FAQ
Is Escher safe to run in production?
Yes. Escher is read-only by default. It reads metadata about your cloud resources — the same data your security audit tool already reads. It does not modify anything unless you explicitly approve a specific action.
Every action Escher takes (read or write) is recorded in your cloud's own audit log (CloudTrail, Azure Activity Log, GCP Cloud Audit Logs).
Does Escher store my cloud data?
Estate metadata is stored locally on your machine and (on team plans) in your team's tenant database. It is never shared across customers and never used to train any model.
Your cloud credentials never leave your device.
See Security & Privacy.
Will Escher work if I have a multi-account / multi-cloud setup?
Yes. That's where Escher is most valuable. You can connect any number of AWS accounts, Azure subscriptions, GCP projects, or all of the above. Escher answers questions across all connected scopes in a single pass.
How long does the first scan take?
Typically 3–8 minutes for an account with a few thousand resources. For very large accounts (10,000+ resources), the first scan can take 15–20 minutes. Subsequent refreshes are incremental and faster.
Can I use Escher offline?
Once your estate is mapped, most questions can be answered without re-reading your cloud — Escher uses the local map. You'll need network access for live correlations (e.g. checking a CloudTrail event from this morning) and for the AI reasoning step.
What happens if I revoke Escher's IAM permissions?
Escher stops being able to refresh the estate. Past Canvases remain accessible — they're snapshots, not live queries. Re-grant permissions whenever you want to refresh.
Can I connect a sandbox before production?
Yes, and we recommend it. Connect a single non-production account first to get a feel for the tool. When you're comfortable, add production.
Is there a free trial?
Escher is currently distributed via a Design Partner program. For trial access, reach out to your Tessell account contact or sales@tessell.com.
Is Escher available outside the US?
Yes. Regional residency is offered. The regions available to your tenant are decided per agreement; ask your Tessell contact or security@tessell.com for the current list.
What's the difference between Escher and a CSPM tool?
CSPM tools (Wiz, Lacework, Orca) scan for security findings against a fixed rule set. Escher answers arbitrary questions about your cloud — security being one domain among seven. Many customers run both.
A CSPM tells you "you have 1,400 findings." Escher tells you "of those 1,400, here are the 12 that actually matter, here's why, and here's how to fix them."
What's the difference between Escher and a chatbot like ChatGPT?
A general LLM doesn't have access to your cloud. Escher does, and it grounds every answer in evidence from your actual estate. Every Canvas claim is backed by a specific log, config, billing line, or event — not a guess.