Kloudle
The Platform

One Posture Plane for the AI Software Factory

AI-assisted teams ship apps, APIs, agents, and MCP servers at machine speed, across the big clouds and the new ones. Kloudle gives that whole estate a single security posture — built on engines that refuse to promote a finding without proof, and kept entirely inside your network.

How It Works

From Raw Finding to Verified, Accountable Fix

Findings are cheap. The platform's job is to turn them into accountable issues a human governs and an agent can safely act on. Each step is labeled with where it stands today — the worked sample below shows one issue moving through it.

  1. Raw finding (Live today)

    A scanner reports a misconfiguration. One line among many — not yet a security issue.

  2. Evidence (Live today)

    The raw configuration that proves it is captured and stored with the finding.

  3. Promoted issue (Near-term)

    Cross-plane context decides it matters; the finding becomes an accountable, ranked issue.

  4. Graph + ledger (Near-term)

    The issue is linked to related risk and recorded in the ledger you own.

  5. Human gate (Near-term)

    A human blocks, allows a scoped fix, or waives — and sets what an agent may touch.

  6. Agent action (Destination)

    An agent works the promoted, scoped item from the ledger and returns proof of the change.

  7. Verification (Near-term)

    Kloudle re-runs the check and records the verified outcome against the responsibility view.

Humans stay responsible across the whole loop and decide what agents may touch. Agents act from the promoted ledger, never from raw scanner noise.

Five Surfaces, One Discipline

Cloud is the first surface taken all the way to production-evidenced scanning. The rest are real engines being productized onto the same rails — not greenfield promises.

Cloud Posture (CSPM)

Live

The trust anchor. 1,800+ SQL-based checks across AWS, GCP, Azure, DigitalOcean, and Kubernetes, run on your infrastructure and stored in your database.

  • Severity-mapped to CIS, NIST, and PCI-DSS
  • Dashboard, CLI, and MCP server on one engine
  • Every check is readable SQL you can audit

Neocloud Posture

In development

The half of the modern estate incumbent scanners can't see — Vercel, Cloudflare, Netlify, Render, Fastly. No Prowler-for-Vercel exists. We're defining the coverage on the same factory that powers cloud.

  • Same ledger-driven check discipline as cloud
  • Built for teams that ship on the new clouds
  • Definitional coverage, not a bolt-on

MCP Server Posture

In development

The MCP servers your team runs and consumes are production attack surface with no benchmark behind them. Our MCP scanning engine is field-validated against real-world servers and is being folded into the platform.

  • Posture standard for a category with zero incumbents
  • Only proven issues get promoted to findings
  • Validated against widely-used MCP servers

App & API Posture (ASPM)

Roadmap

The software your factory ships — exposed endpoints, leaked secrets, broken authorization. A production-grade engine proven on real engagements, being productized onto the same rails as cloud and MCP.

  • Secret, endpoint, and library detection
  • Authorization probing on deployed apps
  • Confirmed / disproven evidence ledger

Agent Activity & Provenance

Roadmap

When agents change your estate, the question becomes which factory line keeps producing risk. Answered from the audit logs you already collect — like CloudTrail — with no instrumentation in your pipelines.

  • "Which identity made this change" from existing logs
  • Surface the agents creating misconfigurations
  • Zero customer instrumentation required

One Evidence Layer

We Unify the Evidence, Not the Code

Merging the engines into one codebase is a year of work that ships nothing. Instead, each engine runs as a native worker and feeds one shared evidence layer — the integration that actually produces the connected picture.

One finding schema

Every engine emits structured, fingerprinted, severity-tagged, evidence-referenced findings. Normalized into one contract so a cloud finding and an MCP finding speak the same language.

One evidence ledger

All findings land in one map-governed store inside your network — the same coverage-DB discipline that gates cloud, extended across every surface. The ledger is the control plane, not a slide.

One cross-plane graph

Once findings share one store, the attack path that crosses layers becomes traversable: a weak MCP server, a leaked token, a cloud write, a public bucket, egress. No incumbent collects on every plane.

Evidence Ledger

How a Promoted Issue Is Meant to Read

Findings are cheap. A promoted issue is accountable. This is a sample operating model: one redacted entry showing the ledger shape we are building toward, where a finding moves from raw scanner output to a verified fix. It is an illustration of the target, not a claim that every stage is live today (see the maturity split below).

ledger entry · ISSUE-████ Sample: redacted example, not a customer record
  1. Raw finding

    Observed

    kloudle-aws-s3 reports public-access-block disabled on a bucket. One line in a scan that returned hundreds of results, not yet a security issue.

    resource: s3://█████-assets-prod · account: ████████ · check: S3.PublicAccessBlock

  2. Evidence

    Proven

    The bucket policy and ACL are captured at scan time and stored alongside the finding. The raw config, not a score, is what supports promotion.

    evidence: bucket-policy.json, acl.json, public-access-block.json (snapshot)

  3. Promoted issue

    Promoted

    Cross-plane context makes it matter: this bucket is reachable from a public CloudFront distribution and holds objects written by a deploy role an agent uses. The graph is why it ranks; the ledger records that it was promoted.

    severity: High · why: public reachability + agent-written objects

  4. Human gate

    Human decision

    A human sets the gate: block the line, allow a scoped fix, or waive with a reason and an expiry. Humans also define what an agent may touch: here, this one bucket's public-access settings, nothing wider.

    gate: allow-scoped-fix · waiver alternative: expires in 30d with reason · agent scope: S3.PublicAccessBlock on this resource only

  5. Agent-safe action

    Acted from ledger

    The agent pulls this promoted, scoped item from the ledger, not raw scanner output, and applies the fix within the boundary the human set. It returns proof of exactly what it changed.

    remediation: enable public-access-block · scope: this resource only · change-proof returned to ledger

  6. Verification

    Verified

    Kloudle re-runs the check and records the outcome. The ledger now holds the full trace: observed, promoted, who decided, what an agent did, and proof it holds.

    re-scan: S3.PublicAccessBlock → pass · status: resolved, verified

Live today

Evidence-backed cloud findings and pass/fail history in your own database.

Near-term

Promotion, gates, waivers, and agent-scoped work queues across the ledger.

Destination

Proof that responsibilities were met across every plane of the factory.

In this model, humans stay responsible and decide what agents may touch. Agents act from the promoted ledger, never from raw scanner noise.
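The stage ordering in the sample ledger entry above, as an added sketch that is not Kloudle's code or schema: the `Issue` class, its field names and its methods are hypothetical. It enforces that an issue moves one stage at a time, that a waiver carries a reason and an expiry, and that an agent can act only on an item a human has gated with a scope.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
STAGES = ["observed", "proven", "promoted", "gated", "acted", "verified"]

@dataclass
class Issue:  # hypothetical ledger entry; field names are assumptions
    check: str
    resource: str
    stage: str = "observed"
    gate: str = ""        # "block" | "allow-scoped-fix" | "waive"
    scope: tuple = ()     # (check, resource) an agent may touch
    waiver_expiry: object = None
    trace: list = field(default_factory=list)

    def _advance(self, to, note):
        # One step forward only: nothing skips evidence or the human gate.
        if STAGES.index(to) != STAGES.index(self.stage) + 1:
            raise PermissionError(f"{self.stage} -> {to} not allowed")
        self.stage = to
        self.trace.append((to, note))

    def attach_evidence(self, *files):
        if not files:
            raise ValueError("raw config snapshot required")
        self._advance("proven", ", ".join(files))

    def promote(self, why):
        self._advance("promoted", why)

    def human_gate(self, who, decision, reason="", today=None, days=30):
        if decision not in ("block", "allow-scoped-fix", "waive"):
            raise ValueError(f"unknown gate {decision!r}")
        if decision == "waive" and not reason:
            raise ValueError("a waiver needs a reason")
        self._advance("gated", f"{decision} by {who}: {reason}")
        self.gate = decision
        if decision == "waive":
            self.waiver_expiry = (today or date.today()) + timedelta(days=days)
        if decision == "allow-scoped-fix":
            self.scope = (self.check, self.resource)

    def agent_act(self, check, resource, change_proof):
        # Raw, blocked and waived items all fail here: only a scoped gate opens it.
        if self.gate != "allow-scoped-fix" or (check, resource) != self.scope:
            raise PermissionError("outside the scope the human set")
        self._advance("acted", change_proof)

    def verify(self, rescan_passed):
        if not rescan_passed:
            raise ValueError("re-scan still fails")
        self._advance("verified", "re-scan pass")
```

The `trace` list ends up holding the same sequence the sample entry shows: evidence, promotion reason, who decided, what the agent changed, and the re-scan result.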

Why incumbents can't follow

Wiz and Datadog make money by centralizing your security data in their cloud. Kloudle makes money by keeping it in yours. The cross-plane graph — agent to tool call to credential to cloud resource to exposure — is only buildable by whoever collects on every plane with one evidence model, inside the enterprise. Copying it would mean breaking the business model the incumbents are built on.

Every claim above is gated on production evidence. We never quote catalog counts as coverage — only checks that run and evaluate against real accounts.

Put a Posture Layer in Your Factory

Self-serve signup is closing. Exclusive access opens issue gating across your MCP-connected apps — built on the 1,890 checks that run today.

Or explore Self-hosted deployment and Agent tools