Vornin
Start free
Cloud security posture · AWS · Azure · GCP · Kubernetes

Cloud posture checks, alongside every other scan.

32 live CIS checks across AWS, Azure, and GCP, plus Kubernetes cluster scanning. Identity, storage, networking, and key management posture, read from stored read-only credentials. Every finding lands in the same tracking, compliance, and evidence pipeline as your web and infrastructure scans.

Read-only access · Working scan data deleted after each scan · EU-hosted

The problem

Misconfiguration drifts between audits.

Cloud misconfigurations cause more breaches than code-level CVEs, yet the checks happen by hand, one console at a time. A bucket goes public and nobody sees it until the next manual sweep.

Coverage

CIS checks across every cloud you run.

Connect each account with read-only credentials and Vornin runs the CIS-aligned checks on a schedule. Calibrated for teams that need real coverage without an enterprise posture budget.

Amazon Web Services

Root and IAM MFA

Root account MFA, console MFA, and stale access keys.

S3 storage exposure

Public buckets and unencrypted storage.

EC2 and security groups

Open security-group ports and exposed instances.

Microsoft Azure

Identity and access

Privileged role assignments and access hygiene.

Key Vault

Key and secret protection settings.

Network security groups

Over-permissive inbound rules and open ports.

Google Cloud

IAM

Over-broad role bindings and service-account keys.

Cloud Storage

Public buckets and weak access controls.

Firewall rules

Ingress exposed to the public internet.

Kubernetes

Workload misconfig

Privileged pods and unsafe defaults.

Cluster secrets

Secrets exposed inside the cluster.

Image vulnerabilities

Known CVEs in the images you are running.

One pipeline

Posture findings join the same lifecycle.

A cloud misconfiguration is not a second tool with its own inbox. It is a finding that dedupes, ages against an SLA, and maps to compliance controls exactly like every other.

  • One finding inbox. Posture findings deduplicate, rank, escalate on SLA breach, and map to your frameworks alongside web, infrastructure, and code results.
  • Read-only by design. Credentials are stored encrypted and used read-only. The Kubernetes kubeconfig is written to a temporary file with locked-down permissions and deleted after the scan.
  • A cloud account is one target. Connect AWS, Azure, GCP, and Kubernetes on any paid tier. Each account counts once on the target slider, with no separate cloud surcharge.

See how findings move from detection to proven closure on the vulnerability management page.

Scan. Resolve. Prove.

Add cloud posture to your scan schedule today.

Start free, then connect a provider when you are ready.

Read-only access · Working scan data deleted after each scan · EU-hosted