

Identity threat detection and response startup Permiso Security Inc. today announced the launch of a new open-source tool designed to help security teams quickly detect threat actors in their Microsoft Corp. Azure and Amazon Web Services Inc. environments.
Called CloudGrappler, the new tool is built on the foundation of Cado Security Ltd.’s cloudgrep project and adds detections built from the tactics, techniques and procedures (TTPs) of modern cloud threat actors such as LUCR-3/Scattered Spider.
CloudGrappler queries for activity associated with notorious cloud threat actors and is said to excel at detecting and analyzing single log events. It does so while offering a comprehensive view of potential security incidents that are occurring or have occurred in an organization’s environment, building on cloudgrep to make threats easier to find in AWS and Azure environments.
The tool is freely available on GitHub and allows users to define the data sources they want to scope in their scan. Through another JSON file, users can leverage a list of predefined TTPs that are commonly used by cloud threat actors.
CloudGrappler users can also add new queries dynamically or add a new file with multiple queries to scan the target data set. After scanning, CloudGrappler delivers a full JSON report that includes a detailed breakdown of the scan results.
“Knowing where to look and what to look for is key when searching for malicious activity,” said Andi Ahmeti, associate threat researcher at P0 Labs, the research arm of Permiso. “CloudGrappler makes ongoing hunting for malicious activity as simple as a one-line command. It lets you seamlessly integrate Permiso intel and TTP-based detections into your threat hunting and incident response process, even if you don’t have a SIEM.”
Permiso is a venture capital-backed startup, having raised $10 million in funding, according to Tracxn, from investors including Point72 Ventures LLC, Foundation Capital LLC, Work-Bench, 11.2 Capital LP and Rain Capital Management LLC.
The company offers an identity threat detection platform that finds “evil” in cloud-based environments. It creates session constructs for identities across cloud and software-as-a-service applications to break down visibility boundaries and understand user behavior and intent across an organization’s environment.
The platform creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso can detect access anomalies, behavioral anomalies or specific activities associated with compromised credentials.