
Canvas Overview

A Canvas is one of the ways Escher can return an answer — structured, cited, and shareable. It's used for analyses that benefit from sections, tables, and citations; simpler answers come back inline in the chat.

When you'll see a Canvas

Canvas is Escher's structured output format — typically for security audits, compliance readiness checks, cost-spike root cause, incident timelines, and any multi-source analysis. For short factual questions ("how many EC2 instances do I have?"), the answer usually renders inline in chat without producing a Canvas.


Evidence and citations

Every factual claim in a Canvas is backed by Evidence — a typed, immutable record of what Escher saw, when it saw it, and where it came from. Citations on a claim let you do two things:

  1. Open an in-app drawer showing the underlying raw data (the CloudTrail event JSON, the bucket policy, the billing line, the IAM policy document, etc.)
  2. Jump straight to the source-of-truth cloud console — one click takes you to the resource in the AWS Console or Azure Portal so you can verify the claim in the cloud's own UI

Each Evidence record carries at least one cloud-console deep link. So when a Canvas says "S3 bucket prod-customer-uploads allows public read", the citation chip on that claim has:

  • A "view payload" link → shows the actual BlockPublicAccess settings and the bucket policy
  • A "View bucket in S3 Console ↗" link → opens the bucket in the AWS Console directly

This means you never have to take Escher's word for anything — every claim has a one-click path to the source.

Design intent vs shipped

The Evidence model — typed records, mandatory cloud-console deep links, drawer rendering — is the target design. Some Canvases shipped today carry citations and links inline; the full drawer + console-link UX is rolling out. Specific behaviour may differ in your build; see Edit on GitHub (admin mode) to flag mismatches, or Reports, Findings, Plans for the canonical model.


What a Canvas contains

A Canvas is typically structured like this — though the exact sections that render depend on the question and the skill that answered it. Treat this as the canonical shape; specific Canvases may include only the relevant sections.

Section               What's in it
Conclusion            One or two sentences: the direct answer to your question
Findings              The supporting analysis, organized by what matters most
Evidence              Citations: links to the exact log, config, billing line, or event
Recommended actions   Optional next steps you can approve (or ignore)

Canvases are not chat replies. They're documents — designed to be read, exported, and shared.


A simple example

You ask: "Which production S3 buckets are public?"

┌──────────────────────────────────────────────────────────┐
│ Public S3 Buckets in Production                          │
│ Account: prod-aws (123456789012) · Generated: 14:23 UTC │
├──────────────────────────────────────────────────────────┤
│                                                          │
│ Conclusion                                               │
│ 3 production S3 buckets allow public read. 1 also       │
│ allows public write — fix this first.                    │
│                                                          │
│ Findings                                                 │
│                                                          │
│ ⚠ HIGH    prod-customer-uploads                         │
│           Public read AND write enabled                  │
│           Last public access: 12 minutes ago             │
│           [view evidence] [remediate]                    │
│                                                          │
│ ⚠ HIGH    prod-static-assets                            │
│           Public read enabled                            │
│           Block Public Access not configured             │
│           [view evidence] [remediate]                    │
│                                                          │
│ ✓ MEDIUM  prod-public-cdn-origin                        │
│           Public read enabled (intentional — CDN)        │
│           Tagged: purpose=cdn-origin                     │
│           [view evidence]                                │
│                                                          │
└──────────────────────────────────────────────────────────┘

Each finding is clickable. Click view evidence to see the actual bucket policy and BlockPublicAccess settings. Click remediate to apply Escher's suggested fix (with your approval).
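To make the Evidence model and the sample Canvas above concrete, here is an added illustration in Python. It is not Escher's code or schema: the Evidence and Finding types, the severity rules (public write is HIGH, public read with no Block Public Access is HIGH, public read on a bucket tagged purpose=cdn-origin is MEDIUM), the S3 console URL shape, and the sample buckets are all assumptions constructed to mirror the example Canvas. It goes slightly beyond the page by also handling the case where RestrictPublicBuckets neutralises a public bucket policy, so that such a bucket produces no finding.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Optional

# Illustrative types only; they are not Escher's own Evidence schema.
@dataclass(frozen=True)          # immutable: a record cannot be edited after capture
class Evidence:
    kind: str                    # what was observed, e.g. "s3:PublicAccessBlock"
    source: str                  # where it came from, e.g. the API call used
    observed_at: datetime        # when it was seen
    payload: Any                 # raw data shown in the "view payload" drawer
    console_url: str             # cloud-console deep link (mandatory in the model)

@dataclass(frozen=True)
class Finding:
    bucket: str
    severity: str                # "HIGH" or "MEDIUM", mirroring the sample Canvas
    summary: str
    evidence: tuple              # Evidence records cited by this claim

def _as_set(value) -> set:
    return set(value) if isinstance(value, list) else {value}

def _public_principal(principal) -> bool:
    # Principal "*" or {"AWS": "*"} grants to everyone, anonymous callers included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_set(principal.get("AWS", []))

def policy_public_grants(policy: dict) -> tuple:
    """Return (read, write): which object permissions the policy grants to everyone."""
    read = write = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _public_principal(stmt.get("Principal")):
            continue
        actions = _as_set(stmt.get("Action", []))
        read = read or bool(actions & {"s3:GetObject", "s3:*"})
        write = write or bool(actions & {"s3:PutObject", "s3:*"})
    return read, write

def assess_bucket(name: str, policy: dict, public_access_block: Optional[dict],
                  tags: dict, observed_at: datetime) -> Optional[Finding]:
    """Turn raw bucket state into a cited Finding, or None when nothing is public."""
    read, write = policy_public_grants(policy)
    # RestrictPublicBuckets makes S3 ignore public grants in the bucket policy.
    if (public_access_block or {}).get("RestrictPublicBuckets"):
        read = write = False
    if not (read or write):
        return None
    # Console URL shape is an assumption for illustration (the S3 console bucket page).
    url = f"https://s3.console.aws.amazon.com/s3/buckets/{name}"
    cited = (
        Evidence("s3:BucketPolicy", "s3:GetBucketPolicy", observed_at, policy, url),
        Evidence("s3:PublicAccessBlock", "s3:GetPublicAccessBlock", observed_at,
                 public_access_block, url),
    )
    if write:
        return Finding(name, "HIGH", "Public read AND write enabled", cited)
    if tags.get("purpose") == "cdn-origin":   # intentional exposure, as in the sample Canvas
        return Finding(name, "MEDIUM", "Public read enabled (intentional: CDN)", cited)
    if public_access_block is None:
        return Finding(name, "HIGH", "Public read enabled; Block Public Access not configured", cited)
    return Finding(name, "HIGH", "Public read enabled", cited)

# Constructed sample estate (no real accounts or buckets), shaped like the sample Canvas.
NOW = datetime(2026, 3, 15, 14, 23, tzinfo=timezone.utc)
ALLOW_READ = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::*/*"}
SAMPLE_BUCKETS = [
    ("prod-customer-uploads",
     {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]},
     None, {}),
    ("prod-static-assets", {"Statement": [ALLOW_READ]}, None, {}),
    ("prod-public-cdn-origin", {"Statement": [ALLOW_READ]},
     {"BlockPublicAcls": True, "RestrictPublicBuckets": False}, {"purpose": "cdn-origin"}),
    ("prod-db-backups", {"Statement": [ALLOW_READ]},
     {"BlockPublicAcls": True, "RestrictPublicBuckets": True}, {}),
]

def build_findings(buckets=SAMPLE_BUCKETS, observed_at=NOW) -> list:
    """Assess every bucket and order the findings by what matters most."""
    found = [assess_bucket(n, p, pab, t, observed_at) for n, p, pab, t in buckets]
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted((f for f in found if f), key=lambda f: order[f.severity])

if __name__ == "__main__":
    for f in build_findings():
        print(f"{f.severity:6} {f.bucket}: {f.summary}")
        for e in f.evidence:
            print(f"       [{e.kind}] {e.console_url}")
```

Every Finding carries the raw policy and Block Public Access payload it was derived from plus the console link, which is the property the Canvas relies on: a reader can open the payload or jump to the console rather than take the summary on trust. The fourth sample bucket has a public policy but RestrictPublicBuckets enabled, so it is correctly omitted from the findings.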


How to read a Canvas

TIP

Read the Conclusion first. It's designed to be enough on its own. The findings below are the why — read them when you need to defend the conclusion or take action.

TIP

Trust the citations. Escher doesn't paraphrase what's in your estate — it links you to the source. If a Canvas claims something, you can always click through to the underlying data.

TIP

Use the recommended actions sparingly. Escher will only act with your explicit approval. Read the change preview carefully before clicking — it's the same principle as terraform plan before terraform apply.


How long is a Canvas valid?

A Canvas is a snapshot taken at a specific time, against a specific version of your estate map. If your infrastructure changes, the Canvas may go stale.

Escher tells you when a Canvas was generated and when the underlying estate was last refreshed:

Canvas generated: Mar 15, 2026 at 14:23 UTC
Estate snapshot:  Mar 15, 2026 at 14:01 UTC (22 min ago)

Re-running the same question produces a new Canvas against the latest estate.



Escher — Agentic CloudOps by Tessell