Two jobs. One product.
CloudArq runs up to 172 checks · 6 pillars · CIS mappings where applicable — coverage scales with tier. What changes between roles is which findings rise to the top, what alerts fire, and what shape the export takes.
Stop being the bottleneck on cloud questions.
Your CTO asks "are we secure?" once a quarter. CloudArq gives you a one-glance scoreboard so the answer is a screenshot, not a sprint.
- Pre-deploy: run a scan in CI · block PRs that introduce critical findings.
- On-call: every finding ships with remediation steps you can paste-and-resolve.
- Slack alerts you can ignore — criticals only, not the medium-severity noise.
- Diff audits across deploys to see what your team actually changed in AWS.
Sleep through the night without an AWS hire.
You shipped fast. The bill went up. CloudArq tells you what cost you money without you realizing it, what got exposed in a 2 a.m. push, and what to fix this Friday.
- Cost Intelligence: catch runaway AI & AWS spend — Bedrock has no spend cap, so a runaway agent or a stolen key (LLMjacking) can run up five figures before you notice. Pro and up.
- Weekly digest in your inbox — no dashboard you have to remember to check.
- Spend report by AWS service · with a one-line "fix this" for each line item.
- Set up cost controls in one step — generated Terraform & CloudFormation for AWS Budgets + a billing alarm, templated from your real spend. (Honest: budgets alert you early; AWS has no hard spend cap.) Export the fix for every cost finding as one bundle.
- Investor-ready PDF audit on demand, with severity-sorted findings.
- Tier-upgrade nudges when usage crosses thresholds — no surprise overages.
Each pillar, distilled to a sentence.
IAM mis-config, public S3 buckets, open ports, no-MFA root, unrotated keys, KMS rotation, GuardDuty status, Security Hub coverage.
Unattached EBS volumes, idle NAT gateways, oversized EC2, gp2 → gp3 conversions, stopped instances with attached volumes, unused EIPs. Cost Intelligence (Pro+) adds where your AWS spend — including AI/Bedrock — is going, with spend-spike and possible-LLMjacking detection, each with the fix.
Missing RDS backups, single-AZ databases, no auto-recovery, missing CloudWatch alarms, DynamoDB without PITR, single-AZ load balancers.
Burstable EC2 with depleted credits, missing CloudFront caching, RDS read replicas, Lambda memory tuning, S3 transfer acceleration.
Missing CloudWatch log retention, no CloudFormation drift detection, IAM Access Analyzer disabled, Systems Manager unmanaged hosts.
Workloads in non-renewable regions, Graviton candidates, unused snapshots, oversized Lambda packages, S3 lifecycle gaps.
This is a sample — not the full scanner enumeration. View the complete check set in the docs.
Pull every finding into your own tools.
The public REST API lives at /api/v1. Authenticate with an X-API-Key header (mint keys from API Docs in-app). API access is a Max-tier feature. Pair it with Slack, PagerDuty, and signed webhooks (Pro+) to wire findings straight into your incident flow.
List completed audits with scores, finding counts, and waste totals.
Every finding for an audit — severity, service, remediation.
Cost breakdown by AWS service, plus the AI/Bedrock spend view.
Kick off a read-only scan on a connection from CI or a cron.
Every API call is read-only against your AWS account. Full reference + auth flow in the docs.
Not sure which one is you? That's fine — run a scan.
The first scan is free on the Starter tier. We'll show you what the platform finds in your account — and which persona ranking surfaces the most relevant findings.