All features Cloud · Google Cloud

CSPM for Google Cloud

16 checks for Google Cloud — IAM and service accounts, public storage buckets, open firewall rules, Cloud SQL exposure, DNSSEC and log export. Agentless, read-only, per project.

Get started Run a free scan
16GCP checks
6services
Perproject
gcp-security-posture 54
IAMPrimitive rolesFAIL
GCSPublic bucketFAIL
FWFirewall 0.0.0.0/0CHECK
LOGAudit log exportPASS
What we check

16 checks across every connected project

An agentless scan reads each connected Google Cloud project through a read-only viewer role and runs 16 checks — flagging over-broad IAM, publicly exposed storage, wide-open firewalls, unprotected databases, and missing audit and DNS integrity.

IAM & service accounts

Primitive owner/editor roles granted at project level, user-managed service-account keys, service accounts with token-creator or actAs, and default service accounts left with broad access.

Cloud Storage exposure

Buckets granted to allUsers or allAuthenticatedUsers, uniform bucket-level access disabled, public objects, and missing default encryption or versioning on data-critical buckets.

VPC firewall & network

Firewall rules open to 0.0.0.0/0 on SSH, RDP and database ports, the default network left in place, and VPC flow logs disabled on the subnets that carry real traffic.

Cloud SQL & data

Cloud SQL instances with a public IP, SSL not enforced, no automated backups, and authorized networks opened to the whole internet — the databases attackers reach first.

DNSSEC & Cloud DNS

Managed DNS zones with DNSSEC disabled and weak signing configuration — the record integrity gap that lets an attacker forge answers for a client's domains.

Logging & audit export

Data-access audit logs disabled, no log sink or export configured, and short retention — so nothing meaningful happens in the project with a durable, exportable record.

How it connects

A read-only viewer role, then it runs itself

Connecting a project is a one-time service-account authorization with a read-only viewer role — no agent to install, no keys to hand over, and no write access anywhere in your environment.

Read-only viewer role

A service account is granted the read-only Viewer and Security Reviewer roles, scoped per project or folder. Paste the credentials and the project is connected — no stored owner keys, no agent, no write permissions.

Continuous re-scan

Once connected, the project is re-scanned on a schedule with the same zero footprint. Each scan tracks what is new and what has been resolved since last time, so both drift and fixes surface on their own.

Unified findings

Google Cloud findings land in the same queue as every other source — ranked by real-world risk, paired with AI remediation guidance, mapped to your compliance frameworks, and folded into cross-surface attack paths.

Part of one platform

Google Cloud exposure, in the context of everything else

Google Cloud posture never sits in its own console. Every finding is correlated with your Windows, Linux and macOS endpoint agents and your other cloud and identity data on one platform — so a public bucket or an over-privileged service account becomes a named step in a real attack path, not an isolated ticket.

  • Correlated with endpoint & other cloud identity
  • Findings become steps in named attack paths
  • KEV / EPSS-ranked, real-world severity
  • Paired with AI remediation, mapped to 10 frameworks
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,692 checks.