Ctadel

CNAPP in 5 minutes

If you have used a SIEM or an EDR but never a CNAPP, this page is for you. It covers the five ideas that drive everything else in the documentation.

1. Posture vs. runtime

There are two complementary ways to look at cloud security:

  • Posture is what your environment looks like right now: which buckets are public, which IAM roles are over-privileged, which packages are out of date. It's a static photo, taken daily.
  • Runtime is what your environment is doing: who just attached an AdministratorAccess policy, which identity downloaded 2 GB from a sensitive bucket in the last five minutes. It's a stream of events.

A CNAPP covers both. The posture side stops issues before they're exploited; the runtime side catches what slips through.

2. Agentless scanning

Older cloud security tools required you to install agents on every VM and a sidecar in every pod. That model accumulates problems quickly: compatibility issues across kernels and OS versions, unexpected crashes, CPU and memory overhead on busy nodes, and a permanent maintenance burden as the agent itself needs to be patched.

A modern CNAPP, including Ctadel, is agentless. It reads configuration through the cloud provider's APIs using read-only credentials, takes read-only snapshots of your disks and scans them offline, and queries the Kubernetes API directly. Nothing runs on your workloads.

3. The graph

A CNAPP isn't useful if it gives you a flat list of 10,000 findings. The differentiator is how it correlates them. Ctadel, like Wiz, Orca, and a few others, stores everything as a graph: nodes are resources (VMs, buckets, identities, secrets), edges are relationships (uses-role, can-reach, contains-secret).

The graph is what makes the next two ideas possible.

4. Attack paths

An "attack path" is a sequence of edges in the graph that an attacker could chain. Example:

Internet → Public VM → Leaked secret → Database holding PII

No single node in that path is necessarily critical on its own. The path as a whole is what's dangerous. Listing nodes alone, the way old CSPM tools do, buries the lede.

5. Toxic combinations

A toxic combination is the pre-canned, named version of an attack path. It's a pattern the platform looks for continuously: "any internet-reachable VM that holds a valid secret granting access to a database with sensitive data". When the pattern matches, you get one finding instead of four, and that finding has a complete remediation story.

This is the single most useful concept in CNAPP. It cuts your alert volume by an order of magnitude and tells you which fixes actually break attack paths.
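The three ideas in sections 3, 4 and 5 fit together in a few dozen lines, so here is an added worked example (not Ctadel's own code or data model) that builds a small resource graph with the node kinds and edge names from section 3, enumerates attack paths from the internet to sensitive data as in section 4, and then matches the toxic-combination pattern quoted in section 5. Every resource, relationship and attribute is constructed sample data; the function names and the "valid"/"sensitive" attributes are assumptions made for the example.

```python
"""Toy CNAPP graph: attack-path search and toxic-combination matching.
Added example, not Ctadel's code; all data below is constructed."""
from collections import defaultdict

# Nodes: resource id -> attributes (constructed sample inventory)
NODES = {
    "internet":    {"kind": "internet"},
    "web-vm":      {"kind": "vm"},
    "batch-vm":    {"kind": "vm"},
    "deploy-key":  {"kind": "secret", "valid": True},
    "old-key":     {"kind": "secret", "valid": False},  # rotated, no longer works
    "svc-key":     {"kind": "secret", "valid": True},
    "customer-db": {"kind": "database", "sensitive": True},
    "metrics-db":  {"kind": "database", "sensitive": False},
}

# Edges: (source, relationship, target); internet reachability is itself an edge
EDGES = [
    ("internet",   "can-reach",       "web-vm"),
    ("web-vm",     "contains-secret", "deploy-key"),
    ("web-vm",     "contains-secret", "old-key"),
    ("deploy-key", "grants-access",   "customer-db"),
    ("old-key",    "grants-access",   "customer-db"),
    ("batch-vm",   "contains-secret", "svc-key"),   # batch-vm is not internet-reachable
    ("svc-key",    "grants-access",   "customer-db"),
    ("svc-key",    "grants-access",   "metrics-db"),
]


def adjacency(edges):
    """Outgoing edges per node: src -> [(relationship, dst), ...]."""
    out = defaultdict(list)
    for src, rel, dst in edges:
        out[src].append((rel, dst))
    return out


def find_attack_paths(nodes, edges, start, is_target, max_depth=6):
    """Section 4: every simple path (no repeated node) from `start` to a node
    whose attributes satisfy `is_target`. Each path is a list of node ids."""
    out = adjacency(edges)
    paths = []

    def walk(node, path):
        if node != start and is_target(nodes[node]):
            paths.append(path)
            return
        if len(path) > max_depth:
            return
        for _rel, nxt in out[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def flat_findings(nodes, edges):
    """The Findings-page view: one uncorrelated finding per resource-level issue."""
    findings = []
    for src, rel, dst in edges:
        if rel == "can-reach" and nodes[src]["kind"] == "internet":
            findings.append(f"{dst}: VM reachable from the internet")
        if rel == "contains-secret" and nodes[dst].get("valid"):
            findings.append(f"{src}: holds valid secret {dst}")
        if rel == "grants-access" and nodes[src].get("valid"):
            findings.append(f"{src}: secret grants access to {dst}")
    for rid, attrs in nodes.items():
        if attrs["kind"] == "database" and attrs.get("sensitive"):
            findings.append(f"{rid}: database holds sensitive data")
    return findings


def toxic_combinations(nodes, edges):
    """Section 5 pattern: internet-reachable VM -> valid secret -> sensitive DB.
    One finding per match, with the edges whose removal would break the path."""
    out = adjacency(edges)
    findings = []
    for _rel, vm in out["internet"]:
        if nodes[vm]["kind"] != "vm":
            continue
        for rel1, secret in out[vm]:
            if rel1 != "contains-secret" or not nodes[secret].get("valid"):
                continue
            for rel2, db in out[secret]:
                if rel2 != "grants-access" or not nodes[db].get("sensitive"):
                    continue
                findings.append({
                    "path": ["internet", vm, secret, db],
                    "remediation": [f"remove internet exposure of {vm}",
                                    f"rotate {secret} and stop storing it on {vm}",
                                    f"restrict {db} access to non-exposed identities"],
                })
    return findings


if __name__ == "__main__":
    sensitive_db = lambda a: a["kind"] == "database" and a.get("sensitive", False)
    for p in find_attack_paths(NODES, EDGES, "internet", sensitive_db):
        print("path:", " -> ".join(p))
    print(len(flat_findings(NODES, EDGES)), "flat findings")
    for tc in toxic_combinations(NODES, EDGES):
        print("TOXIC:", " -> ".join(tc["path"]), "| first fix:", tc["remediation"][0])
```

Running it on the sample graph shows the difference the text describes: the flat view produces seven findings, the path search finds two chains from the internet to customer-db, and the toxic-combination pattern reports exactly one of them, because the second chain runs through a rotated secret that no longer grants access. The svc-key chain through batch-vm never appears, since nothing reaches batch-vm from the internet; it is a finding, not an attack path.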

What that means for using Ctadel

  • The Findings page is the flat-list view. Useful for compliance audits, less useful for triage.
  • The Toxic Combinations page is the prioritised view. This is where you go to decide what to fix first.
  • The Inventory page is the graph from the resource angle: open any resource, see all its findings, all its relationships, all its toxic combos.

Where to go next