Skip to main content
CloudKey
Français English
Request a demo

Cybersecurity platform

Find what's exposed.
Fix what matters first.

CloudKey monitors your attack surface continuously and tells your team what to fix first. Every finding is backed by evidence, not noise.

Get your free exposure report Talk to sales
Live KEV feed, synced 2h ago
VulnMonitor operations dashboard: live queue, SLA counters, severity breakdown

SLA tightening

CVE-2025-7621 · 7 assets 14d
CVE-2024-31497 · 14 assets 12d
TEMP-2025-0418 · 4 assets 9d

The problem

Every month brings thousands of new vulnerabilities. Almost none of them put your business at risk. Finding the few that do is the real work.

0

vulnerabilities catalogued in the public record

Source: NVD. Placeholder, replace before launch

0

carry confirmed evidence of active exploitation

Source: CISA KEV. Placeholder, replace before launch

0

vendor advisories published every year

Source: vendor advisories. Placeholder, replace before launch

Our approach

How we rank thousands of advisories into what to fix this week.

Six rules behind every CloudKey output. Scroll through them, or jump.

  1. Triage

    Ranked by exploitability, not just severity

    Each finding is checked against KEV, EPSS, and your asset map before it lands on your queue. The first ten matter more than the next five hundred.

  2. Evidence

    Every finding traceable to its source

    Behind each entry sits the original advisory, the version we matched against, and the asset record. An auditor opens it and reads it. No folklore.

  3. Cadence

    Daily, not quarterly

    Advisory feeds sync every day. Exposure changes get caught the day they happen. The report your board reads next month reflects this month, not last quarter.

  4. Honesty

    No claim inflation

    If we can't show it, we don't claim it. Every number on this site is sourced or flagged as a placeholder. The product follows the same rule.

  5. Method

    Our scoring is documented, not opaque

    Read how we weight KEV, EPSS, and asset reachability before you book a demo. The methodology page is not behind a sales deck.

  6. Fit

    We work alongside your existing team

    SOC, MSP, or platform team, we plug into whoever runs production today. We do not replace tools that already do their job.

Services and products

Five capabilities. Three layers of defense. One partner.

See what's exposed outside and inside, verify what works, control what's privileged, with evidence on every finding.

Layer 01 . Visibility

Know what's exposed, outside and inside.

DarkWeb Report shows the view an attacker has of your domain. VulnMonitor reconciles every advisory against the equipment you actually run.

DarkWeb ReportVulnMonitor

Layer 02 . Verification

Prove your defenses hold.

Security Audit measures posture against CIS Benchmarks. Penetration testing runs adversarial scenarios, external and internal scope, RoE-gated, with re-test included.

Security AuditPentest

Layer 03 . Control

Lock down privileged access. Trace every action.

PAM vaults privileged credentials, records every session, and gives auditors a full trace of who touched which server and when.

PAM
  1. Visibility DarkWeb Report . VulnMonitor
  2. Verification Security Audit . Pentest
  3. Control PAM

01 . Visibility, external

DarkWeb and external exposure report

The view an attacker has of your business. A monthly scan of your domain pulls leaked credentials from breach corpora, exposed subdomains, open ports on internet-facing IPs and vulnerabilities on edge services, ranked into one executive risk score.

  • Leaked passwords cross-checked against known breach databases
  • Subdomain discovery and external attack-surface inventory
  • Open ports and vulnerabilities on internet-facing services
Monthly deliveryDomain-scopedPairs with VulnMonitor
See a sample report
Monthly external scan report with executive overview, KPIs, risk score, and priority concerns

02 . Visibility, internal

Continuous vulnerability monitoring

The view from inside your perimeter. VulnMonitor reconciles every advisory against your real equipment inventory, servers, network gear, endpoints, applications, and surfaces zero-day exposure the moment an advisory drops, not when the CVE lands days later.

  • Zero-day exposure surfaced before a CVE is issued
  • AI predicts 30-day exploit likelihood; confirmed-exploited CVEs auto-promote
  • Compliance evidence auto-populated for ISO 27001, SOC 2, NIST CSF and NIST 800-53
Zero-day awareAI exploit predictionCompliance evidence
Explore VulnMonitor
VulnMonitor executive brief: risk score, KEV-listed findings, and a must-patch list

03 . Verification, posture

Security audit

A structured review of your production systems against CIS Benchmarks, every gap documented, owned by a named person, and given a remediation estimate.

  • Production hardening against CIS Benchmarks
  • Identity and access reviewed, exceptions documented
  • Remediation roadmap with effort estimates
CIS BenchmarksRe-audit scheduled
Explore security audit

04 . Verification, adversarial

Penetration testing

Scoped, authorized testing of your web apps, APIs and network, external and internal scope. Every engagement opens with a signed Rules of Engagement and closes with reproducible, prioritized findings.

  • Signed Rules of Engagement before any active test
  • Findings with reproduction steps and evidence
  • Fixes re-tested, attestation included
RoE-gatedExternal plus internal scopeRe-test included
Explore penetration testing

05 . Control, privileged access

Privileged access management

Vault privileged credentials, record every privileged session, and grant access just-in-time, with a full trace of who touched which server and when, mapped to the controls your ISO 27001 and SOC 2 auditors read.

  • Credentials vaulted, every privileged session recorded
  • Just-in-time access and full traceability per server, per user
  • Plugs into your existing directory and identity provider
ISO 27001 mappedSOC 2 mappedSession traceability
Explore PAM
CloudKey privileged access portal sign-in screen

By the numbers

Four numbers that map to the five things CloudKey covers.

Security is not one chart. Each number below is the kind of risk one of our services is built to close.

  1. 01 . External exposure

    0 B+

    Credentials sitting in public breach corpora today.

    If staff reuse passwords, this is the first well attackers draw from. DarkWeb Report cross-checks your domains against breach databases every month and flags the hits before they become an incident.

    DarkWeb Report

    Source: aggregate breach corpus counts (Have I Been Pwned and similar). Placeholder, replace before launch

  2. 02 . CVE volume

    0 +/yr

    New vulnerabilities published every year.

    About 110 advisories hit the NVD catalog daily. VulnMonitor reconciles each one against the gear you actually run, then ranks the few that matter against KEV and EPSS.

    VulnMonitor

    Source: NVD 2024 CVE feed. Placeholder, replace before launch

  3. 03 . Time to detect

    0 days

    Median time to identify a breach.

    Posture reviews and adversarial testing shorten this number. Security Audit measures your stack against CIS Benchmarks. Penetration testing proves the controls hold under attack, then re-tests every fix.

    Security Audit + Pentest

    Source: IBM Cost of a Data Breach Report 2024. Placeholder, replace before launch

  4. 04 . Compromised credentials

    0 %

    Of breaches involve compromised or stolen credentials.

    Privileged accounts are the keys to the kingdom. PAM vaults them, records every session, and gives auditors a full trace of who touched which server and when.

    PAM

    Source: Verizon Data Breach Investigations Report 2024. Placeholder, replace before launch

CloudKey covers the full chain. See what's exposed, prove your defenses hold, lock down privileged access. Three layers, evidence on every finding.

Book a platform demo

Resources

Reading the team publishes

All resources
New

Methodology

Why KEV-tracked CVEs deserve attention before CVSS scores

What CISA's exploit-evidence list tells you about patch order, illustrated with two real CVEs from this month.

Read

Field notes

What a useful monthly exposure report actually contains

We take a redacted monthly report and walk through it section by section. The open-finding ledger. The re-test attestations. The bits people actually argue about.

Read

Engineering

Mapping SBOM evidence onto a fast-moving asset inventory

What your team thinks is in production is rarely exactly what the package manifests say. This is how CloudKey reconciles the drift.

Read

Start with visibility

See your monthly DarkWeb and exposure report, then layer on what you need.

One redacted report a month: leaked credentials, exposed subdomains, edge vulnerabilities, scoped to the domains you authorize, delivered to a named owner. Verification and Control layers follow once the picture is clear.

Subscribe to the monthly report Book a platform demo

Reconnaissance only runs after written authorization. Our scope policy. →