Your Current Risk Scanner and Security Tools Can’t Keep Up - We Can.

Real-Time Cloud Vendor AUDIT: No Blind Spots, No Guesswork, 90% lower audit costs – meet CloudVRM®

See vendor risks instantly

No more outdated, unreliable reports

Accelerate vendor approvals

Cut assessment times from months to days

Seamless integration

With leading cloud platforms like AWS, Azure and GCP*.

Save 90% on Audit Costs

Automate security audits and eliminate expensive third-party auditors

Why Choose Findings CloudVRM®?

Compliance Simplified, Security Amplified:

Navigate Complex Regulations with Ease: DORA, ISO 27001, SOC 2, and more.

Cut assessment times from months to minutes

Real-Time Vendor Risk Insights and actionable mitigation

Latest Updates:

The “Plain English” Guide to ISO 42001
June 7, 2026

Beyond Shadow IT: The Dangerous Rise of Shadow AI Agents
June 3, 2026

May 2026 Data Breach Round Up
June 1, 2026

How to Evaluate Vendor Security: A GRC Guide
May 25, 2026

What Is Fourth-Party Risk? The VRM Blind Spot
May 18, 2026

Why Annual Vendor Reviews Aren’t Enough
May 15, 2026

Vendor Risk Assessment Checklist: What to Ask
May 12, 2026

April 2026 Data Breach Round Up
May 5, 2026

Frequently Asked Questions:

Traditional assessments rely on static reports, vendor questionnaires, surface scanners, and point-in-time audits, which are outdated the moment they’re completed. Findings CloudVRM™ connects directly and securely to vendor cloud environments in real time, providing continuous security insights and automated compliance tracking.
Like all good things, it depends. CloudVRM™ complements your existing security stack. Traditional scanners check only external-facing assets; Findings goes deeper by monitoring vendor cloud environments directly, giving you insights you can’t get anywhere else. If you have cloud-based vendors only, you can rely entirely on Findings CloudVRM™; in other cases, you can use CloudVRM™ as your starting point alongside your current solutions until you are convinced they are redundant.
Vendors execute a one-time, minimal-permission setup. CloudVRM™ then connects securely via API, fetching real-time security data. Your vendor can opt out at any moment, and the data is end-to-end encrypted between you and your vendor.
Yes! Findings CloudVRM™ automates compliance tracking and provides continuous oversight of vendor risks, helping you stay audit-ready for DORA, ISO 27001, SOC 2, and other regulatory frameworks.
Instantly. The moment a vendor connects to CloudVRM™, you get live visibility into their AWS, Azure, and GCP security risks. No waiting for security reports, no delays—just real-time insights.
CloudVRM™ establishes a secure connection to a vendor’s cloud account by having the vendor execute a setup script provided by Findings.co. This script creates a dedicated, minimal-permission, read-only role within the vendor’s cloud environment—whether that’s AWS or Azure. For example, in AWS, the script deploys a CloudFormation stack that automatically sets up an IAM user and a corresponding IAM role with read-only permissions (specifically limited to Security Hub data). In Azure, a similar process occurs via an App Registration, Service Principal, and a custom role with strictly controlled access.
This process ensures that Findings.co can securely retrieve security-related telemetry data via API without risking any modification of the vendor’s sensitive resources. Essentially, the connection is established in a way that enforces the principle of least privilege, ensuring that only the necessary data is accessed for assessment purposes.
CloudVRM™ collects security telemetry that includes detailed security control statuses—such as whether controls have passed or failed—categorized security controls, identified security gaps, severity levels (e.g., low, medium, high, critical), due dates, and remediation guidance. This data is gathered from the vendor’s cloud environment via an API connection and is updated on a 24‑hour cycle. These regular updates help ensure that the security assessments reflect the current posture of the vendor’s environment.
The vendor opt‑out mechanism is designed to give vendors control over the security data they disclose. Here’s how it works:
Initial Visibility: When the telemetry is first collected, vendors can review all security control results privately on the Findings.co platform.
Selective Sharing: Vendors then decide which specific control statuses they wish to share. They can opt out of sharing controls that they consider irrelevant, confidential, or sensitive.
Customer Awareness: For any control that is withheld, customers won’t see the actual Pass/Fail result; instead, they will notice that the result is missing, prompting potential follow‑up if necessary.
Engagement and Justification: If a control is opted out, customers have the ability to engage directly with the vendor via the built-in chat feature to request further clarification or justification for the omission.
The process doesn’t enforce a predetermined list of controls that must be shared; it provides vendors with the discretion to decide which security controls are disclosed. This balance allows vendors to protect sensitive information while still enabling customers to make informed risk assessments. In addition, vendors can revoke the entire setup and disable CloudVRM™ completely.
CloudVRM™ secures its integrations with AWS and Azure using dedicated setup scripts that enforce minimal, read-only access:
AWS Integration: A CloudFormation stack is used to automatically create a dedicated IAM user and an associated IAM role. This role is strictly limited to read-only permissions—specifically, it grants access to AWS Security Hub data only. Additionally, Findings leverages AWS’s strict, standard APIs that ensure access is confined solely to security posture data, preventing any modifications or access to sensitive resources.
Azure Integration: A similar approach is taken by provisioning an Azure App Registration, Service Principal, and a custom role. The custom role provides minimal read-only access, and Findings utilizes Azure’s standard APIs to ensure that only security telemetry is accessed, thereby safeguarding the environment.
These security measures, combined with the use of standardized APIs from the cloud providers, ensure that CloudVRM™ collects only the necessary security data while keeping the vendor’s cloud environment secure and isolated from other sensitive information.
CloudVRM™ leverages industry-recognized standards to assess vendor security postures. For AWS, it uses the AWS Foundational Security Best Practices v1.0.0 (FSBP), which comprises over 300 security controls to ensure comprehensive coverage of critical areas such as secure network configuration, access management, and vulnerability management. For Azure, CloudVRM™ integrates with the Microsoft Cloud Security Benchmark (MCSB), which provides a detailed framework of controls across network security, identity management, and data protection, among other areas. These standards ensure that the security assessments are thorough, consistent, and aligned with best practices from the leading cloud providers.
Minimal access is enforced by designing the connection process to operate under the principle of least privilege. For instance, in AWS, a dedicated CloudFormation stack creates an IAM user and a corresponding IAM role that is strictly limited to read-only access—specifically, it only allows retrieval of AWS Security Hub data. Similarly, in Azure, a dedicated App Registration, Service Principal, and custom role are set up to ensure only minimal, read-only access is granted. Additionally, Findings leverages the strict, standard APIs provided by AWS and Azure to ensure that only security posture data is accessible, thereby preventing any exposure to sensitive information.
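
A vendor asked to run a setup script of this kind can check the role's IAM policy against the "read-only, Security Hub only" claim before deploying it. The following is an added example, not Findings' script or template: both policy documents are constructed, and the action prefixes treated as read-only Security Hub access are an assumption.

```python
import json

# Assumption: "read-only Security Hub" means actions with these name prefixes.
# IAM action names are case-insensitive, so comparison is done in lower case.
READ_ONLY_PREFIXES = ("securityhub:get", "securityhub:list",
                      "securityhub:describe", "securityhub:batchget")

def _as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return one finding per Allow grant that exceeds read-only Security Hub."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants "
                            "every action that is not listed")
        for action in _as_list(stmt.get("Action", [])):
            # The literal part before any wildcard must already be read-only,
            # so "securityhub:*" and "securityhub:G*" are both rejected.
            if not action.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: {action} is outside "
                                "read-only Security Hub access")
    return findings

# Constructed sample: the narrow policy the page describes.
NARROW = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Resource": "*",
  "Action": ["securityhub:Get*", "securityhub:List*",
             "securityhub:Describe*", "securityhub:BatchGet*"]}}""")

# Constructed sample: a policy that claims the same but grants more.
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["securityhub:GetFindings", "securityhub:*", "s3:GetObject"]},
  {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "securityhub:BatchImportFindings",
   "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, doc in (("NARROW", NARROW), ("BROAD", BROAD)):
        print(name, audit_policy(doc) or "OK: read-only Security Hub only")
```

The same check applies to the policy documents embedded in a CloudFormation template once they are extracted from the role's `Policies` property.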
