Compare All Three Tiers
EcheSky (Tier 1) is agentless and ships in minutes. EcheNet (Tier 2) adds a lightweight in-cluster agent. EcheDeep (Tier 3) runs an eBPF DaemonSet for runtime detection — without your data ever leaving the cluster in plaintext.
EcheSky (Tier 1): Agentless cloud scanner. Read-only IAM, hourly scans, 440+ misconfig rules.
EcheNet (Tier 2): Lightweight pod/sidecar. Continuous container scanning, runtime CVE correlation, SBOM.
EcheDeep (Tier 3): DaemonSet eBPF agent. Runtime anomalies, IOC matching, customer-KMS envelope encryption, on-cluster remediation.

| Feature | Tier 1 EcheSky | Tier 2 EcheNet | Tier 3 EcheDeep |
|---|---|---|---|
| Deployment & Operations | | | |
| Deployment model | Agentless (API only) | Lightweight agent | Continuous on-cluster |
| Scan trigger | Manual / scheduled | Continuous (real-time) | Continuous + event-driven |
| Customer infra footprint | Read-only IAM only | Pod / sidecar | DaemonSet (1 per node) |
| Egress required | ✓ | ✓ | ✓ |
| Air-gapped install | — | ◐ | ✓ |
| Asset Discovery | | | |
| Cloud resources (compute, DB, storage) | ✓ | ✓ | ✓ |
| Network topology (VPC, subnets, FW) | ✓ | ✓ | ✓ |
| IAM & service accounts | ✓ | ✓ | ✓ |
| Container images & registries | — | ✓ | ✓ |
| Runtime processes & syscalls | — | ✓ | ✓ |
| Shadow API discovery | — | — | ✓ |
| Vulnerability Detection | | | |
| Cloud misconfiguration (440+ rules) | ✓ | ✓ | ✓ |
| CVE correlation (version → CVE) | ✓ | ✓ | ✓ |
| CIS benchmark mapping | ✓ | ✓ | ✓ |
| Runtime vulnerability detection | — | ✓ | ✓ |
| Container image scanning | — | ✓ | ✓ |
| SBOM generation | — | ✓ | ✓ |
| Zero-day correlation (threat intel) | — | — | ✓ |
| Runtime & Detection | | | |
| Process anomaly detection (eBPF) | — | ◐ | ✓ |
| Network anomaly + IOC matching | — | ◐ | ✓ |
| Lateral movement simulation | — | — | ✓ |
| PII redaction at the bridge (zero-knowledge) | n/a | n/a | ✓ |
| Per-event KMS-wrapped envelope encryption | n/a | n/a | ✓ |
| Customer-controlled KMS (AWS / GCP / Vault) | — | — | ✓ |
| Compliance & Frameworks | | | |
| CIS v2.0 | ✓ | ✓ | ✓ |
| SOC 2 Type II controls | ✓ | ✓ | ✓ |
| HIPAA / PCI DSS v4.0 | ✓ | ✓ | ✓ |
| Custom Compliance Builder (Pro+) | — | ✓ | ✓ |
| Cross-framework score recompute | ✓ | ✓ | ✓ |
| Daily score snapshots + 30-day trend | — | ✓ | ✓ |
| Scheduled compliance reports (HTML/CSV/PDF) | — | ✓ | ✓ |
| Remediation | | | |
| Remediation suggestions | ✓ | ✓ | ✓ |
| Approval-gated patches (dry-run by default) | — | ✓ | ✓ |
| Auto-PR via GitHub / GitLab connectors | — | ✓ | ✓ |
| Per-tenant remediation mode (dry-run / approval / pr / auto) | — | ✓ | ✓ |
| Apply patches in customer cluster | — | — | ✓ |
| Observability & SLA | | | |
| Prometheus /metrics endpoint | n/a | ✓ | ✓ |
| Cross-pod log correlation IDs | n/a | ◐ | ✓ |
| 99.9% ingester uptime target | ✓ | ✓ | ✓ |
| Detection latency P95 ≤ 15s (process anomaly) | — | — | ✓ |
Need runtime detection + zero-knowledge?
Tier 3 (EcheDeep) ships eBPF process + network detection, IOC matching against URLhaus/Feodo/CISA KEV, customer-controlled envelope encryption (AWS KMS / GCP Cloud KMS / Vault), and on-cluster remediation — without data leaving your cluster in plaintext.