The security graph
Why a graph
Cloud environments are graphs by nature: VMs run in subnets, subnets are inside VPCs, identities assume roles, roles attach policies, policies grant access to resources. When that inventory is stored as flat lists, the connections that make security questions answerable are lost.
A graph stores the relationships as first-class. "How can the Internet reach this database?" becomes a single path query instead of joining many tables in your head.
What's in the graph
| Family | Examples |
|---|---|
| Compute | Instances, serverless functions, containers, Kubernetes workloads |
| Storage | Buckets, databases, volumes, snapshots |
| Network | VPCs, subnets, security groups, load balancers, public IPs |
| Identity | Users, service accounts, roles, policies, groups |
| Cluster | Kubernetes clusters, nodes, namespaces |
| Findings | Every detected issue, attached to the resource it concerns |
| Special | The Internet (the implicit external boundary), external accounts |
Every node carries its cloud and project so multi-tenant views stay scoped.
How edges are built
Edges encode the relationships that matter for security:
| Edge | Read as |
|---|---|
| Deployed in | An Instance lives in a Subnet |
| Can reach | The Internet can reach an Instance (security group + ACL allow it) |
| Assumes | A user can assume a role |
| Can access | A role grants effective access to a database |
| Has finding | A bucket has an open finding attached |
| Contains PII | A database holds sensitive data, marked by DSPM |
| Shared with | A database is shared with an external account |
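To make the two tables above concrete, here is an added example (not Ctadel's code or data model) that builds a small graph from the node families and edge types listed, then answers "how can the Internet reach a database that contains PII?" as a path query. It assumes that only Can reach, Assumes and Can access edges describe movement, while Deployed in, Has finding and Contains PII are structural labels; all node names are constructed.

```python
from collections import defaultdict, deque

# Edge types from the page. Only some describe a step an attacker could take;
# the others (deployed_in, has_finding, contains_pii, shared_with) describe
# structure or labels and are never followed by a reachability query.
TRAVERSAL_EDGES = {"can_reach", "assumes", "can_access"}

# Constructed sample graph as (source, edge, target) triples; hypothetical names.
EDGES = [
    ("internet", "can_reach", "lb-web"),            # Special -> Network
    ("lb-web", "can_reach", "vm-web-1"),            # Network -> Compute
    ("vm-web-1", "deployed_in", "subnet-public"),   # structural, not traversed
    ("vm-web-1", "assumes", "role-app"),            # Compute -> Identity
    ("role-app", "can_access", "db-orders"),        # Identity -> Storage
    ("role-app", "can_access", "db-analytics"),
    ("db-orders", "contains_pii", "dspm:customer-records"),
    ("svc-batch", "assumes", "role-admin"),         # not reachable from internet
    ("role-admin", "can_access", "db-hr"),
    ("db-hr", "contains_pii", "dspm:employee-records"),
]


def build_adjacency(edges):
    """Index edges by source node so each search step costs one out-degree."""
    adj = defaultdict(list)
    for src, kind, dst in edges:
        adj[src].append((kind, dst))
    return adj


def has_label(adj, node, edge_kind):
    """True if `node` carries an outgoing edge of a non-traversal kind."""
    return any(kind == edge_kind for kind, _ in adj[node])


def exposed_pii_paths(edges, source="internet"):
    """BFS from `source` over traversal edges only. Returns the shortest path
    to every node that has a Contains PII edge, as [node, edge, node, ...]."""
    adj = build_adjacency(edges)
    queue, seen, hits = deque([[source]]), {source}, []
    while queue:
        path = queue.popleft()
        node = path[-1]
        if has_label(adj, node, "contains_pii"):
            hits.append(path)
        for kind, dst in adj[node]:
            if kind in TRAVERSAL_EDGES and dst not in seen:
                seen.add(dst)
                queue.append(path + [kind, dst])
    return hits


if __name__ == "__main__":
    for path in exposed_pii_paths(EDGES):
        print(" -> ".join(path))
```

Running it reports only db-orders: db-analytics is reachable but holds no PII, and db-hr holds PII but has no traversal path from the Internet.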
How it stays current
Ctadel pulls inventory from your cloud APIs on a schedule and builds the security graph incrementally. The result is an eventually-consistent graph that converges to your actual cloud state, scan after scan. Most changes appear within a few minutes of happening in the cloud.
How you use it
Three ways:
- Implicitly: every detector queries the graph, so you don't need to think about it.
- The detail panel for any finding includes a slice of the graph centered on the affected resource.
- The Explorer lets you ask the graph your own questions, with templates for the common ones.
What's next
- Toxic combinations & attack paths, what the graph enables
- The Explorer module