SecOps
Posture, exposure, blast radius, and threat surface — across every cloud you've connected.
What SecOps in Escher covers
| Capability | Example question |
|---|---|
| Public exposure | "What's reachable from the internet?" |
| IAM blast radius | "If this role were compromised, what could the attacker reach?" |
| Storage posture | "Which buckets / blobs / objects are public?" |
| Network posture | "Which security groups / NSGs are dangerous?" |
| Threat surface | "What's our attack surface look like right now?" |
| MFA / key hygiene | "Which IAM users haven't used MFA in 30 days?" |
Sample answers
"Show me everything publicly accessible in production."
Returns a Canvas with every internet-facing resource ranked by severity. Each finding includes the exposure mechanism (open SG, public bucket, etc.), the data or system at risk, and a one-click remediation.
"What's the blast radius if this CI/CD service account were compromised?"
Returns a graph: every resource the principal can read or modify, every role it can assume transitively, every secret it can decrypt — with sensitivity ranking.
"Are our security groups consistent across regions?"
Returns an exception report: SGs that exist in some regions but not others, divergent rules for similar resource sets, drift since last snapshot.
What Escher does well in SecOps
- Cross-account, cross-cloud reasoning. A single question can cover all your AWS accounts, Azure subscriptions, and GCP projects in one pass.
- Privilege graph traversal. Escher follows transitive `sts:AssumeRole` chains to find paths an attacker would actually take.
- Severity ranking that matches reality. Findings ranked by blast radius and exploitability, not just CVSS.
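
The transitive `sts:AssumeRole` traversal behind the blast-radius answer above can be expressed as a breadth-first search over a role graph. This is an added example, not Escher's own code: the principal names, resources and all three dictionaries are constructed, and the model assumes every hop needs both an identity-policy allow and a matching trust-policy entry.

```python
from collections import deque

# Constructed sample data (not from any real account).
# CAN_ASSUME: roles each principal's identity policy lets it call sts:AssumeRole on.
CAN_ASSUME = {
    "ci-deployer": ["role/build", "role/prod-admin"],
    "role/build": ["role/artifact-publisher"],
    "role/artifact-publisher": ["role/build", "role/secrets-reader"],
    "role/secrets-reader": [],
    "role/prod-admin": [],
}
# TRUSTS: principals named in each role's trust policy.
TRUSTS = {
    "role/build": {"ci-deployer", "role/artifact-publisher"},
    "role/artifact-publisher": {"role/build"},
    "role/secrets-reader": {"role/artifact-publisher"},
    "role/prod-admin": {"role/break-glass"},  # does not trust ci-deployer
}
# RESOURCES: what each principal can read or modify directly.
RESOURCES = {
    "ci-deployer": {"s3://build-cache"},
    "role/build": {"ecr://app-images"},
    "role/artifact-publisher": {"s3://release-artifacts"},
    "role/secrets-reader": {"kms://prod-db-key"},
    "role/prod-admin": {"rds://prod-db"},
}

def blast_radius(start):
    """Breadth-first walk over AssumeRole edges; returns {principal: shortest chain}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for role in CAN_ASSUME.get(current, []):
            # Assumed model: an edge exists only when the caller's policy allows
            # the call AND the target role's trust policy names the caller.
            if current not in TRUSTS.get(role, set()):
                continue
            if role not in paths:  # visited check also terminates on cycles
                paths[role] = paths[current] + [role]
                queue.append(role)
    return paths

def reachable_resources(start):
    """Map each reachable resource to the shortest chain that exposes it."""
    exposed = {}
    for principal, chain in blast_radius(start).items():
        for resource in RESOURCES.get(principal, ()):
            exposed.setdefault(resource, chain)
    return exposed
```

In the sample data, `role/prod-admin` stays outside the result even though the identity policy allows the call, because its trust policy does not name the caller; the KMS key is reached only through a three-hop chain.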
Tips
TIP
Start broad, then drill in. "Show me the riskiest findings in prod" gets a prioritized list. Then "tell me more about #3" expands the third finding into a deep-dive Canvas.
TIP
Combine with Compliance. "Which of these findings would block our SOC 2 audit?" maps SecOps findings to your active compliance frameworks.