Security Questions
Audit posture, trace blast radius, prep for security reviews — without opening five consoles.
What Escher is great at
| You ask | What you get | Time |
|---|---|---|
| "What's exposed to the public internet?" | Inventory of internet-facing resources + risk ranking | ~3 min |
| "Who has admin access in production?" | IAM admin inventory + privilege paths | ~5 min |
| "If this user / role were compromised, what's the blast radius?" | Reachable resources + sensitive data exposure | ~4 min |
| "Which storage buckets / objects are public?" | List of publicly-accessible storage + remediation order | ~3 min |
| "Are our security groups / NSGs sane?" | Findings ranked by exposure severity | ~5 min |
| "Which IAM users haven't used MFA in the last 30 days?" | List + last-activity timestamps | ~2 min |
Example: Public exposure audit
"Show me everything that's publicly accessible in production."
Example output (illustrative — the actual Canvas you see will be specific to your estate):
Conclusion: 14 production resources are exposed to 0.0.0.0/0
across AWS and Azure. 3 are HIGH severity.
HIGH severity (3):
S3 bucket prod-customer-uploads
Public read enabled (objects directly accessible)
Last access from public: 4 hours ago
Recommended: enable Block Public Access
Security group sg-0abc123 (us-east-1)
Port 22 open to 0.0.0.0/0 on 4 EC2 instances
Recommended: restrict to bastion CIDR
GCS bucket prod-logs-archive
allUsers: roles/storage.objectViewer
Recommended: revoke allUsers binding
MEDIUM severity (5): ...
LOW severity (6): ...
Evidence: 28 citations attached.
Each finding includes:
- A direct citation to the resource configuration
- The risk in plain English (what an attacker could do)
- A one-click remediation (with approval gate)
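The severity ranking in the Canvas above is the kind of thing you will want to sanity-check against your own rules. The following is an added example, not Escher's code: it applies the same three checks (public S3 bucket, world-open security-group rule, allUsers binding on a GCS bucket) to a constructed inventory snapshot and returns findings ordered most-severe-first. The inventory, its field names, the environment filter and the severity rules are all assumptions of this example and only loosely follow the shape of the AWS and GCP APIs.

```python
"""Added example (not Escher's code): score public-exposure findings over a
cloud inventory snapshot. The inventory below is constructed; its field names
are assumptions of this example and only loosely follow the AWS and GCP APIs."""
import ipaddress
from collections import Counter

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
# Ports whose exposure to the whole internet is almost never intended.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 27017: "MongoDB"}
WEB_PORTS = {80, 443}

# Constructed sample inventory (assumption: illustrative shapes, not API output).
INVENTORY = [
    {"type": "aws:s3", "id": "prod-customer-uploads", "env": "production",
     "block_public_access": False, "acl_public_read": True},
    {"type": "aws:s3", "id": "prod-backups", "env": "production",
     "block_public_access": True, "acl_public_read": False},
    {"type": "aws:sg", "id": "sg-0abc123", "env": "production", "attached_instances": 4,
     "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "aws:sg", "id": "sg-0def456", "env": "production", "attached_instances": 2,
     "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "aws:sg", "id": "sg-0aaa999", "env": "production", "attached_instances": 0,
     "ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]},
    {"type": "gcp:gcs", "id": "prod-logs-archive", "env": "production",
     "bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    {"type": "aws:sg", "id": "sg-0dev111", "env": "dev", "attached_instances": 1,
     "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; anything with a non-zero prefix is scoped."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def finding(res, severity, risk, recommendation, evidence):
    return {"resource": res["id"], "type": res["type"], "severity": severity,
            "risk": risk, "recommendation": recommendation, "evidence": evidence}


def check_s3(b):
    if b["acl_public_read"] and not b["block_public_access"]:
        return [finding(b, "HIGH", "Anyone on the internet can read objects without credentials.",
                        "Enable Block Public Access, then remove the public ACL/policy.",
                        {"acl_public_read": True, "block_public_access": False})]
    return []


def check_gcs(b):
    out = []
    for binding in b["bindings"]:
        if "allUsers" in binding["members"]:
            sev = "HIGH"
        elif "allAuthenticatedUsers" in binding["members"]:
            sev = "MEDIUM"  # still anyone with a Google account, but not anonymous
        else:
            continue
        out.append(finding(b, sev, f"{binding['role']} granted to a public member.",
                           "Remove the allUsers/allAuthenticatedUsers binding.", binding))
    return out


def check_sg(sg):
    out = []
    for rule in sg["ingress"]:
        if not is_world_open(rule["cidr"]):
            continue
        lo, hi = (0, 65535) if rule["proto"] == "-1" else (rule["from"], rule["to"])
        exposed = [n for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
        if exposed:
            # A world-open admin port on an unattached SG is latent risk, not live exposure.
            sev = "HIGH" if sg["attached_instances"] else "MEDIUM"
            risk = f"{'/'.join(exposed)} reachable from any address on {sg['attached_instances']} instance(s)."
            rec = "Restrict the rule to the bastion/VPN CIDR or remove it."
        elif lo == hi and lo in WEB_PORTS:
            sev, risk = "LOW", "Web port open to the internet (expected for a public tier)."
            rec = "Confirm a load balancer/WAF fronts this group."
        else:
            sev, risk = "MEDIUM", f"Ports {lo}-{hi} open to the internet."
            rec = "Narrow the port range and source CIDR."
        out.append(finding(sg, sev, risk, rec, rule))
    return out


CHECKS = {"aws:s3": check_s3, "gcp:gcs": check_gcs, "aws:sg": check_sg}


def audit(inventory, env="production"):
    """Findings for one environment, most severe first (the 'ranked' answer)."""
    findings = [f for res in inventory if res["env"] == env for f in CHECKS[res["type"]](res)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"]))
    return findings


def summarize(findings):
    counts = Counter(f["severity"] for f in findings)
    return {"total": len(findings), **{s: counts.get(s, 0) for s in SEVERITY_ORDER}}


if __name__ == "__main__":
    prod = audit(INVENTORY)
    print(f"Conclusion: {summarize(prod)['total']} production findings, "
          f"{summarize(prod)['HIGH']} HIGH severity.")
    for f in prod:
        print(f"{f['severity']:6} {f['resource']:24} {f['risk']}  -> {f['recommendation']}")
```

Two design points carry over to any real audit: the environment filter is applied before scoring (the "be explicit about environment" tip below is exactly this), and a world-open admin port on a security group with no attached instances is downgraded rather than dropped, because it becomes live the moment someone attaches the group.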
Example: Blast radius
"If iam-user-bot-deploy was compromised, what could the attacker reach?"
Returns a graph-style Canvas: every resource the user can read or modify directly, every role it can assume, every secret it can decrypt, ranked by sensitivity.
This kind of analysis usually takes a senior security engineer half a day with iam:SimulateCustomPolicy and a graph database. Escher does it in five minutes.
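The graph walk behind a blast-radius answer is worth seeing once, because the assume-role edges are where manual reviews go wrong. The following is an added example, not Escher's code and not a reimplementation of iam:SimulateCustomPolicy: it breadth-first-searches assume-role edges in a constructed, same-account IAM snapshot and ranks every grant the compromised principal can reach, directly or through a chain of roles. The PRINCIPALS data, its shape, the sensitivity scores and the simplified trust rule are assumptions of this example (real AWS policy JSON, conditions, permission boundaries, SCPs and cross-account trusts are not modelled).

```python
"""Added example (not Escher's code): compute a principal's blast radius by
walking assume-role edges in a constructed, same-account IAM snapshot.
PRINCIPALS and its shape are assumptions of this example, not AWS policy JSON."""
import fnmatch
from collections import deque

# Constructed snapshot: each principal's identity-policy allows (action, resource)
# and, for roles, the principals its trust policy names. "account:root" stands
# for a trust policy that names the account root rather than a specific ARN.
PRINCIPALS = {
    "user/bot-deploy": {
        "allow": [("s3:GetObject", "bucket/prod-artifacts/*")],
        "trusts": []},
    "role/ci-deployer": {
        "allow": [("sts:AssumeRole", "role/db-migrator"),
                  ("s3:PutObject", "bucket/prod-artifacts/*"),
                  ("ecs:UpdateService", "service/prod-api")],
        "trusts": ["user/bot-deploy"]},          # names the user directly
    "role/db-migrator": {
        "allow": [("secretsmanager:GetSecretValue", "secret/prod/db-master"),
                  ("kms:Decrypt", "key/prod-data"),
                  ("rds:ModifyDBInstance", "db/prod-primary")],
        "trusts": ["account:root"]},             # needs identity-side sts:AssumeRole
    "role/break-glass": {
        "allow": [("*", "*")],
        "trusts": ["account:root"]},             # nobody reachable has AssumeRole on it
    "role/billing-admin": {
        "allow": [("aws-portal:*", "*")],
        "trusts": ["user/cfo"]},                 # trusts a different user
}

# Assumed sensitivity by resource class; a write-class action adds one point.
SENSITIVITY = {"secret/": 3, "key/": 3, "db/": 2, "service/": 2, "bucket/": 1}
WRITE_VERBS = ("Put", "Update", "Modify", "Delete", "Create", "Attach", "*")


def can_assume(src, role, principals):
    """Simplified same-account rule (assumption of this model): a trust policy that
    names the principal ARN directly suffices; a root trust additionally needs the
    caller's identity policy to allow sts:AssumeRole on the role."""
    trusts = principals[role]["trusts"]
    if src in trusts:
        return True
    if "account:root" in trusts:
        return any(fnmatch.fnmatchcase("sts:AssumeRole", act) and fnmatch.fnmatchcase(role, res)
                   for act, res in principals[src]["allow"])
    return False


def sensitivity(action, resource):
    base = next((s for prefix, s in SENSITIVITY.items() if resource.startswith(prefix)), 0)
    verb = action.split(":")[-1]
    return base + (1 if verb.startswith(WRITE_VERBS) else 0)


def blast_radius(start, principals):
    """BFS from `start` over assume-role edges. Returns the assumption path to each
    reachable principal and every non-AssumeRole grant, most sensitive first."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for name in principals:
            if name.startswith("role/") and name not in paths and can_assume(cur, name, principals):
                paths[name] = paths[cur] + [name]
                queue.append(name)
    grants = [{"via": paths[p], "action": a, "resource": r, "score": sensitivity(a, r)}
              for p in paths for a, r in principals[p]["allow"] if a != "sts:AssumeRole"]
    grants.sort(key=lambda g: (-g["score"], g["resource"], g["action"]))
    return paths, grants


if __name__ == "__main__":
    paths, grants = blast_radius("user/bot-deploy", PRINCIPALS)
    print("Reachable principals:", ", ".join(paths))
    for g in grants:
        print(f"[{g['score']}] {g['action']:32} {g['resource']:26} via {' -> '.join(g['via'])}")
```

The two negative cases are the point: role/break-glass trusts the account root, so it looks assumable from inside the account, but nothing in the reachable chain carries sts:AssumeRole on it; role/billing-admin names a different user. A review that only reads trust policies, or only reads identity policies, gets one of those wrong.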
Tips that get better security answers
TIP
Be explicit about environment. "In production" / "in dev" filters out noise from non-production accounts.
TIP
Ask for severity ranking. "...ranked by blast radius" or "...most critical first" gets you a prioritized list, not a flat dump.
TIP
Combine with compliance. "Which of these findings would block our SOC 2 audit?" maps the security findings to your active compliance frameworks.