Cloud

Your cloud isn't misconfigured.
It's just reachable.

CSPM finds 12,000 findings. KSPM adds 4,000 more. CNAPP dashboards glue them into a heatmap. CYBRET ingests AWS, GCP, Azure, and your clusters into a single identity-and-network graph, then reasons about which IAM chains, RBAC bindings, and secret reachabilities an attacker could actually traverse across accounts.

3 · Clouds, one graph
12k→47 · Findings deduped
100+ · Services modeled
<30s · Cross-account path reconstruction

Capabilities

KSPM and CNAPP
replaced by reachability.

Multi-cloud graph ingest
AWS, GCP, Azure, and OCI unified into one typed graph, the same night you connect them. Resources, identities, network, data, and the edges that actually link them.
IAM chain analyzer
AssumeRole, workload identity, and federated principals resolved end-to-end. We surface the three-hop escalations your policy reviewer never caught.
K8s RBAC reasoning
ClusterRoles, ServiceAccounts, and pod-level tokens reasoned against the workloads that mount them, so impersonate-then-exec paths become visible.
Secret reachability
A secret in a bucket is noise. A secret a public Lambda can read and decrypt is a path. We rank by who can actually reach the material, not where it sits.
Cross-account privilege trace
Follow an identity from one account, through a trust policy, into a peer VPC, onto a pod, and out to customer data, with every hop cited in evidence.
Data-exposure ranking
Buckets, warehouses, and volumes scored by real tenancy, encryption state, and who can reach them from the edge. "Public" is a property, not a verdict.
How it works

From cloud sprawl
to a graph of real paths.

Cloud teams live in a graveyard of posture findings. We shorten the queue to the handful of paths that could actually move an attacker, and give the owning team the fix.

01 · Connect
Read-only roles in AWS, GCP, Azure, plus kubeconfigs for your clusters and federation for your IdP. Thirty minutes per cloud, zero agents.
Read-only, zero agents

02 · Model
Every principal, resource, and trust relationship lifted into a typed graph. We model the service catalog, so "EKS node → IRSA → S3" is a first-class edge, not a guess.
100+ services modeled

03 · Reason
Graph walkers simulate what an attacker with a stolen token, a public endpoint, or a CI key could actually reach, across accounts and clouds.
Cross-account, cross-cloud

04 · Remediate
Findings grouped by root-cause policy or binding, routed to the owning team with the exact diff, Terraform hunk, or IAM patch that closes the path.
Root-cause, not row-by-row

Surface

One graph, every cloud.

app.cybret.ai / cloud

Exploitable paths: 17
Cross-cloud: 3
Public entry: 9
Accepted risk: 0

Top paths by exploitability (LIVE)
CRITICAL · Public Lambda → IRSA → customer-pii bucket · 4 hops
HIGH · CI role → AssumeRole prod-deploy → KMS decrypt · 3 hops
HIGH · GKE node SA → impersonate → BigQuery warehouse · 3 hops
MED · Dev IAM user → cross-account → staging RDS · 5 hops

Spec sheet

The boring details
that determine fit.

For procurement, architecture review, and that one engineer who reads every datasheet front-to-back. We respect them.

Clouds supported: AWS · GCP · Azure · OCI · custom via SDK
Kubernetes support: EKS · GKE · AKS · self-hosted · OpenShift
Identity sources: Okta · Entra ID · Google Workspace · AWS IAM Identity Center · Ping
Ingest mode: Read-only APIs · no agents · no in-line proxies
Outputs: Jira · Linear · ServiceNow · Slack · webhook · GraphQL API · Terraform patch
Deployment: SaaS · single-tenant · BYO-VPC · air-gapped on Enterprise
Data residency: US · EU (Frankfurt) · UK · AU · CA · BYOK on Enterprise
Compliance: SOC 2 audit underway · ISO 27001 Stage 2 scheduled · GDPR DPA available

Start today

Connect a repo.
See your first proven path.

Read access. 30 minutes. No credit card.