
Security Finding Demo

Detect IAM/public resource risk → explain impact → human approves remediation.

Security Engineer reads → analyzes → recommends. Remediation requires approval.

Steps: 4
Est. time: ~6 min
Audience: public
Reviewed: 2026-05-23
Role: engineer · Security Engineer

data flow

scenario architecture


   scan  ──finding──▶  Security Engineer  ──impact──▶  blast radius
                              │
                          remediation plan
                          (terraform diff + rollback)
                              │
                              ▼
                      two-person approval  ──tip──▶  apply
Step 1/4 · No approval needed

Public bucket detected

S3 bucket with public-read ACL surfaces in the scan.

visionxixlabs.com

Risk #1

Severity: high · CVSS-style score 7.1 / 10 · rule: iam-admin-access


· evidence rows: 4
· blast radius: prod account
· compliance: SOC2 CC6.1
· owner team: platform-sec
· exploit reachability: high
· first seen: 14 days ago
Kernel: Severity is a pure function of (exposure, blast radius, compliance binding, exploit reachability). The same inputs always yield the same severity; the function is unit-tested against a fixture set.

Read-only inventory

The first scan touches list-* and describe-* APIs only. Findings are computed in pure kernels (no provider mutation). A source-mode flag (live, preview or blocked) travels with every row, so you always know what's real.

safety invariants in play

  • Read-only by default: no write API is even minted until you explicitly grant write scope.

expected result

Risk card with severity + evidence.

engineering principle

Security findings travel with provenance: which scan, which rule, which resource, which compliance binding. The recommendation is a separate kernel from the detection, which makes it easier to evolve the two independently.
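The pure severity kernel and the separate recommendation kernel described above, as an added Python example that is not the demo's own code. The Finding fields, the weights and thresholds, and the plan layout are assumptions made for illustration; the sample row is constructed.

```python
from dataclasses import dataclass

# Weights and thresholds are an assumption for illustration, not the demo's formula.
EXPOSURE = {"private": 0.0, "account": 1.0, "org": 2.0, "public": 3.0}
REACHABILITY = {"none": 0.0, "low": 1.0, "medium": 1.5, "high": 2.5}

@dataclass(frozen=True)
class Finding:
    scan_id: str               # provenance: which scan produced the row
    rule: str                  # provenance: which rule fired
    resource: str              # provenance: which resource
    compliance: tuple          # provenance: compliance bindings, e.g. ("SOC2 CC6.1",)
    exposure: str              # private / account / org / public
    blast_radius: str          # e.g. "prod account"
    exploit_reachability: str  # none / low / medium / high
    source_mode: str           # live / preview / blocked

def severity(exposure, blast_radius, compliance, exploit_reachability):
    """Pure kernel: (score 0-10, label) from four inputs; no I/O, no provider calls."""
    score = EXPOSURE[exposure] + REACHABILITY[exploit_reachability]
    score += 1.5 if blast_radius.startswith("prod") else 0.5
    score += 0.5 if compliance else 0.0
    score = min(round(score, 1), 10.0)
    labels = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
    label = next(name for floor, name in labels if score >= floor)
    return score, label

def recommend(finding):
    """Separate kernel: builds a plan and carries provenance; never mutates anything."""
    score, label = severity(finding.exposure, finding.blast_radius,
                            finding.compliance, finding.exploit_reachability)
    return {
        "provenance": {"scan": finding.scan_id, "rule": finding.rule,
                       "resource": finding.resource, "compliance": finding.compliance},
        "severity": label,
        "score": score,
        "apply": f"remove public-read ACL from {finding.resource}",
        "rollback": f"restore the previous ACL on {finding.resource}",
        "approvals_required": 2,                      # two-person approval before apply
        "applicable": finding.source_mode == "live",  # preview/blocked rows never apply
    }

# Constructed sample row; scan id, rule name and bucket ARN are made up for the example.
SAMPLE = Finding("scan-0001", "s3-public-read-acl", "arn:aws:s3:::example-bucket",
                 ("SOC2 CC6.1",), "public", "prod account", "high", "preview")
```

Because severity and recommend are pure, a fixture set of (inputs, expected label) tuples is enough to pin their behaviour in unit tests.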