What is Ctadel?
The problem
Cloud security tools used to come in pieces: one for misconfigurations, one for vulnerabilities, one for IAM, one for runtime detection. Each surfaced its own list of issues, with no sense of which issue mattered most to your environment.
CNAPP, and Ctadel specifically, solves this by treating your cloud as a graph and surfacing toxic combinations: chains of findings that, taken together, describe an attack path. A vulnerable instance with no internet exposure is one path. The same vulnerable instance, exposed to the internet, holding a leaked secret that grants read access to a database with PII, is another, far more critical, path. Both are toxic combinations; the second is what should be fixed first.
What Ctadel scans
| | What we scan | Where we look |
|---|---|---|
| Misconfigurations (CSPM) | Resource configuration drift | Scaleway, AWS, GCP, Azure APIs |
| Kubernetes posture (KSPM) | Pod Security, RBAC, network policies | Live API server |
| Sensitive data (DSPM) | PII patterns in databases & buckets | Object storage, RDS-class DBs |
| Host configuration (HCR) | CIS benchmarks for Linux / Docker | Snapshots, AMIs, container images |
| Vulnerabilities | CVEs in installed packages | Disk images, container layers |
| Secrets | Leaked tokens, keys, credentials | Buckets, volumes, IaC, env files |
| Infrastructure as Code | Terraform / K8s / Dockerfiles | Git push or PR webhook |
| Identity & entitlements (CIEM) | Over-privileged users, dormant roles | IAM trees per cloud |
| Runtime activity (CDR) | Suspicious API calls, privilege escalations | CloudTrail, audit logs, activity logs |
Why a graph
Most CNAPPs store findings as a flat list. Ctadel stores resources, relationships, and findings in a property graph. That's what makes toxic combinations possible: a query like "any internet-reachable instance that contains a valid secret granting access to a database with PII" is one query away, and runs on every change.
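As an added illustration (not Ctadel's schema or rule engine), the sketch below runs the quoted query over a small constructed graph in Python. The node properties, the `CONTAINS` and `GRANTS_ACCESS` edge types and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample graph. Node ids, property names and edge types are
# assumptions for this example, not Ctadel's graph model.
NODES = {
    "vm-web": {"kind": "instance", "internet_reachable": True},
    "vm-batch": {"kind": "instance", "internet_reachable": False},
    "sec-1": {"kind": "secret", "valid": True},
    "sec-2": {"kind": "secret", "valid": True},
    "sec-3": {"kind": "secret", "valid": False},  # revoked token
    "db-customers": {"kind": "database", "has_pii": True},
    "db-metrics": {"kind": "database", "has_pii": False},
}
EDGES = [
    ("vm-web", "CONTAINS", "sec-1"),
    ("vm-web", "CONTAINS", "sec-3"),
    ("vm-batch", "CONTAINS", "sec-2"),
    ("sec-1", "GRANTS_ACCESS", "db-customers"),
    ("sec-1", "GRANTS_ACCESS", "db-metrics"),
    ("sec-2", "GRANTS_ACCESS", "db-customers"),
    ("sec-3", "GRANTS_ACCESS", "db-customers"),
]

# The query as a path pattern: a start-node predicate, then one
# (edge type, node predicate) pair per hop.
EXPOSED_SECRET_TO_PII = [
    lambda n: n["kind"] == "instance" and n.get("internet_reachable", False),
    ("CONTAINS", lambda n: n["kind"] == "secret" and n.get("valid", False)),
    ("GRANTS_ACCESS", lambda n: n["kind"] == "database" and n.get("has_pii", False)),
]

def match_paths(nodes, edges, pattern):
    """Return every node path that satisfies the pattern, hop by hop."""
    out = defaultdict(list)
    for src, etype, dst in edges:
        out[(src, etype)].append(dst)
    paths = [[nid] for nid, props in nodes.items() if pattern[0](props)]
    for etype, pred in pattern[1:]:
        paths = [p + [nxt] for p in paths
                 for nxt in out[(p[-1], etype)] if pred(nodes[nxt])]
    return sorted(paths)

def toxic_combinations(nodes=NODES, edges=EDGES):
    return match_paths(nodes, edges, EXPOSED_SECRET_TO_PII)

if __name__ == "__main__":
    for path in toxic_combinations():
        print(" -> ".join(path))
```

A flat list would report three secrets and two databases as separate findings; the path match keeps only the one chain where every hop holds, and re-running it after a change to the graph is what surfaces a newly formed path.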
What makes Ctadel different
- Sovereign by default. Hosted in Europe, on European clouds, by a European team. No data leaves the jurisdiction you connect.
- First-class Scaleway and OVH. Most CNAPPs treat European clouds as an afterthought. We start there.
- Agentless. No daemons in your VMs, no sidecars in your pods. We pull from cloud APIs and snapshot your disks read-only.
- Open about how it works. This documentation describes the actual detections, the graph model, and the rule engine, not just marketing.
Where to go next
If you've never used a CNAPP before, head to CNAPP in 5 minutes. If you're evaluating Ctadel for your team, the live demo is the fastest way to see it. If you want to connect your own cloud, jump to Connect your first cloud account.