Platform / Cloud Security (CSPM)

Cloud Security (CSPM)

Misconfigurations, exposure, provider threat signals, and compliance — one cloud risk view.

The problem

What this replaces

Native cloud security consoles stop at their own cloud, free tiers stop at the basics, and multi-account sprawl means nobody can answer 'are we exposed anywhere?' in one place.

The solution

What Offload does

Continuous security posture management across AWS, Google Cloud, and Microsoft Azure: misconfigurations, public exposure, compliance benchmarks, and provider threat signals, normalized into the platform's unified risk workflow.

Capabilities

What you get

  • Multi-account AWS, GCP, and Azure onboarding with read-only, encrypted credentials
  • Native signals: AWS Security Hub, Config, GuardDuty; GCP Security Command Center; Azure Defender for Cloud
  • Open policy-engine checks layered on top for provider-independent benchmark coverage
  • Region-aware parallel scanning for AWS; GCP organization onboarding with recursive project discovery
  • Scheduled scans with staggered execution windows
  • Asset inventory with lifecycle status and deletion reconciliation
  • Per-account compliance scoring mapped to framework controls
Under the hood

How it works

A scan request creates a tracked run, fans out per region and account under concurrency caps, and executes on worker infrastructure. Credentials are decrypted only inside the worker for the duration of the scan.

Findings from every provider are normalized to one schema — severity, resource, region, rule, compliance mapping — and managed through the same lifecycle as every other finding on the platform.

One platform, one risk view

Cloud findings feed unified vulnerability management, the risk register, compliance posture, attack-path analysis, and central alerts — one data model shared with code and Kubernetes findings.

See Cloud Security (CSPM) on your own data.