Cloud Scan Engine

Cloud Posture and Identity
Attack Paths, Unified

A proprietary cloud security posture and cloud identity attack-path engine, built by CVEasy. It reads AWS, Azure, and GCP from one place, scores every finding, and sits in the same CTEM app as your on-prem exposure.

204
CIS-tagged checks
3
Cloud providers
CSPM
+ CIEM engine
Local
Findings stay put

Key Features

One engine for cloud posture and cloud identity, built in-house and wired into the same platform that scores your on-prem exposure.

Cloud Security Posture (CSPM)

Configuration and posture analysis across storage, network, encryption, logging, and public exposure. Every finding is scored and ranked so the misconfiguration that actually matters rises to the top.

Cloud Identity and Attack Paths (CIEM)

Maps roles, permissions, trust relationships, and privilege escalation routes. Shows how an over-permissioned identity chains into a path toward sensitive resources, before an attacker walks it.

AWS, Azure, and GCP in One Place

Three providers, one console. No separate tool per cloud and no stitching results together by hand. Multi-cloud posture and identity read from a single view inside the CTEM app.

204 CIS-Tagged Checks

Every check maps to a CIS Benchmark control: 88 for AWS, 61 for Azure, 55 for GCP. A per-framework coverage rollup shows exactly where each cloud stands against the benchmark.

Read-Only Access

The engine runs against your own cloud accounts using read-only credentials. It inspects configuration and identity state, it never changes it. You grant read scope, nothing more.

Local-First Results

This engine scans your cloud, it is not the app phoning home. Findings stay in your local CVEasy instance, so the core platform stays local-first while it reaches out read-only to the accounts you point it at.

Coverage by Provider

204 CIS-tagged checks split across the three major clouds, each with its own compliance coverage rollup.

Amazon Web Services
88
CIS-tagged checks
Microsoft Azure
61
CIS-tagged checks
Google Cloud
55
CIS-tagged checks

Each provider rolls up to a per-framework compliance coverage view. Scope covers CSPM and CIEM. Container image scanning and agent-based workload runtime are not part of this engine.

How the Scan Runs

Point it at your accounts, and it reads posture and identity, scores what it finds, and hands proven paths to BASzy for validation.

Step 1

Connect Read-Only

Grant read-only access to your AWS, Azure, or GCP accounts. The engine authenticates and enumerates configuration and identity state.

Step 2

Run 204 Checks

Every posture and identity control runs against the accounts. Each result maps to its CIS Benchmark tag for the matching provider.

Step 3

Score and Rank

Findings are scored and reranked in the CTEM app alongside on-prem exposure, so cloud and network risk share one priority queue.

Step 4

Validate the Path

Identity attack paths feed BASzy validation to confirm which routes are actually reachable, separating real exposure from theory.

The Cloud Value, Without the Cloud Bill

Teams buy Wiz for cloud posture and identity attack paths. CVEasy delivers that value with flat-rate pricing and one unified console.

CVEasy Cloud vs Wiz

One Console, Not a Second Bill

Wiz is the incumbent for cloud posture and identity attack paths, and it does that job well. The critique is the model, not the people: per-asset cloud pricing and a console that lives apart from your on-prem program. CVEasy folds the same cloud posture and identity attack-path value into the CTEM app you already run, at flat-rate pricing.

  • Cloud posture and identity attack paths, built by CVEasy, not resold
  • Flat-rate pricing, no per-asset cloud metering
  • Unified with on-prem exposure, not a separate console
  • Cloud paths validated by built-in BASzy attack simulation
One platform, four surfaces
Cloud posture (CSPM)Same app
Cloud identity (CIEM)Same app
On-prem exposureSame app
BASzy validationSame app

Cloud and network exposure in one priority queue.

See your cloud posture
and your network, together.

Proprietary CSPM and CIEM across AWS, Azure, and GCP. Read-only, local-first, and unified with on-prem exposure in one CTEM app.

Request a Demo → Contact Sales