Posture you can actually fix.
Continuous cloud security posture management for AWS, GCP, and Azure. Real misconfig detection, real identity hygiene, real remediation — not another backlog nobody reads.
What CloudGuard does.
Multi-cloud posture (CSPM)
One rulebook across AWS, GCP, and Azure. Findings surface with the same severity language everywhere — no cloud-by-cloud context switching.
Identity hygiene (CIEM)
Find the dormant admin, the cross-account trust nobody documented, and the role that can assume itself. CloudGuard maps effective permissions, not just assigned ones.
Container and Kubernetes security (KSPM)
Evaluate cluster configurations, pod security policies, and workload permissions against CIS Kubernetes Benchmarks and your own policy baselines.
Infrastructure-as-Code scanning
Catch misconfigurations before they deploy. CloudGuard evaluates Terraform, CloudFormation, and Helm charts in CI, not after the fact in production.
Attack-path analysis
Connect the dots between an overpermissioned role, a public S3 bucket, and a sensitive data store. See the paths an attacker would walk, not just isolated findings.
Compliance evidence, ready to export
Every finding maps to a control. SOC 2, ISO 27001, and PCI DSS evidence exports cleanly — so audit prep is a click, not a project.
How CloudGuard works
1. Connect your cloud accounts
Grant read-only access using cloud-native IAM roles in AWS, Azure, or GCP. CloudGuard never needs write permissions — it enumerates resources and configuration state directly from provider APIs without touching your workloads.
2. Continuous policy evaluation
Every resource is evaluated against CloudGuard's built-in ruleset plus any custom policies you've committed to version control. When a configuration changes, new findings surface within minutes — not the next scheduled scan.
3. Prioritize by exploitability, not severity score
CVSS scores rank findings in isolation. CloudGuard's attack-path engine chains findings together — overpermissioned role to public bucket to sensitive store — so teams address the paths an attacker would actually walk.
4. Remediate or review — your call
Low-risk fixes like enabling versioning or removing public-access overrides can be automated behind a review gate. Higher-impact changes produce a draft PR or a runbook for human sign-off. Nothing reaches production automatically.
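An added illustration of the chaining idea in step 3, written for this page and not CloudGuard's own engine: findings and resource relationships are treated as edges in a directed graph, and findings that sit on a path from an internet-facing entry point to a sensitive store are ranked ahead of isolated ones. All resource names and finding ids below are constructed.

```python
from collections import defaultdict

# Constructed sample data (not a real account). Each edge is
# (from_resource, to_resource, label, finding_id): a posture finding or a
# structural relationship that lets one resource reach the next.
FINDINGS = [
    ("internet", "ec2/web-01", "security_group_open_to_world", "F-1"),
    ("ec2/web-01", "role/web-instance", "instance_profile_attached", "F-2"),
    ("role/web-instance", "role/data-admin", "cross_account_trust_undocumented", "F-3"),
    ("role/data-admin", "rds/customers", "role_overpermissioned", "F-4"),
    # Public bucket with nothing sensitive behind it: a finding, not a path.
    ("internet", "s3://marketing-assets", "public_bucket_policy", "F-5"),
]
SENSITIVE = {"rds/customers"}  # assumed tag from a data-classification step
ENTRY = "internet"


def build_graph(findings):
    """Adjacency list: resource -> [(next_resource, finding_id)]."""
    graph = defaultdict(list)
    for src, dst, _label, fid in findings:
        graph[src].append((dst, fid))
    return graph


def attack_paths(findings, entry=ENTRY, sensitive=SENSITIVE):
    """Every simple path (as a list of finding ids) from entry to a sensitive store."""
    graph = build_graph(findings)
    paths = []

    def walk(node, visited, trail):
        if node in sensitive:
            paths.append(list(trail))
            return
        for nxt, fid in graph[node]:
            if nxt not in visited:  # simple paths only; avoids trust cycles
                walk(nxt, visited | {nxt}, trail + [fid])

    walk(entry, {entry}, [])
    return paths


def prioritize(findings, entry=ENTRY, sensitive=SENSITIVE):
    """Rank finding ids: shortest complete path first, isolated findings last."""
    rank = {}
    for path in sorted(attack_paths(findings, entry, sensitive), key=len):
        for fid in path:
            rank.setdefault(fid, len(path))  # keep the best (shortest) path length
    return sorted((f[3] for f in findings), key=lambda fid: rank.get(fid, float("inf")))
```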
Built for…
Security teams inheriting a multi-cloud mess
You didn't pick three clouds. You still have to secure them. CloudGuard gives you a single pane across AWS, Azure, and GCP without requiring three separate tools.
Platform teams shipping infrastructure as code
Catch the misconfig in the PR, not in production. IaC scanning integrates with your existing CI pipeline so misconfigured resources never reach an environment.
Compliance leads preparing for audit
SOC 2 and ISO 27001 evidence that's ready when the auditor asks. Every finding maps to a control, and the export format is one your auditor can actually read.
Zero-trust teams mapping identity risk
CIEM surfaces every overpermissioned role and cross-account trust relationship in your environment. Build toward least-privilege with a clear picture of effective permissions today.
Integrations
- AWS
- Azure
- GCP
- Kubernetes
- Terraform
- GitHub Actions
Frequently asked questions
- How do I connect CloudGuard to my cloud accounts?
You create a read-only IAM role in each cloud provider and paste the ARN or credential reference into the CloudGuard console. There is nothing to install on your instances or network. For IaC and CI scanning, the Sandworm CLI drops into your existing pipeline as a single command.
- What exactly does CloudGuard read from my cloud environment?
CloudGuard reads resource configuration state and metadata from cloud provider APIs — security group rules, IAM policies, bucket ACLs, cluster configurations, and so on. It does not read the contents of your data stores: no S3 object bodies, no database rows. Configuration snapshots are retained in your isolated tenant and never shared.
- How is CloudGuard priced?
CloudGuard is available in the Sandworm platform bundles and as a standalone add-on. Current rates are on the pricing page at /pricing. Billing is per-resource-account, not per finding — so running a thorough scan does not change what you pay.
- How does CloudGuard compare to AWS Security Hub or Microsoft Defender for Cloud?
Provider-native tools speak only their own cloud's severity and control vocabulary. CloudGuard normalizes posture findings across AWS, Azure, and GCP into a single model, overlays cross-cloud attack-path analysis, and feeds results into the Sandworm investigation workflow so posture gaps and active detections appear in the same place.
- Does CloudGuard support auto-remediation?
Yes, for a defined set of low-risk findings — enabling bucket versioning, removing overly permissive public-access grants, or enforcing encryption flags. Higher-impact changes produce a draft pull request or a step-by-step runbook that a human approves before anything runs. Auto-remediation is opt-in per finding type and can be disabled globally.
- What is on the CloudGuard roadmap?
Work in progress includes expanded KSPM coverage for managed Kubernetes services (EKS, AKS, GKE), continuous drift detection between your IaC definitions and live resource state, and deeper cross-tool correlation so a posture finding links directly into an open Sandworm investigation. Specific ship dates are not announced in advance.
Also in Sandworm.
Sandworm SIEM
Security information and event management with real-time correlation.
See Sandworm SIEM →
Stop ignoring the misconfig dashboard.
We'll run CloudGuard against your own cloud accounts — live.