Amazon Web Services
Full coverage today — 578+ security checks across 82 AWS services, mapped to CIS, PCI DSS and AWS Well-Architected. Multi-region, multi-account discovery.
Connect your clouds read-only, route prioritized findings to chat and ticketing, export remediation as code, and build anything else on top with a full REST API and webhooks. No agents, no rip-and-replace.
Clouds · frameworks · chat · ticketing · IaC · identity
A read-only, cross-account role secured with a unique external ID — no agents, no inbound network access.
Compute, storage, IAM and GKE coverage growing fast, with CIS Google Cloud benchmark support rolling out across organizations and projects.
The same comprehensive approach for VMs, Blob storage, Entra ID and AKS, with CIS Azure benchmark mappings expanding across subscriptions.
Every check is mapped to recognized frameworks so evidence and gap analysis come for free. More frameworks are added regularly.
CIS Benchmark coverage for AWS, with Google Cloud and Azure expanding — the de facto baseline for cloud hardening.
Continuous PCI DSS monitoring with automated evidence collection for the controls that touch your cloud environment.
Security-pillar checks aligned to the AWS Well-Architected Framework so reviews stay accurate between assessments.
SOC 2 control mappings are on the way, joining a growing library of frameworks driven by customer demand.
Route only AI-prioritized findings into the tools your team already lives in — no alert firehose.
Push critical findings and posture changes to any channel via incoming webhooks, with context and a direct link back to the finding.
Native Teams channel notifications are on the roadmap; today you can deliver the same alerts through generic webhooks.
Open and sync issues so remediation work lands in your existing backlog. Available now through the API and webhook automation.
Trigger incidents for the highest-severity findings. Webhook-based escalation is available today ahead of the native integration.
Scheduled digests and real-time email alerts for new criticals, posture-score drops and framework status changes.
Send signed JSON events to any endpoint and wire CSPM.io into your own automation, SIEM or downstream tooling.
CSPM.io doesn't just flag issues — it generates remediation you can review and apply through your existing IaC workflow.
Ready-to-apply HCL for the affected resources, with the change scoped tightly to the finding.
Generated templates for teams standardized on native AWS infrastructure as code.
Copy-paste commands for quick, imperative fixes — complete with validation steps.
Remediation output in Pulumi for teams that define infrastructure in general-purpose languages.
Centralize access and deprovisioning through the directory you already manage.
Enterprise single sign-on with the major identity providers, including SP-initiated and IdP-initiated flows and group-based role mapping.
OAuth 2.0 and OpenID Connect sign-in for modern identity providers, with automatic user provisioning on first login.
Everything in the product is backed by an API, so CSPM.io fits the workflow you already have instead of forcing a new one.
A JSON REST API over resources, findings, accounts, scans and compliance frameworks. Authenticate with scoped, revocable API keys and rate-limited access — the same API the product is built on.
Subscribe to events — new findings, posture changes, completed scans — and receive signed JSON payloads at your endpoint to drive notifications, ticketing and automation.
The API and webhooks connect CSPM.io to almost anything today, and our roadmap is shaped by what customers ask for. Tell us what you need.
Connect an account read-only, route findings where your team works, and export fixes as code.