Ctadel

Quickstart: triage to remediation

This is the shortest realistic path from "just signed up" to "I closed my first attack path". It assumes you have at least one cloud account you can connect.

1. Sign up (5 min)

Follow Sign up. You should end up logged in as an Admin.

2. Connect your cloud account(s) (10 to 30 min)

Connect at the broadest scope you can: an organisation-level credential covers every account, project or subscription underneath it. Toxic combinations are correlated across everything you have connected, so a partial inventory shows partial paths, and a path that crosses into an unconnected account is missed entirely.

Follow Connect your first cloud account for each cloud you have.

3. Wait for the first full scan

Resource discovery starts within minutes and your inventory populates progressively. A complete scan, including disk snapshots and audit log baselines, takes longer:

  • A small environment (one account, dozens of resources): tens of minutes.
  • A medium one (multi-account, hundreds of resources): a few hours.
  • A large one (organisation, thousands of resources): up to a day.

The Findings page is usable as soon as the first results land; you do not have to wait for steady state to start triaging.

4. Open the highest-severity toxic combination

Open Toxic Combinations. Sort by severity if it is not already.

Click the top row. The detail panel shows you:

  • The full attack path as a graph (Internet, VM, Secret, Database, etc.).
  • Which resources are involved.
  • A list of findings that participate in the path.

Read the path top to bottom. The first node is usually Internet; the last node is usually the high-value asset (a database, a bucket with PII, an admin role). The "fix" is to break any one edge of the path, usually the cheapest one. Breaking an edge closes this path; the same asset may still be reachable through a different one, which is why the loop ends with verification rather than with the fix.

5. Apply a remediation

Click on a finding inside the path. The detail panel includes a Remediation tab with console / Terraform / CLI examples.

The cheapest break-point is almost always one of:

  • Remove public exposure. Restrict a security group, disable a public IP, switch a bucket to private.
  • Rotate or remove the leaked secret. Most toxic combinations involve a secret somewhere in the chain.
  • Reduce a privilege. Replace wildcard (*) actions and resources with the specific ones the workload actually uses.

Apply the fix wherever the resource is actually managed: in the cloud console, or in Terraform or the CLI if the resource is defined there. A console-only change to a Terraform-managed resource is reverted by the next apply, and the finding reopens.

6. Wait for verification

Ctadel verifies fixes automatically on the next scan cycle (daily). You don't have to mark anything yourself: when the rule no longer matches the resource, the finding moves to RESOLVED and the toxic combination disappears from the list.

If the finding is still OPEN after the next scan, the fix did not take: either it was applied to a different resource than the one named in the path, or the rule still matches (for example, the security group is narrower but another rule in it still allows 0.0.0.0/0). Check that a scan has actually run since you applied the change, compare the resource identifiers against the finding, re-read the remediation and try again.
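As an added illustration of steps 4 to 6 (example code written for this page, not Ctadel's engine or data model), the Python below derives an Internet → VM → Secret → Database path from a constructed inventory, applies two of the break-points from step 5, and re-scans to see which finding moves to RESOLVED and whether the path is actually gone. The resource shapes, rule names and identifiers (sg-web, vm-app, role-app, db-prod, rds-db:connect) are all assumptions. It also covers a case the quickstart does not spell out: when the asset is reachable by two routes, resolving one finding leaves the toxic combination open.

```python
"""Added example (not Ctadel's code): a toy model of the scan -> correlate -> fix ->
verify loop.  Resource shapes, rule names and the inventory are constructed."""
import copy
from collections import deque

# Constructed inventory: an SSH-exposed VM holding the production DB password
# in its user data, with an instance role allowing "*" on "*".  Ids are hypothetical.
INVENTORY = {
    "sg-web": {"type": "SecurityGroup",
               "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    "vm-app": {"type": "VM", "public_ip": True, "security_groups": ["sg-web"],
               "user_data_secrets": ["db-password"], "role": "role-app"},
    "role-app": {"type": "Role",
                 "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "db-prod": {"type": "Database", "credential": "db-password"},
}

def rule_public_exposure(inv):
    """Public IP plus a security group open to 0.0.0.0/0: the Internet reaches the VM."""
    for rid, r in inv.items():
        if r["type"] == "VM" and r.get("public_ip") and any(
            i["cidr"] == "0.0.0.0/0"
            for sg in r.get("security_groups", []) for i in inv[sg]["ingress"]
        ):
            yield ("PUBLIC_EXPOSURE", rid, ("Internet", f"VM:{rid}"))

def rule_embedded_secret(inv):
    """A secret baked into user data: whoever controls the VM holds the secret."""
    for rid, r in inv.items():
        if r["type"] == "VM":
            for s in r.get("user_data_secrets", []):
                yield ("EMBEDDED_SECRET", rid, (f"VM:{rid}", f"Secret:{s}"))

def rule_credential_reuse(inv):
    """A database authenticating with a known secret: holding the secret reaches the DB."""
    for rid, r in inv.items():
        if r["type"] == "Database" and r.get("credential"):
            yield ("CREDENTIAL_REUSE", rid,
                   (f"Secret:{r['credential']}", f"Database:{rid}"))

def rule_wildcard_privilege(inv):
    """Instance role allowing "*" on "*": the VM reaches every database directly."""
    for rid, r in inv.items():
        if r["type"] != "VM" or not r.get("role"):
            continue
        for stmt in inv[r["role"]]["policy"]:
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if stmt["Effect"] == "Allow" and "*" in acts and stmt["Resource"] == "*":
                for did, d in inv.items():
                    if d["type"] == "Database":
                        yield ("WILDCARD_PRIVILEGE", r["role"],
                               (f"VM:{rid}", f"Database:{did}"))

RULES = [rule_public_exposure, rule_embedded_secret,
         rule_credential_reuse, rule_wildcard_privilege]

def scan(inv):
    """Run every rule once; each finding is (type, resource id, graph edge)."""
    return [f for rule in RULES for f in rule(inv)]

def attack_path(findings, target):
    """Shortest Internet -> target path over finding edges (BFS), or None if none."""
    adj = {}
    for _, _, (src, dst) in findings:
        adj.setdefault(src, []).append(dst)
    prev, queue = {"Internet": None}, deque(["Internet"])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def verify(before, after):
    """Mirror of step 6: a finding is RESOLVED once its rule no longer matches."""
    return {f: ("OPEN" if f in after else "RESOLVED") for f in before}

def remediate_restrict_ssh(inv):
    """Step 5, 'remove public exposure': limit SSH to a constructed admin CIDR."""
    fixed = copy.deepcopy(inv)
    fixed["sg-web"]["ingress"] = [{"port": 22, "cidr": "10.0.0.0/8"}]
    return fixed

def remediate_least_privilege(inv):
    """Step 5, 'reduce a privilege': replace "*" with the one action used (constructed)."""
    fixed = copy.deepcopy(inv)
    fixed["role-app"]["policy"] = [{"Effect": "Allow", "Action": ["rds-db:connect"],
                                    "Resource": "db-prod"}]
    return fixed
```

Run `scan(INVENTORY)` and then `attack_path(findings, "Database:db-prod")` on each result. On the constructed inventory the shortest path is Internet → VM → Database via the wildcard role; applying `remediate_least_privilege` resolves that one finding but the longer route through the embedded secret keeps the path open, whereas `remediate_restrict_ssh` removes the only Internet edge and closes every route. That is the distinction between "a finding went RESOLVED" and "the toxic combination is gone" that step 6 relies on.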

You're done

You've now seen the entire core loop: scan, correlate, triage, fix, verify.

From here:

  • Set up alerts so the next critical finding pings your team on Slack instead of waiting in the UI.
  • Invite teammates and assign roles.