16 checks across every connected project
An agentless scan reads each connected Google Cloud project through a read-only viewer role and runs 16 checks — flagging over-broad IAM, publicly exposed storage, wide-open firewalls, unprotected databases, and missing audit and DNS integrity.
IAM & service accounts
Primitive owner/editor roles granted at project level, user-managed service-account keys, service accounts with token-creator or actAs, and default service accounts left with broad access.
Cloud Storage exposure
Buckets granted to allUsers or allAuthenticatedUsers, uniform bucket-level access disabled, public objects, and missing default encryption or versioning on data-critical buckets.
VPC firewall & network
Firewall rules open to 0.0.0.0/0 on SSH, RDP and database ports, the default network left in place, and VPC flow logs disabled on the subnets that carry real traffic.
Cloud SQL & data
Cloud SQL instances with a public IP, SSL not enforced, no automated backups, and authorized networks opened to the whole internet — the databases attackers reach first.
DNSSEC & Cloud DNS
Managed DNS zones with DNSSEC disabled and weak signing configuration — the record integrity gap that lets an attacker forge answers for a client's domains.
Logging & audit export
Data-access audit logs disabled, no log sink or export configured, and short retention — so nothing meaningful happens in the project with a durable, exportable record.