · Also see: ASPM · IaC Scanner · Container Security