System 01 — cloud posture

Cerberos

The cloud attack surface is not one thing. Container images, account configuration, the Kubernetes control plane, and the node operating system each fail differently. Cerberos is four scanners, one per surface, not one scanner pretending to cover all four.

Role design + build, end to end Surface AWS + Kubernetes Output OpenSearch · ticketing Runtime ephemeral ECS Fargate

The problem

A single monolithic scanner does every layer badly: the data models conflict, one slow check stalls the others, and a failure anywhere blinds you everywhere. The commercial alternative is one product per layer — each priced as if it were the only thing you buy. Together they are expensive, overlapping, and still leave the node operating system, where containers actually run, only loosely covered.

What I built

Four focused scanners, each owning exactly one surface and emitting findings in one shared shape so everything downstream — dashboards, deduplication, ticketing — stays uniform.

EagleEye — container image exposure. Discovers every image actually running across the full range of AWS compute service types, deduplicates by image digest so the same image is scanned once, and scans with Trivy.
IronSeal — account configuration and perimeter. Runs CIS AWS benchmark and perimeter controls across every account in the organisation via Steampipe/Powerpipe.
KuTy — the Kubernetes control plane. CIS benchmark validation per cluster with Kubescape, in both machine and report form.
SlyFox — the node operating system. Discovers each unique node image in a cluster and runs a validation job pinned to a node of that exact image, because node-level CIS is only true if it is checked on the image that is actually running.

   ┌──────────────────────────────────────────────────┐
   │ EagleEye  ·  container images, 10+ AWS service   │
   │              types · Trivy · digest-deduplicated │
   └──────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────┐
   │ IronSeal  ·  AWS config + perimeter, every org   │
   │              account · Steampipe · CIS v5.0.0    │
   └──────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────┐
   │ KuTy      ·  Kubernetes control plane            │
   │              · CIS benchmarks (Kubescape)        │
   └──────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────┐
   │ SlyFox    ·  Kubernetes node OS, per-AMI · job   │
   │              pinned to each unique node image    │
   └──────────────────────────────────────────────────┘

   four scanners → one finding shape → OpenSearch + ticketing
   ephemeral ECS Fargate tasks · no idle infrastructure

cerberos — four surfaces, one finding contract

Design decisions

Four scanners, not one

Each surface gets a tool that fits it, its own cadence, and its own failure domain. EagleEye breaking does not stop IronSeal. A noisy new Kubernetes check can be tuned without risking account compliance scans.

Trade-off four deployables and a shared finding contract that has to be governed, not assumed.

Ephemeral tasks, no standing infrastructure

Every scanner is a task that starts, scans, emits, and exits. Nothing is idle between runs, which is most of the time.

Trade-off you need real orchestration and a completion signal; you trade always-on convenience for near-zero idle cost.

Per-image node validation

SlyFox does not check "a node" — it discovers every distinct node image in use and validates each one on a node that actually runs it, with matching scheduling constraints. Anything less is checking a machine that is not the machine your workloads land on.

Trade-off dynamically generating correctly-targeted jobs is the hard part; the result is a node posture you can actually trust.

Open-source engines, owned integration

Trivy, Steampipe, and Kubescape are excellent and transparent. The value I add is not re-implementing them — it is discovery, deduplication, a single finding shape, and ticket noise control around them.

Trade-off you own the glue: digest dedup, severity gating, and keeping the finding contract stable as engines change.

Operating profile

Findings are deduplicated before they reach anyone — by image digest, by control — and only high and critical findings open tickets, so the queue stays a signal rather than a feed. Dashboards carry the full picture for when someone wants it.

What I would change

The shared finding contract was discovered, not designed. It worked, but it should have been an explicit, reviewed schema from the first scanner rather than the third. That lesson is exactly what Pentagon exists to fix: a real taxonomy and lifecycle for findings, treated as a contract from day one.