Analyzer Groups
Analyzer groups organize related analyzers into security domains. Each group represents a distinct area of security posture — cloud infrastructure, data stores, application pipelines, or AI systems — and provides its own dashboard, risk score, and insight feed.
Groups
| Group | Domain | What it covers |
|---|---|---|
| CSPM | Cloud Security Posture Management | Cloud infrastructure misconfigurations, IAM risks, network exposure, compliance across AWS, Azure, and GCP |
| DSPM | Data Security Posture Management | Database access, storage encryption, sensitive data exposure across cloud storage and database services |
| ASPM | Application Security Posture Management | Code vulnerabilities, SBOMs, secrets, IaC misconfigurations, CI/CD pipeline security |
| AISPM | AI Security Posture Management | AI model security, agent permissions, prompt vulnerabilities, training data integrity |
Each group has its own:
- Security Risk Score (0-100 gauge) calculated from active analyzers within the group
- Insight Map showing findings across its analyzers
- Overview dashboard with group-specific KPI metrics
Analyzers Within Groups
Analyzers are assigned to groups based on their security domain. A single group can span multiple cloud providers — for example, CSPM includes AWS IAM, Azure IAM, and GCP IAM.
CSPM Analyzers
| Analyzer | Cloud | Focus |
|---|---|---|
| AWS IAM | AWS | IAM users, roles, policies, MFA |
| Azure IAM | Azure | Azure AD roles and access |
| GCP IAM | GCP | Service accounts, IAM bindings |
| AWS Compute | AWS | EC2, ECS, Lambda security |
| GCP Compute | GCP | Compute Engine instances |
| AWS Network | AWS | VPCs, security groups, NACLs |
| Azure Network | Azure | VNets, NSGs, DNS |
| GCP Network | GCP | VPCs, firewall rules |
| Kubernetes | Multi | Cluster state, RBAC, pod security |
| AWS Streaming | AWS | Kinesis, streaming infrastructure |
| Azure Streaming | Azure | Event Hubs, streaming security |
DSPM Analyzers
| Analyzer | Cloud | Focus |
|---|---|---|
| AWS Storage | AWS | S3 buckets, EBS volumes |
| Azure Storage | Azure | Storage accounts, containers |
| GCP Storage | GCP | Cloud Storage buckets |
| Database | Multi | Direct database environments |
| AWS RDS | AWS | RDS instances, encryption |
| Azure Database | Azure | SQL Database, Cosmos DB |
| GCP Database | GCP | Cloud SQL, Spanner |
ASPM Analyzers
| Analyzer | Focus |
|---|---|
| Code Security | SAST findings, code vulnerabilities |
| Application | Application-level security posture |
| SCA | Dependency vulnerabilities, SBOM |
| Artifact | Container image and build artifact security |
| IaC | Terraform, CloudFormation misconfigurations |
| Repository | Branch protection, unsigned commits |
| Secrets & PII | Hardcoded secrets, sensitive data in code |
| GCP DevOps | GCP-specific DevOps security |
AISPM Analyzers
| Analyzer | Focus |
|---|---|
| AI IAM | Overprivileged tokens, agent permissions |
| AI SAST | Insecure AI code patterns, exposed prompts |
| AI DAST | Prompt injection, jailbreak testing |
| Azure AI | Azure Cognitive Services, OpenAI security |
| GCP AI | Vertex AI, Model Garden security |
Active Analyzers
An analyzer is active within a group only if a blueprint account is configured for it. For example:
- If you only have an AWS blueprint configured, the CSPM group score is based solely on AWS IAM, AWS Compute, and AWS Network
- Adding an Azure blueprint automatically activates Azure IAM, Azure Network, and Azure Streaming within CSPM
This means analyzer groups adapt to your environment — you only see scores and insights for the platforms you actually use.
Group Risk Scores
Each group has a 0-100 security risk score calculated from its active analyzers. The weight of each analyzer is determined dynamically by the number and severity of its enabled insight rules. See each domain page for details.
Related
- Insight Rules — How individual detection rules work within analyzers
- KDefend Overview — Unified view across all groups