Cloud Security (CSPM)
Misconfigurations, exposure, provider threat signals, and compliance — one cloud risk view.
What this replaces
Native cloud security consoles stop at their own cloud, free tiers stop at the basics, and multi-account sprawl means nobody can answer 'are we exposed anywhere?' in one place.
What Offload does
Continuous security posture management across AWS, Google Cloud, and Microsoft Azure: misconfigurations, public exposure, compliance benchmarks, and provider threat signals, normalized into the platform's unified risk workflow.
What you get
- Multi-account AWS, GCP, and Azure onboarding with read-only, encrypted credentials
- Native signals: AWS Security Hub, Config, GuardDuty; GCP Security Command Center; Azure Defender for Cloud
- Open policy-engine checks layered on top for provider-independent benchmark coverage
- Region-aware parallel scanning for AWS; GCP organization onboarding with recursive project discovery
- Scheduled scans with staggered execution windows
- Asset inventory with lifecycle status and deletion reconciliation
- Per-account compliance scoring mapped to framework controls
How it works
A scan request creates a tracked run, fans out per region and account under concurrency caps, and executes on worker infrastructure. Credentials are decrypted only inside the worker for the duration of the scan.
Findings from every provider are normalized to one schema — severity, resource, region, rule, compliance mapping — and managed through the same lifecycle as every other finding on the platform.
One platform, one risk view
Cloud findings feed unified vulnerability management, the risk register, compliance posture, attack-path analysis, and central alerts — one data model shared with code and Kubernetes findings.