One Posture Plane for the AI Software Factory
AI-assisted teams ship apps, APIs, agents, and MCP servers at machine speed, across the big clouds and the new ones. Kloudle gives that whole estate a single security posture — built on engines that refuse to promote a finding without proof, and kept entirely inside your network.
From Raw Finding to Verified, Accountable Fix
Findings are cheap. The platform's job is to turn them into accountable issues a human governs and an agent can safely act on. Each step is labeled with where it stands today — the worked sample below shows one issue moving through it.
- 01 · Live today · Raw finding: A scanner reports a misconfiguration. One line among many — not yet a security issue.
- 02 · Live today · Evidence: The raw configuration that proves it is captured and stored with the finding.
- 03 · Near-term · Promoted issue: Cross-plane context decides it matters; the finding becomes an accountable, ranked issue.
- 04 · Near-term · Graph + ledger: The issue is linked to related risk and recorded in the ledger you own.
- 05 · Near-term · Human gate: A human blocks, allows a scoped fix, or waives — and sets what an agent may touch.
- 06 · Destination · Agent action: An agent works the promoted, scoped item from the ledger and returns proof of the change.
- 07 · Near-term · Verification: Kloudle re-runs the check and records the verified outcome against the responsibility view.
Humans stay responsible across the whole loop and decide what agents may touch. Agents act from the promoted ledger, never from raw scanner noise.
Five Surfaces, One Discipline
Cloud is the first surface taken all the way to production-evidenced scanning. The rest are real engines being productized onto the same rails — not greenfield promises.
Cloud Posture (CSPM)
Live · The trust anchor. 1,800+ SQL-based checks across AWS, GCP, Azure, DigitalOcean, and Kubernetes, run on your infrastructure and stored in your database.
- Severity-mapped to CIS, NIST, and PCI-DSS
- Dashboard, CLI, and MCP server on one engine
- Every check is readable SQL you can audit
Neocloud Posture
In development · The half of the modern estate incumbent scanners can't see — Vercel, Cloudflare, Netlify, Render, Fastly. No Prowler-for-Vercel exists. We're defining the coverage on the same factory that powers cloud.
- Same ledger-driven check discipline as cloud
- Built for teams that ship on the new clouds
- Definitional coverage, not a bolt-on
MCP Server Posture
In development · The MCP servers your team runs and consumes are production attack surface with no benchmark behind them. Our MCP scanning engine is field-validated against real-world servers and is being folded into the platform.
- Posture standard for a category with zero incumbents
- Only proven issues get promoted to findings
- Validated against widely-used MCP servers
App & API Posture (ASPM)
Roadmap · The software your factory ships — exposed endpoints, leaked secrets, broken authorization. A production-grade engine proven on real engagements, being productized onto the same rails as cloud and MCP.
- Secret, endpoint, and library detection
- Authorization probing on deployed apps
- Confirmed / disproven evidence ledger
Agent Activity & Provenance
Roadmap · When agents change your estate, the question becomes which factory line keeps producing risk. Answered from the audit logs you already collect — like CloudTrail — with no instrumentation in your pipelines.
- "Which identity made this change" from existing logs
- Surface the agents creating misconfigurations
- Zero customer instrumentation required
We Unify the Evidence, Not the Code
Merging the engines into one codebase is a year of work that ships nothing. Instead, each engine runs as a native worker and feeds one shared evidence layer — the integration that actually produces the connected picture.
One finding schema
Every engine emits structured, fingerprinted, severity-tagged, evidence-referenced findings. Normalized into one contract so a cloud finding and an MCP finding speak the same language.
One evidence ledger
All findings land in one map-governed store inside your network — the same coverage-DB discipline that gates cloud, extended across every surface. The ledger is the control plane, not a slide.
One cross-plane graph
Once findings share one store, the attack path that crosses layers becomes traversable: a weak MCP server, a leaked token, a cloud write, a public bucket, egress. No incumbent collects on every plane.
How a Promoted Issue Is Meant to Read
Findings are cheap. A promoted issue is accountable. This is a sample operating model: one redacted entry showing the ledger shape we are building toward, where a finding moves from raw scanner output to a verified fix. It is an illustration of the target, not a claim that every stage is live today (see the maturity split below).
- Raw finding · Observed · kloudle-aws-s3 reports public-access-block disabled on a bucket. One line in a scan that returned hundreds of results, not yet a security issue.
  resource: s3://█████-assets-prod · account: ████████ · check: S3.PublicAccessBlock
- Evidence · Proven · The bucket policy and ACL are captured at scan time and stored alongside the finding. The raw config, not a score, is what supports promotion.
  evidence: bucket-policy.json, acl.json, public-access-block.json (snapshot)
- Promoted issue · Promoted · Cross-plane context makes it matter: this bucket is reachable from a public CloudFront distribution and holds objects written by a deploy role an agent uses. The graph is why it ranks; the ledger records that it was promoted.
  severity: High · why: public reachability + agent-written objects
- Human gate · Human decision · A human sets the gate: block the line, allow a scoped fix, or waive with a reason and an expiry. Humans also define what an agent may touch: here, this one bucket's public-access settings, nothing wider.
  gate: allow-scoped-fix · waiver alternative: expires in 30d with reason · agent scope: S3.PublicAccessBlock on this resource only
- Agent-safe action · Acted from ledger · The agent pulls this promoted, scoped item from the ledger, not raw scanner output, and applies the fix within the boundary the human set. It returns proof of exactly what it changed.
  remediation: enable public-access-block · scope: this resource only · change-proof returned to ledger
- Verification · Verified · Kloudle re-runs the check and records the outcome. The ledger now holds the full trace: observed, promoted, who decided, what an agent did, and proof it holds.
  re-scan: S3.PublicAccessBlock → pass · status: resolved, verified
Maturity split:
- Evidence-backed cloud findings and pass/fail history in your own database.
- Promotion, gates, waivers, and agent-scoped work queues across the ledger.
- Proof that responsibilities were met across every plane of the factory.
In this model, humans stay responsible and decide what agents may touch. Agents act from the promoted ledger, never from raw scanner noise.
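The seven-step loop, the single finding schema from "We Unify the Evidence, Not the Code", and the S3 sample above, walked through in one place as an added Python illustration. This is not Kloudle's code: the class, field and function names, the bucket name, the account id and the in-memory configuration are all assumptions constructed for the example. The ledger refuses to skip a stage, refuses to promote without stored evidence and context, and refuses agent work on an item that is ungated or outside the scope the human set; verification is a re-run of the same check, not the agent's word.

```python
"""Toy model of the finding-to-verified-fix loop described on this page.
Added illustration, not Kloudle's code: the class, field and function names are
assumptions, and the bucket, account id and configuration are constructed."""
from dataclasses import dataclass, field
import hashlib

# Ledger stages in order; an item may only move one step forward at a time.
STAGES = ["observed", "proven", "promoted", "gated", "acted", "verified"]

def fingerprint(engine, check, account, resource):
    # Stable identity so a re-scan updates a finding instead of duplicating it.
    raw = f"{engine}|{check}|{account}|{resource}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

@dataclass
class Finding:
    engine: str
    check: str
    account: str
    resource: str
    severity: str
    stage: str = "observed"
    evidence: dict = field(default_factory=dict)
    gate: dict = field(default_factory=dict)
    history: list = field(default_factory=lambda: [("observed", "scanner output")])

    @property
    def id(self):
        return fingerprint(self.engine, self.check, self.account, self.resource)

class Ledger:
    def __init__(self):
        self.items = {}

    def _advance(self, f, to, note):
        if STAGES.index(to) != STAGES.index(f.stage) + 1:
            raise ValueError(f"{f.id}: cannot go from {f.stage} to {to}")
        f.stage = to
        f.history.append((to, note))

    def observe(self, f):
        self.items[f.id] = f
        return f.id

    def attach_evidence(self, fid, snapshot):
        self.items[fid].evidence = snapshot
        self._advance(self.items[fid], "proven", "raw config captured")

    def promote(self, fid, reasons):
        # No promotion without stored evidence and at least one context reason.
        f = self.items[fid]
        if not f.evidence or not reasons:
            raise ValueError("promotion needs evidence and context")
        self._advance(f, "promoted", "; ".join(reasons))

    def gate(self, fid, decision, scope, actor):
        f = self.items[fid]
        f.gate = {"decision": decision, "scope": set(scope), "by": actor}
        self._advance(f, "gated", f"{actor}: {decision}")

    def agent_act(self, fid, check, resource, apply_fn):
        # An agent may act only on a gated item and only inside the gate scope.
        f = self.items[fid]
        if f.stage != "gated" or f.gate.get("decision") != "allow-scoped-fix":
            raise PermissionError("item is not open for agent work")
        if (check, resource) not in f.gate["scope"]:
            raise PermissionError(f"{check} on {resource} is outside the gate scope")
        before, after = apply_fn(resource)
        proof = {"before": before, "after": after}
        self._advance(f, "acted", proof)
        return proof

    def verify(self, fid, rescan_fn):
        f = self.items[fid]
        if rescan_fn(f.resource):
            self._advance(f, "verified", "re-scan pass")
        return f.stage

# Constructed stand-in for one account: bucket name -> configuration.
ACCOUNT = {"example-assets-prod": {"public_access_block": False, "acl": "public-read"}}

def check_public_access_block(bucket):
    return ACCOUNT[bucket]["public_access_block"] is True

def enable_public_access_block(bucket):
    # The scoped fix; returns before/after config as the change proof.
    before = dict(ACCOUNT[bucket])
    ACCOUNT[bucket]["public_access_block"] = True
    return before, dict(ACCOUNT[bucket])

def run_sample():
    # Walk the page's S3 example through every stage; returns (ledger, id, stage).
    bucket, ledger = "example-assets-prod", Ledger()
    fid = ledger.observe(Finding("kloudle-aws-s3", "S3.PublicAccessBlock", "111111111111", bucket, "High"))
    ledger.attach_evidence(fid, {"public-access-block.json": dict(ACCOUNT[bucket])})
    ledger.promote(fid, ["public reachability via CloudFront", "agent-written objects"])
    ledger.gate(fid, "allow-scoped-fix", {("S3.PublicAccessBlock", bucket)}, "security-lead")
    ledger.agent_act(fid, "S3.PublicAccessBlock", bucket, enable_public_access_block)
    return ledger, fid, ledger.verify(fid, check_public_access_block)
```

Calling `run_sample()` returns the ledger with the item at `verified` and a six-entry history (observed, proven, promoted, gated, acted, verified) in which the `acted` entry carries the before/after configuration as proof. The scope is a set of `(check, resource)` pairs rather than a free-text note so that an agent asking to touch a different check or a different bucket is refused mechanically, which is the "nothing wider" boundary the human gate sets.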
Why incumbents can't follow
Wiz and Datadog make money by centralizing your security data in their cloud. Kloudle makes money by keeping it in yours. The cross-plane graph — agent to tool call to credential to cloud resource to exposure — is only buildable by whoever collects on every plane with one evidence model, inside the enterprise. Copying it would mean breaking the business model the incumbents are built on.
Every claim above is gated on production evidence. We never quote catalog counts as coverage — only checks that run and evaluate against real accounts.
Put a Posture Layer in Your Factory
Self-serve signup is closing. Exclusive access opens issue gating across your MCP-connected apps — built on the 1,890 checks that run today.
Or explore Self-hosted deployment and Agent tools