Your perimeter changed 47 times today.
STACK Pulse is the continuous diff of every exposed surface — security groups, NACLs, route tables, peering connections, load-balancer listeners, public buckets — with full replay of any prior state.
CSPM scans every six hours. Your perimeter changes every six minutes.
Snapshot-based posture management is structurally too slow. Pulse taps the cloud audit stream and rebuilds perimeter state in near-real-time.
Event-Tap Architecture
CloudTrail, Azure Activity Log, GCP Audit Log streamed and replayed into live perimeter state. No periodic scan windows.
Ingress Delta Stream
Every port open, rule add, peering accept surfaced with blast-radius context — which subnets, which workloads, which data.
Public Surface Inventory
S3, Blob, GCS, ELB, ALB, API Gateway, K8s LoadBalancer — one tracked object per exposed thing.
Drift to Baseline
Known-good states preserved with one-click revert. Approval-gated re-application.
ChatOps Approval Hooks
High-blast-radius changes — ingress to data tier, new peering, IAM trust adds — gated via Slack or Teams.
Forensic Replay
Reconstruct any prior perimeter state at second-precision for incident scoping and post-mortem.
→ Ingress: sg-0ab12cd34 rule added — 0.0.0.0/0:443 → data-tier subnet UNAPPROVED
→ Peering: pcx-7e8f9012 accepted from ext-vendor-vpc NEW
→ NACLs: nacl-3b4c5d6e rule 110 removed (deny ssh) DRIFT
→ Route: rtb-1a2b3c4d 10.0.0.0/8 → igw-0e1f2345 UNEXPECTED
→ Buckets: s3://prod-logs-2026 public-read ACL detected CRITICAL
→ Delta: 47 changes / 24h — 3 CRITICAL, 8 UNAPPROVED, 36 nominal
→ BASELINE drift-to-approved report emitted to compliance.evidence.json
From first event to full perimeter awareness, in two weeks
Pulse is a read-only overlay on your existing cloud audit streams, not a replacement for anything. CloudTrail, Activity Log, GCP Audit Log keep doing what they do — Pulse builds the perimeter model on top.
1. Connect
Read-only IAM role plus CloudTrail / Activity Log subscription. First perimeter event in your console within five minutes.
Week 12. Baseline
Known-good perimeter state captured and versioned. Approval workflows wired to Slack or Teams for high-blast-radius changes.
Week 13. Monitor
Full delta stream live. Drift alerts, forensic replay, and compliance evidence flowing to your SIEM and Compli.
Week 2Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
How is this different from Wiz, Orca, or Prisma Cloud?
They re-scan every 6-24 hours. We tap the cloud audit stream — sub-minute alerts on any change, plus replay you don't get from posture snapshots.
Does it require agents?
No. Read-only IAM role plus event subscription. Five minutes to first event in your console.
Which clouds and platforms?
AWS, Azure, GCP, OCI. Kubernetes via audit-webhook subscription. On-prem edge via NetFlow + config polling.
Does it integrate with our SIEM?
Yes — every delta is also a structured event. Native Splunk, Sentinel, Chronicle, Elastic, and Datadog destinations.