Scanning Tiers
Three Tiers of Visibility
EchelonGraph provides three scanning tiers — each adding deeper visibility into your infrastructure. Start agentless with Tier 1 and expand as your security posture matures.
Tier 1: EcheSky (Agentless Cloud Scanning)
- Deployment: Agentless — API-only, no software to install
- Scan mode: On-demand or scheduled
- Best for: Immediate cloud visibility without touching infrastructure
What Tier 1 Discovers
| Category | What's Scanned |
|---|---|
| Compute | VMs, serverless functions, container services |
| Network | VPCs, subnets, security groups, firewalls, load balancers |
| Storage | Object stores and block storage — encryption and access policies |
| Identity | IAM users, roles, policies, service accounts |
| Data | Managed databases — encryption, public access, backup status |
| Certificates | TLS certificates and expiry dates |
What Tier 1 Detects
- 440+ misconfiguration rules mapped to CIS v2.0 benchmarks
- CVE correlation — automatic matching of service versions to known vulnerabilities
- Attack path analysis — maps reachable paths from internet-facing nodes to sensitive data
- Compliance scoring across all 9 supported frameworks
> ⚠️ Kubernetes visibility (capability boundary): Your Kubernetes cluster surfaces as a single asset — the cloud control-plane row (e.g., EKS_cluster:my-prod, GKE_cluster:prod-1, AKS_cluster:eu-west). Tier 1 sees what's *registered* with your cloud provider's API, not what's *running inside*. Namespaces, pods, services, RBAC objects, NetworkPolicies, and CRDs are invisible from outside the cluster — that's a fundamental capability boundary, not a licensing decision. For inside-cluster topology, deploy Tier 3.
How It Works
- Scanner authenticates with your cloud provider using read-only credentials
- Discovers all assets using API calls — no agents or disk access
- Evaluates 440+ misconfiguration rules and correlates known CVEs
- Builds attack path graph from internet-facing nodes inward
- Findings appear in your dashboard and trigger alerts automatically
Tier 2: EcheNet (Deep Network Scanning)
- Deployment: Standalone container (Docker or Helm chart), Cloud Run Job, or Kubernetes Deployment/CronJob
- Scan mode: One-shot (deploy-and-destroy) or Daemon (persistent with health/metrics endpoint)
- Best for: Network-level visibility, container security, Kubernetes hardening, private subnet scanning
Capabilities Beyond Tier 1
| Feature | Description |
|---|---|
| Deep network scanning | TCP port scanning with service detection (30+ protocols), SSL/TLS certificate analysis, HTTP fingerprinting, and DNS enumeration across private subnets |
| Shadow IT detection | Identify unauthorized services — open databases (Redis, MongoDB, Elasticsearch without auth), exposed admin panels (Jenkins, phpMyAdmin, Kibana), and rogue APIs |
| Container image scanning | Analyze running containers and registry images for CVEs using integrated Trivy CLI |
| SBOM generation | Software Bill of Materials in CycloneDX and SPDX formats for every container |
| Kubernetes security | CIS benchmark rules (12 rules), RBAC audit (5 rules), network policy analysis (3 rules), and K8s attack path graph generation |
| Runtime-enriched attack paths | Attack paths based on actual runtime state — scanned ports, exposed services, and live container topology |
| Config drift detection | Detect infrastructure drift between scan cycles — new hosts, changed ports, removed services |
| MITRE ATT&CK mapping | 14 technique mappings (T1046, T1190, T1530, etc.) applied to every finding |
| PCI DSS v4.0 mapping | Automated control mapping for payment card compliance |
| Agent enrollment | Two-step cryptographic handshake — one-time enrollment token exchanged for a long-lived agent credential |
Enterprise Features
| Feature | Description |
|---|---|
| BYOK encryption | AES-256-GCM encryption of all telemetry before transmission — SaaS backend never sees plaintext |
| Air-gapped mode | Zero outbound network — scan results written as SHA-256 integrity-verified JSON files to local disk |
| License validation | HMAC-SHA256 signed license keys with feature gating, asset caps, expiry warnings, and Prometheus health metrics |
| Zero-downtime key rotation | Dual-key decryption window — rotate encryption keys without scan interruption |
Tier 2 shows you what's actually running — not just what's configured.
> Kubernetes scope (Tier 2): CIS benchmark misconfig audit (12 rules), RBAC misconfig rules (5 rules), NetworkPolicy analysis (3 rules), and container image CVE scan via Trivy. Tier 2 reads via the K8s API for one-shot posture detection; it does not maintain a continuous in-cluster topology watch (no live event stream on namespaces / pods / RBAC objects / CRDs). Continuous topology + real-time RBAC inventory + shadow-secret detection + CRD-aware AI workload discovery require Tier 3.
Tier 3: EcheDeep (Runtime Telemetry)
- Deployment: Kernel-level agent (Kubernetes DaemonSet) + SDK
- Scan mode: Continuous + event-driven
- Best for: Zero-day detection, lateral movement analysis, deep runtime security
Capabilities Beyond Tier 2
| Feature | Description |
|---|---|
| Live K8s topology — 16+ kinds | client-go informer watch on Namespace / Node / Pod / Service / Deployment / StatefulSet / DaemonSet / Job / CronJob / Ingress / NetworkPolicy / ServiceAccount / Role / ClusterRole / RoleBinding / ClusterRoleBinding / HPA / PVC / PV — plus CRD registry. Every change observed in real time (sub-second). Cloud flavour (GKE / EKS / AKS / on-prem) auto-detected from Node ProviderID so assets land under the correct cloud account in your inventory. |
| Strict-ZK Secret + ConfigMap inventory | Uses Kubernetes metadatainformer so the API server returns only PartialObjectMetadata envelopes — the agent process never holds .Data bytes in memory by construction. Detect shadow secrets created outside your Vault / KMS provisioning flow without ever reading their values. The strictest secret-discovery posture in the industry. |
| Shadow AI / ML workload discovery | First-class CRD watch for Kubeflow Notebook, KServe InferenceService, Argo Rollouts, KubeRay RayCluster, Seldon SeldonDeployment, Run:ai RunaiJob. Surfaces the data-science team's GPU pod that bypassed your CI gate — the security blind spot every other CSPM misses. |
| End-to-end Zero-Knowledge with browser-side decrypt | Sensitive findings (T3.4 process, T3.5 anomaly, T3.6 IOC) encrypted on-host with a per-event AES-256-GCM DEK wrapped under your KMS (AWS / GCP / Vault). EchelonGraph SaaS stores ciphertext only; the analyst's browser decrypts via our open-source TypeScript Browser SDK. The only commercial agent where the SaaS operator can't read your raw runtime data — Sysdig, Aqua, Wiz all decrypt server-side. |
| Shadow API discovery | Detect undocumented APIs communicating across your network |
| Zero-day correlation | Threat intelligence integration via STIX 2.1 + TAXII 2.1 (abuse.ch URLhaus, Feodo Tracker, CISA KEV) |
| Lateral movement simulation | Model how an attacker could move through your infrastructure |
| Kernel-level telemetry | Deep process and system call monitoring via eBPF — XDP, TC, tracepoints |
| Predictive threat detection | ML-based anomaly detection on runtime patterns (24h baseline + EWMA + seasonality) |
| Auto-remediation | 9 IaC patch templates (K8s NetworkPolicy / PodSecurity / RBAC / Capabilities + AWS Terraform SG / S3 / IAM / CloudTrail / RDS) with GitHub PR + Slack approval flow |
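The per-event DEK envelope behind the Zero-Knowledge finding encryption above, together with the dual-key decryption window from the Tier 2 enterprise features, as an added Go example that is not EchelonGraph's code: a 32-byte key held in a local KeyRing stands in for the KMS wrap call, the key ids and sample event are constructed, and a rotation is modelled as adding the new KEK while the old one stays in the ring until every envelope that names it has been re-wrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is one encrypted event; its DEK is wrapped under the KEK named by KEKID.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, event)
}
// KeyRing holds every KEK still inside the rotation window, keyed by id (stands in for the KMS).
type KeyRing map[string][]byte
// aead builds AES-256-GCM; NewCipher fails only on a wrong key length, a bug rather than bad input.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prefixes a random nonce to the GCM output; open splits it off again and authenticates.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, data []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}
// Encrypt draws a fresh 256-bit DEK per event and wraps it under the current KEK; a rotation re-wraps DEKs only.
func Encrypt(kr KeyRing, current string, event []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return &Envelope{KEKID: current, WrappedDEK: seal(kr[current], dek), Ciphertext: seal(dek, event)}
}
// Decrypt unwraps with the KEK the envelope names; a KEK deleted from the ring too early makes its envelopes unreadable.
func Decrypt(kr KeyRing, e *Envelope) ([]byte, error) {
	kek, ok := kr[e.KEKID]
	if !ok { return nil, errors.New("KEK outside rotation window: " + e.KEKID) }
	dek, err := open(kek, e.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, e.Ciphertext)
}
```

Because the event ciphertext is bound to the DEK and not to the KEK, a rotation touches only the small WrappedDEK field of each stored envelope, which is what makes the swap possible without a scan interruption.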
Tier Comparison Matrix
| Capability | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Cloud resource discovery | Yes | Yes | Yes |
| Network topology mapping | Yes | Yes | Yes |
| IAM and identity audit | Yes | Yes | Yes |
| 440+ misconfiguration rules | Yes | Yes | Yes |
| CVE correlation | Yes | Yes | Yes |
| CIS benchmark mapping | Yes | Yes | Yes |
| 3D blast radius visualization | Yes | Yes | Yes |
| Compliance scoring (9 frameworks) | Yes | Yes | Yes |
| Deep network scanning (TCP/SSL/HTTP/DNS) | — | Yes | Yes |
| Shadow IT detection | — | Yes | Yes |
| Container image scanning | — | Yes | Yes |
| SBOM generation | — | Yes | Yes |
| Kubernetes CIS + RBAC audit | — | Yes | Yes |
| Runtime-enriched attack paths | — | Yes | Yes |
| Config drift detection | — | Yes | Yes |
| MITRE ATT&CK mapping | — | Yes | Yes |
| PCI DSS v4.0 control mapping | — | Yes | Yes |
| BYOK encryption | — | Yes | Yes |
| Air-gapped mode | — | Yes | Yes |
| K8s cluster as a single asset (cloud control plane) | Yes | Yes | Yes |
| K8s namespaces / pods / services as individual assets | — | — | Yes |
| K8s RBAC inventory (Roles, ClusterRoles, bindings, ServiceAccounts) — live | — | — | Yes |
| K8s Secret + ConfigMap inventory (metadata-only, zero-data-leak) | — | — | Yes |
| Shadow AI/ML workload discovery (Kubeflow, KServe, Argo Rollouts, KubeRay, Seldon CRDs) | — | — | Yes |
| Real-time eBPF runtime detection (process, anomaly, threat-intel) | — | — | Yes |
| End-to-end Zero-Knowledge with browser-side decrypt | — | — | Yes |
| Shadow API discovery | — | — | Yes |
| Zero-day threat intelligence | — | — | Yes |
| Lateral movement simulation | — | — | Yes |
| Kernel-level telemetry | — | — | Yes |
Which Tier Is Right for You?
| Use Case | Recommended |
|---|---|
| On a budget — need cloud security without spending today | Tier 1 (Free Forever — 3 cloud accounts, 500 assets, 90-day retention) |
| Quick cloud posture assessment | Tier 1 |
| Compliance audit preparation | Tier 1 |
| Private subnet and network scanning | Tier 2 |
| Container and Kubernetes posture audit | Tier 2 |
| Runtime vulnerability detection | Tier 2 |
| Regulated industry (finance, healthcare, government) | Tier 2 or 3 |
| Air-gapped / self-hosted deployment | Tier 2 |
| Live Kubernetes inventory — namespaces, pods, RBAC, NetworkPolicies | Tier 3 |
| Shadow AI / ML workload discovery (Kubeflow, KServe, Ray, Argo) | Tier 3 |
| Shadow secret detection without reading secret values | Tier 3 |
| Zero-Knowledge encryption with browser-side decrypt | Tier 3 |
| Zero-day threat detection | Tier 3 |
| Advanced threat hunting | Tier 3 |
All tiers include the full compliance engine, blast radius visualization, and alerting capabilities. Higher tiers add deeper data sources — they build on lower tiers rather than replacing them. Tier 1 is free forever (3 cloud accounts, 500 assets, 90-day retention) — start there if you're shopping for the best cloud security platform on a budget; upgrade to Tier 2 ($49/node/mo) for network depth or Tier 3 ($149/node/mo) for the live in-cluster topology + shadow AI/ML workload discovery + Zero-Knowledge runtime detection no other commercial agent ships end-to-end.