How Escher Works
A simple mental model of what happens between your question and the answer.
You don't need to understand Escher's internals to use it well — but five minutes of context here will make you better at asking questions and reading the answers.
The five steps
1. You connect your cloud accounts
You point Escher at your existing AWS or Azure CLI credentials on your machine. Escher runs locally on your laptop and uses your signed-in identity to make read-only API calls to your cloud — there's no role granted to a Tessell-hosted service, and no credentials leave your device. Setup is about 15 minutes per cloud. (GCP is on the roadmap.)
Escher never modifies anything in this step. It just reads.
2. Escher maps your estate
When you run an estate scan, Escher reads your resources, configurations, costs, IAM, events, and recent changes — and builds a map of how everything relates.
This is where Escher learns your environment: which buckets are public, which roles can assume which other roles, which workloads cost what, which services depend on which databases. The map stays current as long as you refresh it.
3. You ask a question
In plain English. No query language. No dashboards to navigate. No SQL to write.
You don't need to know which service the answer lives in — Escher figures that out from your question.
4. Escher reasons across the map
When you ask a question, Escher:
- Identifies what kind of answer is needed (a cost analysis, a security finding, an incident timeline)
- Searches the map for relevant signals
- Correlates across clouds, services, and time
- Picks out what matters and why
You can think of it as a senior cloud engineer who has already memorized your entire estate, available to answer any question in 30 seconds.
5. You get an answer (sometimes as a Canvas)
For structured analyses — security audits, compliance readiness, root-cause investigations, multi-source correlations — Escher renders the answer as a Canvas: a document with sections, tables, citations, and (when relevant) recommended actions.
For simpler questions, the answer may come back inline in the chat as plain prose, optionally with a small table or list.
When Escher does produce a Canvas, every claim in it is backed by evidence — a specific log line, billing entry, configuration value, or deployment event. You can click any citation to see the underlying data, and you can export the Canvas as a PDF for sharing or audit (JSON and Markdown exports are on the roadmap). See Canvas Overview for when a Canvas is used and what it contains.
What you ask vs what Escher returns
| What you ask | What Escher returns | Typical time |
|---|---|---|
| "Why did our bill spike?" | Root cause, responsible change, remediation estimate, dollar impact | 4 minutes |
| "Are we SOC2-ready?" | Control-by-control status, gaps, affected resources, evidence pack | 8 minutes |
| "What caused this incident?" | Timeline, responsible change, affected resources, blast radius | 3 minutes |
| "Is our IAM posture clean?" | Findings grouped by severity and blast radius, top remediations | 5–8 minutes |
| "What's running and where?" | Inventory across all connected clouds, with tags, cost, and ownership | 2 minutes |
| "What changed in the last 24 hours?" | Diff of resources / configs / IAM, ranked by risk | 3 minutes |
A few things worth knowing
Escher works locally. The app runs on your laptop. Your cloud credentials and the data Escher reads stay on your machine. Nothing is uploaded to a Tessell-hosted database.
When Escher returns a Canvas, every claim in it is cited. If a Canvas claims a bucket is public, the evidence shows you the exact Block Public Access setting and the bucket policy. If it claims a deployment caused a spike, the evidence links to the commit and the cost line. Every Evidence record also carries a one-click link into the AWS Console or Azure Portal for the resource in question.
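To check a "bucket is public" claim against the two pieces of evidence named above, the following added example (not Escher's code, and not its export format) classifies a Block Public Access configuration together with a bucket policy. The dictionary shapes follow the AWS API's own JSON and are an assumption about how you would copy the evidence out; it covers the policy path only, not ACLs, and the names `verify_public_claim` and `public_statements` are hypothetical.

```python
# S3 Block Public Access flag names, as they appear in the AWS API.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    """True when a policy Principal is "*" or {"AWS": "*"} (anyone)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_statements(policy):
    """Return (sid, has_condition) for each Allow statement open to anyone."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):      # a lone statement may be a bare object
        stmts = [stmts]
    return [(s.get("Sid", f"#{i}"), "Condition" in s)
            for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))]

def verify_public_claim(bpa, policy):
    """Classify evidence as 'public', 'blocked', 'review' or 'not-public'."""
    missing = [f for f in BPA_FLAGS if f not in bpa]
    if missing:
        raise ValueError(f"incomplete Block Public Access evidence: {missing}")
    hits = public_statements(policy)
    if not hits:
        return "not-public"
    # Simplification (assumption): conditions are not evaluated key by key;
    # if every open statement carries one, a human has to read it.
    if all(has_condition for _, has_condition in hits):
        return "review"
    # RestrictPublicBuckets stops anonymous and cross-account use of a public policy.
    return "blocked" if bpa["RestrictPublicBuckets"] else "public"

# Constructed sample evidence, not taken from a real account.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(verify_public_claim(SAMPLE_BPA, SAMPLE_POLICY))
```

A result of `review` means every open statement is conditional, so the condition itself decides whether the bucket is reachable by anyone.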
Escher is read-only until you say otherwise. Some answers come with optional actions ("apply this tag," "restrict this security group"). Those actions never run without your explicit approval, and every action produces an evidence record you can export.
Escher gets better the more you connect. A single AWS account gives you AWS answers. Connecting Azure unlocks cross-cloud questions: "Where do we have similar workloads in different clouds, and which is cheaper to run?"
What's next
- Quickstart — Try the five steps with a real question
- Asking Questions — Phrasing tips that get better answers
- Canvas Overview — How to read and export a Canvas